Trying to understand router and security

Bglad

Golden Member
I'm running a Linksys router and have some experience with other routers and software sharing solutions. In the past, I ran some tests with other solutions trying to get certain apps to work like servers, video conference, chat, etc. Many of them would not work at all. Even if I was running no firewall and opened all ports or put it on DMZ or equivalent. Apps could not negotiate the NAT from the WAN IP to the local LAN IP. Seems incoming packets often didn't know which machine on the LAN they were supposed to go to.

With the Linksys however, when I put a machine on DMZ everything seems to work. The IP addresses of machines on the LAN are set to static local LAN addresses. Is the Linksys forwarding everything to the DMZ machine automatically? Is this because it would normally block everything if there were not a machine on DMZ?

I'm trying to understand what's going on in terms of controlling security. I try to DMZ only when necessary and run a software firewall when I am DMZ. But I want to understand what is happening here. Can anyone shed some light on this for me?

Thx.
 
Yup, they would know if NAT was implemented properly and more than one IP host was using the same port (program).

A standard NAT (in summary) strips off the original sending header (internal) and replaces it with its own. So if multiple users are playing the same game and packets come back, the NAT function doesn't know who it should go to, which is why you need to use the DMZ if multiple people are playing the same game via your local LAN broadband router to the internet game server.

There are also some multi-user NATs now, don't know how they work, but they must have some way of varying different sender header ID info from the NAT to differentiate between multiple users using the same port.
 

I am not exactly sure either, but I know there are some security gurus out there who can help you out.

From what I know...

If you do not put a machine on your LAN in the DMZ, then everything will be firewalled.
If you have different computers running different services, then you can use port forwarding to redirect to different local machines.
If you have one computer running all of the services, you should put that on the DMZ... make sure that computer is secured.

The problem with this is that you are bypassing the firewall when your computer is on the DMZ... and there really isn't a way to trace in case your computer gets compromised.

The purpose of machines in a DMZ is to provide public services, such as WWW, FTP, voice conferencing, etc... so it is good that you are running the software firewall on the machine, otherwise you wouldn't really know how to monitor the machine's activity...

From my experience with Linksys, they claim to be a firewall/router... but they are really mainly a router. The firewalling they are talking about just disallows certain ports to be forwarded unless the user specifies... so basically everything is being blocked.

That is why you have the two different scenarios when you put a machine on the DMZ and when one isn't on there...

Hope this helps, and if I am not correct, please let me know too... 🙂
 
See, I thought with NAT there really wasn't a firewall unless you have some packet filtering. They just call it a firewall because the byproduct of NAT is a similar result to that of a firewall. I thought it just didn't forward any incoming packets because it didn't know where to send them unless they had been asked for by a machine on the LAN or you set port forwarding.
 
So I guess my question is as follows.

When you are in DMZ mode, are all ports automatically forwarded to the DMZ machine? i.e. If someone were trying to get into the network, would they get right into the DMZ machine despite the fact that it has a local LAN (192.168.xxx.xxx) address? Is the NAT giving any protection at all to a machine on DMZ and if so what?
 
A computer in the DMZ (Demilitarized Zone) is in front of the firewall and has no protection; it sits exposed on the Internet.

However, a good software firewall is much more flexible than the router's hardware firewall. You can install a software firewall, and open only the ports and/or port bands that are needed for your adventures on the Internet.
 
But I'm still not understanding exactly how this is working.

How is it exposed, when its 192.168.xxx.xxx IP address is not exposed? That must mean that everything is forwarded to the DMZ machine all the time.

Someone must know or know of a resource I can research myself.
 
The linksys manual says when you place a PC in DMZ mode, it DOES automatically forward all the ports for that one PC at the same time. This means you were correct. When you do port range forwarding, you are allowed only a maximum of 10 ranges of ports.

I don't think you can access the local IP directly (192.168.xxx.xxx). In order to gain access to that PC in DMZ mode, they would have to use the public IP assigned to you by your ISP. They could then start hitting all the different ports. It sounds like when they do this, it would automatically be forwarded to the PC in DMZ mode.
 
The basis of a router is NAT (Network Address Translation). The NAT mediates between the external IP (i.e. the ISP IP address assigned to you) and your internal network (i.e. your 192.168.XXX.XX) addresses.

While directing the traffic, the NAT inspects the entire packet traffic and controls the flow to the computer's ports (opens some, closes some, and blocks most).

DMZ disables any such intervention; the NAT directs everything from and to the computer in the DMZ without any intervention, besides address translation.
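The behaviour described in the post above (replies reach the LAN host that opened the flow, explicit port forwards go where configured, a DMZ host receives everything else, and unclaimed inbound packets are simply dropped) as an added toy model, not code from the thread or from any Linksys firmware. All addresses are constructed from documentation ranges; `NatRouter`, `Packet` and `demo` are names chosen here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy stateful NAT: outbound flows create table entries; inbound packets
    are delivered only via a table entry, a port forward, or the DMZ host."""

    def __init__(self, wan_ip: str, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None,
                 dmz_host: Optional[str] = None):
        self.wan_ip = wan_ip
        self.port_forwards = port_forwards or {}  # wan_port -> (lan_ip, lan_port)
        self.dmz_host = dmz_host
        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: the private source address is replaced by the router's own."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: returns the translated packet, or None if it is dropped."""
        lan = self.table.get((pkt.src_ip, pkt.src_port, pkt.dst_port))  # reply to a LAN host
        if lan is None:
            lan = self.port_forwards.get(pkt.dst_port)                  # explicit forward
        if lan is None and self.dmz_host is not None:
            lan = (self.dmz_host, pkt.dst_port)                          # DMZ catch-all
        if lan is None:
            return None  # nothing claims it: this drop is the "firewall" effect of NAT
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])

def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Constructed addresses from the RFC 5737 documentation ranges."""
    plain = NatRouter("203.0.113.5")
    dmz = NatRouter("203.0.113.5", dmz_host="192.168.1.20")
    probe = Packet("198.51.100.9", 31337, "203.0.113.5", 445)  # unsolicited inbound packet
    # A reply to a flow another LAN host opened still reaches that host, DMZ or not.
    out = dmz.outbound(Packet("192.168.1.10", 51000, "198.51.100.9", 80))
    reply = dmz.inbound(Packet("198.51.100.9", 80, "203.0.113.5", out.src_port))
    return plain.inbound(probe), dmz.inbound(probe), reply
```

Note that even for the DMZ host the destination address is still rewritten to 192.168.1.20, which is the "address translation" the post says remains; nothing else stands between the unsolicited packet and that host.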
 

Both namux and jackMDS are correct in what they are saying.

Think of it this way.

When you put a computer on the DMZ, even though it has the local IP address of 192.168.xx.xx, its external IP address is that of the one given by your ISP. That is the whole purpose of putting that computer on the DMZ. Otherwise, you can achieve the same thing just by port forwarding to other computers.

Now the firewall issue works like this. The box on the DMZ is still physically connected through the router, but it is actually publicly accessible. So that is why we say that that computer is "in front of the firewall." This is why a software firewall would be important on this machine.

Additionally, I am not too sure because I never futzed around with the Linksys router's DMZ yet, but I am pretty sure if you try to access the DMZ computer using both the internal AND external addresses, it should work. Someone please double check me on this.

I hope this helps 🙂
 