[ale] Proper way to setup DMZ LAN

Scott Castaline skotchman at gmail.com
Sun Mar 26 00:46:06 EDT 2017


So you're saying that my 2 router configuration won't work? If that is 
the case, what brand besides Cisco makes a 1 WAN to 2 LAN router? I say 
besides Cisco because the only ones I worked with many years ago were 
Cisco 2600 series routers, which I loved at the time, just not the price.

On disability pay it's sort of off budget. What I was planning on doing 
was taking one ASUS router and putting a NetGear 16 port switch off of 
that to drive my DMZ LAN; then the 2nd ASUS router would be off of the 
front LAN to create the back LAN, which would be the private LAN, also 
with a 2nd NetGear 16 port switch. The DMZ will have 2 game consoles, 
2 media streamers and 2 smart TVs. But then I ran into articles that 
say the complete reverse of what I had planned, also using 2 routers. 
One of the articles endorses 3rd party firmware from Russia, but I'm a 
little leery of that these days.


On 03/25/2017 05:09 PM, Jim Kinney wrote:
> The DMZ is a zone. One box or many. It is directly connected to the 
> internet and may or may not connect to the inside LAN. If it does, the 
> firewall and routing is very, very specific. And, yes, firewall 
> between big bad interwebs and DMZ.
>
> The inside, trusted LAN doesn't connect through the DMZ network to the 
> outside. It connects to the firewall/router and your internet demarcation 
> line.
>
> So 3 NIC Linux box. NIC 1 goes to the internet, 2 is DMZ and 3 is private 
> LAN. Iptables on the box. LAN and DMZ are separate subnets with the box 
> as their gateway. DMZ often has internet routable IPs. LAN usually 
> does not and is NAT'ed. DMZ can be NAT'ed as well. If DMZ is not 
> NAT'ed, NIC 1 will need to be in bridge mode.
>
> The terminally paranoid will add a second firewall box on the wire 
> between NIC 3 and the internal LAN.
>
> On Mar 25, 2017 4:42 PM, "Scott Castaline" <skotchman at gmail.com> wrote:
>
>     So I would put the DMZ on the front or first LAN and then
>     everything else on the back or second LAN? And also, is the DMZ a
>     single device and not the LAN itself? What if I have multiple DMZs
>     on the first LAN, can I do that?
>
>
>     On 03/25/2017 12:30 AM, Alex Carver wrote:
>
>         On 2017-03-24 21:05, Scott Castaline wrote:
>
>             Okay, I've had the cable pulled in my house. I was able to
>             unbrick an older ASUS router which is running ASUSWRT-Merlin,
>             which has the radios shut off for the access part of it. Many
>             years ago I remember setting up several dual LANs; the first
>             LAN was unsecured and all of the web facing gear was on that.
>             Then a second router with LAN to LAN interfaces connected to
>             LAN 1, and LAN 2 was off of this router and was a secured
>             network. I thought this was what a DMZ was, but on google
>             searching DMZ structure I'm finding that the DMZ is a single
>             server by itself. The other thing that I'm finding is that
>             the secured LAN is on LAN 1 and the DMZ is on LAN 2. That
>             doesn't make sense to me.
>
>             Can anyone enlighten me with what would be the correct way
>             of doing this?
>
>
>         You can make up a DMZ using a three port router or you can
>         daisy chain two routers with the link between them being the
>         DMZ. Your LAN would hang off the back router farthest from the
>         WAN.
>
>         Either way you're just setting up a bunch of packet filter and
>         routing rules. The advantage of the dual router approach is that
>         it would theoretically be harder to break into your LAN because
>         two routers would need to be compromised.
>
>         A single router approach needs a router that can handle all
>         traffic. The dual router approach only needs enough horsepower
>         on the front router to handle the traffic. The back router, in
>         theory, sees less traffic.
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org
>         http://mail.ale.org/mailman/listinfo/ale
>         See JOBS, ANNOUNCE and SCHOOLS lists at
>         http://mail.ale.org/mailman/listinfo
>
>
>     -- 
>     Sent to you and NSA, CIA, FBI, SS, DHS and GOD only knows who the
>     hell else...
>
>
>
>

-- 
Sent to you and NSA, CIA, FBI, SS, DHS and GOD only knows who the hell else...
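Jim's three-NIC layout (NIC 1 to the internet, NIC 2 the DMZ, NIC 3 the private LAN, iptables on the box as the gateway for both subnets) as an added example; this is not code from anyone on the thread. It assumes interface names eth0/eth1/eth2 and two private subnets, and NATs both zones the way Scott's consoles and TVs would need; the LAN can open connections into the DMZ, but the DMZ can only answer, never initiate, toward the LAN.

```shell
#!/bin/sh
# Three-NIC Linux firewall: NIC 1 = WAN, NIC 2 = DMZ, NIC 3 = private LAN.
# Interface names and subnets are assumptions for this example; adjust to your box.
WAN_IF="${WAN_IF:-eth0}"   # NIC 1: cable modem / internet
DMZ_IF="${DMZ_IF:-eth1}"   # NIC 2: DMZ zone (consoles, streamers, smart TVs)
LAN_IF="${LAN_IF:-eth2}"   # NIC 3: private LAN
DMZ_NET="${DMZ_NET:-192.168.10.0/24}"
LAN_NET="${LAN_NET:-192.168.20.0/24}"
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1 prints the rules instead of applying them

ipt() {  # run iptables, or print the command when previewing without root
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

fw_rules() {
    ipt -F; ipt -t nat -F
    # Default deny into and through the box: it is the only gateway for both subnets.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT   # manage the box from the LAN only
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Both zones may reach the internet and both are NAT'ed here; drop the DMZ
    # MASQUERADE line if the DMZ carries routable addresses instead.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j MASQUERADE
    # The LAN may open connections into the DMZ (e.g. to a streamer); the DMZ
    # may only answer, never initiate, toward the LAN. Log what it tries.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

# Publish one DMZ service to the internet: dmz_forward <tcp|udp> <port> <dmz host>
dmz_forward() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3:$2"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p "$1" -d "$3" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when invoked as "sh fw.sh apply" (DRY_RUN=1 sh fw.sh apply previews).
if [ "${1:-}" = apply ]; then fw_rules; fi
```

Preview the full rule set with `DRY_RUN=1 sh fw.sh apply` before applying it as root, and watch the kernel log for the "DMZ->LAN blocked:" prefix to see which DMZ device is trying to reach the private LAN.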
