DMZ with RV042 - please help!!!

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by yasmin_k, Aug 14, 2007.

  1. yasmin_k

    yasmin_k LI Guru Member


    I've posted here a while and got some advice but... see below.
    I had questions about DMZ with the RV042.

    Because I have only one public IP address from my ISP, someone gave me the tip of using the RV042 behind another router (which handles the DSL connection).
    So, I followed that and it worked so far - for the LAN side.

    The problem is with the DMZ side. I've been sitting here for 3 days trying to set it up and get a mail server running on the DMZ, no way... :confused:

    It seems to be a forwarding issue with them.

    Just some information:

    1. Router #1 (DSL) - Draytek, IP:
    2. Router #2 - RV042, connected to the LAN interface of Vigor, IP (LAN, WAN1:, WAN2/DMZ:, all
    3. Router/AP #3 - WRV200, IP:

    Router #1 is Gateway to Internet
    Router #2 acts as Gateway
    Router #3 acts as Router
    Clients in the LAN have Router #2 as Gateway
    DNS from ISP ok.
    Static IP from ISP, A & MX records done.
    Access from the clients to Internet ok, no issues.

    On the WAN2/DMZ on RV042 is a mail server connected, IP:, with Gateway

    Opened Port 25 for SMTP in Vigor, goes to

    Have only the default rules in the firewall tab on RV042.

    But, now comes the issue:
    - from the mailserver i can ping and but no (no route to host). So I can't go out to the Internet with the mailserver.
    - can ping and to Internet from the LAN side.

    Can someone please help me (based on my config) with how to handle this, how to do the forwarding, firewall rules, open ports and so on.
    I'm very confused and disappointed (I have had no mails for 3 days - waiting to get my mailserver running, mails are going nowhere...)

    Thanks in advance,
  2. ifican

    ifican Network Guru Member

    The wan2/dmz port can be one or the other it cannot be both. So you either need to hang the server off of the modem with a 99.x address or hang it off the inside of the rv042 with a 1.x address. When you decide which you would rather do we can then concentrate on how to get the ip's setup correctly.
  3. yasmin_k

    yasmin_k LI Guru Member

    hi ifican,

    you didn't understand me.

    wan1 on rv042 goes to the first (draytek) router.
    wan2/dmz IS used as dmz and there is the mailserver connected.

    and the dmz is and should be on another subnet, 1.x is my (w)lan.

  4. ifican

    ifican Network Guru Member

    Well in your original explanation you said wan2/dmz is ip'd, this ip is not the correct range if it is working as a dmz. Is that ip correct?
  5. yasmin_k

    yasmin_k LI Guru Member

    yes, that's the ip-adress for the dmz-port.
    why is it not correct?
  6. ifican

    ifican Network Guru Member

    Because the dmz in that case is on the inside (lan side) of the RV, that address space is the space on the wan side. When the wan2 is acting as a wan port it's on the outside of the network, but when it is a dmz it is on the inside; though it does not have direct access to lan side hosts, it does still maintain a lan side ip.
  7. yasmin_k

    yasmin_k LI Guru Member

    not so clear, but anyway.
    didn't know that the dmz (when acting as dmz) will be part of the lan...

    well, how should i configure the stuff now?
  8. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    ifican: Maybe saying it another way would help: I noticed the same thing. The DMZ and the WAN should be on *different* IP subnets. They aren't.

    What you need to do yasmin is configure the DMZ interface (ie: the WAN2 interface) to with mask and the WAN interface (ie: WAN1) to with mask By changing both mask and IP of the DMZ and only the mask of the WAN interface you will put them on different subnets and the RV042 will now be able to route successfully.

    Make sure that you change the default gateway on your mail server to reflect this new configuration. The default gateway should now be since that is the new IP address of your DMZ interface and that is where the server resides.

  9. yasmin_k

    yasmin_k LI Guru Member

    Hello Eric,

    thanks very much for your reply!!!

    I will try this, but before I have a few questions more:

    - which IP should I give to the mailserver? Is it ok as example?
    - I have to route from the Draytek Vigor port 25 to the RV042. It can only route to the same subnet. So, should I route it to the WAN1 (in this case of RV042 (Vigor hangs there connected)?
    - other routes (static) are not needed, right?
    - and what about the firewall rules? I have only the default ones.

  10. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Yes. The mail server's IP needs to be on the subnet so is a good address.

    Yes. Forward port 25 to the *actual IP address of the mail server*... in your instance. It's a peculiarity of the RV042 that you cannot do one-to-one NAT between the DMZ and the WAN. You need to put a static route on your Draytek to tell it that is reachable by next-hop = the WAN IP of your RV042

    As to firewall rules, the RV042 will automatically expose the whole DMZ without any control. That is another peculiarity of the RV042's DMZ. If you want to control what traffic is allowed to your DMZ, you need to create access rules to lock it down. I have a post here: Scroll down to the "What about a firewall with 3 interfaces?" section.

  11. yasmin_k

    yasmin_k LI Guru Member

    hi eric,

    ok, so i can ping out from the dmz to the internet, mail server is on 99.200.

    - forwarded port 25 in vigor to the server.
    - but why should i do a static route in vigor to 99.128 and not to 99.129 (which is the dmz port), don't understand that.
    so if i would do a static route in vigor to (or 129???), with who's the gateway in this case? (the wan1 port on rv042) or itself the vigor ( and which interface? lan or wan? must be lan, right, because of the rv042 sitting there.

  12. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    The Draytek box needs to know how to get to the DMZ. If it's connected on a common subnet with the WAN port of the RV042, it only knows how to get to *that* subnet, ie: and not to That said, if you didn't want to put in a static route, you could "lie" to the Draytek and put its RV042-facing interface in the network. It would then assume that it would need to send packets there that are destined to address (your mail server) to its common subnet with the RV042. If you didn't put in a static route yet and you're able to ping to the Internet from your server in the DMZ, that is probably because you haven't yet changed the IP address on your Draytek to reflect the new /25 subnet. A happy coincidence!

    If you do decide to put in the static route to the network (I recommend this), the next hop gateway would be the WAN1 interface on the RV042,
  13. yasmin_k

    yasmin_k LI Guru Member

    Hi Eric,

    thanks again for your help!

    Well, put the as a static route in the Draytek, with as Gateway, it works!!!
    I've installed the mailserver, I can send out, can receive - some things are not 100% perfect but it works for the moment.
    I will check the rest later, have to travel to China.

    So far, port 25 is not blocked anymore, goes to where it should go.

    Have a nice day! And thank you!
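
Added example, not part of any post in the thread: a short Python check of the two points the replies settle on, that WAN1 and the DMZ must sit in different subnets and that the upstream Draytek needs a route to the DMZ half. The `10.0` prefix, the `.1`/`.2` host numbers and the function names are constructed placeholders (the thread's full addresses are not shown); the `99.129` DMZ port, `99.200` mail server and /25 masks follow the posts.

```python
import ipaddress as ip

# Constructed addressing: only the last octets and the /25 split come from
# the thread; the "10.0" prefix and the .1/.2 hosts are placeholders.
BEFORE = {"WAN1": "10.0.99.2/24", "DMZ": "10.0.99.129/24"}   # original setup
AFTER = {"WAN1": "10.0.99.2/25", "DMZ": "10.0.99.129/25"}    # after the split
MAIL_SERVER = "10.0.99.200"
RV042_WAN1 = "10.0.99.2"
DMZ_ROUTE = [("10.0.99.128/25", RV042_WAN1)]  # static route on the Draytek


def overlapping_interfaces(ifaces):
    """Return pairs of interface names whose subnets overlap (unroutable)."""
    nets = {n: ip.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_hop(dest, connected, static_routes=()):
    """Longest-prefix match over one connected subnet plus static routes.

    Returns "direct" for an on-link destination, the gateway address for a
    static route, or None when only the default route (to the ISP) is left.
    """
    dest = ip.ip_address(dest)
    table = [(ip.ip_interface(connected).network, "direct")]
    table += [(ip.ip_network(n), gw) for n, gw in static_routes]
    matches = [(net.prefixlen, hop) for net, hop in table if dest in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    print("overlap before:", overlapping_interfaces(BEFORE))
    print("overlap after: ", overlapping_interfaces(AFTER))
    # Draytek moved to /25 with no static route: mail server is unreachable.
    print("no route:   ", next_hop(MAIL_SERVER, "10.0.99.1/25"))
    # Draytek left on /24: it treats the mail server as on-link.
    print("still /24:  ", next_hop(MAIL_SERVER, "10.0.99.1/24"))
    # Static route to the DMZ half via the RV042's WAN1 address.
    print("with route: ", next_hop(MAIL_SERVER, "10.0.99.1/25", DMZ_ROUTE))
```

The same overlap check is worth rerunning whenever a DMZ is carved out of an existing range, since the DMZ described in the thread is exposed without access rules until they are added.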
