RV042 Firewall: block DMZ Host from LAN?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ca_picker, Nov 14, 2007.

  1. ca_picker

    ca_picker LI Guru Member

    I am working on really locking down my wireless setup. What I would like to do is isolate the Wireless Router traffic from the rest of the LAN, and require a VPN or other secure connection from wireless -> LAN (and other VPNs, etc.).

    LAN is, RV042 has several different VPN tunnels to other sites, at,, and

    I had the idea to designate the wireless router (it is an AirPort router, not just AP) as the DMZ Host (different from the DMZ Port) and set up some firewall rules as:
    1) Allow DMZ Host -> RV042 PPTP via LAN (to allow a PPTP VPN connection from wireless clients to the RV042 on the LAN interface)
    2) Deny DMZ Host -> ~ all traffic via LAN (deny any other traffic from DMZ Host to the LAN and VPNs on the LAN interface).

    While this setup does prevent wireless clients from getting to my other VPN tunnels (, ~, it does not prohibit traffic to/from the physical LAN ( I am guessing this is some kind of built-in rule in the RV042 to guarantee that anything on the LAN always has access to the router? Or maybe I'm just doing it wrong.

    How does one go about locking down the DMZ Host better?
  2. ca_picker

    ca_picker LI Guru Member


    Well I think I figured out a solution, using the Multi-Subnet feature of the RV042.

    I had my original network, I modified this to be, then added a second subnet. I then set up the wireless router with a Manual IP (no DHCP) address on the second subnet. Last, I have the following rules in my firewall:

    - allow PPTP on LAN interface, from the wireless IP (single IP only!) to the first subnet router IP (again, single IP only). This allows establishing a PPTP VPN from the wireless back to the router. No DMZ Host.
    - deny all traffic from any interface, from the wireless IP to any local LAN or VPN IP ( ~, overkill, but easy).

    This works very well; my wireless IP serves up a totally separate IP range (10.0.x.x), the only potential hole is that the wireless router is pingable using the address; I don't think that's such a giant problem because one would have had to gain access to the wireless net in the first place, and that is protected with WPA2 and a strong password.

    Even if someone were to get past that, they would need to know that a local VPN exists, is PPTP, and would have to nab another strong password for that before getting to the sensitive stuff.

    (This is all in addition to my other firewall settings mentioned in a separate thread.)

    I think this is a very secure setup; would appreciate any comments esp. if there are gaps I may be overlooking.
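A small first-match model of the two rules in the second post, added here as an example (it is not from the thread or from Cisco). The addresses are constructed because the post's real ones are not on the page, and the default verdict for unmatched traffic is the model's assumption, not the RV042's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the thread's real subnets are not on the page.
ROUTER_IP = ipaddress.ip_address("192.168.1.1")       # RV042 on the first subnet
WIRELESS_IP = ipaddress.ip_address("192.168.2.2")     # AirPort router, manual IP on the second subnet
LOCAL_RANGE = ipaddress.ip_network("192.168.0.0/16")  # local LAN plus VPN sites, the "overkill" catch-all
PPTP_PORT = 1723                                      # PPTP control channel is TCP/1723; data rides on GRE

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "gre" or "icmp"
    dport: int = 0   # only meaningful for tcp/udp

def is_pptp_to_router(p: Packet) -> bool:
    """Rule 1: allow PPTP (TCP/1723 + GRE) from the single wireless IP to the single router IP."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    pptp = (p.proto == "tcp" and p.dport == PPTP_PORT) or p.proto == "gre"
    return src == WIRELESS_IP and dst == ROUTER_IP and pptp

def is_wireless_to_local(p: Packet) -> bool:
    """Rule 2: deny everything from the wireless IP to any local LAN or VPN address."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return src == WIRELESS_IP and dst in LOCAL_RANGE

# Ordered rule table, first match wins, in the order the post lists them.
RULES = [
    ("allow-pptp-to-router", is_pptp_to_router, "allow"),
    ("deny-wireless-to-local", is_wireless_to_local, "deny"),
]

def verdict(p: Packet, default: str = "allow") -> str:
    """Return "allow" or "deny"; `default` applies when no rule matches (model assumption)."""
    for _name, match, action in RULES:
        if match(p):
            return action
    return default

def audit(packets):
    """Map each packet to its verdict so the rule set can be checked against expected traffic."""
    return {p: verdict(p) for p in packets}
```

Traffic from the LAN side toward the wireless router is not matched by either rule, which is consistent with the post's observation that the wireless router stays pingable.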