Discussion started by fred3, Apr 24, 2007.

  fred3

    I have a site-to-site VPN working using 2 RV042s. Yay!
    To summarize how they're set up:
    There is a firewall rule in each RV042 that allows All Traffic between the two subnets / outside the tunnel. This seems to be necessary.

    OK. Now I want to move these two RV042s onto the DMZ port of two more RV042s - as had been recommended.
    I figured that doing this would be as simple as plugging them in (as long as the two new RV042s were set up OK).

    In my earlier tests I had the *gateway* entry on each VPN device pointing to the public IP address of the other end of the VPN (as right now there is no ISP gateway to point to for these public addresses). This worked fine.

    Now I'm wondering where to point the gateway settings - or if the original method isn't OK? If that's the problem?

    I'm also wondering if there are some firewall settings on the RV042s that need to be changed?

    I have the DMZ port of the "internet" routers connected to the Internet port of the VPN routers.....

  fred3

    I should have added:

    The "internet" RV042 has public IP address
    It identifies the DMZ address as
    The VPN RV042 has a WAN IP address of
    Is that last part right, or should the entered WAN address on the VPN device be something else? If so, what?


  fred3

    Now I see in the manual that the DMZ address must not be selected as Subnet because that forces the DMZ and the WAN to be on separate subnets. In my case they are on the same public IP subnet.
    So, I selected "Range" and specified the range to be the one IP address for the VPN device WAN.
    Still doesn't work, though...

  ifican

    I don't own RVs, so I can only speak to this in general terms. If you have the same subnet on both sides of the router it will not work. Now, the RV may do something a little different from real-world standards, but as a whole each interface that is routed needs to be on a separate subnet. What happens if you give the RV in the DMZ a static IP from the DHCP pool of the RV it is connected to and then set up your tunnel as normal? As long as your border RV is not running a tunnel it should work OK. The other thing you could do, since you have multiple IPs, is to put a switch between your RVs and your ISP. Then you can IP them the way you like and have them all be endpoints.
  fred3

    The subnets on each side of the router *are* different.
    While I know I could put the routers on a switch at the internet interface, others here have suggested it's better to put one router at that interface (the one I call the "internet" router) and use its DMZ port for a VPN router. So, I'm trying to make that happen and had these questions about how to point things / make the right settings at that interface.

    What I'm doing looks like this:

    internet > "internet" router > LAN ports ............................,>|
    | + >>>>LAN
    >DMZ port> VPN router >LAN port>|

    I read things that might be conflicting or just a matter of my not understanding yet:

    - it appears that one can put a particular machine(s) that's on the LAN at a LAN address that is identified as being the DMZ machine(s) and then assign a public IP address to it.
    That apparently would look like this:

    > DMZ machine on LAN
    internet > "internet" router > LAN ports>.................> other LAN clients
    >DMZ port>(empty)
    Here the DMZ machine is accessed by routing in the "internet" router. This doesn't seem right because the DMZ traffic would be on the LAN and the DMZ port isn't used.

    - one can put a particular machine(s) physically on the DMZ port rather than on the LAN.

    If a machine is on the DMZ port, is it intended for it to: (?)

    1) have a public IP address on its WAN port that's on the same public subnet as the one entered for DMZ - but a different one? That seems a waste of a public IP address. Example:

    internet WAN and LAN
    internet DMZ
    connected to
    WAN of DMZ/VPN machine With VPN LAN

    2) have an address from the LAN subnet on its WAN port - that is identified as the IP address for the DMZ in the "internet" router - and is also assigned the public IP address corresponding to the DMZ machine?
    internet WAN and LAN
    internet DMZ ?????????? (like a switch port? with no IP?)
    connected to
    WAN of DMZ/VPN machine accessible through
    with VPN LAN

    3) have the same public IP address assigned to its WAN that's entered into the router whose DMZ port is being used / that its WAN is connected to?
    (I don't see where an IP address is assigned to the DMZ port otherwise so I wonder what *it* is?)
    internet WAN and LAN
    internet DMZ ???????? (like a switch port w/no IP)
    connected to:
    WAN of DMZ/VPN Machine with VPN LAN

    In the end, either the WAN port of the DMZ machine has the public IP address assigned or perhaps a rather arbitrary IP address. Which is it? That's what I'm asking here.


  fred3

    Oh! bad diagram...
    What I'm doing looks like this:

    internet > "internet" router > LAN ports ............................,>|
    .....................................|..............................................| + >>>>LAN
    .....................................>DMZ port> VPN router >LAN port>|
  ifican

    Having taken a quick look at the documentation for the RV042, the DMZ port can be used either as a DMZ port (inside but protected port) or as an internet port (outside, ISP-connected port). Now there are lots of things that can be done with the "internet DMZ", but the documentation shows that when the DMZ port is being used as an internet port it is connected to an ISP. I suppose you could put the VPN on the DMZ port, but it would need an IP from the internet-facing RV, and then you would have to port forward all the IKE stuff to that router in order to get it to work as a DMZ endpoint.
  fred3

    In the information in the files inside the RV042 itself it says:
    "Each of the servers on the DMZ will need a unique publishable internet IP address"
    "each" and "unique" mean different from the IP address of the other router.
    We have a small subnet of public IP addresses available. So, that's no problem.
    Presumably, with a public IP address, there's no need to do any port forwarding.

    The "internet port (outside connected port)" that you refer to I believe is when this same physical port is used as a 2nd *WAN* port. That's a different mode than DMZ mode I believe. The setting choices are: Dual WAN and DMZ (implying Single WAN / Single DMZ). I'm only interested in this "DMZ" mode.

    So, with that as background, I posed the earlier questions about how to configure both the "internet" RV042 and how to configure the one connected to the DMZ port being used in DMZ mode.

    The questions are all about which IP address on the 2nd unit and how to point to it properly.

    Thanks for bearing with me!
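As an added example (not posted in the thread), the following Python check encodes only the addressing rules the posts above state: routed interfaces need distinct subnets, DMZ "Subnet" mode puts the DMZ on a subnet separate from the WAN, DMZ "Range" mode takes addresses from the same public subnet as the WAN (as fred3 uses it), and each DMZ server needs its own public IP that differs from the "internet" router's WAN IP. All addresses are constructed placeholders from a documentation range; the Plan fields and check_plan name are this example's own, not RV042 settings.

```python
"""Consistency check for an RV042-style plan: an 'internet' router whose DMZ
port feeds the WAN of a second (VPN) router.  The addresses used in the tests
are constructed placeholders (198.51.100.0/24 is a documentation range)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Plan:
    wan: str                 # 'internet' router WAN address, CIDR form
    lan: str                 # 'internet' router LAN address, CIDR form
    dmz_mode: str            # "subnet" or "range" (the two DMZ address choices)
    dmz: str                 # subnet in CIDR, or "first-last" for range mode
    dmz_hosts: list[str] = field(default_factory=list)  # WAN IPs of DMZ devices


def check_plan(p: Plan) -> list[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    problems: list[str] = []
    wan = ipaddress.ip_interface(p.wan)
    lan = ipaddress.ip_interface(p.lan)
    # Each routed interface needs its own subnet.
    if wan.network.overlaps(lan.network):
        problems.append("WAN and LAN subnets overlap")
    if p.dmz_mode == "subnet":
        # 'Subnet' mode forces the DMZ onto a subnet separate from the WAN.
        dmz_net = ipaddress.ip_network(p.dmz, strict=False)
        if dmz_net.overlaps(wan.network):
            problems.append("DMZ 'Subnet' mode requires a subnet separate from the WAN")
        dmz_addrs = set(dmz_net.hosts())
    elif p.dmz_mode == "range":
        # 'Range' mode carves individual addresses out of the WAN's public subnet.
        first, last = (ipaddress.ip_address(a) for a in p.dmz.split("-"))
        dmz_addrs = {ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)}
        outside = sorted(str(a) for a in dmz_addrs if a not in wan.network)
        if outside:
            problems.append(f"DMZ range addresses outside the WAN subnet: {outside}")
    else:
        return [f"unknown DMZ mode {p.dmz_mode!r}"]
    # Every DMZ server needs a unique public IP, distinct from the router's own.
    seen: set[ipaddress.IPv4Address | ipaddress.IPv6Address] = set()
    for h in p.dmz_hosts:
        addr = ipaddress.ip_address(h)
        if addr == wan.ip:
            problems.append(f"DMZ host {h} reuses the router's own WAN IP")
        if addr not in dmz_addrs:
            problems.append(f"DMZ host {h} is not inside the configured DMZ")
        if addr in seen:
            problems.append(f"DMZ host {h} is not unique")
        seen.add(addr)
    return problems
```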
