Dmz setup for dummies

Hostname: OpenWrt
Model: Linksys EA9500
Architecture: ARMv7 Processor rev 0 (v7l)
Target Platform: bcm53xx/generic
Firmware Version: OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c
Kernel Version: 6.6.73

ISP settings on the original Linksys firmware are: Internet (trunk) under VLAN, ID 10, tagged, priority 0.

I've tried many different instructions but cannot get the DMZ working. Can someone please explain to this newbie how it's done, in simple terms?

Your router with this version of OpenWrt is already in DSA (check first if in doubt)...
Exec:

if grep -sq DEVTYPE=dsa /sys/class/net/*/uevent; then
  echo "You have DSA"
fi

Preamble:
You found many different instructions because creating a "DMZ" network obviously depends on your specific needs (which you did not specify)...

Answer to the question asked:
Hoping I didn't forget anything, here's what you need to do:

  1. remove an ethernet port from "br-lan" to create a new "br-dmz"
    PS: as long as it's one of those not connected to anything...

  2. create an empty bridge called "br-dmz" and add the ethernet port removed from "br-lan"

  3. create a new interface "dmz" with the ip addresses of the dmz network

  4. create a zone in the firewall called "dmz"

PS: obviously these are the first steps; then you need to evaluate your specific needs...

Reference document:

Additional documents to consider (based on your needs):

Your router:


Sorry, I want a single IP exposed to the internet.

A public IP address? Not CGNAT or similar...
How many IP addresses did you get from your ISP?

https://whatismyipaddress.com

Example:

Yes, I have static addresses: 1 IPv4 and a /56 and /64 IPv6, which allows internet access to an internal private IP for 1 computer that runs various servers.

Until now I thought DMZ allowed only 1 computer to be accessed via IP or domain, which is what I currently have set up using the Linksys DMZ option under Security.

So when the IPs or domains are used, the router forwards those requests to the server.

Thank you for your help ncompact :)

Instead of a complete "DMZ" where all ports are forwarded to the host in question, it is far better (i.e. safer/more secure) to only port forward the specific ports that are in use by services that are intended to be exposed to the internet.

Do you have a list of services/ports that you want to expose?

Also, as an aside, if this is for personal access to your machine while away from home, it is actually easier (and safer) to set up a VPN server on your router instead of opening ports. In this context, you'll have a VPN client on your remote device(s) like a computer/phone/tablet or even a travel router, and that will connect back to your home network. If, on the other hand, you are serving to the internet in general (i.e. anyone may visit your site/services), port forwarding is the way to go.


I prefer to bypass the router completely and have all traffic go to the server.

You are certainly welcome to do that, and I will explain how, but I want to reiterate that doing so may be very dangerous because it will effectively expose your host directly to the internet, thus making literally every service/port on that device a potential attack vector. This includes network services that run on the host that you don't intend or need to expose to the internet. Any vulnerability in any one of those services (or the configuration thereof) will mean your host will be compromised, which can result in your entire network and your router also being compromised.

That said, if you still want to do this, despite the dangers I have described:

  • Create a port forward with:
    • source zone wan
    • source destination port 1-65535
    • protocol TCP+UDP or even protocol any/all
    • destination port 1-65535
    • destination zone lan
    • destination < IP address of server >

This will mean that your computer is 100% exposed to all of the internet. And to drive the point home one last time, I'll reference the title of this thread "Dmz setup for dummies" -- doing a true "DMZ" like this is about as dumb as it gets on the modern internet.
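The four steps from the first answer (br-dmz, dmz interface, dmz zone) and the port-forward discussion above, written out as UCI config fragments. This is an added example, not config from either poster or from OpenWrt's documentation; the port name lan4, the 192.168.50.0/24 subnet, the server address 192.168.50.10 and the HTTPS service are placeholders, and the catch-all 1-65535 redirect is deliberately replaced by a per-service one.

```text
# --- /etc/config/network (fragment) ---
# Steps 1 and 2: take one unused switch port (placeholder: lan4) out of
# br-lan (delete its "list ports 'lan4'" line there) and bridge it alone.
config device
	option name 'br-dmz'
	option type 'bridge'
	list ports 'lan4'

# Step 3: the dmz interface on its own subnet (placeholder 192.168.50.0/24).
config interface 'dmz'
	option device 'br-dmz'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# --- /etc/config/firewall (fragment) ---
# Step 4: a zone that only the dmz interface belongs to. Hosts in it may
# reach the internet, may not reach lan (no forwarding to it), and the
# router rejects connections from them to itself.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'dmz'
	option dest 'wan'
# Add a second forwarding with src 'lan' / dest 'dmz' only if lan hosts
# need to reach the servers directly.

# Exposing a service: one redirect per port (placeholder: HTTPS on the
# server 192.168.50.10) instead of the 1-65535 catch-all described above.
config redirect
	option name 'dmz-https'
	option src 'wan'
	option src_dport '443'
	option proto 'tcp'
	option dest 'dmz'
	option dest_ip '192.168.50.10'
	option dest_port '443'
	option target 'DNAT'
```

`/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the changes; `fw4 print` shows the resulting nftables ruleset so you can confirm only port 443 is redirected.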
