
Author Topic: DMZ with two FWs and one server  (Read 102 times)


jraschke11
DMZ with two FWs and one server
« on: December 19, 2017, 07:14:41 am »
Hello, sorry, I am inexperienced with certain parts of setting up a new network.

I am going to purchase a Netgate SG-3100; it has 2 ports for WAN/WAN or WAN/LAN and then a 4-port LAN switch.

I am going to have one internet-facing firewall with a public IP and port forwarding to my web server, one web server with a private IP on #DMZsubnet, and a second firewall behind the web server protecting my internal LAN.

Would it be correct to use the WAN port on FW#1 for the internet, and then plug both the web server and the WAN port of FW#2 into one of the four LAN switchports?

This setup is for a factory with 48 machines on the floor, and those 48 machines are feeding information to the web server. I know normally the FW#2 protecting the LAN doesn't allow any incoming traffic from the DMZ, only outgoing from the LAN, but that's not possible in this setup because I have to have two-way communication between the web server and the machines. But I still want to make it as secure as possible.

Thanks.
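As an added illustration (not part of the original post, and not a reply from the forum), the least-privilege policy the poster describes for FW#2, written in raw pf syntax, which is what pfSense generates from its GUI rules. Every address, the interface name and the application port are assumed placeholders; the only thing carried over from the post is the topology: FW#2's upstream interface sits on the DMZ switch, the web server is the only DMZ host allowed to initiate into the factory subnet, and the machines may only talk back to that server.

```pf
# Added example. Assumed placeholder values; replace with your own.
# FW#2's upstream interface is the one plugged into FW#1's LAN switch.
dmz_if   = "mvneta0"          # assumed name of FW#2's upstream interface
dmz_net  = "192.168.10.0/24"  # assumed DMZ subnet behind FW#1
web_srv  = "192.168.10.10"    # assumed web server address in the DMZ
lan_net  = "192.168.20.0/24"  # assumed factory floor subnet behind FW#2
app_port = "8080"             # PLACEHOLDER: port the machines and server use

set skip on lo0

# Default deny in both directions; only the explicit rules below match.
block log all

# Outbound: machines may reach only the web server, only on the application port.
pass out quick on $dmz_if proto tcp from $lan_net to $web_srv port $app_port \
    flags S/SA keep state

# Inbound: only the web server, only on the application port, only to the machines.
# This is the one hole in the "nothing inbound from the DMZ" rule the post mentions.
pass in quick on $dmz_if proto tcp from $web_srv to $lan_net port $app_port \
    flags S/SA keep state

# Anything else arriving from the DMZ (other DMZ hosts, other ports on the
# web server) is dropped and logged so it can be spotted in the firewall log.
block in log quick on $dmz_if from $dmz_net to any
```

On pfSense these would be entered as rules on FW#2's WAN interface; if the factory machines also need internet access through FW#2, that needs its own outbound rule, which is not shown here.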