DMZ with RV042

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by yasmin_k, May 28, 2007.

  1. yasmin_k

    yasmin_k LI Guru Member

    Hello all,

    I'm going crazy setting up a DMZ with the RV042...
    Maybe someone can help me get this DMZ config working.

    So, I need one DMZ to set up a mail server.

    Have following config:

    1. first (DSL) Router is the RV042, static IP from ISP (217.xxx.xxx.xxx), the router has the LAN IP 192.168.1.1

    2. set the DMZ port to "subnet" (192.168.2.1) - or should it be "range"? I only have ONE static IP address from my ISP, how should I handle this?

    3. second (WLAN) Router is the Netgear DG834GTB, connected to the LAN port of RV042, DSL is off, IP is 192.168.1.250, serves DHCP to 192.168.1.30 to 192.168.1.40. Set a static route to RV042, NAT is disabled on this router.

    So, can one tell me if this DMZ config is correct (especially the IPs), if yes, how can I reach the admin website of the RV042 from a WLAN client? I get an access denied every time (login window pops up) and I have no Internet access from the WLAN clients (seems a DNS problem) - BTW the RV042 doesn't act as a DNS-Proxy.

    What rules should I set up? Already set "allow" from 192.168.1.250 to 192.168.1.1.

    The RV042 is a Version 1.1; I can't find it on the US site. And the firmware is 1.3.7.4.

    Thanks in advance!

    Yasmin
     
  2. Toxic

    Toxic Administrator Staff Member

    AFAIK, if the WAN1 is using a public IP address then the DMZ port (WAN2) has to have a second public IP address. The only way around this is to have the RV042 behind another router for that WAN1, and WAN2 on the RV can then use private IP addresses. Eric Stewart had this setup and it worked well. I don't know, however, if setting a subnet on the DMZ would work; you may need to set up the Multiple Subnet feature as well.
     
  3. yasmin_k

    yasmin_k LI Guru Member

    That means that I have to get a second static IP address from my ISP?

    Hmmm...don't know if I will get a second one...

    Well, if I put the RV042 behind another router, do I have to get a third router? I need the WLAN part for the clients... What should this all look like?
     
  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I saw your post. Here's how my home network (was) set up with the RV042 as of December of last year. (picture attached). Note that I had to put the RV042 in behind my PIX 501 since I only had one static IP address from my ISP. Now the PIX is my "ISP" and I can do full NAT (one-to-one translation) and use whatever IP addresses I want on the WAN1 and WAN2 interfaces.

    Take a look at the attachment and PM me or post here if you have questions. Looks like if you put your Netgear in front of your RV042 (i.e. where my PIX is) you will end up with a very similar solution.
     

  5. yasmin_k

    yasmin_k LI Guru Member

    Thanks very much for your answer.

    So, that means that's the only solution (3 routers)?
    Why can't one use the DMZ port as is? Does the DMZ port really have to be configured with a static (ISP) address?

    Thanks!
     
  6. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    The DMZ port is configured with a static IP address on the Linksys. Similarly, boxes on the DMZ will have to be configured with static IP addresses, using the RV042 as their default gateway. Also, you will have to manually configure the DNS servers for the boxes on the DMZ since they won't be able to obtain that information from the RV042 via DHCP and the RV042 can't act as a DNS proxy in any case. You might also want to consider setting up rules on the RV042 such that devices on the DMZ cannot initiate connections to the inside LAN except where the rule permits it. For some reason this isn't the default logic on the RV042. It at least partially defeats the purpose of having a DMZ.

    I only have 2 firewalls in my diagram (Cisco PIX 501 and Linksys RV042) so I don't know why you ask why 3 would be needed, unless you're wondering what box might provide wireless access to clients in the LAN?

    This is the price you pay for setting up your network like an enterprise network. ;-)

    /Eric
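
The isolation rule suggested in the post above (DMZ hosts may not initiate connections into the LAN except where a rule permits it), modelled as an added example that is not part of the thread and is not the RV042's own rule engine. It assumes ordered, first-match rules; the LAN and DMZ subnets are the ones from the first post, while the mail server 192.168.2.10, the internal log host 192.168.1.20 and port 514 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
LAN = net("192.168.1.0/24")        # LAN from the first post
DMZ = net("192.168.2.0/24")        # DMZ "subnet" from the first post
ANY = net("0.0.0.0/0")
MAIL = net("192.168.2.10/32")      # constructed: mail server in the DMZ
LOGHOST = net("192.168.1.20/32")   # constructed: internal syslog host

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None     # None matches any port

def decide(rules, src, dst, port, default="deny"):
    """Model assumption: rules are checked in order, first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.port in (None, port):
            return r.action
    return default

def narrow(a, b):
    """Intersection of two CIDR blocks: they either nest or are disjoint."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b

def dmz_to_lan_exposure(rules):
    """List (index, src, dst, port) for every allow rule that still lets a
    DMZ host open a connection into the LAN (no earlier deny covers it)."""
    found = []
    for i, r in enumerate(rules):
        src, dst = narrow(r.src, DMZ), narrow(r.dst, LAN)
        if r.action != "allow" or src is None or dst is None:
            continue
        shadowed = any(e.action == "deny" and src.subnet_of(e.src)
                       and dst.subnet_of(e.dst) and e.port in (None, r.port)
                       for e in rules[:i])
        if not shadowed:
            found.append((i, str(src), str(dst), r.port))
    return found

PERMISSIVE = [Rule("allow", ANY, ANY)]           # nothing separates DMZ from LAN
HARDENED = [Rule("allow", MAIL, LOGHOST, 514),   # the one permitted exception
            Rule("deny", DMZ, LAN),              # DMZ may not initiate to LAN
            Rule("allow", ANY, ANY)]             # everything else unchanged
```

Run against a hardened rule list, `dmz_to_lan_exposure` should return only the exceptions that were put there on purpose; anything else in the list is a path from the DMZ into the LAN.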
     
  7. yasmin_k

    yasmin_k LI Guru Member

    So, that's clear.

    I was just wondering why the DMZ port really needs a second ISP (public) IP address and it doesn't work with a private one.
    This is also stated in the handbook.
    And in most cases people have just one public IP address :-(

    BTW, I will try to set up the same config as you.

    About the 3rd router, I mean not really a router, just need an AP for the WLAN clients.

    Brgds,
    Yasmin
     
  8. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    You can take comfort in the fact that, while a little awkward, you will end up with a network designed around two perimeter firewalls. I have a post here that you might find interesting: http://www.breezy.ca/?q=node/121

    /Eric
     
  9. yasmin_k

    yasmin_k LI Guru Member

    Thanks, Eric.

    Well, tried last weekend to "simulate" your config with a Draytek Vigor router as a primary (DSL), RV042 as the second (DMZ) router, but I was not able to get any connection to the DSL-router from behind the RV042 :-(

    Played with the rules but somehow it won't work. Maybe I'm doing something wrong there.

    Have to look further into it.

    Yasmin
     
  10. yasmin_k

    yasmin_k LI Guru Member

    Well, after a few experiments, I still have problems with the config.

    Here's how I set up my devices (similar to Eric's example):

    - 1st (DSL Router), Draytek Vigor, IP: 192.168.99.1
    - 2nd Router RV042, IP: 192.168.0.2, WAN1: 192.168.99.2, DMZ: 192.168.99.100, DMZ-Server: 192.168.99.101.
    LAN-Clients in range of 192.168.0.x, will set up an AP too, but tried wired directly first.

    Standard rules enabled, RV042 set up as a gateway (didn't work in router mode - was not able to ping/connect from the LAN side).

    So far, I can ping/have internet access from the LAN side, but NO ping/internet access from the DMZ side. Tried to set up rules (allow 192.168.99.101 to the LAN, allow 192.168.99.101 to RV042 and Vigor), no chance.
    BTW, the DMZ-Server has as gateway the 192.168.99.1, but also tried 192.168.99.2

    Does anybody know/ can help me with this issue? What's wrong in this setup?

    Thanks in advance,
    Yasmin
     
