Multiple LAN adapters, different subnets, not visible to each other



  • Hey all,

    First off, I'm not quite sure which section to put this into, as it touches on NAT, Firewalls, and a few other topics, so I hope here is fine.

    I currently have a setup I am very happy with.

    pfSense is a guest on my ESXi box with its own dedicated (and direct I/O forwarded) dual port gigabit Intel NIC. It serves as the router, firewall and DHCP server for my home network.

    The WAN port is connected to my outside internet (of course) and the LAN side is connected to my major house switch (24port managed procurve)

    I know typically people get a little bit uncomfortable when it comes to running the firewall and router as a virtual machine as it has the risk of exposing the host server to the outside network, but I feel I have minimized the risk by using a dedicated NIC that is direct I/O forwarded to the guest, so no traffic goes through VMware's vswitches.  For all intents and purposes from a networking perspective it's like pfSense is running on bare metal.  I am comfortable with it.

    So here's my question.

    I need to host a small web server accessible to the outside world.  I don't want it to be able to be in contact with my internal network (from an isolation perspective should anything go wrong).  I'm thinking the best way to do this is to give the webserver its own dedicated LAN NIC in pfSense on a different subnet and making sure my main home subnet and the webserver subnet can't see each other, but both can see the outside network.

    Question is, what is the correct way to do this?

    I'd appreciate any thoughts!

    –Matt


  • LAYER 8 Netgate

    What you want is a DMZ.

    With only two NICs you'll probably want to move your LAN to a VLAN interface and create another VLAN for the DMZ.  You can then create firewall rules that allow LAN traffic to the DMZ for management purposes, but disallow DMZ traffic to the LAN.



  • @Derelict:

    What you want is a DMZ.

    With only two NICs you'll probably want to move your LAN to a VLAN interface and create another VLAN for the DMZ.  You can then create firewall rules that allow LAN traffic to the DMZ for management purposes, but disallow DMZ traffic to the LAN.

    Yeah,

    Something like that was the plan.

    I plan on keeping the physical NIC as is with one port for WAN and one port for LAN to my switch.

    I was thinking I could add a virtual NIC for the secondary LAN/DMZ (this should be easy since the plan is for the webserver to reside on the same host).

    I know how to do all the VMware stuff.  That part is easy.  Can you give some suggestions as to how I need to set up pfSense to accomplish this DMZ, or are you aware of a good guide?

    The firewall setup always confuses the crap out of me.

    Thanks,
    Matt


  • Netgate Administrator

    It's pretty straightforward really. Add an extra virtual NIC to the pfSense VM. Now assign that as a new interface in pfSense; it will be named OPT1, but rename it as you wish. Set the subnet/mask etc. Add DHCP if you want to use that. There will be no firewall rules on the new interface, so all traffic will be blocked. Add appropriate rules to allow/restrict access to/from your server.

    Steve
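As an added illustration (not code from pfSense or from anyone in this thread), the following Python model encodes the interface-tab rules Derelict and Steve describe and evaluates sample connections the way pfSense does: rules on the interface where a new connection enters, top-down, first match wins, and an interface with no matching rule blocks everything. The subnets, the web server address and the management port are constructed assumptions; the model also shows the ordering mistake that quietly defeats the isolation.

```python
import ipaddress

# Constructed example subnets; the thread names none, so these are assumptions.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("192.168.50.10/32")  # assumed DMZ web host


def rule(action, src, dst, dport=None):
    """One pfSense interface-tab rule; dport=None means any port."""
    return {"action": action, "src": src, "dst": dst, "dport": dport}


# Rules live on the interface where a NEW connection enters pfSense and are
# evaluated top-down, first match wins (pfSense adds "quick" for you).
# Return traffic for an allowed connection is handled by state, not by rules.
RULES = {
    "WAN": [rule("pass", ANY, WEB_SERVER, 80)],   # the published web server
    "LAN": [
        rule("pass", LAN_NET, DMZ_NET, 22),       # LAN may manage the server
        rule("block", LAN_NET, DMZ_NET),          # ...but nothing else into the DMZ
        rule("pass", LAN_NET, ANY),               # ANY contains DMZ_NET, hence the block above
    ],
    "DMZ": [
        rule("block", DMZ_NET, LAN_NET),          # must come before the catch-all
        rule("pass", DMZ_NET, ANY),               # DMZ reaches the Internet only
    ],
}


def evaluate(iface, src, dst, dport, rules=RULES):
    """Decide a new connection the way pfSense does; no match means blocked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules[iface]:
        if src in r["src"] and dst in r["dst"] and r["dport"] in (None, dport):
            return r["action"]
    return "block"  # Steve's point: an interface with no matching rule passes nothing


# The common mistake: "pass to any" placed above the block-to-LAN rule.
BROKEN = dict(RULES, DMZ=list(reversed(RULES["DMZ"])))


def dmz_isolated(rules=RULES):
    """True only if no DMZ host can open a connection into the LAN."""
    probes = [("192.168.50.10", "192.168.1.5", p) for p in (22, 80, 445, 3389)]
    return all(evaluate("DMZ", s, d, p, rules) == "block" for s, d, p in probes)
```

Because pfSense is stateful, the LAN-to-DMZ SSH session still gets its replies back even though the DMZ tab blocks everything toward the LAN; only new connections are decided by the rules.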

