  jakerade
@rade.net
| [wired] RV082 DMZ Port
I have an RV082 and want to use the WAN2/DMZ port (NOT DMZ host or 1-to-1 NAT) to host about 5 servers, all with public IP addresses, then use the firewall filter to limit access on various ports to these particular servers.
I'm on my second RV082 now, as the first one went a bit mental after 3 days, lost its admin system and would not respond to a master reset.
However, my first attempt at configuring the DMZ was only partially successful, as I could only view the DMZ boxes from the local LAN and not the Internet. Additionally, the DMZ boxes would not connect to the Internet.
I'm hoping that this problem was due to the box going wrong, but wondered if anyone else had experienced similar problems or even configured a DMZ successfully. Linksys were not much help when I rang them! I am wondering if the IP address range needs an entry somewhere?
Regards
Jake |
|
 Citezein
join:2002-02-16 Washington, DC
| I can't offer you any suggestions about using the DMZ, but I can say that the One-to-One NAT would work for you. Can you post your specific rules that you have in place for us to look at? I'm working on an FAQ for this router, and am collecting issues and solutions right now.
I thought the way the DMZ was supposed to work was that you couldn't see the DMZ boxes from the local LAN. Isn't that the whole point of a DMZ? It sounds like something is amiss. |
|
 second2003
join:2003-12-22 San Jose, CA | It seems that you want to use a different subnet for the DMZ and WAN ports. In my environment, it works well with this assumption. What's your configuration? |
|
  jakerade
@rade.net
| Hi
The rules are set as standard for my test purposes as per the manual in that:
The LAN can access everything. The DMZ can access the WAN but not the LAN. The WAN can access the DMZ but not the LAN.
The point of having a DMZ is to segregate publicly accessible servers from your LAN, to avoid port forwarding or one-to-one NAT, because if someone does gain access to an unpatched server they gain access to your entire network. Thus the LAN needs to be able to access the DMZ, but the DMZ can't access the LAN.
I have a public IP range of x.x.x.224 to x.x.x.239 on a subnet of 255.255.255.240
My leased line router is x.x.x.225
The WAN port is x.x.x.226
The DMZ/WAN2 port is x.x.x.227
Servers start at x.x.x.228
LAN is the default 192.168.1.x on 255.255.255.0
One thing I have noticed is that if you run the basic setup wizard for a DMZ, it sets up the default WAN rule that the WAN can access 0.0.0.0 - 0.0.0.0 on 255.255.255.255. If you go into the network tab and save the WAN and DMZ settings again without changing them, it updates the rule to the public range of x.x.x.224-x.x.x.239 on 255.255.255.240 - weird!
This is my second RV082 and it still doesn't work. I haven't updated my firmware to the latest (I'm on 7 rather than 11), as 11 didn't work last time, so I thought I might as well try it straight out of the box.
1-to-1 NAT is my fallback, though as the router has the DMZ facility I would like to get it working, as I think it is a better system.
Linksys aren't much help - they have asked me to confirm whether our leased line router has static DNS. I can't see what that would do, but I can confirm that if I plug a box in straight behind the leased line router, it can see the Internet and be seen by the Internet, so it sounds like it's the RV082. It really would help if Linksys would document how this feature works rather than making us rely on the Force!
Thanks
Jake |
|
  jakerade
@rade.net
| I've got this working now and it does work well. Our ISP had to add an ARP entry for each IP address, tying it to the MAC address of the router, and it now just works! Also, the gateway for the DMZ needs to be the IP address of the router, e.g. .226, and not the IP address of the DMZ.
I've added a rule to deny the WAN access to everything, to remove the default access, then added entries for each IP address to allow access to port 80 etc.
As long as it keeps working I'll be happy, as this is the equivalent of a £1500 firewall for £180!
Jake |
|
 second2003
join:2003-12-22 San Jose, CA
| You can cut the subnet the ISP gave you into two different subnets. Then you don't need the ISP to modify anything for you.
Change to the following:
My leased line router is x.x.x.225
The WAN port is x.x.x.226/255.255.255.248 (WAN side can use 225-230)
The DMZ/WAN2 port is x.x.x.233/255.255.255.248 (DMZ side can use 233-238)
Servers start at x.x.x.234
LAN is the default 192.168.1.x on 255.255.255.0
I tried it and it works. |
|
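The split second2003 describes, worked through as an added Python example (not from the thread, the RV082 manual or Linksys): it carves the ISP's /28 into two /29s, assigns the roles from the post, and checks a pair of port addresses the way a practitioner would before typing them into the router. The 198.51.100.224/28 block is a constructed stand-in for the thread's x.x.x.224 range, and using the DMZ port's address as the servers' default gateway is an assumption.

```python
import ipaddress

# Constructed stand-in for the thread's x.x.x.224/28 (RFC 5737 documentation range).
ISP_BLOCK = "198.51.100.224/28"


def split_block(block):
    """Split the ISP block into two equal halves: the first for the WAN link, the second for the DMZ."""
    net = ipaddress.ip_network(block, strict=True)
    wan_net, dmz_net = net.subnets(prefixlen_diff=1)
    return wan_net, dmz_net


def addressing_plan(block):
    """Assign the roles from second2003's post within the two halves."""
    wan_net, dmz_net = split_block(block)
    wan_hosts = list(wan_net.hosts())
    dmz_hosts = list(dmz_net.hosts())
    return {
        "wan_net": wan_net,
        "dmz_net": dmz_net,
        "isp_router": wan_hosts[0],  # leased-line router, first usable address of the WAN half
        "wan_port": wan_hosts[1],    # RV082 WAN1 address
        "dmz_port": dmz_hosts[0],    # RV082 DMZ/WAN2 address, used as the servers' gateway (assumption)
        "servers": dmz_hosts[1:],    # remaining usable DMZ addresses
    }


def check_layout(wan_iface, dmz_iface):
    """Return the reasons a WAN/DMZ port pair is unusable; an empty list means it passes.

    Both arguments are 'address/prefix' strings as typed into the router's network tab.
    """
    wan = ipaddress.ip_interface(wan_iface)
    dmz = ipaddress.ip_interface(dmz_iface)
    problems = []
    if wan.network.overlaps(dmz.network):
        problems.append("WAN and DMZ ports are on overlapping subnets; the router cannot route between them")
    for name, iface in (("WAN", wan), ("DMZ", dmz)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} port address {iface.ip} is the network or broadcast address")
    return problems


def server_config(plan):
    """Static settings for each DMZ server: its address, the DMZ half's mask, and the DMZ port as gateway."""
    return [
        {"ip": str(s), "netmask": str(plan["dmz_net"].netmask), "gateway": str(plan["dmz_port"])}
        for s in plan["servers"]
    ]


if __name__ == "__main__":
    plan = addressing_plan(ISP_BLOCK)
    for key, value in plan.items():
        shown = ", ".join(map(str, value)) if isinstance(value, list) else value
        print(f"{key:>11}: {shown}")
    # The thread's first attempt put both ports in the one /28; the split puts them in separate /29s.
    print("single-subnet layout:", check_layout("198.51.100.226/28", "198.51.100.227/28"))
    print("split layout:       ", check_layout(f"{plan['wan_port']}/29", f"{plan['dmz_port']}/29"))
```

With the stand-in block the plan lands on .225 for the ISP router, .226 for WAN1, .233 for the DMZ port and .234 to .238 for five servers, which is the same shape as the post. The single-subnet layout fails the overlap check; the split layout passes.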
 Citezein
join:2002-02-16 Washington, DC
| reply to jakerade I guess I'm a little confused about a DMZ. How can it be that the LAN can access the DMZ, but not the other way around? If I have a web server on the DMZ and a database server on the LAN, would the web server not be able to access the DB server? Or, say my web server is also an email server. Can the people behind the LAN check their email?
Thanks,
Brian |
|
  jakerade
@rade.net
| Brian
The people on the LAN can access the email server but if you go to the desktop of the email server on the DMZ you will not be able to see or reach the LAN. If you had a web mail facility on your email server you could then open port 80 to allow remote users to access it without any threat to your LAN.
To access your data server from your web server, you could set a rule for the web server on the DMZ to access port 1433 on the IP address of your data server on the LAN, or alternatively put your data server on the DMZ and block external access to it - you have to weigh up the pros and cons.
Thanks for the tip Second2003
Jake |
|
  Fr0zen
join:2002-10-22 Chicago, IL | reply to jakerade Is the DMZ port totally firewall free? |
|
  jakerade
@195.92.x.x | No - you restrict it any way you like by adding a rule:
deny the WAN access to the DMZ
then add rules to:
Allow the WAN access to a port on an IP on the DMZ |
|
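Jake's rule set (deny the WAN everything, then allow specific ports per DMZ address, plus the one hole he suggests to Brian from the DMZ web server to the LAN database on port 1433), as an added Python model rather than anything from the router or the thread. It applies the default zone policy quoted earlier in the thread after the user's own rules, with the first match winning; that ordering is an assumption about how the RV082 treats rule priority, and the check for shadowed rules exists because it is the mistake that ordering invites. The addresses (RFC 5737 documentation ranges, a web server at .234, a mail server at .235 and a database at 192.168.1.10) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing standing in for the thread's x.x.x and 192.168.1.x ranges.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("198.51.100.232/29")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("198.51.100.234/32")
MAIL_SERVER = ipaddress.ip_network("198.51.100.235/32")
DB_SERVER = ipaddress.ip_network("192.168.1.10/32")


def zone_of(ip):
    """Classify an address into the router's three zones; anything outside LAN and DMZ is WAN."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN_NET:
        return "LAN"
    if addr in DMZ_NET:
        return "DMZ"
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_zone: str
    dst_zone: str
    src_net: ipaddress.IPv4Network = ANY
    dst_net: ipaddress.IPv4Network = ANY
    proto: str = "any"              # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches every port

    def matches(self, src_ip, dst_ip, proto, dst_port):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and src in self.src_net and dst in self.dst_net
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


# The zone policy from the manual as quoted in the thread, applied after the user's rules.
DEFAULT_RULES = [
    Rule("allow", "LAN", "WAN"),
    Rule("allow", "LAN", "DMZ"),
    Rule("allow", "DMZ", "WAN"),
    Rule("deny", "DMZ", "LAN"),
    Rule("allow", "WAN", "DMZ"),
    Rule("deny", "WAN", "LAN"),
]

# Jake's rules, highest priority first: specific allows, then the blanket deny that
# replaces the default WAN->DMZ allow.
ACCESS_RULES = [
    Rule("allow", "WAN", "DMZ", dst_net=WEB_SERVER, proto="tcp", dst_port=80),
    Rule("allow", "WAN", "DMZ", dst_net=MAIL_SERVER, proto="tcp", dst_port=25),
    Rule("allow", "DMZ", "LAN", src_net=WEB_SERVER, dst_net=DB_SERVER, proto="tcp", dst_port=1433),
    Rule("deny", "WAN", "DMZ"),
]


def evaluate(user_rules, src_ip, dst_ip, proto, dst_port):
    """First matching rule wins (assumed priority semantics); return (action, rule index)."""
    for i, rule in enumerate(user_rules + DEFAULT_RULES):
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action, i
    return "deny", None  # nothing matched: drop


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (outer.src_zone == inner.src_zone and outer.dst_zone == inner.dst_zone
            and outer.src_net.supernet_of(inner.src_net)
            and outer.dst_net.supernet_of(inner.dst_net)
            and outer.proto in ("any", inner.proto)
            and outer.dst_port in (None, inner.dst_port))


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule with the opposite action covers them."""
    return [i for i, rule in enumerate(rules)
            if any(r.action != rule.action and covers(r, rule) for r in rules[:i])]


if __name__ == "__main__":
    probes = [
        ("203.0.113.5", "198.51.100.234", "tcp", 80),      # Internet -> web server, allowed
        ("203.0.113.5", "198.51.100.234", "tcp", 22),      # Internet -> web server ssh, blocked
        ("198.51.100.234", "192.168.1.10", "tcp", 1433),   # web server -> LAN database, allowed
        ("198.51.100.235", "192.168.1.10", "tcp", 1433),   # mail server -> LAN database, blocked
        ("192.168.1.50", "198.51.100.235", "tcp", 143),    # LAN user -> DMZ mail, allowed
    ]
    for probe in probes:
        print(probe, "->", evaluate(ACCESS_RULES, *probe))
    # Putting the blanket deny first silently shadows the allows.
    misordered = [ACCESS_RULES[-1]] + ACCESS_RULES[:-1]
    print("shadowed when deny is first:", shadowed_rules(misordered))
```

The model gives the behaviour Jake describes: the Internet reaches only the ports opened per address, the LAN still reaches the DMZ mail server, the web server reaches the database on 1433 and nothing else on the LAN, and the mail server reaches no LAN host. Reordering the blanket deny above the allows makes the allows dead, which `shadowed_rules` reports.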
  Fr0zen
join:2002-10-22 Chicago, IL | reply to jakerade I see |
|
  jakerade
@195.92.x.x
| My DMZ disappeared this morning for no apparent reason - not visible from the web or the LAN, but the servers on the DMZ could talk amongst themselves.
After trying to restore configs, factory resets etc. to no avail, I discovered that the servers could not ping the DMZ port.
I removed the DMZ port IP address by giving it a new one, then changed it back, and it started working OK. Will keep an eye on it, but the whole thing is starting to look a little flaky... |
|
  rsd-17
@yorkton.com
| reply to jakerade "I've got this working now and it does work well. Our ISP had to add an ARP entry for each IP address tying it to the MAC address of the router" When you refer to MAC address, do you mean the DMZ's MAC address as shown on the status page or do you mean the WAN MAC address?
..John R |
|