Netgate Discussion Forum

    Setup DMZ Using Virtual IPs, CARP, and ESXi (Virtual Servers)

      copper21

      Hello all,

      I am a noob to pfSense, and so far I am really liking it. I used to use Untangle, but it did not do what I wanted it to; so far pfSense has! Anyway, I would like to place a couple of virtual servers that I have on an ESXi host into a DMZ, yet still having internal access to them. My setup consists of a pfSense server (standalone) with 4 NICs. I am currently using only 2 of them, 1 WAN, 1 LAN. I have 5 Uverse static IP addresses. The main reason why I went with pfSense is because it can create the virtual IPs, CARP, needed for my Uverse router to hand out each of the static IPs. My Uverse router needs a MAC address for each static IP…lots of research on this one. I got the Uverse router to hand out the static IPs through the WAN connection by creating virtual IPs, CARP.

      Right now I have a web server and an Exchange server running as virtual machines on an ESXi 5.0 host. They both have IPs from my internal network, 10.2.XXX.XXX. So I could get the servers up and running, I then set up a 1:1 NAT pulling one of the external IPs for each of the servers; that works great. I have the external IP routed to the internal network IP. When each of these virtual servers does a "What's my IP" check they are showing the right external IP address. I also set up firewall rules so that they could get the appropriate traffic through to them.

      I know a bit about networking, and I think that putting these virtual servers in a DMZ should be the best thing seeing how they both face the internet.

      I am hoping that I could get a bit of guidance on how to set pfSense/ESXi so that these virtual servers can be placed into a DMZ, preventing any attacks from getting into my internal network. The other key is that I still want to be able to connect to them via RDP/vSphere to make changes/upgrades/etc. I know that I would have to set some rules only allowing certain kinds of traffic, but I would like to make this the most secure I can with the limited knowledge that I have.

      This link:  http://serverfault.com/questions/309187/pass-through-public-ip-addresses-to-pfsense  might be a start to what I want to do, but I am not sure.  I was looking at the first answer.

      Thank you in advance for any assistance,

      Brian

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.