Set Up a Virtual DMZ and Trust Zones with pfSense

I. Set Up Routes at the Core Routers

1. On each site's core switch, configure the VLAN 200 interface and subnet, the DHCP relay (ip helper-address), a static route and OSPF. Note that 192.168.200.0/24 is directly connected on VLAN 200, so the static route for the same prefix is only used if the VLAN interface goes down (a connected route is always preferred over a static one); check the resulting table with "show ip route" after applying.
---------- Example: HQ Enterasys SecureStack --------------

router
enable
configure
interface vlan 200
ip address 192.168.200.1 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.1.1 1

router ospf 1
network 192.168.200.0 0.0.0.255 area 0.0.0.0

---------------- Phoenix Enterasys SecureStack -------------
router
enable
configure
interface vlan 200
ip address 192.168.200.2 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.2.1 1

router ospf 1
network 192.168.200.0 0.0.0.255 area 0.0.0.0

---------------- Florida Enterasys SecureStack C3 -------------

router
enable
configure
interface vlan 200
ip address 192.168.200.3 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.3.1 1
-----------------------------------------------------------------------------

II. Create the Edge Firewall
1. Run the standard pfSense setup, with the WAN address assigned by the CPE router.
2. Enable DHCP on the internal subnet (the DMZ segment, 192.168.200.0/24).
3. Routing
Gateway: add a gateway named Intranet on the LAN interface, pointing to the Trust Firewall's WAN (external) interface address (e.g. 192.168.200.2).
Routes: add a static route for every internal subnet with Intranet as its gateway.
4. Virtual IPs: add the public addresses as IP Aliases on the WAN interface.
5. NAT 1:1: map each virtual IP to the DMZ address of the server behind it.
6. Rules
WAN: pass TCP 80 and 443 to the web servers; pass any other specific port only toward the matching server's address. Because pf translates 1:1 NAT before evaluating the filter rules, the destination in these rules is the server's internal (post-NAT) address, not the public alias.
LAN: pass from LAN net to the internal subnets with the gateway set to Intranet, so traffic for the trusted networks is forced toward the Trust Firewall.
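The inbound path just described (WAN IP alias, 1:1 NAT, WAN rule) modelled in Python, as an added example that is not code from the original page or from pfSense. Every address is a constructed placeholder: 203.0.113.10 and 203.0.113.11 stand in for public aliases on WAN, 192.168.200.10 and 192.168.200.11 for servers on the DMZ segment, and the rule table is an assumed one. The point it shows is the ordering caveat from step 6: NAT runs first, so a WAN rule written against the public alias never matches, and the lint function flags exactly that mistake.

```python
"""Inbound path through the Edge Firewall: WAN IP alias -> 1:1 NAT -> WAN rule.

Added example; not code from the original page or from pfSense.
Addresses are constructed placeholders (see lead-in).
"""
import ipaddress

DMZ_NET = ipaddress.ip_network("192.168.200.0/24")

# Steps 4 and 5: IP aliases on WAN and the 1:1 mapping from each alias to a DMZ host.
ONE_TO_ONE = {
    "203.0.113.10": "192.168.200.10",
    "203.0.113.11": "192.168.200.11",
}

# Step 6: WAN rules as (proto, destination, ports, action). pf applies NAT
# before the filter, so a WAN rule's destination is the translated (private)
# address; a rule written against the public alias would never match.
WAN_RULES = [
    ("tcp", "any",            {80, 443}, "pass"),  # web to every DMZ host
    ("tcp", "192.168.200.11", {2222},    "pass"),  # one service, one matching server
]


def translate_inbound(dst):
    """1:1 NAT on the way in: public alias -> DMZ address (unchanged if unmapped)."""
    return ONE_TO_ONE.get(dst, dst)


def translate_outbound(src):
    """1:1 NAT is bidirectional: the DMZ host's replies leave with its alias."""
    reverse = {internal: public for public, internal in ONE_TO_ONE.items()}
    return reverse.get(src, src)


def wan_verdict(proto, dst_public, port):
    """Evaluate one inbound packet: NAT first, then first-match WAN rules, default deny.

    Returns (action, translated_destination).
    """
    dst = translate_inbound(dst_public)
    for rule_proto, rule_dst, rule_ports, action in WAN_RULES:
        if rule_proto != proto:
            continue
        if rule_dst != "any" and rule_dst != dst:
            continue
        if port not in rule_ports:
            continue
        return action, dst
    return "block", dst


def lint_rules(rules):
    """Flag WAN rules whose destination is neither "any" nor inside the DMZ.

    Such a rule is almost always a public alias typed in by mistake; because the
    destination has already been translated when the rule runs, it can never match.
    Returns the indices of the offending rules.
    """
    bad = []
    for index, (_proto, rule_dst, _ports, _action) in enumerate(rules):
        if rule_dst != "any" and ipaddress.ip_address(rule_dst) not in DMZ_NET:
            bad.append(index)
    return bad


if __name__ == "__main__":
    print(wan_verdict("tcp", "203.0.113.10", 443))   # web to the first server passes
    print(wan_verdict("tcp", "203.0.113.10", 2222))  # 2222 is only open toward .11
    print(lint_rules([("tcp", "203.0.113.10", {80}, "pass")]))  # public alias as dst: flagged
```

The same check is worth running against a live box: a WAN pass rule whose destination is one of the WAN aliases shows zero matches in the rule counters, which is the symptom of this mistake.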

III. Create the Trust Firewall
1. Interfaces
* WAN interface: an address on the same subnet as the Edge Firewall's internal interface (e.g. 192.168.200.2).
* LAN interface: an unused address from the inside subnet (e.g. the servers subnet).

2. Configure a 1:1 map on the Trust Firewall from the external to the internal interface
* Web GUI >> Interfaces >> WAN >> Enable Interface
* Firewall >> NAT >> 1:1 tab >> press "+" to add a mapping >> Interface = WAN, External subnet IP = IP of the external interface, Internal IP = any, Destination = any, Description = "Mapping from Trust to DMZ", NAT reflection = default
* Optional: Firewall >> Virtual IPs >> "+" >> Type = Other, Interface = OPT2 (the virtual interface being mapped, or WAN), IP address = address of the external or OPT2 interface, Description = "Virtual IP for 1:1 mapping"
* Firewall >> Rules >> WAN or OPT2 tab (whichever interface is being mapped) >> "+" >> Destination type = Single host or alias, Address = IP address of the internal interface, Destination port = any, Description = "WAN to LAN Mapping". As on the Edge Firewall, the rule matches the translated (internal) destination because 1:1 NAT is applied before the filter.

3. Routing
WAN_Gateway: pointing to the Edge Firewall's internal (LAN-side) interface, which sits on the same subnet as the Trust Firewall's WAN interface. The Edge Firewall's external address is on the CPE subnet and is not directly reachable from here, so it cannot serve as this gateway.
LAN_Gateway: pointing to the internal network core router.
Routes: add a static route for every internal subnet with LAN_Gateway as its gateway.
4. Force known intranet traffic inward. Add rules on the WAN (DMZ-facing) interface with IPv4 source 192.168.200.0/24 (the DMZ subnet) and the gateway set to LAN_Gateway; restrict the destination to the domain controllers rather than the whole intranet, since a compromised DMZ host otherwise gets LDAP, SMB and RPC reach into the entire internal network. The Active Directory ports below are an example:
* TCP/UDP 389 (LDAP)
* TCP 636 (LDAPS)
* TCP 3268-3269 (Global Catalog)
* TCP/UDP 88 (Kerberos)
* TCP/UDP 53 (DNS)
* TCP/UDP 445 (SMB)
* TCP 25 (SMTP)
* TCP 135 (RPC endpoint mapper)
* TCP dynamic range: RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS (49152-65535 by default on Windows Server 2008 and later)
* UDP 123 (NTP)
* TCP/UDP 464 (Kerberos password change)
* UDP 138 (NetBIOS datagram)
* TCP 9389 (AD Web Services)
* UDP 67 (DHCP)
* UDP 2535 (MADCAP)
* UDP 137 (NetBIOS name service)
* TCP 139 (NetBIOS session)
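The policy-routing rule set from step 4, expanded from the port list above and evaluated with pfSense's first-match semantics, as an added example that is not code from the original page or from pfSense. Its assumptions: the intranet is summarised as 10.10.0.0/16, the domain controllers are 10.10.10.2 and 10.10.10.3 (the page's ip helper-address targets reused as placeholders), 192.168.200.10 is a DMZ host, and the dynamic RPC range is the Windows Server 2008+ default of 49152-65535. It goes one step beyond the page by adding a block rule for everything else bound for the intranet, so DMZ hosts reach only the DCs on AD ports while Internet-bound traffic still follows the default (WAN_Gateway) route.

```python
"""Policy routing on the Trust Firewall for DMZ -> intranet Active Directory traffic.

Added example; not code from the original page or from pfSense.
Subnets, DC addresses and the RPC range are assumptions (see lead-in).
"""
import ipaddress

DMZ_NET = ipaddress.ip_network("192.168.200.0/24")
INTRANET = [ipaddress.ip_network("10.10.0.0/16")]                 # assumed summary
DOMAIN_CONTROLLERS = [ipaddress.ip_network("10.10.10.2/32"),      # assumed DCs
                      ipaddress.ip_network("10.10.10.3/32")]

# (protocol, first port, last port) from the Active Directory list above
AD_PORTS = [
    ("tcp", 389, 389), ("udp", 389, 389),        # LDAP
    ("tcp", 636, 636),                           # LDAPS
    ("tcp", 3268, 3269),                         # Global Catalog
    ("tcp", 88, 88), ("udp", 88, 88),            # Kerberos
    ("tcp", 53, 53), ("udp", 53, 53),            # DNS
    ("tcp", 445, 445), ("udp", 445, 445),        # SMB
    ("tcp", 25, 25),                             # SMTP
    ("tcp", 135, 135),                           # RPC endpoint mapper
    ("tcp", 49152, 65535),                       # dynamic RPC (assumed default range)
    ("udp", 123, 123),                           # NTP
    ("tcp", 464, 464), ("udp", 464, 464),        # Kerberos password change
    ("udp", 138, 138),                           # NetBIOS datagram
    ("tcp", 9389, 9389),                         # AD Web Services
    ("udp", 67, 67),                             # DHCP
    ("udp", 2535, 2535),                         # MADCAP
    ("udp", 137, 137),                           # NetBIOS name
    ("tcp", 139, 139),                           # NetBIOS session
]


def build_rules():
    """Expand the port list into an ordered, first-match rule set for the DMZ-facing interface."""
    rules = [
        {"proto": proto, "src": DMZ_NET, "dst": DOMAIN_CONTROLLERS,
         "ports": (lo, hi), "action": "pass", "gateway": "LAN_Gateway"}
        for proto, lo, hi in AD_PORTS
    ]
    # Anything else from the DMZ toward the intranet is denied (least privilege).
    rules.append({"proto": "any", "src": DMZ_NET, "dst": INTRANET,
                  "ports": (0, 65535), "action": "block", "gateway": None})
    # Remaining (Internet-bound) traffic follows the interface default route.
    rules.append({"proto": "any", "src": DMZ_NET, "dst": None,
                  "ports": (0, 65535), "action": "pass", "gateway": "default"})
    return rules


def evaluate(rules, proto, src, dst, port):
    """Return the gateway a packet is sent through ("LAN_Gateway" or "default") or "block"."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if src_ip not in rule["src"]:
            continue
        if rule["dst"] is not None and not any(dst_ip in net for net in rule["dst"]):
            continue
        lo, hi = rule["ports"]
        if not lo <= port <= hi:
            continue
        return rule["gateway"] if rule["action"] == "pass" else "block"
    return "block"   # no matching rule: pfSense's implicit default deny


if __name__ == "__main__":
    rules = build_rules()
    print(evaluate(rules, "tcp", "192.168.200.10", "10.10.10.2", 389))     # LDAP to a DC -> LAN_Gateway
    print(evaluate(rules, "tcp", "192.168.200.10", "10.10.10.50", 445))    # SMB to a non-DC -> block
    print(evaluate(rules, "tcp", "192.168.200.10", "198.51.100.7", 443))   # Internet -> default
```

One caveat when carrying this onto the box: a pfSense rule with a gateway set is only honoured while that gateway is up. By default a rule whose gateway is down is loaded without the gateway, so the matched traffic falls back to normal routing; if that fallback is not acceptable, enable the option to skip rules when their gateway is down under System >> Advanced >> Miscellaneous.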

IV. ESX Server Configuration
For failover, two ESX hosts are recommended. The virtual network layout is:
1. WAN: one NIC per host connected to the "untrusted" switch, which connects to the internal interface of the CPE router.
2. DMZ: one NIC per host, cabled directly to the other host's DMZ NIC (no switch in between).
3. Intranet: several NICs per host in a static LAG, with the matching LAG configured on the connected "core" switch.
4. Management: the ESX management network and the vMotion network, combined on one network.
