Netgate Discussion Forum
    Does this setup make sense?

    Firewalling
    4 Posts 3 Posters 880 Views
    • __init__

      This is what I currently have:

      • Two servers directly connected to the internet on a switch, each with a /27 subnet.

      I'm thinking about the following setup:

      • A switch that is connected directly to the internet with VLAN support.
      • A box running pfSense with 2 NICS. One for WAN connected to the switch, one on VLAN connected to the switch.
      • Two servers connected to the switch with VLAN that get firewalled by pfSense.

      Essentially, I'd like all traffic to the servers to go through pfSense. I'd assign both of the subnets to the pfSense box and then NAT 1:1 them to the servers. The servers would keep their current network configuration setup with the addition of the VLAN ID but would be protected by the firewall.

      Does this make sense?
      ![Screen Shot 2015-12-04 at 20.51.09.png](/public/imported_attachments/1/Screen Shot 2015-12-04 at 20.51.09.png)

      • KOM

        What's the requirement to have the switch in front of the firewall?

        • __init__

          @KOM:

          What's the requirement to have the switch in front of the firewall?

          I don't own the network; I have to live with what the data center has to offer. Theoretically they'd install a switch between the pfSense box and my servers for me, but the price tag is too hefty.

          • GomezAddams

            I'm unclear on two things:

            1. Are the two current /27 Internet subnets on separate VLANs inside the switch, or are they on one VLAN? If they are on two, then there is no problem getting them into pfsense. If they are on one, I think you could add the two subnets to one physical interface, but I've never tried that. It would be much cleaner if the two Internet /27 subnets were on separate VLANs.

            2. Are you thinking you don't have to change the IP addresses on the servers? You will need to do this. There isn't any way (that I know of) to keep the same IP addresses on the Internet side and the private side.

            Providing your pfsense server's NIC can handle VLANs, you may not even need multiple pfsense interfaces, just trunk all the applicable VLANs into pfsense on one interface.

            One caveat: The accepted security best practice is that VLANs are not a secure boundary. If you are subject to any sort of security audits, you will get nailed on having Internet and private traffic on the same switch.

            Next caveat: I've never used VLANs on pfsense. I use them day in and day out on Cisco equipment, and I know what Cisco can and can't do with VLANs. But I'm only assuming when I extend that knowledge to pfsense.

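The point raised in the reply above, that a network-to-network 1:1 NAT preserves host offsets and therefore requires the servers to be renumbered onto a private subnet, can be shown with a small model of the address translation. This is an added example written for this thread, not code from the posters or from pfSense; the public /27 is modelled with the documentation range 203.0.113.0/27 and the private VLAN side with 10.10.1.0/27, both constructed values.

```python
import ipaddress

# Constructed sample subnets: one public /27 as assigned by the data centre
# (modelled with a documentation range) and the private /27 that the servers
# would be renumbered into behind pfSense.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/27")
PRIVATE_NET = ipaddress.ip_network("10.10.1.0/27")


def validate_mapping(src, dst):
    """Return True when src and dst can form a valid 1:1 network NAT pair.

    Both subnets must be the same size (host bits are copied unchanged) and
    must not overlap: if the 'private' side were the public block itself,
    the firewall would have the same prefix on both interfaces and could
    not route between them. That is why the servers cannot keep their
    public addresses once they sit behind the NAT.
    """
    src_net = ipaddress.ip_network(src)
    dst_net = ipaddress.ip_network(dst)
    if src_net.prefixlen != dst_net.prefixlen:
        return False
    if src_net.overlaps(dst_net):
        return False
    return True


def one_to_one_map(addr, src_net, dst_net):
    """Translate addr from src_net to the host with the same offset in dst_net."""
    if not validate_mapping(str(src_net), str(dst_net)):
        raise ValueError(f"{src_net} -> {dst_net} is not a valid 1:1 pair")
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def inbound(public_addr):
    """Destination rewrite applied to a packet arriving on WAN for a public IP."""
    return str(one_to_one_map(public_addr, PUBLIC_NET, PRIVATE_NET))


def outbound(private_addr):
    """Source rewrite applied to a packet leaving a server on the private VLAN."""
    return str(one_to_one_map(private_addr, PRIVATE_NET, PUBLIC_NET))


def mapping_table():
    """Full public -> private host mapping for the /27 pair (30 usable hosts)."""
    return {str(h): inbound(str(h)) for h in PUBLIC_NET.hosts()}


if __name__ == "__main__":
    for pub, priv in mapping_table().items():
        print(f"{pub:>16}  <->  {priv}")
    print("keep public IPs behind NAT:",
          validate_mapping("203.0.113.0/27", "203.0.113.0/27"))
```

Running the module prints the thirty host pairs; the last line prints False, which is the model's way of stating the reply's second point: a mapping from the public block onto itself is not a usable 1:1 pair, so each server needs an address from the private side.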
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.