What is the difference between DMZ and LAN?



  • Hi

    I'm new to pfSense, eager to learn and just looking for a bit of newbie advice. :D

    I've seen this term DMZ before and I've done a bit of scavenging online and found out that a DMZ is a separate subnet from your local area network that has all ports open and is vulnerable to attack from the Internet. Correct me if I'm wrong :)

    Of course, as a casual home user with about 8 users on my home network, I most likely wouldn't have a file, email or web server for me to create a DMZ with. Though a few days ago I came across this post on pfSense and it had me concerned.
    https://forum.pfsense.org/index.php?topic=95324.0

    In the post, as he is setting up his firewall rules for his DMZ subnet, he basically creates all his rules based on the ones that are set up in LAN.
    So, if he basically copied and pasted the settings from LAN for his new interface, what makes this new interface different such that it is a DMZ rather than just another separate subnet?

    When setting up pfSense for the first time, does your LAN default to all ports open? Is that why the guy referred to his second interface as a DMZ?

    Hey, thanks for making it this far through my post. Hope I haven't bored you with all my simple questions that are probably common sense for pfSense veterans.

    Thanks in advance,
    Michael L.



  • Ummmmm…  Night and day?

    DMZ is all exposed to the net and LAN is usually not exposed at all.


  • Netgate

    @FroToast:

    I've seen this term DMZ before and I've done a bit of scavenging online and found out that a DMZ is a separate subnet from your local area network that has all ports open and is vulnerable to attack from the Internet.

    I'd say that normally (there may be special cases) only stupid or very lazy people have a DMZ deliberately wide open.

    Just like every other network, a DMZ should only be as open as is required for the necessary services to run. The definition of a DMZ to me is that it contains the server(s) exposed to the outside world and therefore needs to have at least some service(s) open.

    Also with outbound rules, I'd say that it makes much sense to have very restrictive rules on a DMZ.



  • So, my guess as to what a DMZ is was correct. However, what I don't understand is why the poster of this thread indicated his second interface to be a DMZ. He has set up his firewall rules based on the ones in the LAN. What's the difference here?
    https://forum.pfsense.org/index.php?topic=95324.0

    I'm assuming pfSense automatically sets up the LAN in a way that blocks and allows the appropriate ports by default, upon first setup and installation.



  • @FroToast:

    However, what I don't understand is why the poster of this thread indicated his second interface to be a DMZ. He has set up his firewall rules based on the ones in the LAN. What's the difference here?

    I couldn't be bothered to read the thread carefully (it's detailed and to me uninteresting) but as far as I can tell from a glance he copied the LAN default allow rule, so no restrictions whatsoever on outgoing traffic. The big difference with the DMZ is that in addition to not having any outbound rules, one host is also wide open from the outside. So yes, it's a very unsafe DMZ.

    The rest of the thread discusses that he should have used UPnP instead. I don't like UPnP either, but if it is absolutely necessary for the application, UPnP on a DMZ is much, much better than what he did.

    I'm assuming pfSense automatically sets up the LAN in a way that blocks and allows the appropriate ports by default, upon first setup and installation.

    The LAN by default allows everything going out. It's a default setting that could be questioned, but I guess the thinking is that the default should be the same as on all home routers, to lower the learning threshold for those moving up from that simple environment. It's very easy for all those that have a clue about security to remove the default allow rule and thereby get the recommended default deny. Of course, traffic initiated from the outside (WAN interface rules) is by default denied.

    But defaults are only that, something to start your own configuration from. It's not what you use.


  • Netgate

    There is also confusion about the term DMZ.

    Consumer router manufacturers use DMZ to mean the inside IP address to which all unsolicited traffic into WAN is forwarded.

    That is completely different from what an actual firewalled DMZ network segment is.
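The two points made in the last two posts, the LAN interface's "allow to any" default being copied onto a DMZ interface, and the consumer-router "DMZ host" that forwards every unsolicited WAN connection to one inside address, can be made concrete with a small model of first-match rule evaluation. This is an added example written for this page, not code from the thread or from pfSense itself (pfSense generates pf rules from its GUI; this only models the matching logic). The interface names, the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ, the web server 192.168.2.10 and the sample connections are all constructed for the example. As in pfSense, the WAN rules here are matched against the inside destination address, i.e. after port-forward NAT has been applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (documentation ranges only).
LAN_NET, DMZ_NET = "192.168.1.0/24", "192.168.2.0/24"
FW_DMZ_IP = "192.168.2.1"       # firewall's DMZ-side address (runs the DNS resolver)
WEB = "192.168.2.10"            # the one server we want reachable from the Internet
FILESERVER = "192.168.1.20"     # a LAN host the DMZ must never be able to touch
INTERNET = "203.0.113.50"       # some host out on the Internet
ATTACKER = "198.51.100.7"       # some other host out on the Internet


@dataclass(frozen=True)
class Flow:
    """A new connection as the firewall sees it on the interface it arrives on."""
    iface: str   # "wan", "lan" or "dmz"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str     # for WAN flows: the inside address after port-forward NAT, as in pfSense
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str
    proto: str = "any"
    src: str = "any"             # single host, CIDR, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.iface == flow.iface
            and rule.proto in ("any", flow.proto)
            and _addr_match(rule.src, flow.src)
            and _addr_match(rule.dst, flow.dst)
            and rule.dport in (None, flow.dport))


def evaluate(rules, flow):
    """First matching rule wins (pfSense rules are 'quick'); no match at all
    means the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.label
    return "block", "implicit default deny"


# What pfSense installs on LAN out of the box.
LAN_RULES = [Rule("pass", "lan", src=LAN_NET, label="Default allow LAN to any")]

# The thread's setup: the LAN rule copied onto the DMZ, plus a consumer-router
# style "DMZ host" that passes every unsolicited WAN connection to one box.
WEAK_DMZ = LAN_RULES + [
    Rule("pass", "dmz", src=DMZ_NET, label="copied LAN default allow"),
    Rule("pass", "wan", dst=WEB, label="DMZ host: everything to one IP"),
]

# A least-privilege DMZ: publish one service, forbid DMZ->LAN *before* any
# outbound allow (order matters under first match), and permit only the
# outbound traffic the server actually needs.
HARDENED_DMZ = LAN_RULES + [
    Rule("pass", "wan", "tcp", dst=WEB, dport=443, label="publish HTTPS only"),
    Rule("block", "dmz", src=DMZ_NET, dst=LAN_NET, label="DMZ may never reach LAN"),
    Rule("pass", "dmz", "udp", src=WEB, dst=FW_DMZ_IP, dport=53, label="DNS to firewall"),
    Rule("pass", "dmz", "tcp", src=WEB, dport=443, label="HTTPS out for updates"),
]

# Constructed sample connections to push through both rulesets.
FLOWS = {
    "internet_to_web_https": Flow("wan", "tcp", ATTACKER, WEB, 443),
    "internet_to_web_ssh":   Flow("wan", "tcp", ATTACKER, WEB, 22),
    "web_to_lan_smb":        Flow("dmz", "tcp", WEB, FILESERVER, 445),
    "web_to_internet_https": Flow("dmz", "tcp", WEB, INTERNET, 443),
    "web_to_internet_smtp":  Flow("dmz", "tcp", WEB, INTERNET, 25),
    "lan_to_internet_https": Flow("lan", "tcp", FILESERVER, INTERNET, 443),
}


def decisions(rules):
    """Map each sample flow name to the action the ruleset takes on it."""
    return {name: evaluate(rules, flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    weak, hard = decisions(WEAK_DMZ), decisions(HARDENED_DMZ)
    print(f"{'flow':24}{'copied LAN rules':18}hardened DMZ")
    for name in FLOWS:
        print(f"{name:24}{weak[name]:18}{hard[name]}")
```

Run as a script, the weak ruleset passes every sample flow, including SSH from the Internet to the web server and the web server opening SMB to a LAN file server, because both copied rules have destination "any". The hardened set passes only the published HTTPS, the DNS and update traffic the server needs, and the LAN's own outbound; the DMZ-to-LAN hop is stopped by an explicit block placed ahead of the outbound allows, and anything not listed falls through to the implicit deny.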



  • What is the difference between DMZ and LAN?

    Often administrators get into a trap because they have servers that must have contact with the Internet, but by opening ports they would leave their entire LAN unsecured and reachable from the Internet. To work around this, they leave the LAN side untouched and create a so-called DMZ where they can place their servers, opening ports and forwarding them to these servers so that they can work as they were made to. There are three main versions of a DMZ and many hundreds or perhaps thousands of sub-versions.

    • Exposed host = pseudo DMZ
    • Real & dirty DMZ = one device with a dedicated or hardware-realized DMZ port
    • Real & clean DMZ = two devices (border & LAN firewall) with the so-called DMZ between them

    I've seen this term DMZ before and I've done a bit of scavenging online and found out that a DMZ is a separate subnet from your local area network

    It is the subnet containing all the devices that have direct or indirect contact with the Internet and that could harm the entire LAN. To separate these devices, and the security boundary, from the LAN, a DMZ is mostly a really good choice for an administrator.

    that has all ports open and is vulnerable to attack from the Internet. Correct me if I'm wrong :)

    You are mostly wrong with this statement, for sure! In some rare cases it would be good to have all ports open, if you run a "honey pot" or test some things in a lab for a longer time.

    Creating a DMZ is very easy, but defending and securing this DMZ with all the servers inside is the real goal for admins, as I see it. I even want to set up a DMZ to place some devices inside that must be reached from the outside or through the Internet, like a NAS, iTV, gaming console, Internet radio, etc., so that no ports must be opened but all devices can easily be reached via VPN, and they are not disturbing the entire LAN traffic or causing issues there. So with no open ports on the WAN interface, a home user is not in the situation of having to secure or defend his DMZ against somebody.



  • @Derelict:

    Consumer router manufacturers use DMZ to mean the inside IP address to which all unsolicited traffic into WAN is forwarded.

    Yes unfortunately that marketing lie is what most people think is a DMZ. That's probably also the reason so many think a DMZ must/should be wide open…



  • I'd have to agree with some others here. A DMZ is simply a fully open zone that allows all inbound traffic to said subnet.

    It differs from a normal subnet because a normal subnet would be firewall protected and only allows inbound traffic via rule sets. However a DMZ simply says "fuck it, I'm lazy" and allows all inbound traffic to said subnet and the devices in it.

    The only two reasons I would ever recommend using a DMZ are for troubleshooting, such as NAT issues with the PlayStation. The PlayStation could be placed on a DMZ to get full NAT, troubleshoot which ports are used, etc.

    Or for a honey pot, which is basically just a device you set out to the open world to allow attackers to attempt to hit it, to record their information and report them, or for penetration testing reasons, etc.

    Other than that, I'd never recommend using a DMZ. Instead use a firewall protected subnet and make rule exceptions as needed to that subnet.



  • @AndroBourne:

    A DMZ is simply a fully open zone that allows all inbound traffic to said subnet.

    Just not correct.

    But that was discussed two years ago so it's probably not really useful to revive this old thread.



  • @jahonix:

    @AndroBourne:

    A DMZ is simply a fully open zone that allows all inbound traffic to said subnet.

    Just not correct.

    But that was discussed two years ago so it's probably not really useful to revive this old thread.

    I'm a network engineer. I do this type of stuff for a living.

    Every firewall vendor defines a DMZ differently. For WatchGuard, for example, it is simply another isolated subnet, still secured by the firewall and not completely open to the internet. A SonicWall is a totally different story. It is as I described: an isolated, open subnet that allows all inbound traffic to said host.

    Either way it's defined, a DMZ is a lazy man's method. You are better off creating a secondary secure subnet\interface and controlling the traffic properly with port triggering\forwarding.

    Also, there is nothing wrong with reviving an old thread if it is still relevant. There is actually no reason to restart a thread on the same topic if it has already been covered… it is also at the top of searches within the pfSense forums and still an open thread.

    Just for your knowledge...

    https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/whats-the-difference-between-dmz-host-and-dmz-subnet/

    "Setting up a DMZ host will open a single host completely to the WAN, and all packets will be forwarded to this single host"

    and then exceptions follow, such as set port forwarding rules or policies, etc.



  • In former days, depending on many different network layouts or constructions, or simply based on many different needs, in the late 70s and early 80s, SANS in the USA defined three main types of demilitarized zones (DMZs) and one subdivision of one of them. And to this day "we" are all able to speak about the same thing when we say we have this or that type of DMZ. That makes things much easier, and we don't end up talking about something on the right side while all the people or listeners are looking to the left side! So that is why I am talking about it in this way; others may have other opinions and knowledge on this, and for sure I don't want to bother them, but that's how I know it.

    DMZ 1 - A real DMZ (dual-homed or bastion host)
    Two routers or firewalls behind each other (router cascade)

    DMZ 2 - "Pseudo DMZ"
    It is an "exposed host" that lets all traffic through unfiltered

    DMZ 3 (a) - Unreal DMZ (one device with a DMZ port)
    One firewall or router with a dedicated port that homes the DMZ subnet; ports can be opened and protocols can be forwarded

    DMZ 3 (b) - Unreal DMZ (one device with its own dedicated hardware DMZ port)
    The same as variant (a), but the DMZ port is not connected to the internal switch chip or CPU like the other ports

    There will surely be hundreds to thousands of other available constructs and possible ways to go, but they can all be mapped to one of these three main types of DMZs, so that we are all talking about the same thing!

    If I set up an unreal DMZ, I don't have to open all ports and allow all protocols; I only need to open and forward what the servers inside the DMZ are offering as a service, nothing more. And this can be inspected by DPI or, usually in that case, with an IDS/IPS system. Also, a proxy can sit between the servers and the Internet so that no one has direct contact with those servers to play with.

    A DMZ is a lazy man's method.

    And now the master question here: what kind of DMZ are you talking about in that case?

    You are better off creating a secondary secure subnet\interface and controlling the traffic properly with port triggering\forwarding.

    If someone is demanding a bigger security requirement than others, perhaps a firewall with a dedicated DMZ port is the baseline he should walk on.