[ale] Proper way to setup DMZ LAN

Alex Carver agcarver+ale at acarver.net
Sun Mar 26 01:26:21 EDT 2017


I disagree about the LAN not going through the DMZ to get to the
outside.  That's exactly how many places (including my workplace) have
things set up.  There's a middle ground because in theory the LAN and
the WAN both need to access the DMZ.

Two routers chained together will work.  It's just a different set of
rules and it simply makes the second router a "host" on the DMZ but you
put more restrictive rules in place (no port forwarding) for anything
beyond it.

Now, there's technically a way to do a single router with your consumer
routers as long as you replace the firmware with something that is
smarter such as OpenWRT/Tomato/DDWRT, etc.  As an example, I have an old
Linksys WRT54G running OpenWRT.  It has five physical ethernet ports
and the wireless card inside.  The built-in Broadcom SoC can actually
VLAN all five of those separately (through internal VLAN tagging).  So I
could turn it into a five-zone firewall (WAN, LAN 1-4, and WifiLAN).

You might be able to do the same if your Asus is supported by OpenWRT or
similar.  You get the ability to reconfigure the SoC switch inside to
create zones, the benefit of iptables, and advanced routing that the
stock firmware just doesn't have.

On 2017-03-25 21:46, Scott Castaline wrote:
> So you're saying that my 2 router configuration won't work? If that is the case 
> what brand besides Cisco makes a 1 WAN to 2 LAN router? I say besides Cisco 
> because the only one I worked with many years ago were Cisco 2600 series 
> routers, which I loved at the time just not the price.
> 
> On disability pay it's sort of off budget. What I was planning on doing was 
> taking one ASUS router and putting a NetGear 16 port switch off of that to drive 
> my DMZ LAN then the 2nd ASUS router would be off of the front LAN to create the 
> back LAN which would be the private LAN also with a 2nd NetGear 16 port switch. 
> The DMZ will have 2 game consoles, and 2 media streamers and 2 smart tvs. But 
> then I ran into articles that say the complete reverse of what I had planned also 
> using 2 routers. One of the articles endorses 3rd party firmware from Russia, 
> but I'm a little leery of that these days.
> 
> 
> On 03/25/2017 05:09 PM, Jim Kinney wrote:
>> The DMZ is a zone. One box or many. It is directly connected to internet and 
>> may or may not connect to the inside LAN. If it does, the firewall and routing 
>> is very, very specific. And, yes, firewall between big bad interwebs and DMZ.
>>
>> The inside, trusted LAN doesn't connect through DMZ network to outside. It 
>> connects to firewall/router and your internet demarcation line.
>>
>> So 3 nic Linux box. Nic 1 goes to internet, 2 is DMZ and 3 is private lan. 
>> Iptables on the box. LAN and DMZ are separate subnet with the box as their 
>> gateway. DMZ often has internet routable IPs. LAN usually does not and is 
>> NAT'ed. DMZ can be NAT'ed as well. If DMZ is not NAT'ed, nic 1 will need to be in 
>> bridge mode.
>>
>> The terminally paranoid will add a second firewall box on the wire between nic 
>> 3 and the internal LAN.
>>
>> On Mar 25, 2017 4:42 PM, "Scott Castaline" <skotchman at gmail.com 
>> <mailto:skotchman at gmail.com>> wrote:
>>
>>     So I would put the DMZ on the front or first LAN and then everything else
>>     on the back or second LAN? And also the DMZ is a single device and not the
>>     LAN itself? What if I have multiple DMZs on the first LAN can I do that?
>>
>>
>>     On 03/25/2017 12:30 AM, Alex Carver wrote:
>>
>>         On 2017-03-24 21:05, Scott Castaline wrote:
>>
>>             Okay I've had the cable pulled in my house I was able to unbrick an
>>             older ASUS router which is running ASUSWRT-Merlin which has the radios
>>             shutoff for the access part of it. Many years ago I remember
>>             setting up
>>             several dual LANs, the first LAN was unsecured and all of the web
>>             facing
>>             gear was on that. Then a second router with LAN to LAN interfaces
>>             which
>>             connected to LAN 1 and LAN 2 was off of this router and was a secured
>>             network. I thought this what a DMZ was, but on google searching DMZ
>>             structure I'm finding that the DMZ is a single server by itself. The
>>             other thing that I'm finding is that the secured LAN is on LAN 1
>>             and the
>>             DMZ is on LAN 2. That doesn't make sense to me.
>>
>>             Can anyone enlighten me with what would be the correct way of
>>             doing this?
>>
>>
>>         You can make up a DMZ using a three port router or you can daisy chain
>>         two routers with the link between them being the DMZ. Your LAN would
>>         hang off the back router farthest from the WAN.
>>
>>         Either way you're just setting up a bunch of packet filter and routing
>>         rules.  The advantage of the dual router approach is that it would
>>         theoretically be harder to break into your LAN because two routers would
>>         need to be compromised.
>>
>>         A single router approach needs a router that can handle all traffic.
>>         The dual router approach only needs enough horsepower on the front
>>         router to handle the traffic.  The back router, in theory, sees less
>>         traffic.
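The three-NIC Linux box Jim describes (nic 1 internet, nic 2 DMZ, nic 3 private LAN) expressed as an iptables-restore ruleset; this is an added example, not code from anyone in the thread. Interface names, subnets, the DMZ host, the single published port, and the NATed DMZ are all assumptions made for the example.

```shell
#!/bin/sh
# Three-zone firewall for a 3-NIC Linux box, emitted in iptables-restore format.
# All names below are assumptions for this example, not from the thread.
WAN=eth0                 # nic 1: internet
DMZ=eth1                 # nic 2: DMZ segment (NATed, one of the options Jim mentions)
LAN=eth2                 # nic 3: private, trusted LAN
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.20.0/24
DMZ_HOST=192.168.10.10   # constructed: the only DMZ host that publishes a service
PUB_PORT=443             # constructed: the only port forwarded in from the WAN

dmz_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Exactly one inbound port forward from the WAN into the DMZ
-A PREROUTING -i $WAN -p tcp --dport $PUB_PORT -j DNAT --to-destination $DMZ_HOST:$PUB_PORT
# Both inside zones hide behind the WAN address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the box only from the private LAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate to both the DMZ and the internet
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
# DMZ may initiate to the internet only; attempts toward the LAN are logged then dropped
-A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: " --log-level 4
-A FORWARD -i $DMZ -o $LAN -j DROP
# WAN reaches the DMZ only through the DNAT above, nothing else
-A FORWARD -i $WAN -o $DMZ -d $DMZ_HOST -p tcp --dport $PUB_PORT -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Load with: dmz_rules | iptables-restore   (after sysctl net.ipv4.ip_forward=1)
```

The LOG line is the detection point: a DMZ device (console, streamer, TV) that starts probing the LAN shows up in the kernel log before anything reaches the private side.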