How to get DMZ to work
-
I have the following ports:
WAN - Static X.X.X.X
LAN - 10.8.0.1 (255.255.255.0)
DMZ - 10.10.1.1 (255.255.255.0)The LAN works fine. I can access google and all sites without any issues.
The DMZ is not working. I cannot access any websites.How can I get the second port to work? I cannot get the server on the DMZ subnet to access any websites.
Thank you
-
Check the Outbound NAT rules.
Firewall/NAT/Outbound
You need a similar rule to WAN on your DMZ subnet like you have on your LAN subnet in that list./illern
-
Thank you for your assistance.
Per your recommendation I added the NAT:Outbound for 10.10.1.0/24.
I am still not able to:
nslookup google.com from a server in the DMZ
Search the web from a server within the DMZ
-
Excellent! A reboot of the router was able to resolve the issue.
Thank you for your time and assistance.
All the best!
Mike
-
Glad it worked out.
But you have too many rules in your outbound NAT now.The 2 first one is the same except for static port setting.
Same goes for the 2 last ones.As it is now you will have static port on 10.8.0.0 subnet and no static port on the 10.10.1.0 subnet.
That´s because they are used from the top down.You should decide if you want static port setting or not and remove the extra rule for each subnet.
/illern
-
I don't know why your calling it a dmz? You do understand that your dmz from your rules has full unfiltered access to your lan network as well as the internet.
And unless you need to do something really odd, the automatic setting for outbound nat will nat your other segments you create - there is rarely any reason to change to manual outbound nat unless you have to do something out of the norm.. Which having another lan segment or "dmz" as you want to call it is not out of the norm.
A "dmz" is normally a network segment between the public internet and the private secured network.. Or just a segment that has filtered access between the public networks and the private network.
In your above rules you have a firewall between your dmz segment and your "lan" segment - but your rule base is wide open.. Normally you allow traffic from your lan into your dmz, but you do not allow unsolicited traffic from your dmz into your lan - which is what your current rules are.
example my dmz segment can not talk to my lan or my wlan or networks via an alias that has those local networks in it. Unless the lan or wlan IP started the conversation.
