On 2020-03-30 Alberto Abrao wrote:
> Doing it for a single external IP is manageable to me, the thing is the leap in doing it for multiple public IPs. I do know I have some heavy reading ahead, and I look forward to it. Any recommendations are very much appreciated.
That part is easier than you think. I haven't done it yet, mainly because I'm too cheap to spring for a plan with multiple statics, but I'm pretty sure you'll just set up your single interface to listen on multiple IPs. Then use routing and/or packet-mangling-du-jour methods to forward them to the correct internal boxes. After firewall checks, of course.
Easy for statics, but you might not be able to do more than 1 of your DHCP dynamics on that interface, though?? Unless you can set up a 2nd "fake" MAC on the same interface? Others can chime in.
> I used to do one-box-for-everything as well, mostly because I didn't have a lot of equipment to begin with. However, I see lots of people talking about security, and I can see having things on separate
I'm of the opinion that if you're a wizard it really doesn't matter if it's all one box or not. If they p0wn your firewall, chances are they'll then hop into whatever internal, less protected, box they want anyhow without much trouble. The key is to not get p0wned. I'm talking from a personal and micro-business standpoint: for corporate of course you'll want to throw money at separating everything.
It's hard enough, and expensive enough, trying to keep X quality (read: ECC) boxes going, let alone X+1 boxes (and more +1's for every new task). I'd rather have 1 boss ECC system that I know won't give me grief do everything than a handful of cheap / small / esoteric boxes (probably with no ECC). It's my philosophy. I understand it's not shared by the writers of best practices. YMMV.
If you've already learned OpenBSD and like it, of course stick with it, unless you've hit limitations. As for iptables vs pfSense, I've yet to run into a scenario tc/iptables/etc can't do, and I do some pretty wacky esoteric stuff on many boxes. However, here's a great example of why you'd like Fedora rather than CentOS: the newer, handy iptables features are generally bleeding edge and only to be found in distros that give you the bleeding kernel. If you're on the typical multi-year-old RHEL kernel then you may find that what you want to do isn't possible.
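As an added illustration of the "one interface, several statics, forward each to its own internal box, after firewall checks" approach described in the reply above (this is not code from the thread or from any project), here is a POSIX shell script that generates the `ip` and `iptables` commands for a handful of mappings. The interface names (`eth0`, `eth1`), the 203.0.113.x public addresses, the 192.168.1.x internal hosts and the ports are all constructed for the example. The FORWARD chain is default-deny, so only the explicitly published port reaches each internal host and everything else is dropped; the plan is printed by default so it can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): publish several static public IPs on
# one WAN interface and DNAT each to a different internal host, with an
# explicit default-deny FORWARD policy. All names and addresses are made up.

WAN=eth0   # assumed external interface
LAN=eth1   # assumed internal interface

# Constructed mapping, one "public_ip internal_ip tcp_port" per line.
MAPPINGS='
203.0.113.10 192.168.1.10 443
203.0.113.11 192.168.1.20 25
203.0.113.12 192.168.1.30 22
'

# Emit the commands for one public->internal mapping. Printing instead of
# executing lets the result be inspected (or tested) before it is applied.
rules_for() {
    pub=$1; int=$2; port=$3
    # secondary address on the WAN interface so this box answers ARP for it
    echo "ip addr add ${pub}/32 dev ${WAN}"
    # rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -i ${WAN} -d ${pub} -p tcp --dport ${port} -j DNAT --to-destination ${int}:${port}"
    # filter check: only that port, only new connections; the rest hits DROP
    echo "iptables -A FORWARD -i ${WAN} -o ${LAN} -d ${int} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
    # outbound traffic from that host leaves with its own public address
    echo "iptables -t nat -A POSTROUTING -o ${WAN} -s ${int} -j SNAT --to-source ${pub}"
}

# Base policy, emitted once: forwarding on, default-deny, return traffic allowed.
base_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Full plan: base rules first, then one rule set per mapping.
plan() {
    base_rules
    echo "$MAPPINGS" | while read -r pub int port; do
        [ -n "$pub" ] || continue   # skip the blank lines around the mapping
        rules_for "$pub" "$int" "$port"
    done
}

# Run as root with APPLY=1 to execute the plan; by default it is only printed.
if [ "${APPLY:-0}" = "1" ]; then
    plan | sh -e
else
    plan
fi
```

The script covers the static-address case the reply has in mind; a dynamically assigned second address would need its own DHCP client binding, which this example does not attempt.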