Looking for some network design advice…



  • OK, so here's what I've got.

    Two incoming WAN connections, a Comcast cable modem (dedicated IP) and a dedicated T1 with 6 IPs.

    I have an old Nortel Brick firewall with 4 Intel NICs in it that I'm going to beef up and try to get pfSense running on.
    I also have a SonicWall 1260 that I'm currently using as my only firewall.

    I'm looking to host a web box to the outside world via the T1 (and possibly also the Comcast via a DNS 2nd address if possible). I would like this web box to be in the best DMZ/security scenario possible based on my assets available. The web server is going to host a stripped-down read-only SQL database, a few corporate public websites, maybe some FTP, and act as an Exchange front-end/edge transport server.

    On the inside I have about 4 servers and 20+ clients. As far as routing goes, the Exchange traffic needs to get routed inbound to the back end, and the SQL data needs to be passed outward to the web box (the SQL stuff is for a client-accessible web application for inventory reports and such). Also I need to provide inward access to Exchange services such as OWA and Exchange ActiveSync inside my internal network (probably via NAT with one of the T1 IPs).

    I would like WAN failover for the LAN clients. Their traffic should go out the cable modem if possible, if not, the T1.

    The two (high-level) scenarios I've seen for this would be a WAN - Firewall - Firewall - LAN deployment where the DMZ/web box is strung off one of the firewalls (most likely the first one), or the second scenario being the "sandwich", if you will: WAN - Firewall - DMZ - Firewall - LAN.

    What should I go with? Is there a better way to do it than the two scenarios listed above? Any recommendations? :-) Thanks guys!

    (If applicable: Should the web server be made public via NAT? or straight through IP access?)



  • For what you want to do you need a single pfSense with 4 NICs: WAN, WAN2, LAN (clients), DMZ (public servers).  Everything else is just some virtual IP / firewall rule / NAT magic to make things secure. If you have not done so yet, have a look at the multi-WAN docs on how to set this up. If you can live with all services running on a single IP but different ports, you can even do without the virtual IP stuff.



  • Would 1:1 NAT be the best solution for the published web machine(s)?



  • IMO for small numbers of services you are better off with port forwarding.  It avoids exposing the entire host to the Internet.



  • A 1:1 NAT doesn't expose the complete host to the internet. You still need firewall rules to allow traffic. But I wouldn't use 1:1 NAT for only a few ports either, and it's more flexible if you do it with port forwards, as you can forward some ports to server A and some other ports to server B then. Another advantage is that port forwards will work with NAT reflection whereas 1:1 NAT won't.
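To make the port-forward versus 1:1 NAT distinction from the replies above concrete, here is an added pf.conf fragment written in the pf syntax pfSense generates underneath its GUI. It is not code from the thread or from the pfSense project, and the interface names (em0, em2), the placeholder public address (from the RFC 5737 documentation range 203.0.113.0/24) and the private DMZ/LAN addresses are assumptions; substitute the site's own values. It shows that a port forward (rdr) only translates the chosen ports, while a 1:1 NAT (binat) translates every port and therefore relies entirely on the filter rules that follow it.

```pf
# Added example, not from the thread or from pfSense itself.
# Interface names and addresses are placeholders.
ext_if  = "em0"             # T1 WAN interface (assumed name)
dmz_if  = "em2"             # DMZ interface (assumed name)
web_pub = "203.0.113.10"    # one of the public T1 addresses (RFC 5737 placeholder)
web_srv = "192.168.100.10"  # web box on the DMZ (placeholder)
lan_net = "192.168.1.0/24"  # internal LAN (placeholder)

# Option A: port forward. Only TCP 80 and 443 sent to the public address are
# translated to the web box; packets to any other port are never redirected.
rdr on $ext_if proto tcp from any to $web_pub port { 80, 443 } -> $web_srv

# Option B: 1:1 NAT. Every port of the public address maps to the web box and
# the box's outbound traffic leaves as $web_pub. Translation alone permits
# nothing, which is why the filter rules below are still required.
# Use either A or B for a given public address, not both.
# binat on $ext_if from $web_srv to any -> $web_pub

# Filter rules are evaluated after translation, so they match the internal
# address. pf uses last-matching-rule semantics: the block comes first and the
# later pass rule wins only for the ports it names.
block in log on $ext_if from any to $web_srv
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } keep state

# Keep a compromised DMZ host from initiating connections into the LAN; the
# SQL push described in the question is initiated from the LAN side, so it is
# unaffected by this rule.
block in log on $dmz_if from $dmz_if:network to $lan_net
```

With Option A, a scan of the public address finds only 80 and 443 redirected; with Option B, every port reaches the filter and the block rule is what keeps the host closed, so the filter rules must be reviewed whenever a 1:1 mapping is added.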

