next »

[josb]

Hi,

I have been reading the forums and documentation for days now, but I can't seem to figure out how to get a working configuration for my setup.

I currently have  a working firewall using debian linux and shorewall which consists of four interfaces:

1: LAN (192.168.1.x)
2: DMZ (192.168.2.x) (two servers)
3: Databases (192.168.3.x) (currently only one server)
4: WAN

Only the networks on interface 2 and 3 access the internet through the wan link.
The servers on interface 2 are accessible through the WAN link (DNAT)
Servers on interface have access to the machines on interface 3 (only MSSQL ports open)
The machines on interface 1 have access to machines on interface 2 and 3

This has been working fine for years now, but WAN access for the LAN is through an adsl modem/router directly hooked on to the network. I'm not really happy with that since I have to configure static routes for every machine on the LAN be able to use the internet and have access to the servers. Besides of course not being able to monitor/filter the LAN internet traffic.

I would like to rebuild it using pfsense and also to incorporate this adsl link into the firewall, so that all traffic to and from the internet will be done through this machine. Besides that I would like to use a dedicated card in the firewall for each server in subnet 192.168.2.x. I guess this results in a complex firewall and router, having six interfaces in total:

1: WAN: fibre, having multiple fixed IP's on same segment)
2: WAN: connected to adsl modem which functions as a NAT device, accessible through 192.168.1.1. I can not turn this off, nor directly use the public IP of this modem (restrictions of the ISP)
3: LAN: 192.168.3.x
4: LAN: 192.168.2.x (cross-over cable directly to another box)
5: LAN: 192.168.2.x (cross-over cable directly to another box)
6: LAN: 192.168.1.x

Meaning that interface 2 and 6 are on the same segment (192.168.1.x) besides the fact that the NAT process is done by the router. Interface 4 and 5 will also be on the same segment (192.168.2.x)

This is how it should end up like. Sorry for being in paint, I don't have Visio or an equivalent available at the moment



With the routes for being able to access the internet, so people can browse and the servers can get their updates


Showing the routes through which the machines on the LAN access the servers


The route through which the servers connect to the db server


And lastly showing that the webservers are only accessible through the fibre link:


I would really apreciate any tips and hints on how to accomplish this.  Thanks for reading my post!

[podilarius]

Some might not like it, but you can bridge 2 and 6 in bridge0 and then bridge 4 and 5 into bridge1. You can then setup proper routing and rules based on where you want traffic to go. You can also put each NIC into its own subnet and then firewall/route/NAT based on source and destination, this is probably the direction I would go.

[josb]

Thanks, I'll try that!

Is it still possible to let squid transparently filter and cache the traffic from interface 6 to 2 that way?

The reason I'd rather not change the subnet of 4 and 5 is that they form an Active Directory (only between them). I tried changing the subnet of the internal network, but for some reason I could not get it to access the internet via the adsl modem that way. I prefer the firewall not doing any NAT for traffic going from 6 to 2 since the adsl modem also performs NAT. Pretty crappy situation, I know

[podilarius]

It might not be ideal, but sometimes that is the hand we are dealt. Thankfully pfSense is flexible and can work for both solutions.