DMZ on ER605
Hi ER605 Users!
I'd like to add one host to DMZ on my ER605. All hosts are within the same LAN. Questions I have:
1) is it enough to add the local host IP to the DMZ setting page (in NAT section)?
2) shouldn't it work in the way that I can reach the host in DMZ from any hosts in my LAN, but I shouldn't be able to reach any hosts from the host in DMZ? Just for security reasons: if anybody hacks into my host in DMZ, he will not be able to reach further?
3) or maybe I need to add the rules in the firewall to block the traffic from DMZ towards other hosts in LAN?
Unfortunately I can't find any reliable description, especially in the instructions of ER605.
Thanks for support!
Maciej
From the WAN side of the ER605, any port not explicitly forwarded to specific host on the LAN side, will get forwarded to the IP that you specify as the DMZ. In short you are fine.
Imagine you have two webservers running on port 80, let's call them A and B. Initially, you set A as your DMZ with no other custom settings. Anyone trying to connect to your WAN public IP on port 80 will connect to port 80 on A. Now imagine you set a forwarding rule, specifically for TCP port 80, so that port 80 now goes to B. In this case, outside requests will now go to B only. Regardless, all hosts on the LAN can continue to access either A:80 or B:80 normally, whether or not a DMZ or forwarding rules are in place.
@d0ugmac1 you are always supportive! Much appreciated. I will have some follow-up info and I'll describe the setup and particular questions to it.
Thank you!
Looking forward to your questions. To be super clear, DMZ is only from WAN-to-LAN; it does not prevent any LAN-to-LAN activity, so yes, if your DMZ host is compromised, it can be used to attack any other host on your LAN.
If the above scenario is of concern, then the DMZ host should be in a separate subnet, with suitable ACLs applied to prevent any DMZ-host initiated communication to the rest of your LAN subnet(s), and this may involve adding a switch to your solution to get stateful ACLs (Omada gateway ACLs are limited).
@d0ugmac1 I think you have already cleared up what I really wanted to understand. From generic descriptions of DMZs I always understood that hosts within a DMZ should not be able to directly talk to LAN hosts. I thought the ER605 does it "automagically", but it seems the only difference between NAT-DMZ and Virtual Servers is that I don't need to specify any particular ports to be forwarded. All of them will be, correct?
My setup looks like this:
What I would like to achieve is:
- WWW-server is available from the outside
- Laptop1 and Laptop2 can reach WWW-server within LAN
- WWW-server cannot reach Laptop1 and Laptop2
As all machines are within the same LAN connected via a switch, I believe the ER605's DMZ does not play any role in this setup, correct?
Then questions:
1. how best to configure the desired setup on the ER605?
2. should I use VLANs if I have all devices connected to one switch? Or is it better to define a new LAN connected to a particular port?
3. if VLAN setup is advised: should I configure it on ER605 or TL-SG1016PE?
4. is there any more detailed documentation for ER605?
And a bonus question (my curiosity) regarding your example with WWW servers A and B (previous reply): if I put 2 hosts with a WWW server running into NAT-DMZ without any specific forwarding rules, which host will reaching WAN:80 redirect me to?
Thank you!
consmast/Maciej
What I would like to achieve is:
- WWW-server is available from the outside
- Laptop1 and Laptop2 can reach WWW-server within LAN
- WWW-server cannot reach Laptop1 and Laptop2
As all machines are within the same LAN connected via a switch, I believe the ER605's DMZ does not play any role in this setup, correct?
CORRECT
Then questions:
1. how best to configure the desired setup on the ER605?
I WOULD SUGGEST CREATING TWO LAN SUBNETS ON THE ER605. ONE WILL BE THE DMZ SUBNET, THE OTHER WILL BE YOUR NORMAL LAN SUBNET, EACH WILL HAVE THEIR OWN VLAN ID ASSIGNED. KEEP VLAN1 FOR THE LAN AND CREATE VLAN10 FOR THE DMZ. CONFIGURE ONE OF THE ROUTER PORTS TO BE NATIVE TO VLAN10 AND PLUG THE SERVER INTO THIS PORT.
2. should I use VLANs if I have all devices connected to one switch? Or is it better to define a new LAN connected to a particular port?
YOU ASSIGN VLAN10 TO ONE OF THE ER605 LAN PORTS AND DIRECTLY CONNECT YOUR SERVER TO THIS.
3. if VLAN setup is advised: should I configure it on ER605 or TL-SG1016PE?
ER605
4. is there any more detailed documentation for ER605?
NOT REALLY. HOWEVER I THINK (HAVE NOT TESTED) WE WILL USE THREE FEATURES OF THE ER605. THE FIRST ONE WILL BE TO CREATE A ROUTER ACL TO BLOCK VLAN1 FROM TALKING TO VLAN10. THIS BLOCKS THE ENTIRE SUBNET AND IS NOT STATEFUL AND WILL PREVENT THE SERVER FROM REACHING OTHER DEVICES ON YOUR LAN SUBNET. THE SECOND FEATURE IS THE WAN IP REFLECTOR, SO WHEN LOCAL DEVICES WANT TO REACH THE SERVER, THEY DO NOT USE ITS LOCAL LAN IP, THEY USE THE PUBLIC WAN IP (OR DNS ADDRESS IF YOU HAVE THAT SETUP) OF THE ER605, AND THE ER605 WILL HAIRPIN THIS CONNECTION TO THE SERVER BECAUSE THE DMZ IS POINTING IT THERE. THE THIRD FEATURE IS TO CONFIGURE THE ER605 DMZ TO BE THE IP OF THE SERVER.
And a bonus question (my curiosity) regarding your example with WWW servers A and B (previous reply): if I put 2 hosts with a WWW server running into NAT-DMZ without any specific forwarding rules, which host will reaching WAN:80 redirect me to?
THE ER605 DEFINES A DMZ IP, NOT A DMZ SUBNET, SO YOU CAN ONLY SPECIFY 1 HOST WITHOUT SPECIFIC FORWARDING RULES.
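The replies above hinge on the router ACL being stateless (and on the switch being the place to get stateful ACLs). The following model is an added example, not from the thread and not the ER605's actual rule engine; subnets and addresses are constructed, and it shows why a stateless "block DMZ-initiated traffic" rule also breaks a laptop's direct connection to the server's VLAN10 address, whereas a stateful rule does not.

```python
# Added example: stateless vs stateful ACL between VLAN1 (LAN) and VLAN10 (DMZ).
# Addresses are constructed for illustration; the filters are a model, not the
# ER605's implementation.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LAN_VLAN1 = ip_network("192.168.0.0/24")    # constructed: normal LAN subnet
DMZ_VLAN10 = ip_network("192.168.10.0/24")  # constructed: DMZ subnet
LAPTOP1 = ip_address("192.168.0.20")        # constructed LAN host
SERVER = ip_address("192.168.10.80")        # constructed DMZ web server

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    syn: bool  # True for the segment that opens a TCP connection

def dmz_initiated(pkt: Packet) -> bool:
    """The traffic the thread wants blocked: VLAN10 towards VLAN1."""
    return pkt.src in DMZ_VLAN10 and pkt.dst in LAN_VLAN1

def stateless_acl(pkt: Packet, state: set) -> bool:
    """Each packet is judged on its addresses alone, so the server's SYN-ACK
    back to a laptop looks like DMZ-initiated traffic and is dropped too."""
    return not dmz_initiated(pkt)

def stateful_acl(pkt: Packet, state: set) -> bool:
    """A flow opened from the LAN is remembered; replies on it are allowed."""
    if pkt.syn and pkt.src in LAN_VLAN1 and pkt.dst in DMZ_VLAN10:
        state.add((pkt.src, pkt.dst))
        return True
    if (pkt.dst, pkt.src) in state:  # reply on a known LAN-initiated flow
        return True
    return not dmz_initiated(pkt)

def connection_succeeds(acl, client: IPv4Address, server: IPv4Address) -> bool:
    """A TCP handshake needs the SYN one way and the SYN-ACK back."""
    state: set = set()
    syn = Packet(client, server, syn=True)
    syn_ack = Packet(server, client, syn=False)
    return acl(syn, state) and acl(syn_ack, state)

def summary() -> dict:
    return {
        "server_to_laptop_stateless": connection_succeeds(stateless_acl, SERVER, LAPTOP1),
        "server_to_laptop_stateful": connection_succeeds(stateful_acl, SERVER, LAPTOP1),
        "laptop_to_server_stateless": connection_succeeds(stateless_acl, LAPTOP1, SERVER),
        "laptop_to_server_stateful": connection_succeeds(stateful_acl, LAPTOP1, SERVER),
    }
```

The stateless result is the reason the design above has laptops reach the server through the WAN IP reflector rather than its VLAN10 address; after applying it, test from the server that nothing in VLAN1 is reachable, as suggested in the thread.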
@d0ugmac1 Perfect! I think I got it. Now experimenting with configurations. In the meantime I looked into my switch VLAN configuration and I think I can additionally connect more servers to the same VLAN10 on ER using separate VLANs on the switch.
Thank you very much!
Btw. Do you know how this equipment works from experience, or do you have more insights from TP-Link directly? ;-)
Just personal experience with the gear :)
Yes you can trunk VLAN 10 through the switch too for bonus points, but you will want to test your isolation.