Primary perimeter firewall. Enforces policy, segments the internal networks and protects the DMZ. Receives all upstream traffic from pfSense.
- WAN: 10.10.1.2/30 (P2P to pfSense 10.10.1.1)
- LAN (Corp): 10.10.0.1/24
- VLAN10 (Admin-LAN): 10.10.0.129/28
- VLAN20 (Client-LAN): 10.10.0.1/26
- VLAN30 (Domainservices-LAN): 10.10.0.65/27
- VLAN40 (Application-LAN): 10.10.0.97/27
- VLAN99 (Mgmt-LAN): 10.10.0.145/28
- DMZ: 172.16.10.1/24
- Outbound NAT: enabled (automatic) for Corp/DMZ/Client VLANs → WAN
- Default gateway: pfSense 10.10.1.1
- Internal routing between Corp/DMZ/VLANs handled locally (no NAT between internal nets)
I'm aware that this is not the final, secure design; it's an initial approach to start with. In the future I will implement security zones that have to be secured more (or less). Also, a fallback router is in planning.
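An added sanity check over the addressing plan above (example code, not part of the original note): it parses each segment's gateway address/prefix with the standard `ipaddress` module and reports overlapping subnets, gateway addresses assigned twice, and which directly connected segment contains the pfSense default gateway. The segment names and addresses are taken from the note; `PLAN`, `UPSTREAM_GATEWAY` and the function names are my own.

```python
import ipaddress
from itertools import combinations

# Addressing plan transcribed from the note above: segment -> gateway address/prefix.
PLAN = {
    "WAN": "10.10.1.2/30",
    "LAN (Corp)": "10.10.0.1/24",
    "VLAN10 (Admin-LAN)": "10.10.0.129/28",
    "VLAN20 (Client-LAN)": "10.10.0.1/26",
    "VLAN30 (Domainservices-LAN)": "10.10.0.65/27",
    "VLAN40 (Application-LAN)": "10.10.0.97/27",
    "VLAN99 (Mgmt-LAN)": "10.10.0.145/28",
    "DMZ": "172.16.10.1/24",
}
UPSTREAM_GATEWAY = "10.10.1.1"  # pfSense, per the note

def parse_plan(plan):
    """Map each segment to an IPv4Interface; a malformed entry raises ValueError."""
    return {name: ipaddress.ip_interface(cidr) for name, cidr in plan.items()}

def find_overlaps(plan):
    """Sorted (segment, segment) pairs whose subnets overlap. Overlapping prefixes
    cannot be kept apart by routing: the longest match wins and the wider subnet
    silently loses the overlapping range."""
    ifaces = parse_plan(plan)
    return sorted((a, b) for a, b in combinations(ifaces, 2)
                  if ifaces[a].network.overlaps(ifaces[b].network))

def find_duplicate_addresses(plan):
    """{address: [segments]} for gateway addresses assigned to more than one interface."""
    by_ip = {}
    for name, iface in parse_plan(plan).items():
        by_ip.setdefault(str(iface.ip), []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

def segments_containing(plan, address):
    """Directly connected segments that contain `address`; the default gateway
    must fall inside exactly one of them or it is unreachable."""
    ip = ipaddress.ip_address(address)
    return [name for name, iface in parse_plan(plan).items() if ip in iface.network]

if __name__ == "__main__":
    for a, b in find_overlaps(PLAN):
        print(f"overlap: {a} {PLAN[a]} <-> {b} {PLAN[b]}")
    for ip, names in find_duplicate_addresses(PLAN).items():
        print(f"duplicate gateway {ip}: {', '.join(names)}")
    print("upstream gateway reachable via:", segments_containing(PLAN, UPSTREAM_GATEWAY))
```

Run against the plan as written, it reports that the Corp /24 contains every VLAN subnet carved from it and that 10.10.0.1 is assigned to both Corp and VLAN20, while the pfSense gateway is correctly reachable through the WAN /30. Re-running it after each revision of the zone layout catches this class of mistake before a rule ever depends on the affected segment.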