    Multiple LAN adapters, different subnets, not visible to each other

    • mattlach

      Hey all,

      First off, I'm not quite sure which section to put this into, as it touches on NAT, Firewalls, and a few other topics, so I hope here is fine.

      I currently have a setup I am very happy with.

      pfSense is a guest on my ESXi box with its own dedicated (and direct I/O forwarded) dual port gigabit Intel NIC. It serves as the router, firewall and DHCP server for my home network.

      The WAN port is connected to my outside internet (of course) and the LAN side is connected to my major house switch (24port managed procurve)

      I know typically people get a little bit uncomfortable when it comes to running the firewall and router as a virtual machine, as it has the risk of exposing the host server to the outside network, but I feel I have minimized the risk by using a dedicated NIC that is direct I/O forwarded to the guest, so no traffic goes through VMware's vSwitches.  For all intents and purposes, from a networking perspective, it's like pfSense is running on bare metal.  I am comfortable with it.

      So here's my question.

      I need to host a small web server accessible to the outside world.  I don't want it to be able to be in contact with my internal network (from an isolation perspective, should anything go wrong).  I'm thinking the best way to do this is to give the webserver its own dedicated LAN NIC in pfSense on a different subnet and make sure my main home subnet and the webserver subnet can't see each other, but both can see the outside network.

      Question is, what is the correct way to do this?

      I'd appreciate any thoughts!

      –Matt

      • Derelict (LAYER 8 Netgate)

        What you want is a DMZ.

        With only two NICs you'll probably want to move your LAN to a VLAN interface and create another VLAN for the DMZ.  You can then create firewall rules that allow LAN traffic to the DMZ for management purposes, but disallow DMZ traffic to the LAN.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • mattlach

          @Derelict:

          What you want is a DMZ.

          With only two NICs you'll probably want to move your LAN to a VLAN interface and create another VLAN for the DMZ.  You can then create firewall rules that allow LAN traffic to the DMZ for management purposes, but disallow DMZ traffic to the LAN.

          Yeah,

          Something like that was the plan.

          I plan on keeping the physical NIC as is with one port for WAN and one port for LAN to my switch.

          I was thinking I could add a virtual NIC for the secondary LAN/DMZ (this should be easy since the plan is for the webserver to reside on the same host).

          I know how to do all the VMWare stuff.  That part is easy.  Can you give some suggestions as to how I need to setup pfSense to accomplish this DMZ, or are you aware of a good guide?

          The firewall setup always confuses the crap out of me.

          Thanks,
          Matt

          • stephenw10 (Netgate Administrator)

            It's pretty straightforward really. Add an extra virtual NIC to the pfSense VM. Now assign that as a new interface in pfSense; it will be named OPT1 but rename it as you wish. Set the subnet/mask etc. Add DHCP if you want to use that. There will be no firewall rules on the new interface so all traffic will be blocked. Add appropriate rules to allow/restrict access to/from your server.

            Steve
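As an added illustration of the rule logic described in the two answers above (this is example code written for this page, not pfSense code or anything posted in the thread), the model below evaluates a per-interface rule table the way pfSense does: top-down, first match wins, and an interface with no rules blocks everything. The subnets and addresses are constructed assumptions, and stateful reply traffic is not modelled.

```python
import ipaddress

# Constructed addressing for the thread's setup (assumed, not from the posts):
# LAN on the physical NIC, DMZ on the extra virtual NIC assigned as OPT1.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")

# A rule is (action, src_net, dst_net); "any" is a wildcard. A pfSense
# interface tab is evaluated top-down, first match wins, and an interface
# with no rules blocks everything (the implicit default deny).
def evaluate(rules, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if (src_net == "any" or src in src_net) and (dst_net == "any" or dst in dst_net):
            return action
    return "block"

# Per-interface rule tables, keyed by the interface the packet arrives on.
RULES = {
    "OPT1_fresh": [],                  # just assigned, nothing added yet
    "DMZ": [
        ("block", DMZ_NET, LAN_NET),   # must sit above the permissive rule
        ("pass",  DMZ_NET, "any"),     # everything else, i.e. out to the internet
    ],
    "DMZ_wrong_order": [
        ("pass",  DMZ_NET, "any"),     # matches first, so the block below never fires
        ("block", DMZ_NET, LAN_NET),
    ],
    "LAN": [
        ("pass", LAN_NET, "any"),      # LAN may reach the DMZ for management
    ],
}

def decide(iface, src, dst):
    """Return 'pass' or 'block' for a packet entering pfSense on iface."""
    return evaluate(RULES[iface], src, dst)

if __name__ == "__main__":
    checks = [
        ("OPT1_fresh", "192.168.50.10", "198.51.100.1"),      # block: no rules yet
        ("DMZ", "192.168.50.10", "203.0.113.5"),              # pass: DMZ to internet
        ("DMZ", "192.168.50.10", "192.168.1.20"),             # block: DMZ to LAN
        ("DMZ_wrong_order", "192.168.50.10", "192.168.1.20"), # pass: ordering bug
        ("LAN", "192.168.1.20", "192.168.50.10"),             # pass: LAN manages DMZ
    ]
    for iface, s, d in checks:
        print(f"{iface:16} {s:15} -> {d:15} {decide(iface, s, d)}")
```

The "DMZ_wrong_order" table shows why the block-to-LAN rule has to be listed above the pass-to-any rule on the DMZ tab.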
