DMZ design in CARP environment

  • Hi

    At my company we are currently running 2 pfSense 2.03 firewalls in a CARP config. For months I have been arguing that its a VERY bad idea hosting our webservers on the internal LAN.

    I have finally had a breakthrough  ;D because top management is now ready to listen.

    I need to decide on a design for our DMZ and I'm not sure what would be best.

    I'm hoping you guys could assist with some comments  ::)

    Here are my ideas so far:

    Option 1:
    Create new VM with pfSense and 3 NIC.
    NIC1 "Outside" used only for routing traffic from main FW - but resides physically on internal LAN.
    NIC2 "DMZ" Connects to DMZ virtual switch.
    NIC3 "Inside" Connects to Internal LAN with access to internal hosts and DB server.

    Option 2:
    Add extra NIC in existing two FW and create DMZ using those.

    Option 3:
    Create two new VM with pfSense each with two NIC.
    One for "outside" to DMZ
    one for DMZ to "inside".

    How to balance security vs ease of use/simplicity. KISS  ::)

    Currently we use 1:1 NAT on several public IP's - how will this be affected by adding another NAT device ?

    In order to protect traffic I would like to add somekind of content scanning/IDS.

    Been looking at Snort, but for the purpose of protecting webservers - maybe a proxy with mod security would be enough ?

    Since we are using HTTPS on all webservers - contentscanning will be somehow complicated  :-\

    Any thoughst on this matter would be grately appreciated  ;)


  • I am in exactly the same situation, CARP setup and everything.  I have an ESXi host for DMZ virtual machines and a virtual pfsense inside it, but with two interfaces (I probably need 3) and a vSwitch on the host.  I chose to do this because I don't have an extra interface on the main FW cluster.

    I am interesting in finding out what you ended up doing and any advice you may have.  Did you use NAT to bring external traffic into the DMZ?

  • Well - we have not reached a final conclusion yet - but….

    We realized that using virtual firewalls, how ever flexible, it still would be a single point of failure, and thus effectively making CARP on main firewall pointless.
    Yes we would have HW failure protection, but there would still be ONE VM that could fail, and  thus essentially creation a "System Down" event.

    So - currently we are leaning towards option 2 - in regards to the DMZ.

    On the matter of using Snort or Proxy ... - welll - we are still in the dark and looking into options.

    Not sure that helped much...  ::)


Log in to reply