The front door

Everything that's reachable from the outside world passes through one VM: a pfSense firewall/router (10.100.100.1 inside, a public IP outside). It wears three hats:

  • Router/NAT — gives the private 10.100.100.0/24 VMs a way out to the internet, and is the default gateway for the whole subnet.
  • Firewall — decides what, if anything, gets in from outside.
  • Reverse proxy (HAProxy) + TLS — the single HTTPS front door for every web service, terminating TLS with one wildcard certificate.

         Internet
            |
   public IP 203.0.113.10
            |
        +---v---- pfSense ----+
        |  NAT + Firewall     |
        |  HAProxy (TLS)      |
        +---------+-----------+
                  | 10.100.100.1
        private subnet 10.100.100.0/24

Why we use this: one edge device means one place to reason about "what's exposed." Every public name, every certificate, every inbound rule lives here. That concentration is the point — the other ~15 VMs get to assume they're only ever reached from inside a trusted network.
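What the "single HTTPS front door" looks like in HAProxy terms, as an added example rather than the site's own configuration (pfSense's HAProxy package generates the equivalent from its GUI): one 443 listener terminating TLS with a wildcard certificate, hostname-based routing to private 10.100.100.0/24 backends, and an explicit deny for any name that is not on the list. The hostnames, backend addresses and ports, and the certificate path are assumptions; only the public IP and subnet come from the page.

```haproxy
# Added example, not the original page's or the pfSense package's generated config.
# Hostnames, backend addresses/ports and the certificate path are assumptions.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor          # backends see the real client IP in X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP exists only to bounce clients to HTTPS.
frontend http_in
    bind 203.0.113.10:80
    http-request redirect scheme https code 301

# The single HTTPS front door: one listener, one wildcard certificate (assumed path).
frontend https_in
    bind 203.0.113.10:443 ssl crt /etc/ssl/private/wildcard.example.net.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Every public name is enumerated here; this list is the "what's exposed" inventory.
    acl host_wiki  req.hdr(host) -i wiki.example.net
    acl host_git   req.hdr(host) -i git.example.net
    acl known_host req.hdr(host) -i wiki.example.net git.example.net

    # Requests for an unknown Host (stray DNS record, raw-IP probe) are refused at
    # the edge, so no internal VM is reached just because the public IP answered.
    http-request deny unless known_host

    use_backend be_wiki if host_wiki
    use_backend be_git  if host_git

# Backends on the private subnet; addresses and ports are assumptions.
backend be_wiki
    server wiki 10.100.100.20:8080 check

backend be_git
    server git 10.100.100.21:3000 check
```

Adding a service means adding a hostname to the ACLs and a backend block here and nowhere else, which is what keeps the edge the single place to audit.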

One public IP, many services: HAProxy routes by hostname