Hello everyone,

So we have a new server here in the office we're using as a webserver running Windows Server 2003. We are using a Linksys VPN router RV082. Connected to the router is a WAN connection to our cable modem, a connection to the rest of the network, and a connection to the server. Currently, we are using port forwarding because we have a company setting up internet sales for us so we can have online orders. Not really the best setup, especially when considering security: since we have port forwarding, a hacker could potentially have much easier access to the rest of our network. So, we want to set up a DMZ, but we're having some issues. For the time being I have just a normal PC plugged into the WAN2/DMZ port for setup purposes, so basically all I need to do is switch the server from the 2nd port to the DMZ port, and perhaps change around a setting or two on the server. I can't seem to get it set up right, though.

Here are the current settings:

LAN IP : 10.0.0.12
WAN IP : 69.***.**.115
DMZ IP : 192.168.5.1
Mode : Gateway
DNS : 167.***.*.212, 167.***.*.146, 167.***.*.209
DDNS : Off
DMZ Host : Disabled

So currently, when I remotely connect to the WAN IP it sends me to the server, but that's due to port forwarding. If I try typing the WAN IP into my browser I am unable to connect, even with port 80 forwarded to the server. I don't know what to do, but we need to get this running somewhat soon. Please help!

Thanks in advance.

Platinum
The problem seems to be that your LAN segment has no route to the DMZ segment, so the connection fails. That, or your Linksys doesn't have a stateful firewall and so is dropping the inbound packets from the DMZ segment to the LAN segment, even though there is an open session. Neither of these scenarios would be surprising, since Linksys isn't exactly business-grade, even if it's marketed that way. You might consider calling Linksys support to verify this, or to find out if there's some setting on the box you can change to accomplish your goal.

That said, you might just consider building an IPCop, pfSense, or m0n0wall firewall from a plain old PC to replace it. In the case of IPCop or m0n0wall, it doesn't need to be any faster than 500 MHz or so, and 128-256 MB of RAM would be plenty. So, all in all, a $50 PC with 3 or more NICs would be able to compete with mid- to low-grade Cisco gear in terms of features and performance, at about 1/100th the cost. That's certainly what I'd do in your situation.

I use an IPCop on my own network, where my Apache webserver sits in a DMZ. The IPCop provides a route from the LAN to the DMZ without problems, and yet the DMZ cannot route traffic to the LAN unsolicited, as expected. I also tie in to several IPSec VPNs, and have advanced ACLs set up so that everything runs the way I want. Also, intricate traffic shaping policies are in place to make sure that the network never feels congested, even if the bandwidth is near its very limits. All this from a firewall built from a 300 MHz PC which has long been obsolete.
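As an added illustration (not from either poster) of the second hypothesis above, the script below evaluates the intended "LAN may open sessions to the DMZ, the DMZ may not open sessions to the LAN" policy once without and once with connection tracking, over the thread's 10.0.0.0/24 and 192.168.5.0/24 segments. The LAN PC address, the DMZ web server address and the ports are constructed sample values; the subnet masks are assumed from the router addresses given in the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")      # behind the RV082 LAN port (router is 10.0.0.12)
DMZ = ip_network("192.168.5.0/24")   # behind the WAN2/DMZ port (router is 192.168.5.1)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def zone(addr: str) -> str:
    ip = ip_address(addr)
    return "LAN" if ip in LAN else "DMZ" if ip in DMZ else "WAN"

def policy_permits_new(pkt: Packet) -> bool:
    """Only sessions opened from the LAN towards the DMZ may be started."""
    return zone(pkt.src) == "LAN" and zone(pkt.dst) == "DMZ"

class StatelessFilter:
    """Judges each packet alone, so the web server's reply looks like an unsolicited DMZ->LAN packet."""
    def allow(self, pkt: Packet) -> bool:
        return policy_permits_new(pkt)

class StatefulFilter:
    """Remembers permitted sessions, so replies that belong to one are let back through."""
    def __init__(self) -> None:
        self.sessions = set()
    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True                    # part of an already-open session
        if policy_permits_new(pkt):
            self.sessions.add(fwd)         # open and remember the session
            return True
        return False                       # unsolicited, blocked by policy

# Constructed traffic: LAN PC opens port 80 on the DMZ server, the server answers,
# then the DMZ host tries an unsolicited connection into the LAN.
SAMPLE = [
    Packet("10.0.0.50", 51000, "192.168.5.10", 80),
    Packet("192.168.5.10", 80, "10.0.0.50", 51000),
    Packet("192.168.5.10", 40000, "10.0.0.50", 445),
]

def verdicts(fw) -> list:
    return [fw.allow(p) for p in SAMPLE]   # True = allowed, False = dropped
```

With the stateless filter the server's reply (second packet) is dropped and the LAN browser never gets a response, which is the symptom described; with connection tracking the reply passes while the unsolicited DMZ-to-LAN attempt is still blocked.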