DMZ Gateway Interface Causes Internet Issues



  • I have a DMZ gateway which has been working just fine.

    I decided to add a Gateway Interface under DMZ Interface and my internet connection completely went down.

    I was able to ping devices on the LAN but not on the internet.

    Restoring an older backup profile resolved the issue but I am not sure what caused the issue in the first place.



  • Normally the "DMZ" is just another ordinary LAN, that happens to have some servers to which public port/s are forwarded from WAN1, WAN2…
    The DMZ does not have an upstream gateway to the internet on its own subnet. The upstream gateways are on WAN1, WAN2... through which the internet is reached.
    So do not put a gateway on the DMZ interface.
    You cleaned it up by going back to a previous config - that works! For others, if you do not easily have a good previous config, remove the gateway specified in the DMZ interface, then go to System->Routing, select the real WAN as the default gateway and delete the DMZ_GW.
    General rule:
    If an interface is to an internal LAN (i.e. usually with private IPs) then do not put a gateway.
    If an interface has an upstream device that is the way out to the internet, then it is a WAN and should have a gateway set.



  • @phil.davis:

    Normally the "DMZ" is just another ordinary LAN, that happens to have some servers to which public port/s are forwarded from WAN1, WAN2…
    The DMZ does not have an upstream gateway to the internet on its own subnet. The upstream gateways are on WAN1, WAN2... through which the internet is reached.
    So do not put a gateway on the DMZ interface.
    You cleaned it up by going back to a previous config - that works! For others, if you do not easily have a good previous config, remove the gateway specified in the DMZ interface, then go to System->Routing, select the real WAN as the default gateway and delete the DMZ_GW.
    General rule:
    If an interface is to an internal LAN (i.e. usually with private IPs) then do not put a gateway.
    If an interface has an upstream device that is the way out to the internet, then it is a WAN and should have a gateway set.

    Phil,

    Sounds good! I did see a DMZGW listed under GATEWAYS but I did not find a way to remove it. I will definitely keep this in mind.

    Thanks for the quick response and heads up!
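
The general rule from the answer above, written as a small configuration check. This is an added example, not code from any poster or from the firewall software. The interface list, the `role` labels, the addresses and the `audit` function are all constructed for illustration.

```python
import ipaddress

# Constructed sample reproducing the thread's broken state: a gateway was
# added on the DMZ interface and ended up as the default route.
INTERFACES = [
    {"name": "WAN1", "role": "wan", "addr": "203.0.113.10/29", "gateway": "203.0.113.9"},
    {"name": "LAN", "role": "internal", "addr": "192.168.1.1/24", "gateway": None},
    {"name": "DMZ", "role": "internal", "addr": "192.168.50.1/24", "gateway": "192.168.50.254"},
]


def audit(interfaces, default_gw_if):
    """Return (interface, problem) pairs that violate the thread's rule.

    'role' is an assumption: the admin labels each interface as 'wan'
    (has an upstream device toward the internet) or 'internal'.
    """
    findings = []
    roles = {i["name"]: i["role"] for i in interfaces}
    for i in interfaces:
        net = ipaddress.ip_interface(i["addr"]).network
        gw = i.get("gateway")
        if i["role"] == "internal" and gw:
            findings.append((i["name"], "internal interface has a gateway set"))
        if i["role"] == "wan" and not gw:
            findings.append((i["name"], "WAN interface has no gateway"))
        if gw and ipaddress.ip_address(gw) not in net:
            findings.append((i["name"], "gateway is outside the interface subnet"))
    # The default route must leave through a real WAN, never the DMZ or LAN.
    if roles.get(default_gw_if) != "wan":
        findings.append((default_gw_if, "default gateway is not on a WAN interface"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(INTERFACES, default_gw_if="DMZ"):
        print(f"{name}: {problem}")
```
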