Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pen-testing from DMZ (not 1:1 NAT) any good?

    Firewalling
    2
    3
    257
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      furom
      last edited by furom

      Hi,
      Would it make sense to set up a DMZ (not a 1:1 NAT) for a machine to do pen-testing of pfSense/my network?

      Question I have with this is to begin with, the DMZ is still sort of inside the firewall right? Or is it to be considered WAN/internet? My other options is to get a cloud server somewhere, but rather not if possible.

      Then if, using my SG-2100, will a VM in Proxmox on a VLAN be an OK way to set this up or are there good/better ways?

      Thanks

      Dobby_D 1 Reply Last reply Reply Quote 0
      • Dobby_D
        Dobby_ @furom
        last edited by

        @furom

        A DMZ is for devices with a permanent or time to time
        internet access like servers and so the LAN side becomes
        not affected from this and stay save.

        Pen testing is best done from outside of your network and/or
        inside also, if you are in a company network with regulations.

        You may pen testing your WAN side and your WiFi side to
        "go in" or enter your LAN.

        #~. @Dobby

        Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
        PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
        PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

        F 1 Reply Last reply Reply Quote 0
        • F
          furom @Dobby_
          last edited by

          @dobby_ Thanks, yes I know it is best done from outside, but have limited possiblity for that so wonder if the setup I suggested will be useful and secure for this or not.
          But perhaps using another firewall in front of pfSense and a raspberry pi or similar in between to use as pen-tester would create the same effect... As pfSense is what I want to test, it should be sufficient, right? As long as just connecting to pfSense WAN, and using a dedicated monitor/tbg/mouse for the RPi...

          1 Reply Last reply Reply Quote 0
          • First post
            Last post