What to use with WRT54GS to get secure LAN and DMZ?

Discussion in 'Networking Issues' started by hossfeathers, May 5, 2008.

  1. hossfeathers

    hossfeathers LI Guru Member

    I need to have a server or two in a DMZ and I've read that it's best to have them in a separate IP range from the LAN. I had a working setup a while ago that used a DLink DFL-200 for the connection to cable modem, DMZ servers and a WRT54GS (very early version) for the LAN. It all worked for a while and then I 'lost control' of the DLink; I just can't get it into the right arrangement again. I doubt it's broken, I think it's a software issue; I find the DLink software totally opaque compared to the Linksys software for the WRT54GS.

    Some of my travails are documented here:

    Right now I don't have a dmz; I simply use the WRT54GS as my firewall and router. I'd be willing to buy another router to take the place of the DFL-200, which was supposed to be a better firewall than the WRT54GS. Can anyone suggest a unit? I've spent so much time with the DFL-200 I just want to get on with things.

    So, #1 is it true that the planned two-router config would be more secure than using only the WRT54GS with its DMZ capability?

    And, #2 what unit would be a good replacement for the DFL-200, not too expensive, relatively secure, and easy to configure for a home office user?
  2. mstombs

    mstombs Network Guru Member

    You do realize that your 'old' WRT54GS will actually be one of the better WRT54Gs with 8Mb flash/32Mb ram and lots of choice of 3rd party firmware; it runs a pretty full Linux netfilter packet filter - I'm sure it's as good a firewall as you need. I don't understand what you mean about multiple computers in DMZ. You specify one IP as DMZ in the WRT54GS, and any new incoming connections that are not specifically routed elsewhere will be sent to it, completely bypassing the WRT54GS firewall.
  3. hossfeathers

    hossfeathers LI Guru Member

    Yes I had some memory that my WRT54GS was considered a good one.

    You're suggesting that I use the DMZ facility of the WRT54GS and settle at that. I am sure that would work. But I'm not sure it'd be very secure. I was using smoothwall for a while and in that crowd it's considered essential to have DMZ on a separate IP address. That's why I went to the trouble to use the DFL.

    Simple is good though...I'd like to know how weak it'd be to use the plain WRT in comparison with a more elaborate setup. I just don't know enough on the subject.

    I will have two servers in the DMZ, ideally, or more.
  4. mstombs

    mstombs Network Guru Member

    I personally would not use DMZ for this purpose, it means the machine that is allocated DMZ must have its own firewall as it will be open to attack on all ports from the internet. If that machine is on the same local network as your other machines then your whole local network can be compromised. I only use DMZ for test purposes, or for default forwarding to a non-existent address to make ports appear 'stealthed'.

    It would be better to clearly identify what services you want to run on which server and explicitly port forward only those ports needed (i.e. port 80 for web, 22 for ssh, or custom for any).

    The purists will point out that a NAT router is not a proper firewall; it is only a packet filter and only does what it is configured to do - generally it allows all outgoing connections and any replies to these.

    With dd-wrt your WRT54GS can support VLANs through the web GUI (with Tomato this could only be done from the command line/script). This would be most secure - you can separate the 4 LAN ports, and have different local address ranges for each port.

    How many public IP addresses do you have? What sort of servers do you want to run? How many different machines? I'm pretty sure there are folk here who already have a similar setup!
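The difference mstombs draws between a DMZ host and explicit port forwards, as an added illustration that is not part of the thread: a small Python model of how a consumer NAT router dispatches new inbound connections. The router model, the 192.168.1.x addresses, the ports and the "live host" set are all constructed for the example.

```python
"""Toy model of a consumer NAT router's inbound dispatch (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RouterPolicy:
    # Explicit forwards: (proto, public port) -> internal address.
    forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # DMZ host: receives every new inbound connection that no forward claims.
    dmz_host: Optional[str] = None
    # Addresses that actually answer on the LAN (constructed for the model).
    live_hosts: Set[str] = field(default_factory=set)


def dispatch(policy: RouterPolicy, proto: str, port: int) -> str:
    """Where does a new Internet-side connection to (proto, port) end up?"""
    target = policy.forwards.get((proto, port)) or policy.dmz_host
    if target is None:
        return "dropped"          # no forward, no DMZ: the router discards it
    if target not in policy.live_hosts:
        return "black-holed"      # sent to an unused address: no reply, so the port looks stealthed
    return f"delivered to {target}"


def exposed_ports(policy: RouterPolicy, host: str, proto: str = "tcp") -> int:
    """Count privileged ports (1-1023) for which an Internet probe reaches `host`."""
    return sum(dispatch(policy, proto, p) == f"delivered to {host}" for p in range(1, 1024))


LIVE = {"192.168.1.10", "192.168.1.11"}  # constructed: the Ubuntu and Windows 2003 test boxes

# Option A: the Ubuntu web server is the DMZ host -> every unclaimed port lands on it.
DMZ_POLICY = RouterPolicy(dmz_host="192.168.1.10", live_hosts=LIVE)

# Option B: forward only the services actually offered (80 and 22 to Ubuntu, 8080 to IIS).
FORWARD_POLICY = RouterPolicy(
    forwards={("tcp", 80): "192.168.1.10", ("tcp", 22): "192.168.1.10", ("tcp", 8080): "192.168.1.11"},
    live_hosts=LIVE)

# Option C: same forwards, plus the DMZ pointed at an address nobody uses (the 'stealth' trick).
STEALTH_POLICY = RouterPolicy(forwards=FORWARD_POLICY.forwards, dmz_host="192.168.1.254", live_hosts=LIVE)

if __name__ == "__main__":
    print("DMZ host, ports 1-1023 reachable on Ubuntu box:", exposed_ports(DMZ_POLICY, "192.168.1.10"))
    print("Explicit forwards, reachable on Ubuntu box:", exposed_ports(FORWARD_POLICY, "192.168.1.10"))
    for pol, name in ((FORWARD_POLICY, "forwards only"), (STEALTH_POLICY, "forwards + stealth DMZ")):
        print(f"{name}: probe to tcp/445 -> {dispatch(pol, 'tcp', 445)}")
```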
  5. hossfeathers

    hossfeathers LI Guru Member

    Two servers, one ubuntu and the other windows 2003. Each would be running a specific service like apache or iis, with known ports. Both are essentially test servers and will be up 50% of the time max. As I understood it from the smoothwall community exposure that I had, best to have separate ip address for those, as you have confirmed.

    If I understood you correctly, dd-wrt would be an improvement over my updated linksys software. A vlan is a virtual lan?

    Is dd-wrt simple to configure? I don't want to spend as much time on configuration as I did with the dlink...which is likely all I need if only I could fathom its software.

    Remember I'd be happy to buy some additional hardware if it makes my setup safe and remains simple to configure.
  6. hossfeathers

    hossfeathers LI Guru Member

  7. mstombs

    mstombs Network Guru Member

    A vlan is a virtual lan, implemented by custom driver/switch hardware. The switch in a wrt54gs is a 5 port switch normally divided into 2 Vlans, a 4-port lan vlan0 and 1-port wan vlan1. The switch acts as a 'hub' in hardware so lan traffic within a vlan i.e. vlan0 doesn't go via the linux kernel. The vlan configuration can be changed by nvram vars, and this configures the hardware switch to do what you want.

    dd-wrt can do almost anything, but I'm currently running Tomato because it does enough. There are many flavours of dd-wrt and the latest version is taking forever to progress from release-candidate to final. It now supports many different hardware platforms and has lots of new functions and when stable maybe I'll take another look!

    So sure dd-wrt can do what you want, I've seen the vlan config in the web gui, but not used it - and you may need to add scripts to tailor the use. Flexibility + configurability = complexity?
  8. hossfeathers

    hossfeathers LI Guru Member

    Thanks that's good info.

    But it does sound rather more complex than I was hoping for. If setting up the WRT54GS so that by itself it provides a secure network like I need (including dmz) takes a lot of tweaking, I'd rather start over with some other firewall/router.

    Can anyone recommend a solution? What I'm looking for (firewall, LAN, real DMZ) must be an incredibly common need...surely some company has created a product that fits without requiring a full on network admin to config?
  9. hossfeathers

    hossfeathers LI Guru Member

    No solution that out of the box provides the simple needs I have?
  10. hossfeathers

    hossfeathers LI Guru Member

    Well...dd-wrt looks a bit complex for my needs, but can't really tell.

    Would anyone care to guess if the ZyXEL ZyWALL 2 PLUS might be approx what I'm looking for? Is its type of DMZ more secure than what the wrt54gs offers with linksys firmware?

