Does this setup make sense?



  • This is what I currently have:

    • Two servers directly connected to the internet on a switch, each with a /27 subnet.

    I'm thinking about the following setup:

    • A switch that is connected directly to the internet with VLAN support.
    • A box running pfSense with 2 NICS. One for WAN connected to the switch, one on VLAN connected to the switch.
    • Two servers connected to the switch with VLAN that get firewalled by pfSense.

    Essentially, I'd like all traffic to the servers to go through pfSense. I'd assign both of the subnets to the pfSense box and then NAT 1:1 them to the servers. The servers would keep their current network configuration setup with the addition of the VLAN ID but would be protected by the firewall.

    Does this make sense?
    ![Screen Shot 2015-12-04 at 20.51.09.png](/public/imported_attachments/1/Screen Shot 2015-12-04 at 20.51.09.png)



  • What's the requirement to have the switch in front of the firewall?



  • @KOM:

    What's the requirement to have the switch in front of the firewall?

    I don't own the network, I have to live with what the data center has to offer. Theoretically they'd install a switch between the pfSense box and my servers for me, but the price tag is too hefty.



  • I'm unclear on two things:

    1. Are the two current /27 Internet subnets on separate VLANs inside the switch, or are they on one VLAN? If they are on two, then there is no problem getting them into pfsense. If they are on one, I think you could add the two subnets to one physical interface, but I've never tried that. It would be much cleaner if the two Internet /27 subnets were on separate VLANs.

    2. Are you thinking you don't have to change the IP addresses on the servers? You will need to do this. There isn't any way (that I know of) to keep the same IP addresses on the Internet side and the private side.

    Providing your pfsense server's NIC can handle VLANs, you may not even need multiple pfsense interfaces, just trunk all the applicable VLANs into pfsense on one interface.

    One caveat: The accepted security best practice is that VLANs are not a secure boundary. If you are subject to any sort of security audits, you will get nailed on having Internet and private traffic on the same switch.

    Next caveat: I've never used VLANs on pfsense. I use them day in and day out on Cisco equipment, and I know what Cisco can and can't do with VLANs. But I'm only assuming when I extend that knowledge to pfsense.
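As an added illustration (not from this thread or from the pfSense project), here is how the proposed design, pfSense in front of the servers with 1:1 NAT onto a VLAN, would look as a pf.conf fragment, the FreeBSD pf rule syntax that pfSense drives underneath its GUI. It also reflects the re-addressing point made in the reply above: the servers move to private addresses on the VLAN and the public addresses live on the firewall. The interface names, the VLAN id, the ports and every address below are assumptions for the example.

```pf
# Added example, not from the thread: pf.conf sketch of the proposed
# design as pfSense's underlying pf would express it. Interface names,
# the VLAN id and every address below are assumptions for illustration.

ext_if = "em0"       # WAN NIC, plugged into the data-center switch
int_if = "em1.10"    # second NIC, VLAN 10 sub-interface facing the servers

# Public addresses out of the two /27s (documentation ranges stand in here).
# They must also be reachable on $ext_if, e.g. as IP-alias or proxy-ARP
# virtual IPs in pfSense, or nothing upstream will deliver traffic to them.
pub_srv1 = "203.0.113.10"
pub_srv2 = "198.51.100.10"

# The private addresses the servers move to on the VLAN behind pfSense.
priv_net  = "10.10.10.0/24"
priv_srv1 = "10.10.10.11"
priv_srv2 = "10.10.10.12"

# 1:1 NAT: each public address is mapped bidirectionally to one private host.
# pf translates before filtering, so inbound pass rules on $ext_if match the
# private (post-translation) destination, and outbound pass rules on $ext_if
# match the public (post-translation) source.
binat on $ext_if from $priv_srv1 to any -> $pub_srv1
binat on $ext_if from $priv_srv2 to any -> $pub_srv2

# Default deny; log what is dropped so there is an audit trail.
block log all

# Allow only the services each server actually exposes (assumed: web on
# one, SSH on the other). Stateful, so replies are handled automatically.
pass in on $ext_if proto tcp from any to $priv_srv1 port { 80, 443 } keep state
pass in on $ext_if proto tcp from any to $priv_srv2 port 22 keep state

# Let the servers reach the internet, and let pfSense forward into the VLAN.
pass in  on $int_if from $priv_net to any keep state
pass out on $ext_if from { $pub_srv1, $pub_srv2 } to any keep state
pass out on $int_if to $priv_net keep state
```

The one-address-per-server binat lines are the pf form of pfSense's 1:1 NAT entries; because only two public addresses are mapped, the rest of each /27 stays unused on the firewall until a matching entry and virtual IP are added. The VLAN caveat from the reply still applies: the WAN and server VLANs share the same data-center switch, so the firewall separates them logically, not physically.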

