Netgate Discussion Forum

    Looking for some network design advice…

    General pfSense Questions
      Sangheili

      OK, so here's what I've got.

      Two incoming WAN connections, a Comcast cable modem (dedicated IP) and a dedicated T1 with 6 IPs.

      I have an old Nortel Brick firewall with 4 Intel NICs in it that I'm going to beef up and try to get pfSense running on.
      I also have a SonicWall 1260 that I'm currently using as my only firewall.

      I'm looking to host a web box to the outside world via the T1 (and possibly also the Comcast via a DNS 2nd address if possible). I would like this web box to be in the best DMZ/security scenario possible based on my assets available. The web server is going to host a stripped down read-only SQL database, a few corporate public websites, maybe some FTP, and act as an Exchange front end/edge transport server.

      On the inside I have about 4 servers and 20+ clients. As far as routing goes, the Exchange traffic needs to get routed inbound to the back end, and the SQL data needs to be passed outward to the web box (the SQL stuff is for a client-accessible web application for inventory reports and such). Also I need to provide inward access to Exchange services such as OWA and Exchange ActiveSync inside my internal network (probably via NAT with one of the T1 IPs).

      I would like WAN failover for the LAN clients. Their traffic should go out the cable modem if possible, if not, the T1.

      The two (high level) scenarios I've seen for this would be a WAN - Firewall - Firewall - LAN deployment where the DMZ/web box is strung off one of the firewalls (most likely the first one), or the second scenario being the "sandwich", if you will, WAN - Firewall - DMZ - Firewall - LAN.

      What should I go with? Is there a better way to do it than the two scenarios listed above? Any recommendations? :-) Thanks guys!

      (If applicable: Should the web server be made public via NAT? or straight through IP access?)

        hoba

        For what you want to do you need a single pfSense with 4 NICs: WAN, WAN2, LAN (clients), DMZ (public servers). Everything else is just some Virtual IP/firewall rules/NAT magic to make things secure. If you have not done so yet, have a look at the multi-WAN docs on how to set this up. If you can live with all services running on a single IP but different ports, you can even do without the Virtual IP stuff.

          Sangheili

          Would 1:1 NAT be the best solution for the published web machine(s)?

            Cry Havok

            IMO for small numbers of services you are better off with port forwarding. It avoids exposing the entire host to the Internet.

              hoba

              A 1:1 NAT doesn't expose the complete host to the internet. You still need firewall rules to allow traffic. But I wouldn't use 1:1 NAT for only a few ports either, and it's more flexible if you do it with port forwards, as you can forward some ports to server A and some other ports to server B then. Another advantage is that port forwards will work with NAT reflection, whereas 1:1 NAT won't.

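As an added illustration (not from any of the posters above), here is the difference between the two approaches in pf(4) rule syntax, which is what pfSense generates from its NAT and Rules pages for a 4-NIC layout like hoba describes. Interface names, gateway names and the RFC 5737 / private addresses are constructed placeholders, and the DMZ-to-LAN restriction and the failover gateway list are assumptions about this setup rather than something the thread states.

```pf
# Constructed example: pfSense-style pf(4) rules for one box with
# WAN (T1), WAN2 (cable), LAN and DMZ. Addresses are placeholders.
wan_t1  = "em0"              # T1 WAN, public block 203.0.113.0/29
wan_cm  = "em1"              # Comcast cable WAN
lan     = "em2"              # internal clients and back-end servers
dmz     = "em3"              # public-facing web / Exchange edge host
t1_gw   = "203.0.113.1"      # T1 upstream gateway
cm_gw   = "198.51.100.1"     # cable upstream gateway
t1_vip  = "203.0.113.3"      # spare T1 address (a Virtual IP in the GUI)
web_dmz = "192.0.2.10"       # DMZ host, private address
lan_net = "10.0.0.0/24"
sql_be  = "10.0.0.20"        # back-end SQL server on the LAN
exch_be = "10.0.0.21"        # back-end Exchange server on the LAN

# Option A: port forwards (rdr). Only the listed ports are translated
# to the DMZ host; anything else sent to $t1_vip is never forwarded.
rdr on $wan_t1 proto tcp from any to $t1_vip port { 80, 443 } -> $web_dmz
rdr on $wan_t1 proto tcp from any to $t1_vip port 25 -> $web_dmz

# Option B: 1:1 NAT (binat). Every port is translated both ways, but,
# as hoba notes, nothing is reachable until a pass rule allows it.
# binat on $wan_t1 from $web_dmz to any -> $t1_vip

# Filter rules decide what is actually reachable under either option.
# pfSense uses "quick" so the first matching rule wins.
block in all
pass in quick on $wan_t1 proto tcp from any to $web_dmz \
    port { 80, 443, 25 } flags S/SA keep state

# DMZ host may only open the specific back-end services it needs
# (Exchange SMTP and HTTPS); the rest of the LAN stays unreachable.
pass in quick on $dmz proto tcp from $web_dmz to $exch_be \
    port { 25, 443 } keep state
block in quick on $dmz from $web_dmz to $lan_net

# SQL data is pushed from the LAN to the web box, so the DMZ host
# never needs to initiate a connection toward the SQL server.
pass in quick on $lan proto tcp from $sql_be to $web_dmz port 1433 keep state

# LAN clients: cable first, T1 as fallback. In pfSense this is a
# failover gateway group; the GUI reloads this list when its gateway
# monitor marks the cable link down.
pass in quick on $lan route-to { ($wan_cm $cm_gw), ($wan_t1 $t1_gw) } \
    from $lan_net to any keep state
```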