DMZ and private LAN with 2 firewalls and 2 switches

Currently I have the internet connected to a Router/firewall/DHCP server (all in one combo), connected to a switch which connects all servers and VMs. Everything is working fine, but I would like more security and to put a web server in a DMZ and the rest behind another firewall->switch into a private LAN consisting of the Servers and VMs described.

I currently have a Ubiquiti EdgeRouter Pro and a 24-port TP-Link TL-SG1024D switch. This is the post I would like to follow: https://danielmiessler.com/study/dmz/

My questions mainly relate to the private LAN:

How would I set up the default gateway (router) settings on the switch in the private LAN, given it's now in a different LAN (192.168.1.1/24) - the DMZ - and is not accessible? I still want to be able to make outbound internet calls from the private LAN via the Router, just not receive inbound, which is protected by the firewall.
Would I need an L3 switch for the DHCP server for the address allocation to VMs and PCs in the private LAN (192.168.2.1/24), or can I somehow use the Router to achieve this?

Hello Jody

There are several issues that you’ve touched upon that I’d like to respond to. First of all, using two firewalls like a sandwich as described in the post you shared is indeed an acceptable and workable solution. However, most networking professionals consider a “sandwich” topology to be “old school”, and it has been deprecated. Today, using a single firewall with a DMZ similar to that in the following lesson is also acceptable, and often preferred, and the risk that it introduces is minimal to non-existent.

I won’t go into the details of my claim at this point, but I’ll focus on your specific question.

I’m going to approach this assuming we’re using Cisco ASA devices, since I am not familiar with the specific firewalls that you’re using. You can then interpret this for use with your hardware.

In such a case, the default gateway for the private LAN would be the inner firewall, that is, the one that is directly connected to the private LAN. You would have to configure the inside and outside interfaces with the appropriate security levels to allow for traffic flow from the private LAN to the DMZ. You must also arrange for proper routing from the inner firewall to the outer one so that such traffic will be directed correctly. The outer firewall must also be configured appropriately to allow for such traffic to flow outward, again with the appropriate security levels on the interfaces.

You could set up the internal firewall to perform DHCP for all of the devices in the private LAN as well as in the DMZ, since it has direct access to both networks.

I hope this has been helpful!

Laz
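As an added illustration of the inner-firewall setup Laz describes above (this is not configuration from the thread, nor from the Ubiquiti or Check Point gear the poster used), here is what that would look like on a Cisco ASA. The interface names, the inner firewall's DMZ-side address 192.168.1.2, the private-LAN gateway address 192.168.2.1, and the DHCP pool are assumptions based on the two subnets in the question.

```cisco
! Inner firewall: outer-facing interface sits in the DMZ (192.168.1.0/24).
! Security level 0 = least trusted side. (Addresses are assumed.)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
! Inner firewall: private LAN side (192.168.2.0/24).
! Security level 100 = most trusted; this address is the LAN's default gateway.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Routing toward the outer router/firewall (192.168.1.1 from the question).
! LAN -> DMZ and LAN -> Internet traffic leaves via this default route.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Hide the private LAN behind the DMZ-side address so the outer device
! needs no return route for 192.168.2.0/24. (Alternative: add a static
! route for 192.168.2.0/24 via 192.168.1.2 on the outer router instead.)
object network PRIVATE-LAN
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DHCP for the private LAN, served by the inner firewall as Laz suggests.
! Clients receive 192.168.2.1 (the inside interface) as their gateway.
! The DNS address handed out here is assumed.
dhcpd address 192.168.2.100-192.168.2.200 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd enable inside
!
! No ACL is needed for the requirement in the question: traffic from the
! higher security level (inside) to the lower (outside) is permitted by
! default, and unsolicited traffic from outside/DMZ into inside is denied.
```

Verify with `show route`, `show nat`, and `show dhcpd binding` after applying; the DMZ web server is reached from the LAN through the `outside` interface, while nothing in the DMZ can initiate a connection inward.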

Hi Laz
Yes that’s really helpful.

One question
The internal switch (LAN) can be an L2 device only, right? As it is connecting to the firewall also on the internal LAN (i.e. no need for routing).

I would only need an L3 switch if there was no FW and I needed to route to the DMZ? Also assuming the L3 device has a DHCP server built in.

Thanks
Jody

Hello Jody

To answer your question directly, the internal LAN does not need any L3 functionality in order for your topology to work. You can have the whole subnet connect to the firewall port. The firewall will act as the default gateway for the private LAN to route traffic appropriately between the LAN and the DMZ, as well as between the LAN and the Internet.

The kind of network topology you have on your private VLAN, whether you employ only L2, or if you want to include additional subnets internally on your network, is independent of the configuration of your firewall setup. As long as you route traffic from your internal network to the appropriate port on the firewall, you can set up whatever internal topology you like.

I hope this has been helpful!

Laz

Hi Laz
Thanks for the help, got it all working!!

Used a Check Point firewall and ProCurve switch.

Jody