Dual firewall DMZ virtualized on single hypervisor

Wrecked Em

Supreme [H]ardness
Joined
Sep 14, 2004
Messages
7,009
I recently decided to try out Nextcloud and have been playing around with it a bit. It's currently running on my main unraid box, behind a single untangle router. Seems to be working great.

I'm a networking noob, but sort of latched onto the idea of a dual firewall, mostly because Wikipedia says it's better. I was wondering if I could accomplish this in a single box. My router is a qotom i5 machine with 4 nics.
Would running this all under a single proxmox instance, as shown below, provide any benefit at all, or would it just be a bunch of extra effort for nothing? The end goal would be to have nothing on the LAN externally accessible.

In my head, this seems like a nice elegant setup, but I can't seem to find any instance of someone even mentioning it, so I'm assuming there's some obvious flaw that I'm overlooking.



If this seems reasonable, then the next question is how to get rid of the external switch?
-------edit---------- I think this is how it would look.


Wrecked Em

Supreme [H]ardness
Joined
Sep 14, 2004
Messages
7,009
Did some more research. Apparently this is called a Fully Collapsed DMZ. Looks like it's an accepted standard setup, but doesn't seem to be very common for home use.

Since this is a complicated solution to a problem I don't have, I might need to build up my courage a bit more before attempting it.

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,875
Why do you think a dual firewall is better?

In a perfect env what you have is your perimeter device = pfSense. You then have a layer 3 device behind that which handles your "routing" VLANs / DHCP / DNS, if you're not using other devices.

Dual firewalls is a pain in the butt.

By default pfSense blocks ALL inbound traffic, so unless you create NAT rules and open the firewall, nothing externally can get to your LAN side.

If you want to block LAN devices from going out, you use the firewall and create rules / ACLs to block that traffic.

If you only want to use the web filtering and other goodies of Untangle vs pfSense and pfBlocker and other add-ons, you could do that, but what will handle your DHCP? You now want 2 different subnets between your Untangle and your pfSense.

Wrecked Em

Supreme [H]ardness
Joined
Sep 14, 2004
Messages
7,009
> By default pfSense blocks ALL inbound traffic, so unless you create NAT rules and open the firewall, nothing externally can get to your LAN side.

I think the logic is that in order for nextcloud to work, I have to have a NAT rule to open the nextcloud machine to web traffic, that makes it more exploitable. Since it's hypothetically my weakest link, I was trying to move it off of my LAN.

I'm not particularly attached to any feature set of untangle or pfsense. Just following a suggestion to make both firewalls different, in case a vulnerability is discovered in one.

But yes, the more I research, the more it looks like a pain in the ass. I'll look into separating nextcloud on a vlan behind my single firewall for now.

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,875
VLANS - best way to do it, then set up your rules on pfsense to block that VLAN from seeing other networks, and vice versa. I have 7 VLANs on my pfsense with strict rules of what can see or access what.

If this is ALL virtualized, you can either use 1 NIC for all VLANs for your VMs, since traffic will stay internal on the pfSense.
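As an added illustration (not code from the thread or from pfSense): a small Python model of the VLAN policy described above, with constructed subnets and addresses, first-match rule evaluation and an implicit default deny, checking that the DMZ VLAN holding Nextcloud cannot reach the LAN and that getting the rule order wrong silently undoes that isolation.

```python
"""Toy first-match packet-policy model of a DMZ VLAN behind one firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing; the thread names no subnets or hosts.
LAN = ipaddress.ip_network("192.168.10.0/24")   # trusted LAN VLAN
DMZ = ipaddress.ip_network("192.168.20.0/24")   # DMZ VLAN that holds Nextcloud
ANY = ipaddress.ip_network("0.0.0.0/0")
NEXTCLOUD = ipaddress.ip_address("192.168.20.5")  # hypothetical Nextcloud VM


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


# Rules are evaluated top-down, first match wins (pfSense GUI rules are
# "quick"), so the block-to-LAN rule must sit above the allow-out rule.
DMZ_RULES = [
    Rule("block", DMZ, LAN),         # DMZ may never talk to the LAN
    Rule("pass", DMZ, ANY),          # but may reach the internet (updates, etc.)
]
# The one NAT/port-forward that exposes Nextcloud to the outside (HTTPS only).
WAN_RULES = [
    Rule("pass", ANY, ipaddress.ip_network(f"{NEXTCLOUD}/32"), 443),
]
LAN_RULES = [
    Rule("pass", LAN, ANY),          # LAN users may reach the DMZ and beyond
]


def evaluate(rules, src, dst, dport, default="block"):
    """Return the action of the first matching rule, else the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


def dmz_isolated(rules=DMZ_RULES):
    """True if the Nextcloud host is blocked from every sampled LAN host/port."""
    return all(evaluate(rules, str(NEXTCLOUD), f"192.168.10.{h}", p) == "block"
               for h in (1, 50, 200) for p in (22, 445, 3389))
```

Reversing `DMZ_RULES` makes `dmz_isolated()` return False, which is the misconfiguration to test for whenever a rule is added above the block.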