  • How would I build a DMZ home network lab with external and internal firewalls using pfSense?
    Should I use two instances of pfSense, or can one instance accomplish this?

  • No need for two routers for home use DMZ in my opinion.

    Use VLANs or different LAN interfaces on the router for your LAN & DMZ and two switches.

    If you use VLANs you'll need a switch that supports 802.1q.

    On the DMZ interface block traffic to the LAN interface addresses.

  • What is the disadvantage of deploying two instances? I find it to be straightforward.

  • Just seems to be a bit of an overkill tbh.

  • You could also do this with three NICs and two switches.

    NIC 1 -> WAN
    NIC 2 -> LAN
    NIC 3 -> DMZ

    Set up your FW rules so that connections can go into the DMZ, but nothing can initiate a connection out of it. Then you're done. You'll have the physical segmentation you're looking for, and it's relatively inexpensive and fairly simple to do this.
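
Added example (not part of the thread and not pfSense's own code): a small Python model of the three-NIC rule set described in the posts above, evaluated the way pfSense interface rules are (on the interface where traffic arrives, top-down, first match wins, default deny), including what happens when the DMZ rules are put in the wrong order. The subnets, the published port 443, the sample flows and all names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab addressing (an assumption, not taken from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")
DMZ = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: ipaddress.IPv4Network   # destination network the rule matches
    port: int = 0                # 0 matches any destination port

# One ordered rule list per ingress interface (NIC 1/2/3 in the thread).
RULES = {
    "WAN": [Rule("pass", DMZ, 443)],   # only the published DMZ service (assumed port)
    "LAN": [Rule("pass", ANY)],        # LAN may open connections into DMZ and out
    "DMZ": [Rule("block", LAN), Rule("block", ANY)],  # DMZ initiates nothing
}

# Failure mode: a broad pass placed above the LAN block shadows it.
MISORDERED = dict(RULES, DMZ=[Rule("pass", ANY), Rule("block", LAN)])

def allowed(rules, iface, dst, port):
    """Decide a NEW connection arriving on iface: first match wins, default deny.
    Replies to passed connections use the state table and are not evaluated."""
    addr = ipaddress.ip_address(dst)
    for rule in rules[iface]:
        if addr in rule.dst and rule.port in (0, port):
            return rule.action == "pass"
    return False

# Constructed flows: (ingress interface, destination, port, intended decision).
FLOWS = [
    ("LAN", "192.168.20.10", 22, True),    # admin from LAN into DMZ
    ("WAN", "192.168.20.10", 443, True),   # internet to published service
    ("WAN", "192.168.20.10", 22, False),   # unpublished DMZ port
    ("WAN", "192.168.10.5", 443, False),   # internet straight to LAN
    ("DMZ", "192.168.10.5", 445, False),   # DMZ host reaching into LAN
    ("DMZ", "203.0.113.7", 443, False),    # DMZ host calling out
]

def violations(rules):
    """Return the flows whose decision differs from the intended policy."""
    return [f[:3] for f in FLOWS if allowed(rules, *f[:3]) != f[3]]

if __name__ == "__main__":
    print(violations(RULES), violations(MISORDERED))
```

With the intended ordering no flow violates the policy; with the misordered DMZ list both DMZ-initiated flows are passed, which is the kind of rule-order mistake worth testing for after any change to the DMZ tab.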

