Setup DMZ Using Virtual IPs, CARP, and ESXi (Virtual Servers)



Hello all,

    I am a noob to pfSense, and so far I am really liking it. I used to use Untangle, but it did not do what I wanted it to; so far pfSense has! Anyway, I would like to place a couple of virtual servers that I have on an ESXi host into a DMZ, yet still have internal access to them. My setup consists of a pfSense server (standalone) with 4 NICs. I am currently using only 2 of them, 1 WAN, 1 LAN. I have 5 Uverse static IP addresses. The main reason why I went with pfSense is because it can create the virtual IPs (CARP) needed for my Uverse router to hand out each of the static IPs. My Uverse router needs a MAC address for each static IP... lots of research on this one. I got the Uverse router to hand out the static IPs through the WAN connection by creating virtual IPs (CARP).

    Right now I have a web server and an Exchange server running as virtual machines on an ESXi 5.0 host. They both have IPs from my internal network, 10.2.XXX.XXX. To get the servers up and running, I set up a 1:1 NAT pulling one of the external IPs for each of the servers; that works great. I have the external IP routed to the internal network IP. When each of these virtual servers does a "What's my IP" check they are showing the right external IP address. I also set up firewall rules so that they could get the appropriate traffic through to them.

    I know a bit about networking, and I think that putting these virtual servers in a DMZ should be the best thing seeing how they both face the internet.

    I am hoping that I could get a bit of guidance on how to set up pfSense/ESXi so that these virtual servers can be placed into a DMZ, preventing any attacks from getting into my internal network. The other key is that I still want to be able to connect to them via RDP/vSphere to make changes/upgrades/etc. I know that I would have to set some rules only allowing certain kinds of traffic, but I would like to make this the most secure I can with the limited knowledge that I have.

    This link: http://serverfault.com/questions/309187/pass-through-public-ip-addresses-to-pfsense might be a start to what I want to do, but I am not sure. I was looking at the first answer.

    Thank you in advance for any assistance,

    Brian
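The layout described above (third NIC as a DMZ, CARP VIPs 1:1-mapped to the two VMs, LAN-only management access), written out as the pf ruleset that pfSense's GUI would generate for it. This is an added example, not code from the original post or from pfSense/Netgate; interface names, the 172.16.10.0/24 DMZ subnet, the 203.0.113.x VIPs, the admin workstation addresses, and the assumption that Exchange publishes TCP 25 and 443 are all placeholders.

```pf
# Assumed interface names and addresses (placeholders, not from the post)
wan = "em0"                 # WAN; the CARP VIPs live here
lan = "em1"                 # existing LAN, 10.2.x.x
dmz = "em2"                 # spare NIC, cabled to a DMZ-only vSwitch on the ESXi host
lan_net = "10.2.0.0/16"
dmz_net = "172.16.10.0/24"

web_vip  = "203.0.113.11"   # CARP VIP for the web server (documentation range)
mail_vip = "203.0.113.12"   # CARP VIP for the Exchange server
web_dmz  = "172.16.10.11"   # web server's address inside the DMZ
mail_dmz = "172.16.10.12"   # Exchange server's address inside the DMZ
table <mgmt_hosts> { 10.2.0.10, 10.2.0.11 }   # admin workstations allowed into the DMZ

set skip on lo0
scrub in all

# 1:1 NAT (pfSense "1:1" entries compile to binat): one VIP per DMZ host.
# Translation runs before filtering, so the WAN rules below match DMZ addresses.
binat on $wan from $web_dmz  to any -> $web_vip
binat on $wan from $mail_dmz to any -> $mail_vip
nat on $wan from { $lan_net, $dmz_net } to any -> ($wan)

# Default deny; every pass rule below is an explicit exception.
block log all

# Internet -> DMZ: only the published services.
pass in on $wan proto tcp from any to $web_dmz  port { 80, 443 }
pass in on $wan proto tcp from any to $mail_dmz port { 25, 443 }

# DMZ -> LAN is never allowed: a compromised DMZ VM must not reach 10.2.x.x.
block log quick on $dmz from $dmz_net to $lan_net
# DMZ hosts may still reach the internet (updates, outbound mail).
pass in on $dmz from $dmz_net to any

# LAN -> DMZ: only RDP, and only from the admin workstations. vSphere talks to
# the ESXi management vmkernel port, which stays on the LAN, so it needs no DMZ rule.
pass in on $lan proto tcp from <mgmt_hosts> to $dmz_net port 3389
pass in on $lan from $lan_net to ! $dmz_net

pass out all
```

On the ESXi side the same separation requires a second vSwitch (or VLAN-tagged port group) bound to the NIC that connects to em2, with only the two servers' vNICs attached to it; the vmkernel management port remains on the LAN vSwitch.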
