DMZ router

Discussion in 'Tomato Firmware' started by _wb_, May 11, 2014.

  1. _wb_

    _wb_ Networkin' Nut Member

    Is it possible to put a router on DMZ? I mean a secondary router.
    I have my main router running Tomato and I would like to access another Tomato router I have from the Internet on port 22 (ssh).

    I have tried setting the second router with a different subnet, connecting lan of the primary router to secondary router's wan, connecting secondary router to lan, nothing seems to make the second router accessible from the outside.

    Anyone know how I can put this secondary router on a DMZ so that I can access it via ssh and web gui?
  2. _wb_

    _wb_ Networkin' Nut Member

    This seems like a basic thing to do but I am unable to ping or ssh to the secondary router. Any help would be appreciated. Thanks
  3. Grimson

    Grimson Networkin' Nut Member

  4. _wb_

    _wb_ Networkin' Nut Member

    @Grimson I can put them on different subnets but how do I connect the physical ports from primary and secondary routers? LAN to WAN or LAN to LAN?
  5. tbjerret

    tbjerret Network Guru Member

    LAN to WAN. The connection type in the second router is static IP (the DMZ-IP from the first router). Then you don't have to forward anything - and the first router is still functioning on its own and different subnet.
  6. _wb_

    _wb_ Networkin' Nut Member

    @Grimson The problem was the port forwarded matched the first router. Now that the second router is on DMZ, if I ssh to it from outside I can still access my internal LAN. I wanted to make this DMZ router completely inaccessible internally. Any idea how to prevent the second router from "seeing" the internal LAN subnet?
    The WAN on the second router has an internal IP of the first router but LAN IP is on a different subnet. What am I missing here?

    Thanks @tbjerret !!
    Last edited: May 15, 2014
  7. _wb_

    _wb_ Networkin' Nut Member

    Does anyone know how to block this secondary router from accessing the internal LAN? I only want it to access the WAN.
  8. koitsu

    koitsu Network Guru Member

    ifconfig eth0 down? ;-)
  9. _wb_

    _wb_ Networkin' Nut Member

    @koitsu well, what's the point of a DMZ then...
  10. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

  11. _wb_

    _wb_ Networkin' Nut Member

  12. _wb_

    _wb_ Networkin' Nut Member

    @Marcel Tunks that was a good link. I ended up blocking access based on mac address:
    iptables -I INPUT -m mac --mac-source 00:XX:XX:XX:XX:XX -m state --state NEW -j DROP
    iptables -I INPUT -m mac --mac-source 00:XX:XX:XX:XX:XX -p udp -m multiport --dports 53,67 -j