Netgate Discussion Forum

Security with Bridge/DMZ before pfSense box, potential for vulnerability?

General pfSense Questions
    6 Posts 3 Posters 788 Views
srytryagn (last edited by srytryagn):

Spoke to the pfSense team; they told me DMZ mode from a modem/router combo to a pfSense box is a security risk.

1. Does there exist a potential vulnerability when running a modem/router combo in BRIDGE mode into a pfSense box? Is bridge mode safe, or does it create a weak point in the network that can be exploited?

2. If DMZ and Bridge mode are not secure, is my best option to seek out a modem that has no capability other than BEING A MODEM to connect to the pfSense box?

stephenw10 (Netgate Administrator):

Yes, something that is only a modem is what you should be aiming for. It passes the public IP directly to pfSense and has no further part in traffic routing. That means the modem device is not exposed to the internet, since it has no public IP, and cannot restrict traffic to/from pfSense.

Some sort of bridge mode is usually close to that, but the modem/router may still have an IP that's accessible, depending on what the ISP does.

In DMZ mode the router sends all traffic to pfSense, but the public IP remains on the upstream router, meaning its own firmware must be maintained and secure. And in DMZ mode, since it is basically running a 1:1 NAT, it still has to pass all the traffic, so you are limited by its routing and state tables, which are usually far smaller than what can be configured in pfSense.

Steve

AndyRH:

I am going to agree/disagree.
My ATT router only gives me the choice of DMZ mode for pfSense. Because I cannot stop it from having a routable address, I have not increased my attack surface by using the DMZ mode.

o||||o
7100-1u

stephenw10 (Netgate Administrator):

Indeed, I would agree it's no less secure than running the upstream device in standard router mode.

But I would argue it's less secure than just having a modem that's not addressable.
What vulnerabilities exist in your modem/router? Do you have any way of finding out? And if you did, is there anything you can do about it?

Steve

srytryagn (replying to stephenw10):

@stephenw10 At this juncture I am looking for a simple ADSL modem, rather than a combo router device, to plug directly into pfSense, which is what is recommended.

Based on the previous comments it appears that I need to make sure it is not addressable; now, how you do that I do not understand at all. Would you please let me know what you mean?

stephenw10 (Netgate Administrator):

Anything that is just a modem will not be addressable outside its own segment.
It might have a management interface, but it will be using a non-routable private IP address.

What sort of DSL service are you connecting to?

Steve

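A check that follows from Steve's point about where the public IP ends up, added here as an example and not code from the thread or from pfSense: given the address the pfSense WAN interface received (and optionally the upstream device's management address), it infers whether the upstream box is passing the public IP through or is NATing in DMZ/router mode and therefore still owns an internet-facing address. The range table and sample values are constructed; 203.0.113.0/24 is a documentation range standing in for a real public address.

```python
import ipaddress
from typing import Optional

# Ranges that can never be an ISP-assigned public address: RFC 1918, RFC 6598
# carrier-grade NAT, link-local and loopback. Listed explicitly so the result
# does not depend on how a given Python version defines is_private/is_global.
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),
    "link-local": ("169.254.0.0/16",),
    "loopback": ("127.0.0.0/8",),
}


def scope(ip: str) -> str:
    """Name the non-public range an IPv4 address falls in, or return 'public'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NON_PUBLIC.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return "public"


def classify_wan(wan_ip: str, modem_mgmt_ip: Optional[str] = None) -> dict:
    """Infer the upstream device's role from the address on pfSense's WAN.

    upstream_exposed is True when the upstream box still owns the public IP
    (DMZ / router mode), so its own firmware is what the internet talks to.
    """
    wan_scope = scope(wan_ip)
    if wan_scope == "public":
        mode, exposed = "bridge-or-modem", False   # pfSense holds the public IP
    elif wan_scope == "rfc1918":
        mode, exposed = "dmz-or-router-nat", True  # upstream device NATs for us
    elif wan_scope == "cgnat":
        mode, exposed = "isp-cgnat", None          # ISP NATs; box role unknown
    else:
        mode, exposed = "no-wan-lease", None       # link-local/loopback: no lease
    result = {"wan_scope": wan_scope, "upstream_mode": mode,
              "upstream_exposed": exposed}
    # A plain modem's management interface sits on a private range and is only
    # reachable from its own segment; a public one is addressable from outside.
    if modem_mgmt_ip is not None:
        result["mgmt_reachable_from_internet"] = scope(modem_mgmt_ip) == "public"
    return result


if __name__ == "__main__":
    # Constructed sample: WAN got a private lease, upstream mgmt on 192.168.100.1
    print(classify_wan("192.168.1.2", "192.168.100.1"))
```

On pfSense the WAN address to feed in is the one shown under Status > Interfaces; a private or CGNAT address there means something upstream is still doing the NAT.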