[ale] Proper way to setup DMZ LAN

Jim Kinney jim.kinney at gmail.com
Sat Mar 25 17:09:44 EDT 2017


The DMZ is a zone. One box or many. It is directly connected to internet
and may or may not connect to the inside LAN. If it does, the firewall and
routing are very, very specific. And, yes, firewall between big bad
interwebs and DMZ.

The inside, trusted LAN doesn't connect through DMZ network to outside. It
connects to firewall/router and your internet demarcation line.

So 3 NIC Linux box. NIC 1 goes to internet, 2 is DMZ and 3 is private LAN.
iptables on the box. LAN and DMZ are separate subnets with the box as their
gateway. DMZ often has internet routable IPs. LAN usually does not and is
NAT'ed. DMZ can be NAT'ed as well. If DMZ is not NAT'ed, NIC 1 will need to
be in bridge mode.

The terminally paranoid will add a second firewall box on the wire between
NIC 3 and the internal LAN.

On Mar 25, 2017 4:42 PM, "Scott Castaline" <skotchman at gmail.com> wrote:

> So I would put the DMZ on the front or first LAN and then everything else
> on the back or second LAN? And also the DMZ is a single device and not the
> LAN itself? What if I have multiple DMZs on the first LAN can I do that?
>
>
> On 03/25/2017 12:30 AM, Alex Carver wrote:
>
>> On 2017-03-24 21:05, Scott Castaline wrote:
>>
>>> Okay I've had the cable pulled in my house I was able to unbrick an
>>> older ASUS router which is running ASUSWRT-Merlin which has the radios
>>> shutoff for the access part of it. Many years ago I remember setting up
>>> several dual LANs, the first LAN was unsecured and all of the web facing
>>> gear was on that. Then a second router with LAN to LAN interfaces which
>>> connected to LAN 1 and LAN 2 was off of this router and was a secured
>>> network. I thought this what a DMZ was, but on google searching DMZ
>>> structure I'm finding that the DMZ is a single server by itself. The
>>> other thing that I'm finding is that the secured LAN is on LAN 1 and the
>>> DMZ is on LAN 2. That doesn't make sense to me.
>>>
>>> Can anyone enlighten me with what would be the correct way of doing this?
>>>
>>>
>> You can make up a DMZ using a three port router or you can daisy chain
>> two routers with the link between them being the DMZ.  Your LAN would
>> hang off the back router farthest from the WAN.
>>
>> Either way you're just setting up a bunch of packet filter and routing
>> rules.  The advantage of the dual router approach is that it would
>> theoretically be harder to break into your LAN because two routers would
>> need to be compromised.
>>
>> A single router approach needs a router that can handle all traffic.
>> The dual router approach only needs enough horsepower on the front
>> router to handle the traffic.  The back router, in theory, sees less
>> traffic.
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
> --
> Sent to you and NSA, CIA, FBI, SS, DHS and GOD only knows who the hell
> else...
>
>
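Jim's three-NIC layout, written out as an iptables rule set. This is an added example, not code from the thread or the list; the interface names (eth0/eth1/eth2), the two subnets and the single exposed DMZ host address are assumptions. It shows the NAT'ed-DMZ variant: the LAN is masqueraded behind NIC 1, the internet reaches exactly one DMZ service (HTTPS on one host), the LAN may reach the DMZ, and the DMZ can never initiate a connection toward the LAN. The script prints the rules rather than applying them so the set can be reviewed first.

```shell
#!/bin/sh
# Added example: three-NIC Linux gateway (WAN / DMZ / LAN) as iptables rules.
# Interface names and address ranges are assumptions, not taken from the thread.
WAN_IF="${WAN_IF:-eth0}"                 # NIC 1: internet
DMZ_IF="${DMZ_IF:-eth1}"                 # NIC 2: DMZ subnet
LAN_IF="${LAN_IF:-eth2}"                 # NIC 3: private LAN
DMZ_NET="${DMZ_NET:-192.168.100.0/24}"   # assumed DMZ subnet (NAT'ed variant)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed private LAN subnet
DMZ_WEB="${DMZ_WEB:-192.168.100.10}"     # assumed: the one DMZ host exposed to the internet

# Emit the rule set instead of applying it, so it can be read before it is loaded.
gen_dmz_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# Default deny on the box itself and on everything routed through it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> internet, NAT'ed behind NIC 1. Nothing from the internet reaches the LAN.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Internet -> DMZ: exactly one service on one host (HTTPS), nothing else.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB:443
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $DMZ_WEB --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> DMZ is allowed; DMZ -> LAN is never allowed to start a connection.
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# DMZ -> internet, NAT'ed. For a DMZ with routable IPs, omit the MASQUERADE line.
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $DMZ_NET -o $WAN_IF -j MASQUERADE
# Log what the FORWARD policy drops (rate limited) so it shows up in syslog.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Sanity check on the generated set: any ACCEPT from the DMZ interface to the
# LAN interface would defeat the whole design, so refuse if one is present.
check_no_dmz_to_lan_accept() {
    ! gen_dmz_rules | grep -q -- "-i $DMZ_IF -o $LAN_IF.*-j ACCEPT"
}

# Usage: sh dmz-rules.sh            (review)
#        sudo sh dmz-rules.sh --apply
if [ "${1:-}" = "--apply" ]; then
    check_no_dmz_to_lan_accept && gen_dmz_rules | sh
else
    gen_dmz_rules
fi
```

Run it once without arguments to read the rules, then with `--apply` as root to load them. The two points worth checking on any variation of this script are the `-P FORWARD DROP` default and the explicit `-i eth1 -o eth2 -j DROP` before any rule that might let DMZ traffic cross into the LAN.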

