Part two

schnibitz

Has anyone done this before, and how well does it work?

-Two-Tier firewall
-First tier has Internet-facing VIP addresses with 1:1 NAT relationships to VIPs that reside on the external interfaces of the second tier firewalls .
-That Internal tier's VIP addresses all perform some kind of port forwarding for FTP, HTTP, or other protocols, and also some proxying.

It looks this:

Internet
                                                |
                                              VIP1
                                            -PFSense-
                                            InternalIP
                                                |
                                              VIP2
                                        -Second tier FW-
                                            Internal IP
                                                |
                                              router
                                                |
                                            Web Server

1:1 Nat from VIP1 to VIP2
VIP2, does port redirection for HTTP

How well does that work?  I'm concerned with the double-NAT part in particular.  Can any of y'all see any problems there?

Thanks,
Schnibitz

cmb

I run a similar setup at home, but don't NAT on the internal (second) firewall. You can route on that one and avoid all the issues of double NAT.

schnibitz

Can you give me an example of issues I might run into with the double-nat stuff?