Network Advice; WAN, LAN, DMZ

  • Howdy, people.


    So I was curious what your thoughts [facts] were on a network layout.

    Currently I just do the WAN/LAN thing, and give/deny access to various hosts but was curious about DMZ implementation.


    WAN - Duh?


But my network is thus:


LAN - Mixture of devices such as email server, web server, NAS server, wifi [TV and game consoles, phones, etc.]. So everything, be it for fun or my legitimate servers, is on LAN.

    DMZ - What would go in the DMZ?

  • I have a pfSense which runs as my firewall/router. I then have a few switches with an AP for wifi. I don't use DMZ and never will. I just have three ports open and need no more {80,443,44444}. I have my network cams and IoT devices on a VLAN going to pfBlocker to remove all the bullshit they send for. Everything else is on the LAN. Mobile devices are using WireGuard.

    Dell 3050 Micro, i5-6500T, 8GB RAM

    Plugins - compose, cputemp, omv-extras, sharerootfs.

    Drives - 512GB SSD boot, 1TB NVMe data, 16TB (8TB x 2 merg) media.

    Docker - dozzle, netdata, nginx-proxy-manager, plex, prowlarr, qbittorrentvpn, radarr, sonarr, watchtower.

  • A typical use for a DMZ network (and by this I mean a real separate network, not the typical 'toy' DMZ concept associated with cheap home NAT routers) is to allow the offering of publicly available network services into a machine that is not connected to the LAN. This protects the LAN from being compromised from the WAN should that exposed DMZ machine become taken over.


    An obvious single use case example would be a mail server that handles email for a domain.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • Again, a lot of my questions are half curious half how to implement.

    I was looking at IPFire and noticed they had a 3 NIC setup, which I would assume is the more legitimate "real" DMZ using the 3rd NIC, separate subnet. Then I started wondering what all would go in there, but as you said, those important things that are commonly accessible, but kept away from the LAN. Email servers and such... I kinda got confused 'cause I always remember seeing "put your Xbox in the DMZ" and I was like, what an odd thing to have there.

  • I kinda got confused 'cause I always remember seeing "put your Xbox in the DMZ" and I was like, what an odd thing to have there.

    Typical and common confusion seen when trying to mix serious networking business with inadequate 'toy' caliber hardware.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 7.x on headless Chenbro NR12000 1U 1x 8m Quad Core E3-1220 3.1GHz 32GB ECC RAM.

  • That is a very general question and there are probably as many answers as users.

    I have 4 separate VLANs:

    a) management (network core devices, switches, router, voip)

    b) private (omv, PCs)

    c) IoT (all local IoT stuff, internet access only for explicit devices and ports, no access from other devices)

    d) Guest (basically DMZ, everything I do not trust: guest wifi, IoT devices which need to talk to the cloud, TV, ...)

    e) technically there is a fifth VLAN just with my upstream manufacturer router and LTE failover

    Routing is done with OpenWRT (for historical reasons).


    Basically, in the private (LAN) VLAN I have only devices I trust, so no Windows, no MS Office, no closed source devices which talk to the internet.

    Unfortunately, the vast majority of network devices still assume that the greatest danger comes "from outside". However, if a computer is infected, the attack continues from the inside. Everything that can be reached from this computer is then at risk. And then you have to think about what risks and what protection you are willing to take. If it's okay that all computers and the NAS are encrypted because my TV manufacturer doesn't make updates, then you don't need all that.
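One way to express that VLAN policy in OpenWrt's firewall configuration, as an added example (not the poster's own config): a zone per VLAN with forwarding rejected by default, internet for private and guest only, and an explicit per-device, per-port exception for IoT. It assumes interfaces named wan, private, iot and guest already exist in /etc/config/network; the management VLAN would be a fifth zone in the same pattern as private, and the IoT device address is a placeholder.

```text
# /etc/config/firewall (added example). Assumes interfaces 'wan', 'private',
# 'iot' and 'guest' are defined in /etc/config/network.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
config zone
	option name 'private'
	list network 'private'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
# iot and guest: no router services and no path to other VLANs unless a rule says so
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'private'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'wan'
# iot still needs DHCP and DNS from the router; repeat this rule with src 'guest'
config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
# one explicit IoT device, one port to the internet (placeholder address)
config rule
	option name 'iot-hub-https'
	option src 'iot'
	option src_ip '192.0.2.50'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

Because the iot zone has no forwarding stanza at all, any IoT device without its own rule is cut off from the internet and from every other VLAN, which is the "internet access only for explicit devices and ports" behaviour described above.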
