Hi,
I can't make up my mind about how to design my home network:
Currently, I have a DSL router providing internet access through an integrated firewall, which routes into a DMZ, where OPNsense picks it up, firewalls it again and sorts the traffic into VLANs where my devices live. This gives me two firewalls: one inside the DSL router and one in OPNsense. The DMZ is not used for anything else (I have no servers placed there.)
Next will be changing my internet access from copper DSL to fiber. With that transition, the DSL router will be exchanged for a fiber modem. Now I could ...
a) connect the fiber modem directly to OPNsense, using the OPNsense firewall and directly route into my VLANs or
b) have a second, dedicated OPNsense box that takes the place of the DSL router, does nothing but "run" the fiber modem, provides the first firewall and routes into the DMZ as before. The other OPNsense would then tap into the DMZ and route into VLANs just as it does now.
I just can't decide what to do:
- Just having my OPNsense/main router handle the fiber modem would be the least hassle with configuration, best performance (no unnecessary hops) and best efficiency (no unnecessary devices consuming energy.) But it would only be "one stage" of firewall.
- Keeping the DMZ would be a more complicated setup, with two-stage firewalls, at "first instinct" heightening security. But with it would come the drawbacks already mentioned, and I'm not sure there even would be a gain in security: If one firewall can be bypassed by an attacker, why can't two? And if I route traffic inbound through the DMZ anyway, what does it matter if it has to pass two OPNsense boxes or just the one? Additionally, the DMZ is not used for placing servers anyway; it's just a pass-through network that serves no other purpose than being a "buffer zone".
What do you think? Do you think a DMZ would actually improve security in this case, or am I just kidding myself?
Regards
Quote from: 150d on March 27, 2026, 11:30:58 PM
b) have a second, dedicated OPNsense box that takes the place of the DSL router, does nothing but "run" the fiber modem
There is a huge chance that your new "Fiber ISP" will provide you either an XGS-PON ONT that will function as a "Bridged Modem" or, if you are unlucky, some kind of "All-in-One" Modem/Router/WiFi device that has a built-in XGS-PON ONT and does not have a Bridged Mode at all.
So having OPNsense with some kind of built-in NIC for XGS-PON Fiber isn't going to work sadly ;)
They do exist, but there is also a huge chance your ISP does not want to support them on their network!
Yes, DMZ's make sense.
If you have IoT, WiFi, etc., you dump them off into the DMZ network so that they don't have open access to your more private/sensitive stuff internally, and you can create specific outbound rules for each device as needed. This is the safer approach.
A 2nd DMZ is also good when say you want to stand up a VPN server for remote access. Park the VPN server/device there.
The general model is to have anything that has a connection to internet (public) do so from a DMZ. Meaning your internal network stuff should use a proxy in the DMZ, this way the proxy is doing the actual connecting to public and not your internal stuff.
Seeing routable IP in a "netstat -na" is cringe-worthy. But, since vendors like to market things as easy P&P UTM etc they do not properly convey a good secure configuration.
Just need one OPNsense fw with multiple NICs to make the secure setup work: WAN, DMZ1, DMZ2, LAN.
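To make the zone layout in the post above concrete (one OPNsense, one leg per zone, IoT and the outbound proxy in DMZ1, the VPN endpoint in DMZ2, default deny everywhere else), here is an added Python model of such a rule table; it is not from the poster or from OPNsense itself, and every address, zone prefix, port and device name in it is a constructed assumption. It maps addresses to zones by prefix, evaluates flows first-match with an implicit default deny, and checks the two properties the post argues for: IoT devices cannot reach the LAN, and LAN hosts reach the internet only through the proxy.

```python
"""Zone-based policy check for a WAN / DMZ1 / DMZ2 / LAN layout.

Constructed example: the prefixes, hosts and rules below are assumptions
made for this illustration, not anyone's real OPNsense configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone plan: one firewall, one interface (leg) per local zone.
ZONES = {
    "LAN":  ipaddress.ip_network("192.168.10.0/24"),   # private/sensitive devices
    "DMZ1": ipaddress.ip_network("192.168.20.0/24"),   # IoT, WiFi, outbound proxy
    "DMZ2": ipaddress.ip_network("192.168.30.0/24"),   # VPN endpoint
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local prefixes is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    src_ip: Optional[str] = None     # restrict to one source host (per-device rule)
    dst_ip: Optional[str] = None     # restrict to one destination host
    dst_port: Optional[int] = None   # restrict to one destination port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and (self.src_ip is None or self.src_ip == src)
                and (self.dst_ip is None or self.dst_ip == dst)
                and (self.dst_port is None or self.dst_port == port))

PROXY = "192.168.20.5"        # constructed: outbound proxy living in DMZ1
VPN_GW = "192.168.30.2"       # constructed: VPN endpoint living in DMZ2
THERMOSTAT = "192.168.20.50"  # constructed: one IoT device with its own outbound rule

# First match wins; a flow that matches nothing is denied (default deny).
RULES = [
    # Internal hosts reach the internet only via the proxy in DMZ1.
    Rule("LAN", "DMZ1", "allow", dst_ip=PROXY, dst_port=3128),
    Rule("DMZ1", "WAN", "allow", src_ip=PROXY),
    # Per-device outbound rule for one IoT device: HTTPS out, nothing else.
    Rule("DMZ1", "WAN", "allow", src_ip=THERMOSTAT, dst_port=443),
    # Remote access terminates on the VPN endpoint in DMZ2 only.
    Rule("WAN", "DMZ2", "allow", dst_ip=VPN_GW, dst_port=51820),
    # Traffic the VPN gateway forwards for authenticated clients may reach the LAN.
    Rule("DMZ2", "LAN", "allow", src_ip=VPN_GW),
    # Explicit deny so the intent is visible in the table, not only implied.
    Rule("DMZ1", "LAN", "deny"),
]

def evaluate(src: str, dst: str, port: int) -> str:
    """Return the first matching rule's action, or 'deny' when nothing matches."""
    for rule in RULES:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"

def audit(flows):
    """Evaluate a list of (src, dst, port) flows and return {flow: action}."""
    return {flow: evaluate(*flow) for flow in flows}

if __name__ == "__main__":
    # 198.51.100.7 is a documentation-range address standing in for "the internet".
    for flow, action in audit([
        ("192.168.10.20", PROXY, 3128),           # LAN -> proxy
        ("192.168.10.20", "198.51.100.7", 443),   # LAN -> internet directly
        (THERMOSTAT, "198.51.100.7", 443),        # IoT -> internet over HTTPS
        (THERMOSTAT, "192.168.10.20", 445),       # IoT -> LAN file share
        ("198.51.100.7", VPN_GW, 51820),          # internet -> VPN endpoint
        ("198.51.100.7", "192.168.10.20", 22),    # internet -> LAN host
    ]).items():
        print(f"{flow[0]:>15} -> {flow[1]:>15}:{flow[2]:<5} {action}")
```

Running it prints one line per flow; the only allowed flows are LAN to proxy, the proxy and the thermostat outbound, and WAN to the VPN port. A LAN host going straight to the internet is denied, which is the "no routable IP in netstat" property the post describes, and it is the explicit `Rule("DMZ1", "LAN", "deny")` plus the default deny that keeps the IoT zone away from the private devices.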
@150d: What you characterize as a DMZ is actually something different, namely a double-firewall setup. Thus, you mix up two questions here.
I would argue that a "real" DMZ, in the notion of having some (potentially exposed) devices on a separate network in order to keep them out of your internal LAN, makes complete sense. By doing that, an attack could not proliferate to your LAN. This would only presume one leg (either physical NIC or VLAN) of one OPNsense to be separated.
What you propose instead has two disadvantages the way you describe it:
1. This is a router-behind-router scenario with double NAT and all of its complications, e.g. port-forwarding must be configured on both firewalls. I would avoid it for the average setup.
2. It does not even have the benefit that some enterprise setups would try to reach by doing such a thing nonetheless: By using two cascaded firewalls of different kind, you could potentially harden your infrastructure against attacks to known vulnerabilities of one or the other. This is not the case with two cascaded firewalls of the same kind.
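Point 1 above (port-forwarding has to exist on both cascaded routers) is easy to see with a small added model of inbound DNAT through one hop versus two; this is illustration code written for this thread, not the poster's configuration, and the addresses (RFC 5737 documentation range on the public side, RFC 1918 for the DMZ transit and the LAN) and the port are constructed assumptions. It walks a destination through each NAT hop in order and shows that with the second forward missing the packet is dropped at the inner OPNsense even though the outer router forwarded it correctly.

```python
"""Inbound port-forward through one vs. two NAT hops (router-behind-router).

Constructed example: all addresses and ports are assumptions for the
illustration, not a real configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass
class NatRouter:
    """A router owning one outside address and a table of DNAT (port-forward) entries."""
    name: str
    outside_ip: str
    forwards: Dict[int, Endpoint] = field(default_factory=dict)  # outside port -> inside target

    def forward(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite a packet addressed to our outside address; None means dropped."""
        ip, port = dst
        if ip != self.outside_ip:
            return dst                   # not addressed to us: routed unchanged
        return self.forwards.get(port)   # no matching forward -> dropped

def traverse(dst: Endpoint, hops: List[NatRouter]) -> Tuple[Optional[Endpoint], List[str]]:
    """Push a destination through each NAT hop in order; return final target and a trace."""
    trace: List[str] = []
    for hop in hops:
        new_dst = hop.forward(dst)
        if new_dst is None:
            trace.append(f"{hop.name}: {dst[0]}:{dst[1]} has no forward -> dropped")
            return None, trace
        trace.append(f"{hop.name}: {dst[0]}:{dst[1]} -> {new_dst[0]}:{new_dst[1]}")
        dst = new_dst
    return dst, trace

# Constructed topology mirroring the thread: ISP router -> DMZ transit -> OPNsense -> LAN.
PUBLIC_IP = "203.0.113.10"        # ISP-facing address on the first router
INNER_WAN = "10.0.0.2"            # OPNsense WAN leg on the DMZ transit network
LAN_SERVER = ("192.168.10.50", 443)

def build_double_nat(inner_forward_configured: bool) -> List[NatRouter]:
    """Two cascaded routers; the inner forward is present or missing as requested."""
    outer = NatRouter("isp-router", PUBLIC_IP, {443: (INNER_WAN, 443)})
    inner = NatRouter("opnsense", INNER_WAN,
                      {443: LAN_SERVER} if inner_forward_configured else {})
    return [outer, inner]

def build_single_nat() -> List[NatRouter]:
    """One OPNsense holding the public address: a single forward suffices."""
    return [NatRouter("opnsense", PUBLIC_IP, {443: LAN_SERVER})]

if __name__ == "__main__":
    for label, hops in [("single NAT", build_single_nat()),
                        ("double NAT, both forwards", build_double_nat(True)),
                        ("double NAT, inner forward missing", build_double_nat(False))]:
        target, trace = traverse((PUBLIC_IP, 443), hops)
        print(f"{label}: reaches {target}")
        for line in trace:
            print("   ", line)
```

The single-NAT case needs one forward and one place to audit it; the double-NAT case needs a matching entry on both routers, and a change on either one (for instance the inner server moving) silently breaks the path, which is the operational complication the post refers to.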