DMZ Woes on RV016

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by grizzjeeper, Nov 21, 2006.

  1. grizzjeeper

    grizzjeeper LI Guru Member

    This is what I am trying to do: I want a RAS server connected to the DMZ port. I want only ports 80 and 3389 from the WAN to the DMZ open. And I want TCP ports 6990-7007 open both ways from DMZ to LAN. Sounds pretty simple, but I can't get the stupid DMZ to work right and Linksys documentation has me scratching my head. WAN1 has a public static 66.x.x.227. On the setup screen I placed a public static under DMZ interface 66.x.x.228 with the appropriate subnet. The next screen is DMZ host and gives you a private address on your LAN, which I assume would be the same IP that you assign the server that will be plugged into the DMZ, only if that is set to say 10.10.10.4 and I try and static my server to that I get an IP conflict (which there isn't unless it's conflicting with the DMZ host address I put in). What gets me is the statement in the Linksys documentation "Each of the servers on the DMZ will need a unique, public Internet IP address" giving me the impression I need another static IP for the actual server plugged into the DMZ. So I try that: I put 66.x.x.229 in there and from that box I can get out and from the WAN I can get to .229. (Although if I type the IP of the DMZ on the router I get the router config page, just like if I used the router WAN IP.)

    So now from my LAN I try to get to the DMZ LAN address 10.10.10.4 and nothing, can't ping etc. I could get to the DMZ server by public IP from the LAN but can't get to it by private or by name. I called Linksys and support has said that the documentation is wrong and I would put the private .4 in both the host and on my server and a public on the DMZ, and since I am getting the IP conflict (with no real conflict) that the DMZ port is bad and they want to ship me a new one. What do you guys think?
     
  2. Toxic

    Toxic Administrator Staff Member

    You are misguided.

    The WAN2/DMZ is a real DMZ. Ports are NOT controlled by the RV016's firewall on the DMZ (WAN2).

    The "DMZ Host" setting is to open ALL ports, on one IP address on your LAN.

    Your RAS has a public IP address and is NOT on your LAN.

    tbh the real DMZ is used for a Public Mail or Webserver.
     
  3. grizzjeeper

    grizzjeeper LI Guru Member

    So Linksys tech support is wrong then? If they are not controlled by the firewall, why on earth would you be given the option to configure the firewall with the DMZ as a drop-down option from source and destination? You have replied with this same information in a previous post by someone else and it just doesn't look like that. So what you are saying is this DMZ is not the same as every DMZ on every "real" Cisco router? I thought that was one of the selling points on the 16, that Linksys finally created a separate interface for this exact reason; it's not a software DMZ like all the little routers. Do you have a 16? Do you know what the config page looks like? If so you couldn't say this:
    "Subnet: If select Subnet, DMZ and WAN will be at different Subnet.
    Specify DMZ IP Address: Enter the DMZ IP Address and Subnet Mask. If DMZ is selected, the WAN Connection type of DMZ will be Static IP option only.

    Range: If select Range, DMZ and WAN will be at the same Subnet.

    IP Range for DMZ port: Enter the IP Range for DMZ port."
     
  4. Daschound

    Daschound Network Guru Member

    Grizzjeeper:
    The DMZ Port and DMZ Host are two separate functions. If you have your RAS server connected to the RV016 physical DMZ port, you do not have to configure the DMZ Host function. You were correct with your initial DMZ port setting: you will need to assign a public IP for WAN1 IP (66.x.x.227), a public IP for DMZ interface (66.x.x.228), and for the RAS server a public IP (66.x.x.229). You do not need to assign the RAS server a private IP (10.10.10.4).
    The DMZ drop-down selection in Firewall/Access rule refers to the DMZ port only, not DMZ Host.
    So, try the setup again without the DMZ Host, and for the port 80 & 3389 limitations, use Access rules to deny all traffic first and set Allow rules for the ports you want to allow through the firewall.
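
The deny-all plus allow-rules policy described above, checked port by port, as an added example that is not part of the original post and is not RV016 code. The zone names, the rule table and first-match evaluation are assumptions made for illustration; how the router itself orders its access rules should be confirmed on the device.

```python
# Added example: models the access-rule intent from this thread.
# Zone names and first-match evaluation are assumptions, not RV016 firmware behaviour.
from typing import NamedTuple

class Rule(NamedTuple):
    action: str      # "allow" or "deny"
    src: str         # "WAN", "LAN", "DMZ" or "*"
    dst: str
    ports: range     # TCP destination ports

ALL = range(1, 65536)

# Constructed rule table: specific allows above a catch-all deny.
RULES = [
    Rule("allow", "WAN", "DMZ", range(80, 81)),
    Rule("allow", "WAN", "DMZ", range(3389, 3390)),
    Rule("allow", "DMZ", "LAN", range(6990, 7008)),
    Rule("allow", "LAN", "DMZ", range(6990, 7008)),
    Rule("deny", "*", "*", ALL),
]

# Intended exposure, taken from the first post.
INTENT = {
    ("WAN", "DMZ"): {80, 3389},
    ("DMZ", "LAN"): set(range(6990, 7008)),
    ("LAN", "DMZ"): set(range(6990, 7008)),
    ("WAN", "LAN"): set(),
}

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow; default deny."""
    for r in rules:
        if r.src in (src, "*") and r.dst in (dst, "*") and port in r.ports:
            return r.action
    return "deny"

def open_ports(rules, src, dst):
    return {p for p in ALL if decide(rules, src, dst, p) == "allow"}

def audit(rules, intent=INTENT):
    """Map each zone pair to (unexpectedly open, unexpectedly closed) ports."""
    findings = {}
    for (src, dst), want in intent.items():
        got = open_ports(rules, src, dst)
        if got != want:
            findings[(src, dst)] = (sorted(got - want), sorted(want - got))
    return findings

if __name__ == "__main__":
    print(audit(RULES))                      # correct ordering
    print(audit([RULES[-1]] + RULES[:-1]))   # deny-all evaluated first
```

An empty result from `audit` means the effective exposure matches the intent; under first-match evaluation, moving the deny-all rule to the top closes every port the allow rules were meant to open.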
     
  5. grizzjeeper

    grizzjeeper LI Guru Member

    OK, I will try that. So for machines that want to get to this box from the LAN, they would type in the public IP of the box because there is no virtual IP assigned to that port?

    So name resolution wouldn't work via DMZ from the LAN, correct?
     