#4 - 28th June 2019
jggimi

Hello, and welcome!

I have two firewalls, in two separate servers, configured for high availability with carp(4):

{Internet} - [fw1/fw2] - {local networks}

Another multi-firewall topology is to isolate tiers for different services, such as a tier for DMZ servers:

{Internet} - [fw1] - {DMZ servers} - [fw2] - {servers and workstations}

In this latter configuration, the innermost servers would only communicate with the servers in the DMZ - as an example, a database server only permitted to communicate with webservers in the DMZ tier.
Edited to add: for a tiered solution, the same physical router can be deployed as the firewall between different tiers, using a single PF ruleset - but only with unique pairs of NICs. VLANs can be deployed when the infrastructure includes an IEEE 802.1Q VLAN-capable switch. "Router-on-a-stick" or "Firewall-on-a-stick" solutions with a single physical NIC and 2, 4, or more vlan(4) NICs become possible.

Last edited by jggimi; 28th June 2019 at 03:15 PM.
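Added example, not from the post above or from jggimi: one OpenBSD pf.conf that enforces the tiered layout ({Internet} - [fw] - {DMZ} - [fw] - {internal}) on a single "firewall-on-a-stick" box with one physical NIC and two vlan(4) interfaces, so that the innermost database server is reachable only from the DMZ web servers. The interface names, VLAN IDs, addresses (RFC 5737 documentation prefixes) and the PostgreSQL port are assumptions.

```pf
# Added example (not the post's own configuration). Assumed interface setup, tagged on em0,
# in /etc/hostname.vlan10 and /etc/hostname.vlan20 (syntax of recent OpenBSD releases):
#   vnetid 10 parent em0 inet 192.0.2.1 255.255.255.0
#   vnetid 20 parent em0 inet 198.51.100.1 255.255.255.0
ext_if = "em0"        # untagged uplink toward the Internet (assumed)
dmz_if = "vlan10"     # DMZ tier: web servers (assumed VLAN ID)
int_if = "vlan20"     # innermost tier: database server and workstations (assumed VLAN ID)

dmz_net    = "192.0.2.0/24"                 # constructed sample addressing
int_net    = "198.51.100.0/24"
webservers = "{ 192.0.2.10, 192.0.2.11 }"
dbserver   = "198.51.100.10"

set skip on lo
set state-policy floating   # the default: a state opened on one vlan lets the forwarded packet
                            # and its reply cross the other vlan without a second pass rule

# Default deny on every interface, logged; the rules below open only the wanted tier crossings.
block log all
antispoof quick for { $dmz_if $int_if }

# DMZ hosts may reach the Internet (package updates, outbound mail) behind the uplink address.
match out on $ext_if inet from $dmz_net to any nat-to ($ext_if)

# Internet -> DMZ: only HTTP/HTTPS to the web servers; nothing from the Internet reaches the inner tier.
pass in on $ext_if inet proto tcp from any to $webservers port { 80 443 }

# DMZ -> anywhere except the inner tier: permitted.
# DMZ -> inner tier: only the web servers, only to the database, only on its service port.
pass in on $dmz_if inet from $dmz_net to ! $int_net
pass in on $dmz_if inet proto tcp from $webservers to $dbserver port 5432

# Inner tier -> DMZ: permitted (admin SSH, browsing to the web tier).
# Inner tier -> Internet: no rule exists, so it stays blocked; the innermost hosts talk to the DMZ only.
pass in on $int_if inet from $int_net to $dmz_net

# Traffic the firewall originates itself may leave on any interface.
pass out quick inet
```

A quick check after loading: `pfctl -nf /etc/pf.conf` validates the syntax, and `pfctl -sr` then shows the effective rules; hits on the final `block log all` appear on pflog0 and expose any tier crossing the ruleset does not intend.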