Return to Level1Techs.com

Dmz?


#1

Hey all!

I’m wondering how I can create a test domain at my home network.
I have a pfSense router/firewall, which acts as my DHCP service - but I want to create a separate network which would have a single server, that would be my domain controller, wds/mdt server, hyper-v & DHCP server…

Am I in the right train of thought that I would need to create a DMZ from my pfSense router / firewall?

Thanks.


#2

Either create a vlan for the dmz or if you have a physical interface open, you can define a new dmz subnet on that interface.

Worth noting that a dmz is traditionally between the edge router/firewall and the lan router/firewall, but for your case, an isolated subnet is what you want.


#3

Awesome. Thank you for that info!
In this scenario I have 2 of 4 ports open on pfSense box, one of the open ports would be used to create a new DMZ Subnet.
Would I then need another switch for that DMZ for my server to connect to as well as other devices within this DMZ?


#4

You can use an additional switch or use a vlan on your existing switch.


#5

Great. Thanks!


#6

If it’s only one server you can connect it directly to the port on the pfsense machine, you’d only need another switch of you wanted more devices on that network.


#7

I’d want more devices in the DMZ (correct me if I’m not using the correct terminology /understanding).
In your opinion would be easier to create a DMZ from a port on my pfSense box, connect that to a separate switch and then my server and other devices on that test domain? Or is that just over complicated…

The background to this is that I need to stand up a Windows Server that acts as my imaging server as well as DHCP server. I then want to test several devices on that network.


#8

DMZ isn’t what you’re describing, a DMZ is a network between the local networks and the Internet where you put the web facing servers like Web or mail servers, so it’s a local network but it’s treated as insecure like the Internet.

What your talking about is just another subnet/network.

You can use two separate physical sets of network hardware or a single set using VLANs, it’s the same difference either way, you’ll have two separate networks connected via a router.

If you want this dhcp server to serve devices on another network you will need some kind of dhcp relay to forward the traffic between networks as broadcast traffic isn’t routed. I think pfsense has a dhcp relay built in.


#9

I concur with everything @Dexter_Kane has said.


#10

as above @dexter_kane is on the money.

As to terminology…

a DMZ is from military terminology (probably specifically korea) - De-militarised zone. North and South Korea have stretch of land between them called the DMZ, which is basically like no man’s land between the two countries.

Basically network-wise, its a place (VLAN or different physical switch) behind your firewall that is somewhat protected from the internet, but allows specific traffic through to hardened edge servers that you want to have outside your protected network (but not directly on the internet).

its a halfway house, if you will for semi-trusted machines that you want outside of your “inside” network in case they get hacked. Anything in the DMZ should be hardened as much you are capable of, as these machines are still partially exposed to the internet. anything in the DMZ should also not be a server that permanently stores any sort of data (in the case of a mail relay, it is store and forward to the internal server, only in flight data sits on it while it is being processed).

so, things like domain controllers, etc. do not belong there. they’re too vulnerable and not hardened. they permanently store large amounts of private information that you don’t want to be stolen.

think: hardened DNS servers, hardened mail relay servers, reverse web proxies, malware scanning proxy servers, etc. all those sorts of things belong in your DMZ. The idea is that even if these machines get hacked via some protocol exploit for the service they host, they have limited ability to get back into the fully protected “inside” network to act as a launchpad to hack that.

Active directory, mailbox servers, etc. should be on your inside network, either on the same network as your clients or ideally (if you can afford the complexity) on a server network that is protected somewhat from your users (modern stance is that even inside network users are untrustworthy bastards who may either get hacked (web exploit, home internet connection, internet cafe, etc.) or try to hack your stuff themselves).


#11

Very good. Thank you for all the info everyone.


#12

In short: If you don’t know what a DMZ is or does, you really don’t want to put one in your network.
I’m not judging. Network security is a complex and big subject, with a plethora of inconspicuous details.

It’s super easy to practically bypass any firewall security, if you need some DMZ service to access something on your local network, unless properly configured and hardened.