Netgate Discussion Forum

    Pen-testing from DMZ (not 1:1 NAT) any good?

    • furom (last edited by furom)

      Hi,
      Would it make sense to set up a DMZ (not a 1:1 NAT) for a machine to do pen-testing of pfSense/my network?

      The question I have with this, to begin with, is: the DMZ is still sort of inside the firewall, right? Or is it to be considered WAN/internet? My other option is to get a cloud server somewhere, but I would rather not if possible.

      Then, if using my SG-2100, will a VM in Proxmox on a VLAN be an OK way to set this up, or are there good/better ways?

      Thanks

      • Dobby_ @furom

        @furom

        A DMZ is for devices with permanent or occasional
        internet access, like servers, so that the LAN side is
        not affected by this and stays safe.

        Pen testing is best done from outside of your network and/or
        inside also, if you are in a company network with regulations.

        You may pen test your WAN side and your WiFi side to
        "go in" or enter your LAN.

        #~. @Dobby

        Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
        PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
        PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

        • furom @Dobby_

          @dobby_ Thanks, yes, I know it is best done from outside, but I have limited possibility for that, so I wonder if the setup I suggested will be useful and secure for this or not.
          But perhaps using another firewall in front of pfSense and a raspberry pi or similar in between to use as pen-tester would create the same effect... As pfSense is what I want to test, it should be sufficient, right? As long as just connecting to pfSense WAN, and using a dedicated monitor/tbg/mouse for the RPi...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.