Set up a DMZ in pfSense with virtual servers, physical pfSense server

dmz pfsense vmware-esxi

I am looking for some networking tips on how to set up a DMZ in pfSense and place some virtual servers in that DMZ. Right now my network looks like this:

Uverse (static IPs) -> pfSense WAN -> (virtual IPs/CARP, 1:1 NAT to the virtual server's internal IP address)

With Uverse I have to set up virtual IPs/CARP to bring the external static IPs through the WAN.

This configuration works great; my virtual servers (a web server and an Exchange server) are getting their respective external IP addresses. I have also set up their respective firewall rules, opening only the ports that are needed.

What I want to be able to do is put these virtual machines in a DMZ to best protect my internal network. My virtual machines are running on ESXi 5.0. My pfSense server (2.0.1) is physical with 4 NICs. Right now 2 of the 4 are being used: 1 WAN, 1 LAN.

Any help/guidance on how to set up BOTH pfSense and ESXi/vSphere to put these virtual machines in a DMZ would be appreciated. I still need to connect to them from my internal network, but at the same time I want to protect my internal network from these servers should they become compromised. My ESXi host has 2 physical NICs.

Best Answer

I did this with pfSense, XenServer, and some ProCurves.

I added a tagged VLAN to the LAN interface of my pfSense box.

Then I added the tag on my switch to the ports that go from my router/FW to my XenServer pool, which, because I had multiple hosts in the pool, meant the tag went on all the ports the pool had access to.

Then, in XenServer, I created a new network with that tag, and made VMs that only had access to the DMZ VLAN.

In pfSense I allowed the DMZ VLAN (which is a full interface, just like any other) out to the outside world, and blocked everything from it to the LAN.
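The policy the answer describes (DMZ may talk out, DMZ may not talk to the LAN, LAN may reach the DMZ servers on their service ports), written out as raw pf rules for a tagged VLAN child interface. This is an added example, not code from the question, the answer, or the pfSense project: pfSense generates its own ruleset from the GUI (Interfaces > (assign) > VLANs, then Firewall > Rules on the new interface), and the rules below are the equivalent policy in pf syntax so that rule order and scope are explicit. The interface names, VLAN tag, subnets and port list are assumptions; the ESXi commands in the header are the port-group equivalent of the XenServer network in the answer and are given for reference only.

```shell
#!/bin/sh
# Added example: the DMZ policy from the answer as pf(4) rules on a VLAN
# child interface. Interface names, tag, subnets and ports are assumptions.

LAN_IF="em1"                          # assumed: pfSense LAN NIC carrying the tag
VLAN_TAG="100"                        # assumed: 802.1Q tag for the DMZ
DMZ_IF="${LAN_IF}_vlan${VLAN_TAG}"    # pfSense 2.x names VLAN children like this
LAN_NET="192.168.1.0/24"              # assumed
DMZ_NET="10.10.10.0/24"               # assumed
DMZ_PORTS="80, 443, 3389"             # assumed: what LAN users need on the servers

# ESXi side, for reference (run on the host, not here): a port group on the
# vSwitch tagged with the DMZ VLAN. A VM whose only vNIC is in that port
# group sits on the DMZ VLAN and nothing else, mirroring the XenServer step:
#   esxcli network vswitch standard portgroup add -p DMZ -v vSwitch0
#   esxcli network vswitch standard portgroup set -p DMZ --vlan-id 100

# Emit the ruleset. pf macros are written as \$name so the heredoc leaves
# them for pf while still substituting the shell variables above.
dmz_ruleset() {
  cat <<EOF
lan_if = "${LAN_IF}"
dmz_if = "${DMZ_IF}"
lan_net = "${LAN_NET}"
dmz_net = "${DMZ_NET}"
dmz_ports = "{ ${DMZ_PORTS} }"

# pfSense puts "quick" on every rule, so the first match wins: the denies
# toward the LAN and the firewall itself must precede the permit to "any".
# 1. DMZ hosts may not initiate anything toward the LAN.
block in quick on \$dmz_if from \$dmz_net to \$lan_net
# 1b. Nor reach the firewall's own management ports on the DMZ address.
block in quick on \$dmz_if proto tcp from \$dmz_net to (\$dmz_if) port { 22, 80, 443 }
# 2. DMZ hosts may reach the outside world (stateful, so replies return).
pass in quick on \$dmz_if from \$dmz_net to any keep state
# 3. LAN users may reach the DMZ servers on the published ports only.
#    State is created here, so no DMZ->LAN pass is needed for the replies.
pass in quick on \$lan_if proto tcp from \$lan_net to \$dmz_net port \$dmz_ports keep state
# 4. Anything else arriving on the DMZ side (e.g. spoofed sources) is dropped.
block in quick on \$dmz_if
EOF
}

# Ordering check: the DMZ->LAN block must come before the DMZ->any pass,
# otherwise "quick" lets the pass win. Returns 0 when the order is right.
dmz_ruleset_order_ok() {
  dmz_ruleset | awk '
    /^block in quick on \$dmz_if from \$dmz_net to \$lan_net$/ && !b { b = NR }
    /^pass in quick on \$dmz_if from \$dmz_net to any/ && !p { p = NR }
    END { exit !(b && p && b < p) }'
}

# Parse-only check with pfctl when run on the firewall itself; a workstation
# has no pfctl, so the check is skipped there rather than failing.
dmz_ruleset_check() {
  if command -v pfctl >/dev/null 2>&1; then
    dmz_ruleset | pfctl -nf -
  else
    echo "pfctl not found; parse-check the ruleset on the pfSense box" >&2
  fi
}
```

The switch port (or the direct cable) between the pfSense LAN NIC and the ESXi uplink must carry the tag as a trunk, exactly as the answer does on the ProCurves; with only two NICs on the ESXi host, that is what lets one uplink serve both the LAN and the tagged DMZ. Rule 1b is the caveat the answer's "blocked all to the LAN" does not cover: the firewall's own address on the DMZ interface is not in the LAN subnet, so without it a compromised DMZ host could still reach the pfSense web GUI.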
