DMZ with SmartOS and pfSense

I’ve had a single LAN for ages: one router/firewall with the rest of my machines behind it. This works, but I’ve been meaning to set up a DMZ for a while. The DMZ is now in place, and it lives on a virtual network built on an etherstub in SmartOS.

The etherstub

An etherstub is a virtual switch which can be used (among other things) to connect VMs on a virtual network that exists only on the hypervisor. The following command creates an etherstub called dmz0 on the SmartOS hypervisor:

dladm create-etherstub dmz0

Add the following line to /usbkey/config so the etherstub is created again at boot:
etherstub="dmz0"

Now a VM can be created (or changed) to use this network instead.

Using the etherstub in a VM

To use the etherstub as the network for a NIC in a VM, use this JSON:

{
  "update_nics": [
    {
      "nic_tag": "dmz0",
      "mac": "d2:82:c5:70:62:70"
    }
  ]
}

You can set a new IP address and so on in the same update if needed. To create a new VM on this network, just use the dmz0 nic tag.
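The two artefacts used above, the etherstub= line in /usbkey/config and the update_nics JSON, are easy to get slightly wrong by hand (a second etherstub= line, or a NIC update without the IP settings the new network needs). The script below is an added example, not code from the original post. It builds both artefacts and only calls dladm/vmadm when they are present, so it can be tried on any machine. Assumptions, not stated by the post: the etherstub key in /usbkey/config holds a comma-separated list of names, vmadm update reads its JSON payload from stdin, and the NIC properties are named ip, netmask and gateway. The 192.0.2.x addresses in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the etherstub= line for
# /usbkey/config and the update_nics JSON for vmadm, then apply them on SmartOS.

# Append an etherstub name to the etherstub= line of a SmartOS config file.
# Assumption: the key holds a comma-separated list, so an existing line is
# extended rather than duplicated (a second etherstub= line would shadow the first).
add_etherstub_to_config() {
  cfg=$1; stub=$2
  if grep -q '^etherstub=' "$cfg"; then
    current=$(sed -n 's/^etherstub="*\([^"]*\)"*$/\1/p' "$cfg")
    case ",$current," in
      *",$stub,"*) ;;   # already listed, nothing to do
      *)
        tmp=$(mktemp)
        sed "s/^etherstub=.*/etherstub=\"$current,$stub\"/" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
        ;;
    esac
  else
    printf 'etherstub="%s"\n' "$stub" >> "$cfg"
  fi
}

# Accept only a lower-case colon-separated MAC (the form vmadm prints),
# so a typo is caught here rather than matching no NIC at update time.
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the vmadm update payload that moves one NIC (selected by MAC) onto a
# nic tag. IPv4 settings are emitted only when supplied, so the same function
# serves both the tag-only change from the post and a full re-addressing.
# Assumption: the property names are ip, netmask and gateway.
nic_update_json() {
  tag=$1; mac=$2; ip=$3; netmask=$4; gateway=$5
  printf '{\n  "update_nics": [\n    {\n      "nic_tag": "%s",\n      "mac": "%s"' "$tag" "$mac"
  if [ -n "$ip" ]; then
    printf ',\n      "ip": "%s",\n      "netmask": "%s"' "$ip" "$netmask"
    [ -n "$gateway" ] && printf ',\n      "gateway": "%s"' "$gateway"
  fi
  printf '\n    }\n  ]\n}\n'
}

# On a SmartOS global zone: create the stub if missing, persist it, and
# retarget the VM's NIC. Skipped when dladm/vmadm are absent (e.g. when
# trying this script on another system).
apply_dmz() {
  stub=$1; vm_uuid=$2; mac=$3
  valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
  command -v dladm >/dev/null 2>&1 && command -v vmadm >/dev/null 2>&1 || {
    echo "dladm/vmadm not found; skipping live changes" >&2; return 0; }
  dladm show-etherstub "$stub" >/dev/null 2>&1 || dladm create-etherstub "$stub"
  add_etherstub_to_config /usbkey/config "$stub"
  nic_update_json "$stub" "$mac" | vmadm update "$vm_uuid"   # assumption: JSON on stdin
}

# Stand-alone demo: the tag-only payload for the MAC used in the post.
if valid_mac d2:82:c5:70:62:70; then
  nic_update_json dmz0 d2:82:c5:70:62:70
fi
```

Running it with `apply_dmz dmz0 <vm-uuid> d2:82:c5:70:62:70` on the hypervisor performs all three steps; anywhere else it only reports that the live tools are missing, which makes the config and JSON helpers safe to test first.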

pfSense configuration

Add the new DMZ interface in pfSense and set IP address(es).

[Screenshot: pfSense DMZ config]

By default you can reach everything on the DMZ, but the DMZ VMs can’t initiate connections to any other network. I’ve added a rule so that machines on the DMZ can reach all networks except my LAN. This lets them download updates and the like while keeping the LAN out of reach, which can be useful.

[Screenshot: DMZ firewall rule]

Since I’m using a tunnel for IPv6, I had to add rules allowing the services (HTTP(S), SMTP and IMAPS) through to the machines on the DMZ, and I had to change my port forwarding rules to the new IPs the machines got when they changed network.
