Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DMZ 1 firewall vs DMZ 2 cascaded firewalls

    NAT
    2
    3
    713
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Bambos
      last edited by

      Hello Everyone,

      I'm thinking how to implement DMZ (exposed) network + Private LAN on same pfsense box, or with 2 different hardware firewalls.

      I'm aware that in theory we can set rules on DMZ interface and LAN interface to have appropriate security and isolation, but i wanted to ask if there is any difference on implementation when 2 cascaded firewalls are used.

      Does pfSense treat all interfaces the same ? What's the technical difference between WAN and LAN interfaces? WAN has all blocked by default, LAN has anti-lockout rule and allow all rule on LAN by default. It seems to me that some operations are not the same between WAN and LAN, so i'm wondering if there is any benefit of having the 2nd configuration setup.

      Any suggestions appreciated.

      0c4a0aff-2883-4d99-a3e8-dff516d222da-image.png

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Bambos
        last edited by

        @bambos There is really zero reason to do 2 other than more complication, etc..

        All interfaces are default deny, all!! of them - its just out of the box lan has a allow rule pre created is all. And yes an anti lockout rule - which both of which can be changed/disabled.

        The really only difference with wan, is outbound nat is set to that interface.. And it blocks bogon and rfc1918 - again both of which could be turned off if so desired.

        I see no reason to do with 2 what you can do with 1 device - more complication, more power, another thing that could fail, etc..

        Reasons for downstream router/firewall are many - but creating a "dmz" wouldn't be a good one if you ask me..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        B 1 Reply Last reply Reply Quote 0
        • B
          Bambos @johnpoz
          last edited by

          @johnpoz thank you, is clear.

          im expecting a 6 port device to arrive for this configuration. If i have any questions i will post again. Thank you.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.