• Has anyone done this before, and how well does it work?

    -Two-tier firewall
    -First tier has Internet-facing VIP addresses with 1:1 NAT relationships to VIPs that reside on the external interfaces of the second-tier firewalls.
    -That internal tier's VIP addresses all perform some kind of port forwarding for FTP, HTTP, or other protocols, and also some proxying.

    It looks like this:

    Internet
        |
      VIP1
    -PFSense-
    InternalIP
        |
      VIP2
    -Second tier FW-
    Internal IP
        |
      router
        |
    Web Server

    1:1 NAT from VIP1 to VIP2
    VIP2 does port redirection for HTTP

    How well does that work?  I'm concerned with the double-NAT part in particular.  Can any of y'all see any problems there?

    Thanks,
    Schnibitz


  • I run a similar setup at home, but don't NAT on the internal (second) firewall. You can route on that one and avoid all the issues of double NAT.
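  As an added illustration (not from either poster, and not pfSense's generated rule set), the two variants discussed above, the original double-NAT design and the reply's "1:1 NAT on the outer tier, plain routing on the inner tier" design, written as pf.conf fragments in the nat/rdr/binat syntax of FreeBSD-based pf, which is what pfSense runs underneath its GUI. Interface names and every address below are assumed placeholders (RFC 5737 and RFC 1918 ranges), not values from the thread.

```conf
# ---- Variant A: double NAT (the original question) ----

# Tier 1 (pfSense, Internet-facing)
ext_if = "em0"
int_if = "em1"
vip1   = "203.0.113.10"     # Internet-facing VIP (assumed)
vip2   = "192.168.100.10"   # VIP on tier-2's external interface (assumed)

# 1:1 (bidirectional) NAT: inbound to VIP1 becomes VIP2, outbound from VIP2 becomes VIP1.
binat on $ext_if from $vip2 to any -> $vip1
# pf translates before it filters, so the filter rule names the post-NAT address.
pass in on $ext_if proto tcp from any to $vip2 port 80 flags S/SA keep state

# Tier 2 (second-tier firewall)
ext_if = "em0"
web    = "10.0.0.80"        # real web server address (assumed)
vip2   = "192.168.100.10"

# Port forward (second translation of the same packet): VIP2:80 -> web:80
rdr on $ext_if proto tcp from any to $vip2 port 80 -> $web port 80
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA keep state

# ---- Variant B: NAT once, route on the inner tier (the reply's setup) ----

# Tier 1: 1:1 NAT straight to the server's real address, with a static route
# (outside pf) sending 10.0.0.0/24 to tier-2's external interface.
web  = "10.0.0.80"
vip1 = "203.0.113.10"
binat on $ext_if from $web to any -> $vip1
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA keep state

# Tier 2: no translation at all, just stateful filtering on the routed traffic.
pass in on $ext_if proto tcp from any to $web port 80 flags S/SA keep state
```

  In both variants only the destination address is rewritten, so the web server still sees the real client source address in its logs; the difference is that Variant B has one translation state to keep consistent instead of two, and the tier-2 rules can be written against the server's real address rather than a VIP that only exists because of the outer NAT.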


  • Can you give me an example of issues I might run into with the double-NAT stuff?