I've been trying to configure my WRT1900ACv2 with a DMZ for my WAN exposed nextcloud server. I followed these two guides, set up the VLAN, interface and firewall, and assigned a static DHCP lease to the server. It wasn't working and I found an answer on a *exchange question which explained that LuCi doesn't detect the correct switch ports so I configured them manually via SSH.
Initially the server was assigned the IP I selected, and I could access the server locally using the IP address but not reach it from the internet. I moved the DMZ DNS and DHCP traffic rules to the top of the list and applied, and now the server is not being assigned an IP at all. When I moved them back down it is still not working.
I don't know why the server isn't being assigned an IP, and I don't know what to change to fix it. Any help with this would be greatly appreciated
Thanks in advance
No need to do all of this.
You simply make a Port Forward rule to assign open all ports to the device. This would be your very last firewall rule. Simple.
EDIT: I realized that the OP provided that link already.
@L-Warlok ...please explain why you're making VLANs, etc., when the solution was to simply make a firewall rule???
Make this the last rule in the Port Forwards, at the bottom of /etc/config/network -
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '1-65535'
option dest_ip '192.168.xxx.xxx'
option dest_port '1-65535'
option name 'DMZ'
It depends on what you want. Some people might want a true DMZ. This is a zone where you have private IPs and yet the devices are accessible, but they are not able to access the rest of the LAN thereby preventing them from being a steppingstone to violating LAN security. If that's what you want, then the separate VLAN method is what you need.
Indeed, then you would change:
option dest 'lan'
option dest 'dmz'
Thanks for replying.
This is exactly what I want.
I understand how to make forwarding rules as I have been using the setup you described for the past year, but I would like to try and make my network more secure as I plan on hosting more services on my server.
Can you please explain how forwarding all ports on my router to the DMZ will assign an IP address to my device? I don't think it was clear in the OP but this is my main problem at the moment. I can't forward anything to my server as it does not have an IP address.
The issue is that DMZ means different things to different people. If you want an isolated server that receives certain forwarded traffic, then create a VLAN, put a DHCP server on this VLAN serving a different subnet than your regular LAN, give a static reservation to your server, put the vlan in a different firewall zone that can't forward to LAN, and then create a specific forwarding rule that forwards the specific port to your reserved IP for your server.