How to replace shorewall with pfSense with 3 NICs?



I am so far using shorewall with 3 NICs (net or WAN, loc or LAN, and dmz or OPT1) in two locations. I am thinking of migrating to pfSense with a site-to-site VPN tunnel with advanced threat detection for the services behind pfSense. I found some tutorials on pfSense site-to-site OpenVPN and IPsec tunneling with WAN and LAN but not with the third OPT1 (or say dmz) that connects to web services.

My scheme is:

    Public IPs provided by ISP in two locations --> WAN
    Private IPs --> LAN and OPT1 (behind NAT)

LAN and OPT1 pass through the WAN interface behind NAT while site-to-site tunneling between the two WANs, so that the services appear to be in the same subnet.

So far I checked the following official documentation:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
    http://www.youtube.com/watch?v=bhfNbQ_bzu4
    http://doc.pfsense.org/index.php/VPN_Capability_IPsec
    http://serverfault.com/questions/495248/ipsec-site-to-site-tunnel-config

I would appreciate it if experts here could share their advice on the best practices for a three-interface pfSense with OpenVPN/IPsec. I tend to be a bit exhausted with the web GUIs rather than command lines, so please share screenshots if possible. Thanks in advance!

My current shorewall rules configuration looks as follows:

    #ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
    #                                                               PORT    PORT(S)         DEST            LIMIT           GROUP

    # Accept DNS connections from the firewall to the Internet
    DNS(ACCEPT)     $FW             net

    # Accept SSH connections from the local network to the firewall and DMZ
    SSH(ACCEPT)     loc             $FW
    SSH(ACCEPT)     loc             dmz

    # DMZ DNS access to the Internet
    DNS(ACCEPT)     dmz             net
    DNS(ACCEPT)     all             dmz

    # Drop Ping from the "bad" net zone.
    Ping(DROP)      net             $FW

    # Make ping work bi-directionally between the dmz, net, Firewall and local zone
    # (assumes that the loc-> net policy is ACCEPT).
    Ping(ACCEPT)    loc             $FW
    Ping(ACCEPT)    dmz             $FW
    Ping(ACCEPT)    loc             dmz
    Ping(ACCEPT)    dmz             loc
    Ping(ACCEPT)    dmz             net

    ACCEPT          $FW             net                     icmp
    ACCEPT          $FW             loc                     icmp
    ACCEPT          $FW             dmz                     icmp

    #ACCEPT         net             $FW                     udp     3478,4569,5060:5088,10001:20000
    ACCEPT          net             $FW                     tcp     10000
    ACCEPT          loc             dmz                     udp     4569

    # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
    # the net zone to the dmz and loc
    #Ping(ACCEPT)   net             dmz
    #Ping(ACCEPT)   net             loc

    # Accept ssh connection to the firewall machine from outside the network
    # i.e. from the internet
    SSH/ACCEPT      net             $FW
    #SSH/ACCEPT     $FW             dmz

    # Accept the connection from the net to the trixbox voip server
    DNAT            net             dmz:192.168.1.250       udp     5000:5100
    DNAT            net             dmz:192.168.1.250       udp     10001:20000
    #DNAT           net             dmz:192.168.1.250       udp     1720
    DNAT            net             dmz:192.168.1.250       udp     3478
    #DNAT           net             dmz:192.168.1.250       udp     3478:3479
    DNAT            net             dmz:192.168.1.250       udp     4569
    DNAT            net             dmz:192.168.1.250       tcp     25
    DNAT            net             dmz:192.168.1.250       tcp     110
    DNAT            net             dmz:192.168.1.250:7000  tcp     7000
    # Following ports are DNATted to allow the http/s connections to dmz machines
    DNAT            net             dmz:192.168.1.250:80    tcp     8080
    DNAT            net             dmz:192.168.1.250:81    tcp     8081
    DNAT            net             dmz:192.168.1.250:443   tcp     8443
    DNAT            net             dmz:192.168.1.250:22    tcp     33022
    DNAT            loc             dmz:192.168.1.250       udp     4569
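As an added example, not part of the original post: a small Python script that parses a shorewall rules file in the format above and lists the pfSense object each line becomes, either an interface rule or, for the DNAT lines, a WAN port forward with its redirect target. It assumes the zone-to-interface mapping net to WAN, loc to LAN, dmz to OPT1, and the constructed sample below is a subset of the post's own rules.

```python
import re
# Shorewall zone names -> pfSense interfaces, matching the 3-NIC layout in the post (assumed mapping).
ZONE_TO_IFACE = {"net": "WAN", "loc": "LAN", "dmz": "OPT1", "$FW": "This Firewall", "all": "any"}
# Ports behind the shorewall macros used in the post (DNS, SSH, Ping).
MACRO_PORTS = {"DNS": ("tcp/udp", "53"), "SSH": ("tcp", "22"), "Ping": ("icmp", "echoreq")}
VERDICTS = {"ACCEPT": "pass", "DROP": "block", "REJECT": "reject"}

# Constructed sample: a few lines lifted from the post's rules file.
SAMPLE_RULES = """
#ACTION      SOURCE DEST                  PROTO DEST_PORT
SSH(ACCEPT)  loc    dmz
Ping(DROP)   net    $FW
ACCEPT       net    $FW                   tcp   10000
DNAT         net    dmz:192.168.1.250     udp   5000:5100
DNAT         net    dmz:192.168.1.250:80  tcp   8080
SSH/ACCEPT   net    $FW
"""

def parse_rule(line):
    """Split one shorewall rules line into action/src/dst/proto/dport; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    action, src, dst = fields[:3]
    proto = fields[3] if len(fields) > 3 else "any"
    dport = fields[4] if len(fields) > 4 else "any"
    macro = re.match(r"(\w+)[(/](\w+)\)?$", action)  # DNS(ACCEPT) or SSH/ACCEPT macro forms
    if macro:
        name, action = macro.groups()
        proto, dport = MACRO_PORTS.get(name, ("any", "any"))
    return {"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport}

def to_pfsense(rule):
    """Map a parsed rule to the pfSense object it becomes: a port forward or an interface rule."""
    if rule["action"] == "DNAT":
        zone, ip, *tport = rule["dst"].split(":")  # dmz:IP or dmz:IP:port
        # pfSense redirects a port range onto the target starting at the first port, so 5000:5100 -> 5000
        target = tport[0] if tport else rule["dport"].split(":")[0]
        return {"type": "port_forward", "iface": ZONE_TO_IFACE[rule["src"]], "proto": rule["proto"],
                "ext_port": rule["dport"].replace(":", "-"), "target_ip": ip, "target_port": target,
                "target_iface": ZONE_TO_IFACE[zone]}
    return {"type": "rule", "iface": ZONE_TO_IFACE.get(rule["src"], rule["src"]),
            "verdict": VERDICTS.get(rule["action"], rule["action"].lower()),
            "dst": ZONE_TO_IFACE.get(rule["dst"], rule["dst"]), "proto": rule["proto"], "dport": rule["dport"]}

def migrate(text):
    """Return the pfSense objects for every rule line in a shorewall rules file."""
    return [to_pfsense(r) for r in map(parse_rule, text.splitlines()) if r]
```

Running `migrate(SAMPLE_RULES)` gives one dict per rule; the port forwards belong under Firewall > NAT on the WAN interface, the rest become pass/block rules on the source zone's interface tab.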
