On 2013-08-08 11:33, Adam Thompson wrote:
If you want to keep maximal separation but retain easy routability, connect the
lab firewall's WAN port to a dedicated OPT# port on your production firewall
and establish static routes on both firewalls.
Potentially turn off NAT on the lab firewall. It's possible to connect the two
firewalls on their OPTx interfaces with static routes *AND* connect the lab's
WAN port to either your main LAN or directly to your ISP... in which case you
will still need NAT on the lab firewall.
Keep your lab VLANs on a separate switch or switches; that's arguably even more
important than having a second firewall.
Remember that you then need to edit (usually) two sets of firewall rules to
allow traffic back and forth.
You'll probably want lab DNS integrated into your main DNS tree as a subdomain;
that way you can have a lab DNS server handle lab DNS while maintaining a
contiguous namespace (e.g. "www.lubik.ca" vs. "www.lab.lubik.ca"). Remember,
though, if you want it to be resolvable from the outside world, the NS records
for lab.lubik.ca have to point to a publicly reachable IP address.
-Adam Thompson
[email protected]
Thanks a lot,
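
The delegation caveat in the quoted advice (NS records for lab.lubik.ca must point to a publicly reachable address) can be checked mechanically. The following is an added example, not part of the original message: the zone excerpt is constructed, 203.0.113.53 is a documentation address standing in for a public IP, and the function names are hypothetical.

```python
import ipaddress

# Constructed parent-zone excerpt for illustration; not taken from the thread.
# 203.0.113.53 is a documentation address standing in for a public IP.
PARENT_ZONE = """\
; delegation of the lab subdomain
lab.lubik.ca.      IN NS  ns1.lab.lubik.ca.
lab.lubik.ca.      IN NS  ns2.lab.lubik.ca.
lab.lubik.ca.      IN NS  ns3.lab.lubik.ca.
ns1.lab.lubik.ca.  IN A   192.168.50.2
ns2.lab.lubik.ca.  IN A   203.0.113.53
"""

# Ranges that the outside world cannot route to.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
)]

def parse_records(zone_text):
    """Yield (owner, type, value) from simple 'name IN TYPE value' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if len(fields) >= 3:
            yield (fields[0].rstrip(".").lower(), fields[-2].upper(),
                   fields[-1].rstrip(".").lower())

def audit_delegation(zone_text, child):
    """Map each NS host of `child` to 'ok' or the reason outsiders cannot reach it."""
    records = list(parse_records(zone_text))
    glue = {}
    for owner, rtype, value in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(value)
    findings = {}
    for owner, rtype, host in records:
        if rtype != "NS" or owner != child:
            continue
        addrs = glue.get(host, [])
        private = [a for a in addrs
                   if any(ipaddress.ip_address(a) in net for net in NON_PUBLIC)]
        if not addrs:
            findings[host] = "no glue A record"
        elif private:
            findings[host] = "not publicly reachable: " + ", ".join(private)
        else:
            findings[host] = "ok"
    return findings

if __name__ == "__main__":
    for host, status in audit_delegation(PARENT_ZONE, "lab.lubik.ca").items():
        print(f"{host}: {status}")
```

A name server flagged here would answer queries from inside the lab but leave the subdomain unresolvable from the Internet, which is the failure the advice warns about.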