Netgate Discussion Forum
    Creating/Managing Multiple Real/Virtual Subnets

    Category: Firewalling
    6 Posts 2 Posters 1.3k Views
    PFSenseNovice wrote:

      I am new to networking, and only have a basic understanding. I have had great difficulty finding relevant and useful guides/examples on how to implement network security using pfSense. I will attempt to explain what I am attempting to do:

      I have a number of physical/virtual machines distributed over a number of different (and mostly virtual) NAT'd subnets.

      At present other than the LAN/WAN Firewall Router, there is no network based structure or other security apart from firewall software loaded on individual machines.

      I wish to replace the existing chaos with a structured solution using one or more pfSense servers.

      Ideally I would like to create three zones within my LAN, each zone containing 1 or more subnets.

      Zone 1 - LAN to WAN tunnel

      I would like to create a series of at least 3 (up to 5) virtual firewalled subnets in sequence connecting the WAN to the LAN (example: 192.168.1.0 <> 192.168.2.0 <> 192.168.3.0). These subnets would not contain any equipment, other than the WAN/LAN firewall router in the first subnet and a single machine (perhaps a pfSense server) to which the DMZ and Internal zones are connected.

      Traffic between each subnet in this zone would be restricted to a limited set of ports. I would like to use port redirection and encrypted tunneling between subnets, so that traffic for a specific service might traverse several arbitrary (and possibly random) ports. (Example: WAN:80 <> 192.168.1.0:80 - 192.168.1.0:10080 <> 192.168.2.0:10080 - 192.168.2.0:20080 <> 192.168.3.0:20080 - 192.168.3.0:80.)

      Zone 2 - DMZ

      I would also like to create one or more DMZ subnets, either in parallel and/or as a series of DMZ subnets in sequence, with firewalls between each DMZ subnet to allow only limited access between them. Serial DMZ subnets might contain a web/email/other server in the outermost DMZ subnet, and database, security and other storage servers in the innermost DMZ subnets.

      Zone 3 - Internal

      I would like to create separate subnets for groups of real/virtual machines, in most cases isolating each subnet from all others.

      Exceptions, where traffic may need to travel from one subnet to another, may be established either by opening relevant ports for specific subnets or by creating a secure tunnel for specific ports and specific machines and/or subnets.

      In all cases I will be using low-cost consumer network equipment and, where possible, a number of virtual machines or, in limited cases, a physical server. The majority of my laptops/PCs/servers will be running either CentOS 7/Scientific Linux 7/Oracle Linux 7 or, in some cases, Windows. Some or all of these machines will also each be hosting one or more virtual machines using VirtualBox, KVM or ESXi.

      I realise that the layout described above may be unorthodox, and possibly even in part unfeasible; however, I would like to find out how to achieve as much of the above as possible.

      I would appreciate any constructive guidance that you can provide, and any pointers to relevant information or similar configurations.

      Thank you.

      Derelict (LAYER 8, Netgate) wrote:

        What kind of switch do you have?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        PFSenseNovice wrote:

          I only have unmanaged network switches, including a Netgear GS105.

          Any solution I create would have to be configured through pfSense without the benefit of external hardware.

          Derelict (LAYER 8, Netgate) wrote:

            Sorry, but you're going to have a tough time doing all that without at least a "web smart" switch.

            PFSenseNovice wrote:

              Tough but not impossible?

              It isn't possible to define multiple DHCP/NAT'd subnets and define rules for subnet-to-subnet traffic between each subnet?

              I assume that is the minimum to create a basic version of what I am attempting to do?

              I currently have DHCP/NAT from my firewall router, and NAT on each machine with VirtualBox/KVM. All I really want to do is move all these disparate mechanisms onto a pfSense server so I can manage them more effectively.

              I would also not object to improving security between subnets, so I can be reasonably happy that my network would be much harder to penetrate.

              If it is necessary to use separate instances of pfSense for each subnet, then, while this is less impressive, it is something I might consider.

              Please understand I am not a business, I don't have a budget for additional hardware. I have to make the best of what I have.

                Derelict (LAYER 8, Netgate) wrote:

                Not really possible. Sorry. Layers 1, 2, and 3 are not to be conned.