Posted On March 31, 2019

Setup Virtual DMZ and Trust Zones with PFSense

By kimconnect (blog.KimConnect.com)
I. Setup Route at Core Router

1. Configure the subnet, IP helper addresses, and default route
---------------- HQ Enterasys SecureStack -------------

router
enable
configure
interface vlan 200
ip address 192.168.200.1 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.1.1 1

router ospf 1
network 192.168.200.0 0.0.0.255 area 0.0.0.0

---------------- Phoenix Enterasys SecureStack -------------
router
enable
configure
interface vlan 200
ip address 192.168.200.2 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.2.1 1

router ospf 1
network 192.168.200.0 0.0.0.255 area 0.0.0.0

---------------- Florida Enterasys SecureStack C3 -------------

router
enable
configure
interface vlan 200
ip address 192.168.200.3 255.255.255.0
ip helper-address 10.10.10.2
ip helper-address 10.10.10.3
no shutdown
ip ospf cost 1

ip route 192.168.200.0 255.255.255.0 10.10.3.1 1
-----------------------------------------------------------------------------

II. Create Edge Firewall
1. Set up as normal with the WAN IP from the CPE
2. DHCP on the internal subnet
3. Routing
   Gateway: create an Intranet gateway pointing to the Trust Firewall's external interface
   Routes: match all internal subnets to the Intranet gateway
4. Virtual IPs: set IP Aliases on the WAN port
5. NAT 1:1 from each virtual IP to its internal IP
6. Rules
   WAN: allow ports 80 and 443 to all; allow specific ports only toward the matching server IP destination
   LAN: LAN net to Intranet, forcing the gateway for this traffic toward the Trust Firewall (Intranet)

III. Create Trust Firewall
1. Interfaces
* WAN Interface with an IP address on the same subnet as the Edge Firewall's internal interface (e.g. 192.168.200.2)
* LAN Interface should be an unused IP from the inside subnet (e.g. the servers subnet)


2. Configure a 1:1 map on the Trust Firewall from the external to the internal interface
* Web GUI >> Interfaces >> WAN >> Enable Interface
* Firewall >> NAT >> 1:1 tab >> press "+" to add a mapping >> Interface = WAN, External subnet IP = IP of external interface, Internal IP = any, Destination = any, Description = Mapping from Trust to DMZ, NAT reflection = default
* Optional: Firewall >> Virtual IPs >> "+" >> Type = other, Interface = OPT2 (the name of the virtual interface, or WAN), IP address = IP address of the external or OPT2 interface, Description = Virtual IP for 1:1 mapping
* Firewall >> Rules >> WAN or OPT2 tab, depending on which interface is being mapped >> "+" >> Destination type = single address, IP address = IP address of the internal interface, Destination port = any, Description = "WAN to LAN Mapping"


3. Routing
WAN_Gateway: pointing to Edge Firewall's external interface
LAN_Gateway: pointing to internal network core router
Routes: match all internal subnets to the LAN_Gateway
4. Force obvious Intranet traffic inward, for example the known Active Directory ports below:
* IPv4 Source 192.168.200.0/24 (DMZ subnet) to use LAN_Gateway
* TCP/UDP 389
* TCP 636
* TCP 3268-3269
* TCP/UDP 88
* TCP/UDP 53
* TCP/UDP 445
* TCP 25
* TCP 135
* TCP Dynamic: RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
* UDP 123
* TCP/UDP 464
* UDP 138
* TCP 9389
* UDP 67
* UDP 2535
* UDP 137
* TCP 139
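The policy-routing step above depends on pfSense evaluating rules top to bottom with first match winning. The following Python evaluator is an added example, not code from the original post or from pfSense: it encodes the Active Directory port list above as rules on the DMZ-facing interface, routes matching flows to LAN_Gateway (the gateway name from the post), and shows what happens when the catch-all rule is placed above the policy-route rules. The dynamic RPC range (49152-65535, the Windows Server 2008+ default), the sample host addresses and the flows are assumptions constructed for the example.

```python
# Added example (not part of the original post): a first-match rule evaluator
# that shows how pfSense picks a gateway for DMZ-to-Intranet Active Directory
# traffic, and why rule order matters. All addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str                          # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset                   # empty set means any destination port
    gateway: Optional[str]              # None means use the system routing table
    action: str = "pass"


# Active Directory ports from the post, split by protocol. The dynamic RPC
# range is assumed to be the Windows Server 2008+ default (49152-65535); the
# post lists it only as "TCP Dynamic".
AD_TCP_PORTS = frozenset(
    {389, 636, 3268, 3269, 88, 53, 445, 25, 135, 464, 9389, 139}
    | set(range(49152, 65536))
)
AD_UDP_PORTS = frozenset({389, 88, 53, 445, 123, 464, 138, 67, 2535, 137})


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every populated field of the rule matches the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    return True


def evaluate(rules: Sequence[Rule], flow: Flow) -> str:
    """Return the gateway name, "default", or "blocked".

    pfSense rules are 'quick' by default, so the first matching rule wins;
    a flow that matches nothing hits the implicit default deny.
    """
    for rule in rules:
        if matches(rule, flow):
            if rule.action == "block":
                return "blocked"
            return rule.gateway or "default"
    return "blocked"


def dmz_rules(dmz: str, inward_gateway: str) -> list:
    """Rule set from section III.4: AD ports sourced from the DMZ subnet go
    to the inward gateway; everything else from the DMZ follows the system
    routing table. The catch-all must stay last."""
    dmz_net = ipaddress.ip_network(dmz)
    return [
        Rule("tcp", dmz_net, ANY_NET, AD_TCP_PORTS, inward_gateway),
        Rule("udp", dmz_net, ANY_NET, AD_UDP_PORTS, inward_gateway),
        Rule("any", dmz_net, ANY_NET, frozenset(), None),  # catch-all last
    ]


DMZ_RULES = dmz_rules("192.168.200.0/24", "LAN_Gateway")
# Same rules with the catch-all first: the policy-route rules are shadowed.
MISORDERED_RULES = [DMZ_RULES[2], DMZ_RULES[0], DMZ_RULES[1]]

if __name__ == "__main__":
    # Constructed flows: a DMZ web server talking to a DC at the post's helper
    # address 10.10.10.2, and to an Internet host (TEST-NET-3 address).
    for flow in (
        Flow("tcp", "192.168.200.10", "10.10.10.2", 389),
        Flow("tcp", "192.168.200.10", "10.10.10.2", 49200),
        Flow("udp", "192.168.200.10", "10.10.10.3", 53),
        Flow("tcp", "192.168.200.10", "203.0.113.5", 443),
    ):
        print(flow, "->", evaluate(DMZ_RULES, flow),
              "| misordered:", evaluate(MISORDERED_RULES, flow))
```

Two things worth checking against a real rule set: a flow whose source is not in the DMZ subnet matches nothing here and is dropped, which is the anti-spoofing behaviour you want on the DMZ-facing interface, and a UDP flow to a TCP-only port such as 636 falls through to the catch-all and takes the default route rather than LAN_Gateway.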

IV. ESX Server Configuration
For failover, two ESX servers are recommended. Below is the virtual network setup:
1. WAN: 1 NIC connecting to the "untrusted" switch that is connected to the internal interface of the CPE router
2. DMZ: 1 NIC on each ESX server, connected directly to the other server's NIC
3. Intranet: multiple NICs with a static LAG configured on the connected "core" switch
4. Management Network: ESX management network and vMotion network, combined
