DMZ Question(s)

Started by EasyGoing1, January 16, 2024, 09:28:09 PM

Hello,

Given a setup where OPNsense is running in a virtual machine on an ESXi box, I want to create a VM for off-LAN use that I would want to be segregated into its own DMZ.

I've read discussions about this; some have recommended using two firewalls while others think one is fine, etc. And given the flexibility of having OPNsense in a VM, where adding NICs is not an issue or even installing another OPNsense VM, what would be the best implementation for a DMZ setup?

My thinking on it is that if I use an additional virtual NIC on a new subnet, then punch the port through to the device on that network, while establishing rules that would prevent that device from accessing any ports on the firewall that could be used to compromise it, then make sure that the only destination it can reach is the Internet ... it should be safe enough.

I'm looking for thoughts about that or any experience anyone has had with DMZs and OPNsense.

I realize it would be safer to set up a VPN endpoint in the firewall, but for this use case, that isn't a desired option, so I'm exploring the DMZ scenario.

Thank you,

Mike

Sure. Add a new virtual interface to the firewall VM. Set it up as normal with the required services like DHCP, and by default it'll be on a separate network, i.e. LAN 192.168.1.0/24 and newnetwork 192.168.10.0/24.
By default the new one can't get to the lan. Isolation there.
Then you do your NATing as needed from WAN to newnetwork VM.
Just what you said really.
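The policy both posts describe (DMZ host may reach the Internet only, may not touch the LAN or the firewall's own services, and gets one port forwarded in from WAN), written out as an added example in pf.conf syntax, which is what OPNsense's FreeBSD/pf backend ultimately applies. This is not code from the thread or from OPNsense; the interface names (vmx0/vmx1/vmx2), the 192.168.10.50 host and the 8443 -> 443 forward are constructed assumptions, and in practice the same rules are entered through Firewall > Rules and Firewall > NAT > Port Forward rather than typed into pf.conf.

```pf
# Added illustration in pf.conf notation; not from the thread or from OPNsense.
# Interface names, addresses and the forwarded port are constructed assumptions.
wan_if   = "vmx0"
lan_if   = "vmx1"
dmz_if   = "vmx2"              # the extra virtual NIC added to the firewall VM
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.10.0/24"
dmz_host = "192.168.10.50"     # the VM that lives in the DMZ

# Everything that is not "the Internet": RFC 1918 plus link-local and loopback.
# Blocking this whole table is stronger than blocking only $lan_net, because it
# also covers any VLAN or VPN subnet added later without a rule change.
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                             169.254.0.0/16, 127.0.0.0/8 }

# Translation rules come before filter rules in pf.conf.
# Port forward: WAN tcp/8443 -> DMZ host tcp/443 ("punch the port through").
# "rdr pass" also admits the forwarded connection, so no extra pass rule is needed.
rdr pass on $wan_if inet proto tcp from any to ($wan_if) port 8443 \
    -> $dmz_host port 443

# Filter rules on the DMZ interface. "quick" makes the first match win, which is
# how rules created in the OPNsense GUI are evaluated.

# 1. DHCP from the DMZ to the firewall (OPNsense adds this itself when DHCP is
#    enabled on the interface; shown here so the order is explicit).
pass in quick on $dmz_if inet proto udp from any port 68 to any port 67

# 2. DNS to the firewall's DMZ address is the only other firewall service allowed.
pass in quick on $dmz_if inet proto { tcp, udp } from $dmz_net to ($dmz_if) port 53

# 3. Nothing else may reach any address of the firewall itself (SSH, web GUI, ...).
#    In the GUI the single destination "This Firewall" covers all three at once.
block in quick on $dmz_if inet from $dmz_net to ($dmz_if)
block in quick on $dmz_if inet from $dmz_net to ($lan_if)
block in quick on $dmz_if inet from $dmz_net to ($wan_if)

# 4. No path to the LAN or to any other private range.
block in quick on $dmz_if inet from $dmz_net to <private_nets>

# 5. Whatever is left is Internet-bound: allow it, stateful.
pass in quick on $dmz_if inet from $dmz_net to any keep state
```

Two things worth checking after building the equivalent in the GUI: from the DMZ host, a connection to the firewall's LAN address on the web GUI or SSH port should fail (the block in step 3 covers the LAN-side address too, not just the DMZ-side one), while a public destination should succeed. Traffic from the LAN toward the DMZ is governed by the rules on the LAN interface, not by anything above, so if the LAN is meant to reach the DMZ host only on the forwarded service, that is a separate LAN-side rule.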