<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets]]></title><description><![CDATA[<p dir="auto">I am new to networking, and only have a basic understanding. I have had great difficulty finding relevant and useful guides/examples on how to implement network security using pfsense. I will attempt to explain what I am attempting to do:</p>
<p dir="auto">I have a number of physical/virtual machines distributed over a number of different (and mostly virtual) NAT'd subnets.</p>
<p dir="auto">At present other than the LAN/WAN Firewall Router, there is no network based structure or other security apart from firewall software loaded on individual machines.</p>
<p dir="auto">I wish to replace the existing chaos with a structured solution using 1 or more pfsense servers.</p>
<p dir="auto">Ideally I would like to create three zones within my LAN, each zone containing 1 or more subnets.</p>
<p dir="auto">Zone 1 - LAN to WAN tunnel:</p>
<p dir="auto">I would like to create a series of at least 3 (up to 5) Virtual Firewalled Subnets in sequence connecting the WAN to the LAN (Example 192.168.1.0 &lt;&gt; 192.168.2.0 &lt;&gt; 192.168.3.0). These Subnets would not contain any equipment, other than the WAN/LAN Firewall Router in the first subnet and a single machine (perhaps a pfSense server) to which the DMZ and Internal Zones are connected.</p>
<p dir="auto">Traffic between each subnet in this zone would be restricted to a limited set of ports. I would like to use port redirection and encrypted tunneling between subnets, so that traffic for a specific service, might traverse several arbitrary (and possibly random) ports. (Example WAN:80&lt;&gt;192.168.1.0:80 - 192.168.1.0:10080 &lt;&gt; 192.168.2.0:10080 - 192.168.2.0:20080 &lt;&gt; 192.168.3.0:20080 - 192.168.3.0:80).</p>
<p dir="auto">Zone 2:DMZ</p>
<p dir="auto">I would also like to create one or more DMZ subnets each either in parallel AND/OR a series of DMZ subnets in sequence with firewalls in between each DMZ subnet to allow only limited access between each subnet. Serial DMZ subnets might contain a web/email/other server in the outer most DMZ subnet, and contain database, security and other storage servers in the inner most DMZ subnets.</p>
<p dir="auto">Zone 3:Internal</p>
<p dir="auto">I would like to create separate subnets for groups of real/virtual machines, in most cases isolating each subnet from all others.</p>
<p dir="auto">Exceptions, where traffic may need to travel from one subnet to another, may be established by either opening relevant ports for specific subnets OR by creating a secure tunnel for specific ports and specific machines and/or subnets.</p>
<p dir="auto">In all cases I will be using low-cost consumer network equipment and, where possible, a number of Virtual Machines or, in limited cases, a physical server. The majority of my laptops/PCs/servers will be running either CentOS7/Scientific Linux7/Oracle Linux7 or, in some cases, Windows. Some or all of these machines will also each be hosting 1 or more Virtual Machines using VirtualBox, KVM or ESXi.</p>
<p dir="auto">I realise that the layout described above may be unorthodox, and possibly even in part unfeasible; however, I would like to find out how to achieve as much of the above as possible.</p>
<p dir="auto">I would appreciate any constructive guidance that you can provide, and any pointers to relevant information or similar configurations.</p>
<p dir="auto">Thank you.</p>
]]></description><link>https://forum.netgate.com/topic/80656/creating-managing-multiple-real-virtual-subnets</link><generator>RSS for Node</generator><lastBuildDate>Wed, 10 Jun 2026 15:40:48 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/80656.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 03 Mar 2015 18:52:19 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets on Wed, 04 Mar 2015 09:20:24 GMT]]></title><description><![CDATA[<p dir="auto">Not really possible. Sorry. Layers 1, 2, and 3 are not to be conned.</p>
]]></description><link>https://forum.netgate.com/post/524833</link><guid isPermaLink="true">https://forum.netgate.com/post/524833</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Wed, 04 Mar 2015 09:20:24 GMT</pubDate></item><item><title><![CDATA[Reply to Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets on Wed, 04 Mar 2015 09:17:44 GMT]]></title><description><![CDATA[<p dir="auto">Tough but not impossible?</p>
<p dir="auto">It isn't possible to define multiple DHCP/NAT'd subnets and define rules for subnet to subnet traffic between each subnet?</p>
<p dir="auto">I assume that is the minimum to create a basic version of what I am attempting to do?</p>
<p dir="auto">I currently have DHCP/NAT from my firewall Router, and NAT on each machine with VirtualBox/KVM. All I really want to do is move all these disparate mechanisms onto a pfsense server so I can manage them more effectively.</p>
<p dir="auto">I would also not object to improving security between subnets, so I can be reasonably happy that my network would be much harder to penetrate.</p>
<p dir="auto">If it is necessary to use separate instances of pfsense for each subnet, then while this is less impressive, it is something I might consider.</p>
<p dir="auto">Please understand I am not a business, I don't have a budget for additional hardware. I have to make the best of what I have.</p>
]]></description><link>https://forum.netgate.com/post/524831</link><guid isPermaLink="true">https://forum.netgate.com/post/524831</guid><dc:creator><![CDATA[PFSenseNovice]]></dc:creator><pubDate>Wed, 04 Mar 2015 09:17:44 GMT</pubDate></item><item><title><![CDATA[Reply to Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets on Wed, 04 Mar 2015 00:23:50 GMT]]></title><description><![CDATA[<p dir="auto">Sorry, but you're going to have a tough time doing all that without at least a "web smart" switch.</p>
]]></description><link>https://forum.netgate.com/post/524771</link><guid isPermaLink="true">https://forum.netgate.com/post/524771</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Wed, 04 Mar 2015 00:23:50 GMT</pubDate></item><item><title><![CDATA[Reply to Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets on Tue, 03 Mar 2015 23:21:23 GMT]]></title><description><![CDATA[<p dir="auto">I only have unmanaged network switches, including a Netgear GS105.</p>
<p dir="auto">Any solution I create would have to be configured through pfSense without the benefit of external hardware.</p>
]]></description><link>https://forum.netgate.com/post/524756</link><guid isPermaLink="true">https://forum.netgate.com/post/524756</guid><dc:creator><![CDATA[PFSenseNovice]]></dc:creator><pubDate>Tue, 03 Mar 2015 23:21:23 GMT</pubDate></item><item><title><![CDATA[Reply to Creating&#x2F;Managing Multiple Real&#x2F;Virtual Subnets on Tue, 03 Mar 2015 19:01:50 GMT]]></title><description><![CDATA[<p dir="auto">What kind of switch do you have?</p>
]]></description><link>https://forum.netgate.com/post/524661</link><guid isPermaLink="true">https://forum.netgate.com/post/524661</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Tue, 03 Mar 2015 19:01:50 GMT</pubDate></item></channel></rss>