How to set up a DMZ (not a physical one)



  • So like how do you set up a standard DMZ? Like not one that is on its own NIC. I mean just like a standard DMZ that all the other PCs are connected to as well, like any other router. I'm not sure how to do this and I really need to.



  • What are you trying to do?

    A dmz IS another interface.
    Do you want to expose just every port of your public IP on the wan to a specific computer?
    –> Create a normal NAT forward for ports 1-65535



  • I think Linksys devices have a sort of pseudo-DMZ setting for people who don't really understand that this is a bad idea. Perhaps this is what the OP is referring to. If so, the answer is simply "you can't".



  • Wait wait wait, how come? I mean my old D-Link DGL-4300 let me, and my Linksys let me. Why would this be a bad idea? My server has a firewall that blocks all ports and programs except the ones I check-box; this makes my life a lot easier. So why is such a useful feature not implemented? I really hate having to open ports… Like if I theoretically wanted a physical DMZ, I would have to attach another NIC card and make my server run directly into that? But what's the point? I mean, why would that be better? I still want my server to be able to access the other computers. If someone would just elaborate on what the point of that is, I'd be grateful.

    Also, if I open each port, won't the router warn me that I have conflicting ports? Like DMZ through 1-65000, but won't that conflict with another PC on port 80 if it's hosting a web site? Like if I tried opening port 80 on 2 PCs on my old D-Link, it wouldn't let me. (I can't test this, I'm at school.)



  • A DMZ should be a physically encapsulated network which can be infected with viruses and other stuff, and should not influence your users
    (aka it is firewalled against the users).
    If you have a "DMZ" "server" inside your client subnet, this kind of defeats the purpose of having a DMZ.

    Most cheap SOHO devices refer to "forward everything to a single computer and open up the firewall" as "DMZ", even if it isn't really a DMZ.

    Yes, you cannot forward the same port multiple times.
    This is the nature of NAT…
    Why do you even want to use a DMZ?
    Why not just forward the ports you need?



  • Please make sure you understand the points made by GruensFroeschli in depth.

    The "DMZ" feature of such FWs has nothing to do with a DMZ. It should be called something else; surely some users are fooled by the terminology, thinking it helps the internal security somehow.

    That type of feature exists primarily to fix otherwise hard-to-fix port forwarding cases, with some applications that need to open ports dynamically in ways that these SOHO FWs have a hard time dealing with (even though many of them, incl. D-Link, have a specific "application" type of feature to at least try to deal with it). If you're having problems getting all traffic to the service needing it, make sure all traffic hits the "DMZ host"; that's the kind of idea behind that type of feature.

    So basically this is a convenience feature in those SOHO FWs, and the result of using it has nothing to do with what people otherwise would relate to using a "DMZ": a specific shielded-off network segment for high-risk services/HW, typically reached from the Internet, and not reached by other users unless specifically routed and firewalled to do so.

    This also indirectly answers your question why pfSense doesn't have such a feature. Having such a feature and calling it "DMZ", or even something remotely similar, would be regarded as unprofessional, misleading and grossly non-standard, and for a professional-grade FW package that is also targeted at business and enterprise customers that would simply not fly.

    Cheers,
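The distinction GruensFroeschli and the post above draw, written out as pf rules in the pf.conf syntax pfSense builds on, as an added example that is not from the thread or from the pfSense project; interface names and addresses are assumed:

```pf
# Assumed names and addresses (constructed for this example)
ext_if  = "em0"            # WAN
lan_if  = "em1"            # user PCs
dmz_if  = "em2"            # separate DMZ segment on its own interface
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_www = "192.168.2.10"   # web server living in the DMZ
lan_box = "192.168.1.50"   # the PC a SOHO router would make its "DMZ host"

# --- What a SOHO router calls "DMZ": one catch-all NAT forward. ---
# Shown commented out for contrast. Every unsolicited inbound packet
# lands on a machine that sits on the same subnet as the users, so
# nothing shields the LAN from whatever reaches that machine. A port
# can be forwarded only once, so this also consumes every port: a
# second forward of port 80 to another PC would conflict with it.
# rdr on $ext_if proto { tcp, udp } from any to ($ext_if) -> $lan_box
# pass in on $ext_if from any to $lan_box keep state

# --- A real DMZ: own segment, firewalled against the users. ---
# Only the published service is translated from the WAN address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $dmz_www port 80

# Default deny inbound on every interface; outbound is stateful.
block in all
pass out all keep state

# Users may reach the Internet and the DMZ server ...
pass in on $lan_if from $lan_net to any keep state

# ... but a compromised DMZ host must not initiate anything into the LAN.
# "quick" stops evaluation so the pass rule below cannot override it.
block in quick on $dmz_if from $dmz_net to $lan_net
pass  in on $dmz_if from $dmz_net to any keep state

# Internet clients reach nothing but port 80 on the DMZ web server.
pass in on $ext_if proto tcp from any to $dmz_www port 80 flags S/SA keep state
```

The rdr line must sit before the filter rules, as pf expects translation rules first; the DMZ server still reaches the LAN only for connections the LAN itself opened, which is the "firewalled against the users" property the thread describes.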



  • Ok, I sort of understand. But this brings me to another question: why won't my forwarded ports work :P I'll create another thread to ask that.
