Dual-Homed Firewall Configuration

prodgers87

Reputable
Apr 13, 2015
11
0
4,510
Hi Community,
I am trying to set up a DMZ by creating a dual-homed firewall configuration using two routers. I want to create a "secure" DMZ (not using the router's DMZ option) so that I can put a media server on the DMZ and access it remotely. I couldn't find any good tutorials on how to set up a dual-homed configuration, so this is what I have so far:

ISP
Router 1 (Netgear Running DD-WRT firmware):
LAN: 192.168.1.0/24
VLANs: 10.1.10.0/24 (DMZ) and 10.168.78.0/24 (Intranet)
DHCP and NAT enabled
Wireless disabled

Router 2 (PfSense): WAN port connected to DD-WRT LAN
WAN: 10.168.78.2
LAN: 10.201.10.0/24
DHCP and NAT enabled

Smart Switch:
LAN: 10.201.10.3

Wireless AP (Router3): Connected to Switch using Router 3 LAN port
LAN: 10.201.10.254
DHCP and NAT disabled

Questions:
1.) Is this the correct way of setting up this type of configuration?
2.) I can already tell that I am double NATing, so any suggestions on how to work around this problem? I want router 1 and the DMZ to be isolated from my internal network, with my internal network handing out DHCP and all of my computers connected to the internal network.
3.) If, let's say, I have Skype on my computer in the 10.201.10.0 network, since it's behind a second router would I have to port forward Skype's ports to router 2, and then port forward from router 2 to my computer's IP?

Thanks for any advice anyone can give me!

What you want to do is going to be difficult using two routers like that. I am not sure about DD-WRT, but pfSense can do what you want by itself (assuming you have enough interfaces in it, or you have a managed switch so you can do VLANs). Is there a reason you don't want a single router doing all this for you?

prodgers87


Thanks for responding abailey,
I am trying to do this configuration because I am going to be going to school for IT next academic year, and want to learn how to create an enterprise network infrastructure (as close to it as possible) without messing up my girlfriend's access to the internet. I also want to deploy servers like FTP, Plex, email, etc. in the DMZ so that I can remotely access them from outside my LAN. The pfSense box that I have only has two NICs in it, so I didn't want to just use it as the sole router: in case my DMZ got compromised, I didn't want my internal traffic using the same interface as my DMZ. I also have managed switches at my disposal (I should have called the "smart switch" a managed switch). When you say it is going to be difficult, could you explain why? I am totally down for a challenge since this is the field I want to get into, but guidance would be very appreciated.
The fairly standard way to do this is with a single firewall. Now, if you want to consider DD-WRT a firewall, I don't really know. You likely can use it as a firewall, but unlike a dedicated firewall it likely has options turned on by default that a firewall would have off.

If you have a managed switch, all you need to do is connect it to a port on the WRT box and define that port as a trunk port to carry all the VLANs. You then in effect have as many ports as you want on the router.

You would then set up the rules to isolate the VLANs... this is the part that an actual firewall does by default. You would define what traffic could go between your zones, i.e. Internet, LAN and DMZ.
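The single-router layout the reply describes, as an added example (this script is not from the thread or from any of the posters): a Linux router in the DD-WRT mould carries the LAN and DMZ VLANs over one trunk to the managed switch, and iptables FORWARD rules implement the zone policy. The subnets match the original post; the trunk and WAN interface names, the VLAN IDs, and the media server address 10.1.10.10 are assumptions. Port 32400 is Plex's default, mentioned by the poster as one of the DMZ services.

```shell
#!/bin/sh
# Added example: one Linux router, three zones (Internet, LAN, DMZ), default-deny
# between zones. Interface names, VLAN IDs and MEDIA_SRV are assumed values.

TRUNK_IF=${TRUNK_IF:-eth0}      # port cabled to the switch's trunk port (assumed)
WAN_IF=${WAN_IF:-vlan2}         # ISP-facing interface (assumed)
DMZ_ID=10;  DMZ_IF=vlan10;  DMZ_NET=10.1.10.0/24;   DMZ_GW=10.1.10.1
LAN_ID=78;  LAN_IF=vlan78;  LAN_NET=10.168.78.0/24; LAN_GW=10.168.78.1
MEDIA_SRV=${MEDIA_SRV:-10.1.10.10}   # assumed Plex host inside the DMZ
MEDIA_PORT=32400                     # Plex default TCP port
DRY_RUN=${DRY_RUN:-0}                # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 802.1Q sub-interfaces on the trunk, one per zone; the router is each VLAN's gateway.
setup_vlans() {
    run ip link add link "$TRUNK_IF" name "$DMZ_IF" type vlan id "$DMZ_ID"
    run ip addr add "$DMZ_GW/24" dev "$DMZ_IF"
    run ip link set "$DMZ_IF" up
    run ip link add link "$TRUNK_IF" name "$LAN_IF" type vlan id "$LAN_ID"
    run ip addr add "$LAN_GW/24" dev "$LAN_IF"
    run ip link set "$LAN_IF" up
}

# Zone policy: everything not listed below is dropped by the FORWARD policy.
apply_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet: unrestricted outbound for the internal network.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

    # LAN -> DMZ: only the media service port on the one server (no SSH/SMB from LAN).
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$MEDIA_SRV" \
        -p tcp --dport "$MEDIA_PORT" -j ACCEPT

    # DMZ -> LAN: never. Log first, so a compromised DMZ host trying to pivot shows up.
    run iptables -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j LOG --log-prefix "DMZ->LAN drop: "
    run iptables -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j DROP

    # DMZ -> Internet: allowed (updates, CDN fetches). Kept below the DMZ->LAN drop so
    # that a later, broader DMZ rule cannot accidentally open a path into the LAN.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT

    # Internet -> DMZ: exactly one published port, DNAT'd to the media server.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$MEDIA_PORT" \
        -j DNAT --to-destination "$MEDIA_SRV:$MEDIA_PORT"
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MEDIA_SRV" \
        -p tcp --dport "$MEDIA_PORT" -j ACCEPT

    # Source NAT for both zones towards the ISP.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    setup_vlans
    apply_rules
fi
```

Run it as root on the router with `apply`; `DRY_RUN=1 ./zones.sh apply` prints the commands first so the rule order can be reviewed. On the switch side, the port facing the router is tagged for both VLAN IDs, and each access port is untagged in either the LAN or the DMZ VLAN, which is what makes the single trunk behave like extra router ports. The point of the DMZ->LAN drop rule is the compromise scenario the poster raised: a DMZ host that is taken over can still reach the Internet but gets nothing but log lines when it probes 10.168.78.0/24.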

prodgers87


Thanks for responding bill001g,
When reading this article: http://searchsecurity.techtarget.com/tip/Choosing-the-right-firewall-topology-Bastion-host-screened-subnet-or-dual-firewalls it shows a screened subnet using two separate vendors' firewalls to isolate the DMZ from the internal network. Since the article said this type of configuration was the most secure, I wanted to try to set up my network using this approach if possible. What are the challenges I would face if I tried to go this route? Is one router secure enough if I wanted to deploy public-facing servers? I appreciate your help!
This is one of those design things that is looking to protect against almost impossible situations. Using two different firewalls is to protect against some form of compromise in the firewall itself. It is based on the assumption that you would have to find two different exploits for two different firewalls.

Now, that is really good for papers and theory, but the most common reason a firewall is bypassed is because the person configuring it makes a mistake. When you have complex designs you increase your chance of making an error, so only in a world where the human is perfect will two firewalls always be better.



I completely agree with this. I am sure there are some very large companies that may use two firewalls like that but all the companies I have worked for use one firewall with a DMZ.
But if you want to do it like that article says, then you can put one behind the other. You would have a double NAT, but that is okay for browsing the internet. You would not port forward anything through both firewalls. Anything that needed to be accessed from the WAN would be in the DMZ; that's why it is there. You should not have anything behind the second firewall that would need to be accessed from the WAN, as that would compromise the network you are going to great pains to make as "secure as possible".


prodgers87
Awesome, thanks for yours and bill001g's advice. I'll probably go your guys' route since it seems like everyone is using that type of configuration. Thanks again for your guys' help!