
WRV54G - DMZ

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by MrSquid, Apr 4, 2006.

  1. MrSquid

    MrSquid LI Guru Member

    Hello,
    I am considering the purchase of a WRV54G. My biggest concern with personal routers over the years was needing to open a port into my private network to host a small website or ftp server. Linksys seems to have addressed this issue with this router, but I would like to confirm the following:

    1) I can have all of my computers on the internal private segment (Say 192.168.1.2 through .6) access the internet from behind a NAT

    2) I can have a server on the DMZ sit on a network separate from my internal network (Say 192.168.2.2) with port 80 open inbound from the internet and have this server access the internet from behind the same NAT as item #1.

    3) All computers on my internal network can access the server on the DMZ.

    4) The server on the DMZ cannot access the computers on my internal segment.

    5) I can do all of the above with just a single IP address from my ISP.

    6) When a user VPN's into this router from the public internet he will not disrupt any of the above (with the exception of maybe a small performance hit).

    Thanks!!!
     
  2. TazUk

    TazUk Network Guru Member

    Yep.

    Nope, the DMZ would be on the same network as the local LAN i.e. 192.168.1.x in your example.

    Yep.

    Nope, see answer to #2

    Yep.

    Yep.
     
  3. MrSquid

    MrSquid LI Guru Member

    Thanks for the reply.

    Besides a Cisco PIX or other professional level firewall, does anyone know of a device that will allow port forwarding to a separate DMZ segment that does not have access back to the internal private segment?

    This seems like such a basic security requirement.
     
  4. TazUk

    TazUk Network Guru Member

    From looking at the online manual the D-Link DFL-200 appears to do what you want :)

    Actually I'd say it was beyond the scope of a SOHO router. I would have expected the RV's to do it though :unsure:
     
  5. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Hey Taz.

    I have had my WRV54G set up with the DMZ interface (switch port 1) on a separate subnet. When you activate the hardware (vs. software) DMZ feature on the WRV, it automatically increments the 3rd octet in your LAN interface's IP address, and puts the DMZ on that new subnet.

    For example, if your LAN interface is on 192.168.1.1, the DMZ interface becomes 192.168.2.1. DHCP server does not run on the DMZ, so devices that are in the DMZ must be configured with static IP addresses, using the WRV as their default gateway.

    When you do this, devices in the DMZ *cannot* initiate connections to the LAN, but devices in the LAN *can* initiate connections to the DMZ. Similarly, devices on the Internet *can* initiate connections to the DMZ (with port forwarding rules of course), and devices on the DMZ *can* initiate connections to the Internet.

    This is a neat feature, as it turns the WRV54G into a 3-interface firewall (ie: WAN, LAN1, and LAN2+3+4). As you point out, you usually have to go much higher in the foodchain to get this functionality!

    /Eric
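
Added example, not part of eric_stewart's post and not WRV54G firmware: a small Python model of the three-zone behaviour described above, showing why a LAN host gets replies from the DMZ while the DMZ cannot open new connections to the LAN. The /24 masks, the public address 203.0.113.10, the client 198.51.100.7, the port numbers and all function names are assumptions made for illustration.

```python
import ipaddress

def dmz_interface(lan_if):
    """DMZ interface = LAN interface with the third octet incremented (per the post)."""
    octets = [int(o) for o in lan_if.split(".")]
    if octets[2] == 255:  # what the router does at 255 is not stated in the thread
        raise ValueError("third octet cannot be incremented")
    octets[2] += 1
    return ipaddress.IPv4Interface(".".join(map(str, octets)) + "/24")  # /24 assumed

class ThreeZoneFirewall:
    # Zone pairs allowed to *initiate* a routed connection, as listed in the post.
    MAY_INITIATE = {("lan", "dmz"), ("lan", "wan"), ("dmz", "wan")}

    def __init__(self, lan_if, wan_ip, forwards):
        self.lan = ipaddress.IPv4Interface(lan_if + "/24").network
        self.dmz = dmz_interface(lan_if).network
        self.wan_ip = wan_ip
        self.forwards = forwards   # {public TCP port: static DMZ server address}
        self.flows = set()         # connections already accepted (state table)

    def zone(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.lan:
            return "lan"
        return "dmz" if addr in self.dmz else "wan"

    def packet(self, src, sport, dst, dport):
        """Return the address the packet is delivered to, or None if dropped."""
        if (dst, dport, src, sport) in self.flows:   # reply on an accepted flow
            return dst
        if self.zone(src) == "wan":                  # inbound: only via a port forward
            if dst != self.wan_ip or dport not in self.forwards:
                return None
            dst = self.forwards[dport]               # destination NAT into the DMZ
        elif (self.zone(src), self.zone(dst)) not in self.MAY_INITIATE:
            return None
        self.flows.add((src, sport, dst, dport))
        return dst

def demo():
    # Constructed traffic using the thread's example subnets.
    fw = ThreeZoneFirewall("192.168.1.1", "203.0.113.10", {80: "192.168.2.2"})
    return {
        "lan_to_dmz": fw.packet("192.168.1.2", 40000, "192.168.2.2", 21),
        "dmz_reply": fw.packet("192.168.2.2", 21, "192.168.1.2", 40000),
        "dmz_to_lan_new": fw.packet("192.168.2.2", 40001, "192.168.1.2", 445),
        "wan_forwarded": fw.packet("198.51.100.7", 50000, "203.0.113.10", 80),
        "wan_unforwarded": fw.packet("198.51.100.7", 50001, "203.0.113.10", 22),
    }
```
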
     
  6. TazUk

    TazUk Network Guru Member

    Thanks for that Eric, I've had mine for nearly two years and never come across that feature :oops:
     
  7. ccbadd

    ccbadd Network Guru Member

    Many of the Draytek routers allow you to set up two different IP networks and you can DMZ one from either range. There is only one DHCP server and no VLAN, so all your dynamic clients get IPs on the same subnet, and you give your machines on the second subnet static IPs. They also have built-in IPSec, PPTP, and L2TP servers for VPN access. I would use them more if they were easy to get here in the States. I have never seen one in a retail outlet, but I have heard they are very common in Europe.
     
  8. MrSquid

    MrSquid LI Guru Member

    Eric,
    Thanks for this information. Only one question left,

    Can both the DMZ and Internal segments be hidden behind the single NAT given to me by my ISP? Or do I need a 2nd IP?
     
  9. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    One IP address is all that you need. Just port forward to the IP address of your server in the DMZ as needed.

    /Eric
     
  10. TazUk

    TazUk Network Guru Member

    Yep they're common here in the UK but tend to be 2 to 3 times more expensive than other manufacturers' products. Most of their product range is for ADSL too.
     
  11. MrSquid

    MrSquid LI Guru Member

    Thanks again for the help.

    I just placed my order for a WRV54G. My plans are for a NAS attached FTP server on the DMZ for file access anywhere I am. Nothing confidential will be kept there of course.
     
  12. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'd considered a NAS at one point (still am) but in the interim, I set up an FTP server application (WS FTP Server) on one of my servers and I've been fine. I haven't used the encryption with it yet (128-bit SSL) because I've been lazy but it's there if I need it...

    Doc
     
