Denny,
We currently use a 3-NIC, bridged DMZ setup for our firewall here. This
solution works very well for the large number of Internet facing
servers. The benefits are exactly what you mentioned and there is no
performance issue at all. LAN clients can access the DMZ servers
without any additional configuration and it's really a pretty slick setup.
The only real caveat here is that CARP and bridge mode do not work
together. Thus, with this setup, you will not be able to build a
redundant firewall cluster using CARP. If this isn't a deal breaker for
you, I'd advocate the bridged DMZ setup.
-Gary
Denny Page wrote:
Hello all,
I'm looking for advice regarding choosing a Bridge or 1:1 NAT for a
DMZ with pfSense.
The address space from the ISP is 111.111.111.8/29 within
111.111.111.0/24. In other words, I get addresses 8-15 within the
class C network. 7 of the 8 addresses are in use. The current
deployment is using Shorewall running under Linux.
The hosts in the DMZ are currently using public addresses (.9 through
.14), and the firewall is using .8. The WAN nic on the firewall is
configured as 111.111.111.8/24 and the DMZ nic is configured as
111.111.111/32 (yes, same IP, different masks). The hosts in the DMZ
are presented to the WAN interface via ProxyArp. Hosts in the DMZ
need to be accessible both from the LAN and from inbound WAN.
From brief reading and experimentation, it would appear this type of
configuration is not an appropriate choice with pfSense. The
alternatives that appear to be available are moving the DMZ to private
addresses (192.168.2.0/24) and use 1:1 NAT, or to configure the WAN
and DMZ as a filtered bridge.
Going the 1:1 NAT approach, I will have to re-IP the hosts in the
DMZ. This is painful, but doable. I will also have to redo the
internal DNS maps for the DMZ. Annoying, but minor.
Going the bridging approach feels very much like the current ProxyArp
approach, and allows me to avoid the re-IP. However, most of the
discussion I've read in the mailing lists seems to be rather negative
on this approach, usually referring to LAN access (no longer an
issue?) and to shaping problems (still an issue?).
Is there a performance impact with either approach?
I would appreciate any guidance that anyone can offer.
Thanks,
Denny
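As an added illustration of the 1:1 NAT alternative Denny describes (not part of the thread, and not pfSense's generated configuration), the pf rules below show what the re-IP'd DMZ looks like underneath: the six public addresses in the /29 are mapped bidirectionally to private DMZ hosts with binat, the firewall keeps .8 for itself, and filtering is default-deny with explicit allows for inbound WAN services and LAN-to-DMZ access. Interface names (em0/em1/em2), the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ pool, the .9 -> 192.168.2.9 mapping pattern and the per-host services are assumptions.

```pf
# Added example, not from the thread. Interface names, the private
# address ranges, the mapping pattern and the services are assumed.
wan = "em0"        # 111.111.111.8/24 facing the ISP
dmz = "em1"        # 192.168.2.1/24 after the re-IP (assumed)
lan = "em2"        # 192.168.1.1/24 (assumed)

dmz_net = "192.168.2.0/24"
lan_net = "192.168.1.0/24"

# 1:1 (bidirectional) NAT: each usable public address in 111.111.111.8/29
# maps to exactly one DMZ host. 111.111.111.8 stays on the firewall itself.
binat on $wan from 192.168.2.9  to any -> 111.111.111.9
binat on $wan from 192.168.2.10 to any -> 111.111.111.10
binat on $wan from 192.168.2.11 to any -> 111.111.111.11
binat on $wan from 192.168.2.12 to any -> 111.111.111.12
binat on $wan from 192.168.2.13 to any -> 111.111.111.13
binat on $wan from 192.168.2.14 to any -> 111.111.111.14

# Ordinary LAN clients still share the WAN address for outbound traffic.
nat on $wan from $lan_net to any -> ($wan)

# Default deny; every rule below is an explicit allow (pf: last match wins).
block log all
pass out all keep state

# Inbound from the Internet: pf translates before it filters, so the
# filter rules name the private address, not the public one.
pass in on $wan proto tcp to 192.168.2.9  port { 80, 443 }   # web (assumed)
pass in on $wan proto tcp to 192.168.2.10 port 25            # mail (assumed)

# LAN -> DMZ: clients reach servers by their private addresses (this is
# why the internal DNS maps must be redone), so no NAT reflection is needed.
pass in on $lan from $lan_net to $dmz_net

# DMZ hosts may reach the Internet but must never initiate into the LAN.
block in log on $dmz from $dmz_net to $lan_net
pass in on $dmz from $dmz_net to ! $lan_net
```

The security-relevant difference from the bridged or ProxyARP layouts is visible in the last three rules: because the DMZ sits behind its own routed interface, a compromised DMZ host cannot reach LAN clients unless a rule explicitly permits it, and the block rule logs the attempt. Under a bridge the same separation has to be expressed per-interface on the bridge members, which is part of why the mailing-list discussion Denny mentions treats that setup as harder to get right.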
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]