2 Firewalls or 1

robertfontaine

New Around Here
I'm currently using pfsense as my firewall/router and thinking about setting up the DMZ.

If I understand correctly I can establish my DMZ as a VLAN using a single instance of pfsense OR I can have two instances of pfsense and firewall the internal network and the external network discretely.

In theory it seems to me that this works out to the same things but it also seems to me that in practice, theory and practice are not so...

What is current best/reasonable practice? Do you use 2 discrete firewalls or leverage the 1? Or do you lose your mind entirely and put a router in front of every vlan that you have?

My own use case is SOHO/Lab and my data isn't terribly sensitive or private. This is mostly a question of what is considered good practice and why. I'm currently just enjoying learning the tools and building out a network.

Thanks,
Robert
 
Well, if you have two instances of pfsense, i.e. two routers, then you have two physical lans. This is quite different than having two virtual lans (vlans) from a wiring perspective, but generally the vlans will work the same.

As far as best practice, it's all about why you need vlans or why you need physically separate networks. There's no general right or wrong.

To give you some more history, vlans were created to decrease the burden of managing more physical devices and cabling. But the drawback is that technically there are ways to hack across vlans, so if you really need to keep them separate, then the best thing to do is keep them physically separate.
 
I am looking into doing a similar thing due to pfsense's lack of a decent working IGMP setup for IPTV with sky on-demand. PF is always my first choice for routers but kills IPTV dead - its IGMP hasn't been updated since 2005 and cannot be configured for this.

I was thinking of a second router through the dmz with a vlan (most basic routers cope with igmp without issue) and putting the skyq boxes on this.
 
I am looking into doing a similar thing due to pfsense's lack of a decent working IGMP setup for IPTV with sky on-demand. PF is always my first choice for routers but kills IPTV dead - its IGMP hasn't been updated since 2005 and cannot be configured for this.

Works fine - IGMP proxy, but you need to create the rule sets to make it work... but also consider that many IPTV services are handled via VLANs on the same connection...

Should work fine, but if you're trying to break things out across two LAN/WLANs, then you need to consider the appropriate VLAN tags, and also consider a managed switch behind the pfSense box, as pfSense is just a router, and some of this stuff is more Layer 2, which is best handled by a switch.
 
I'm currently using pfsense as my firewall/router and thinking about setting up the DMZ.

If I understand correctly I can establish my DMZ as a VLAN using a single instance of pfsense OR I can have two instances of pfsense and firewall the internal network and the external network discretely.

In theory it seems to me that this works out to the same things but it also seems to me that in practice, theory and practice are not so...

Keep things as simple as possible - adding complexity to a home network is a good opening for black hats to jump in and help out - perhaps not your intent...

Yes, you can create a DMZ on the primary router, and do whatever is needed inside that DMZ, but also just think about the question of WHY, followed by the should of SHOULD - just because one can does not mean one should...

Anything is indeed possible - some of this isn't available via the pfSense WebGUI for good reason, but under the hood, it's a full blown unix solution, and there - tweak away, just keep good notes so you can revert back if things break.
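As an added illustration (not from any poster in this thread, and not what pfSense itself generates from the WebGUI), here is the single-box "DMZ as a VLAN" policy the thread discusses written as a plain pf ruleset, since pf is what runs under pfSense. Interface names, VLAN id, subnets and the published web server address are all assumed for the example.

```pf
# Assumed layout: one pf box, WAN on em0, LAN untagged on em1,
# DMZ as VLAN 20 tagged on the same physical port em1.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em1.20"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.20.0/24"
web_srv = "192.168.20.10"

set skip on lo0

# Outbound NAT for both internal networks
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Publish only the DMZ web server; nothing else is forwarded in from the WAN
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# Default deny, logged, so a missing rule shows up in the log instead of
# silently passing traffic
block log all

# Drop packets whose source address does not belong on the arriving interface
antispoof quick for { $ext_if, $lan_if, $dmz_if }

# WAN -> DMZ: the rdr above has already rewritten the destination, so the
# filter rule matches on the internal address and only the published ports
pass in on $ext_if proto tcp to $web_srv port { 80, 443 }

# DMZ -> Internet only. The DMZ must never initiate a connection into the
# LAN; this is the whole point of having the DMZ at all. (DMZ hosts can
# still reach the firewall's own DMZ address for DNS/DHCP; tighten as needed.)
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any

# LAN -> anywhere, including admin access into the DMZ. Replies from the DMZ
# back to the LAN ride on the state created here, so no DMZ->LAN pass rule
# is required for them.
pass in on $lan_if from $lan_net to any

# Allow traffic to leave on every interface; state handles return packets
pass out all
```

Whether this runs on one box with VLANs or is split across two physical firewalls, the policy stays the same; what changes is how much you trust the switch and the single box to keep the two segments apart, which is the trade-off earlier replies describe.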
 
