DMZ to second router

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi all

i need some advice.

I have two OpenWRT routers.

One is connected to modem and gets public IP.

To that router is connected powerline adapter.

To powerline adapter there is connected one PC and second OpenWRT router.

What i would like to achieve is create DMZ to that second router.

I know that there are at least two types of DMZ I can create. One by VLAN and one simply by setting up port forwarding.

My questions are:

  1. If i will create just port forwarding (for all ports) to that second router (by its IP) is there any security implications that may expose network of the first router?

  2. In my case is that the proper way of creating DMZ?

  3. Creating DMZ in my case, will it limit in any way internet access (not working services etc.) or people using first router will have no implications at all?

Thank you for any replies.

2

Using the second OpenWrt device as router complicates your setup for no reason.
Configure the second OpenWrt device as dumbAP and do all necessary port forwards on the first one.

3

May they are running open-port services behind the to-be-DMZ'd router that they don't want to expose on their main network.

DMZ will forward all unsolicited inbound traffic to the other router, unless the device has port forwarding rules in place. For example, if you DMZ router2, but have port 4000 on your main router going to a PC on your network, port 4000 won't be subject to the DMZ afaik, but everything else will.

There should be no network or security implications to your main router from the OUTSIDE (since your main router is just forwarding the packets it would normally reject/drop). If they get into the DMZ'd router or systems behind it, well.. you've got problems..

4

Thank you for your knowledge.

So simple port forwarding rule of all ports to second router is the proper way of setting up DMZ in my case? Am I right?

Also when i setup that kind of rule via LUCI should i leave port fields empty or rather set there 0-65535 value?

5
1 Like
6

Thanks everyone!

7

@lleachii interesting. It seems luCi is failing to put the dest_port range by default (luCi shows a default as any (and didn't put a option dest_port line), but the forward didn't actually work until I manually put that in.

Thank you for the Guide reference!

8

Huh???

Are you saying you had difficulty entering the rule via the web GUI?

:+1:

9

Edit - Yes, I know I forgot to do the drop-down to pick a dest host

When you use luCi to setup the Forward, if you're setting up the DMZ, the Destination port is pre-filled defaulted as 'any', but it doesn't actually put the dest_port range in the changes. At the very least, it's misleading if it isn't a bug outright. This wouldn't pop up for a ranged forward of course because you are directing those specific ports.

So, @4k3or3et probably DID it correctly in luCi but it wasn't working because luCi wasn't putting the dest_port?

Screenshot from 2020-05-22 03-19-36
Screenshot from 2020-05-22 03-19-361191×506 40.6 KB

Screenshot from 2020-05-22 03-19-56
Screenshot from 2020-05-22 03-19-561196×340 37.1 KB

Screenshot from 2020-05-22 03-28-31
Screenshot from 2020-05-22 03-28-31977×212 17.8 KB

10

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.