DMZ bridged to WAN cannot reach LAN
-
@babiz said in DMZ bridged to WAN cannot reach LAN:
@lalex86 yes, you have missed the basics of network security?
I totally agree with what @johnpoz and @stephenw10 write, but if you want to explore new ways to make the firewalling concept work, I advise you, first of all, to add ...more NICs to your server, and reserve one NIC for the DMZ and another for the LAN.
This way, you can handle connections of any kind, with a proper configuration for each one, with the standard firewalling concept in mind.
More NICs, more fun! hahah lool
Please forgive me
Oh, I disagree! Once you breach that one system, since it's on both networks, you now have access to both.
-
@tim-mcmanus You are right!
Anyway, my next goal for the coming weeks is to make something like pfSense+xpenology virtualized together on a Linux-based host with VirtualBox!
I have no idea if this is "secure" enough, but I love more NICs on my older Xeon E5 bare-metal 16-core CPU! ghhh just starting with 16 GB of RAM; I also love the Xeon motherboard architecture. It's for tough server stuff.
Sorry for the OT, I'm kicking out. -
Thx all, but you are going beyond what I'm saying and asking :).
You are referring to scenarios different from mine:
- there are 3 (virtual, because it's all in a Proxmox environment) NICs (wan, lan, dmz)
- the NAS is in the LAN
- the LAN contains only some virtual desktops accessed remotely
- the NAS has a share dedicated (with protocol and user credentials) to the host in the DMZ...
- actually the whole virtual infrastructure is protected by a VPN and only the SSH port is opened to the DMZ, with certificate authentication...
Anyway, the main purpose of this topic was to better understand pfSense internals and routing.... not security issues, which I know about.
Thx
Alessandro -
Moreover ...
The host in the DMZ will run a git server and an ownCloud server...
Where should ownCloud files (usually replicas of private data) live?
thx
Alessandro -
I think the main point here is that the best practice is to store only the minimal amount of data required in the DMZ and limit access to anything on the LAN to only what is required.
However you have to make some assessment of the risk. Is the git server going to be open to the world or only restricted source IPs?
The term DMZ used here implies it is exposed and needs to be walled off from other subnets but that might not be the case. Or at least not in the traditional sense.
Steve
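As an added example (not from the thread, and not pfSense's own configuration), here is what Steve's "limit access to anything on the LAN to only what is required" and "only restricted source IPs" look like written as pf rules, the packet filter pfSense runs underneath its Firewall > Rules GUI. Interface names, subnets, the NFS port for the NAS share, and the allowed git client range are all assumptions; the DMZ is assumed to be its own routed subnet rather than bridged to WAN.

```pf
# Added example, not from the thread or from pfSense: pf(4) rules for the
# layout the OP describes (WAN, LAN with NAS and virtual desktops, DMZ with a
# git/ownCloud host). Every name, address and port below is assumed.

# --- macros (assumed values) ---
wan_if   = "vtnet0"
lan_if   = "vtnet1"
dmz_if   = "vtnet2"
lan_net  = "192.168.10.0/24"
dmz_net  = "192.168.20.0/24"
nas      = "192.168.10.5"      # NAS on the LAN
dmz_host = "192.168.20.10"     # git + ownCloud host in the DMZ

# --- tables ---
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Steve's "restricted source IPs" for the git server; TEST-NET-3 as a placeholder.
table <git_clients> const { 203.0.113.0/24 }

# --- options ---
set skip on lo0

# --- translation (must precede the filter rules in pf.conf) ---
# Only the allowed client range is even forwarded to the git server's SSH port.
rdr on $wan_if proto tcp from <git_clients> to ($wan_if) port 22 -> $dmz_host port 22

# --- filtering: default deny, then explicit holes with "quick" ---
block in log all

# DMZ -> LAN: exactly one host, to one NAS, on one share protocol (NFS assumed;
# an SMB share would be 445/tcp instead).
pass in quick on $dmz_if proto tcp from $dmz_host to $nas port 2049 keep state
# Anything else from the DMZ toward any private range is dropped and logged.
# This is the rule that keeps a compromised DMZ host away from the virtual desktops.
block in log quick on $dmz_if from $dmz_net to <rfc1918>
# DMZ hosts may still reach the Internet.
pass in quick on $dmz_if from $dmz_net to any keep state

# LAN -> DMZ: only SSH (the OP's "only the SSH port is opened"); key-only
# authentication is enforced by sshd on the host, not by the firewall.
pass in quick on $lan_if proto tcp from $lan_net to $dmz_host port 22 keep state
# No other LAN -> DMZ path; LAN -> Internet stays open.
block in log quick on $lan_if from $lan_net to $dmz_net
pass in quick on $lan_if from $lan_net to any keep state

# WAN -> DMZ: pf filters after rdr, so the rule matches the translated address.
pass in quick on $wan_if proto tcp from <git_clients> to $dmz_host port 22 keep state
```

Syntax-check a file like this with `pfctl -nf <file>` before loading it. On pfSense itself you would build the same thing in the GUI, and the ruleset it actually generated can be read in /tmp/rules.debug to compare against what you intended. The `block ... to <rfc1918>` line on the DMZ interface is the one that answers the "breach that one system, you now have access to both" objection above: the DMZ host gets the NAS share and the Internet, and nothing else.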