DMZ setup

Platinum1211 · 26-07-2007, 02:10 PM

Hello everyone,
So we have a new server here in the office we're using as a webserver running Windows Server 2003. We are using a linksys VPN router RV082. Connected to the router is a WAN connection to our cable modem, a connection to the rest of the network, and a connection to the server. Currently, we are using port forwarding because we have a company setting up internet sales for us so we can have online orders. Not really the best setup, especially when considering security, since we have port forwarding, a hacker could potentially have much easier access to the rest of our network. So, we want to setup DMZ but we're having some issues. For the time being I have just a normal PC plugged into the WAN2/DMZ port for setup purposes, so basically all I need to do is switch the server from the 2nd port to the DMZ port, and perhaps change around a setting or 2 on the server. I can't seem to get it setup right though. Here are the current settings:

LAN IP : 10.0.0.12
WAN IP : 69.***.**.115
DMZ IP : 192.168.5.1
Mode : Gateway
DNS : 167.***.*.212 167.***.*.146 167.***.*.209
DDNS : Off
DMZ Host : Disabled

So currently, when I remotely connect to the WAN IP it sends me to the server, but that's due to port forwarding. If I try typing the WAN IP into my browser I am unable to connect, even with port 80 forwarded to the server. I don't know what to do, but we need to get this running somewhat soon.

Please help! Thanks in advance.

Platinum

Anti-Trend · 27-07-2007, 08:31 PM

The problem seems to be that your LAN segment has no route to DMZ segment, so the connection fails. That or your Linksys doesn't have a stateful firewall, and so is dropping the inbound packets from the DMZ segment to the LAN segment, even though there is an open session. Neither of these scenarios would be surprising, since Linksys isn't exactly business-grade, even if it's marketed that way. You might consider calling Linksys support to verify this, or if there's some setting on the box you can change to accomplish your goal.

That said, you might just consider building an IPCop, pfSense, or m0n0wall firewall from a plain old PC to replace it. In the case of IPCop or m0n0wall, it doesn't need to be any faster than 500MHz or so, and 128-256mb RAM would be plenty. So all-in-all, a $50 PC with 3 or more NICs would be able to compete with mid to low-grade Cisco gear in terms of features and performance, at about 1/100th the cost. That's certainly what I'd do in your situation.

I use an IPCop on my own network, where my Apache webserver sits in a DMZ. The IPCop provides a route from the LAN to the DMZ without problems, and yet the DMZ cannot route traffic to the LAN unsolicited, as expected. I also tie in to several IPSec VPNs, and have advanced ACLs setup so that everything runs the way I want. Also, intricate traffic shaping policies are in place to make sure that the network never feels congested, even if the bandwidth is near its very limits. All this from a firewall built from a 300MHz PC which has long been obsolete.

26-07-2007, 02:10 PM	#1 (permalink) Top
Platinum1211 Geek Trainee Join Date: Jul 2007 Age: 20 Posts: 14 My Mood: Psychadelic Status: Offline	DMZ setup Hello everyone, So we have a new server here in the office we're using as a webserver running Windows Server 2003. We are using a linksys VPN router RV082. Connected to the router is a WAN connection to our cable modem, a connection to the rest of the network, and a connection to the server. Currently, we are using port forwarding because we have a company setting up internet sales for us so we can have online orders. Not really the best setup, especially when considering security, since we have port forwarding, a hacker could potentially have much easier access to the rest of our network. So, we want to setup DMZ but we're having some issues. For the time being I have just a normal PC plugged into the WAN2/DMZ port for setup purposes, so basically all I need to do is switch the server from the 2nd port to the DMZ port, and perhaps change around a setting or 2 on the server. I can't seem to get it setup right though. Here are the current settings: LAN IP : 10.0.0.12 WAN IP : 69.*..115 DMZ IP : 192.168.5.1 Mode : Gateway DNS : 167.**..212 167.**..146 167.**..209 DDNS : Off DMZ Host : Disabled So currently, when I remotely connect to the WAN IP it sends me to the server, but that's due to port forwarding. If I try typing the WAN IP into my browser I am unable to connect, even with port 80 forwarded to the server. I don't know what to do, but we need to get this running somewhat soon. Please help! Thanks in advance. Platinum

27-07-2007, 08:31 PM	#2 (permalink) Top
Anti-Trend Nonconformist Geek Join Date: Oct 2003 Age: 27 Male Posts: 4,880 Times Helpful: 536 Status: Offline My Computer	The problem seems to be that your LAN segment has no route to DMZ segment, so the connection fails. That or your Linksys doesn't have a stateful firewall, and so is dropping the inbound packets from the DMZ segment to the LAN segment, even though there is an open session. Neither of these scenarios would be surprising, since Linksys isn't exactly business-grade, even if it's marketed that way. You might consider calling Linksys support to verify this, or if there's some setting on the box you can change to accomplish your goal. That said, you might just consider building an IPCop, pfSense, or m0n0wall firewall from a plain old PC to replace it. In the case of IPCop or m0n0wall, it doesn't need to be any faster than 500MHz or so, and 128-256mb RAM would be plenty. So all-in-all, a $50 PC with 3 or more NICs would be able to compete with mid to low-grade Cisco gear in terms of features and performance, at about 1/100th the cost. That's certainly what I'd do in your situation. I use an IPCop on my own network, where my Apache webserver sits in a DMZ. The IPCop provides a route from the LAN to the DMZ without problems, and yet the DMZ cannot route traffic to the LAN unsolicited, as expected. I also tie in to several IPSec VPNs, and have advanced ACLs setup so that everything runs the way I want. Also, intricate traffic shaping policies are in place to make sure that the network never feels congested, even if the bandwidth is near its very limits. All this from a firewall built from a 300MHz PC which has long been obsolete. __________________ See My Desktop \| Try Linux \| Install Linux \| Visit My Server \| Support Hardware Forums \| Easily rip DVDs in Linux \| Remember Everything

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
is this setup ok?	Dwarfer	CPU, Motherboards and Memory	3	18-07-2007 07:57 PM
Better setup?	Jack McDonald	New Build / Upgrade Advice	3	20-06-2007 01:54 PM
weird setup	German	Storage Devices	2	17-01-2006 11:09 PM
new setup not working	wompshmack	CPU, Motherboards and Memory	4	16-12-2005 08:50 PM
My Setup :P	ProcalX	Old Gallery (no posts allowed)	12	17-02-2005 02:34 PM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)