Best practice to expose public services

  • Hi, I'm wondering if there is some doc on best practices for exposing public services to the internet. I mean, I'm not sure if I should configure the servers with private IPs in the OPT1 net, create virtual IPs on WAN and manage all traffic via NAT (this is the Cisco ASA way),
    or whether it is better practice to configure a public subnet in OPT1, configure the servers with public IPs, and have pfSense just route (no NAT) the traffic between WAN and OPT1.
    I have several (40+) servers, running a great mix of services on each one (web, FTP, SMTP, POP3, etc.). I believe that managing so many virtual IPs will be a PITA, and I'm not sure about pfSense's translation and state limitations.
    Any hint will be greatly appreciated.

  • Depends on your environment. For hosting networks you usually want public IPs directly on the systems, though you may prefer using private IPs for various reasons. Either will work fine. If you use CARP, that is a lot of addresses to enter. Usually when I design colo networks using pfSense they use a /29 on the WAN side and have the provider route a second public IP block to one of the CARP IPs, and use the public IPs directly assigned on the internal servers.
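The two layouts discussed above, written out as plain FreeBSD pf rules so the difference is concrete. This is an added example, not code from the thread and not a ruleset generated by pfSense (pfSense builds its own ruleset from the GUI, so this is for reading, not for pasting into a pfSense box). The interface names, the /29 WAN block, the routed second block and the server addresses are all assumptions chosen for illustration, taken from the RFC 5737 documentation ranges.

```pf
# Added example, not from the original post or from pfSense itself.
# Assumed addressing (documentation ranges, not real hosts):
#   WAN /29  203.0.113.0/29 : .1 provider gateway, .2 and .3 the two CARP
#                             nodes, .4 the shared CARP VIP
#   Provider routes 198.51.100.0/26 to 203.0.113.4 (the answer's design)
wan_if  = "em0"
opt1_if = "em1"
wan_vip = "203.0.113.4"

### Translation section ###
# pf requires translation rules (binat/nat/rdr) before any filter rules.
# Only layout B (private OPT1 net, 1:1 NAT) needs an entry here; layout A
# (routed public subnet) has no translation at all.
#
# Layout B: one public VIP per server. 203.0.113.10 must be an address the
# provider delivers to the firewall (from the WAN /29 or from a block routed
# to the CARP VIP), and with CARP it must also exist as a CARP VIP on both
# nodes, which is the per-server bookkeeping the question is worried about.
binat on $wan_if from 10.10.0.10 to any -> 203.0.113.10

### Filter section ###
# Let the CARP pair talk to each other on both sides.
pass quick on $wan_if  proto carp keep state
pass quick on $opt1_if proto carp keep state

# Layout A: routed public subnet on OPT1. Servers carry 198.51.100.x directly;
# pfSense only routes and filters. Grouping servers by role in tables keeps the
# ruleset short for 40+ hosts, and adding a server is one table entry, no VIP.
table <web_srv>  { 198.51.100.10, 198.51.100.11 }
table <mail_srv> { 198.51.100.20 }

pass in quick on $wan_if proto tcp from any to <web_srv>  port { 80, 443 } keep state
pass in quick on $wan_if proto tcp from any to <mail_srv> port { 25, 110 }  keep state
# Everything else aimed at the hosting block is dropped; without NAT the
# firewall is the only thing between the internet and the servers' other ports.
block in quick on $wan_if to 198.51.100.0/26

# Layout B filter rule: inbound translation happens before filtering, so the
# rule matches the private (post-binat) address, not the public VIP.
pass in quick on $wan_if proto tcp from any to 10.10.0.10 port { 80, 443 } keep state
```

In pfSense terms, layout A is a static route from the provider to the CARP VIP plus WAN firewall rules whose destination is the OPT1 subnet; layout B is one Virtual IP (CARP type, if the pair must fail over) and one 1:1 NAT mapping per server, with firewall rules written against the private addresses. Both create one state entry per connection, so the state table load is the same either way; what differs is the number of VIP and NAT objects you maintain.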

