DMZ (vs bridge mode). Risks, good practices?

I live in a country where sadly (and for a few years now) ISPs don't let you configure your own network. They normally just provide you with a phone service or maybe an app or web interface to configure your WiFi SSID, password, etc., and not much more. Restricting internet access to certain devices, fixing a private IP address for a device, opening ports, etc. is something their support normally doesn't even know about, not to mention more complex stuff (or they force you to pay for upgrades or "enterprise solutions" in the best case). They use Huawei modem/routers and don't share the admin credentials.

I'm really curious to know why (infrastructure limitations? costs? or maybe being a bit more skeptical, selling or controlling things they shouldn't?), but it's not the main purpose of this thread :).

I want to be able to forward ports to a home server, have better control over which devices can have access to the Internet, maybe even isolate certain devices (HomeAssistant/smart devices, guest network, etc.), and configure a VPN server while having my network as secure as possible. I bought a TP-Link router planning to set the Huawei modem in bridge mode and install OpenWRT on the TP-Link device, just to find out it's not that easy with my ISP...

What they are offering me now (in fact, as one of these "enterprise solutions") is to set a DMZ (I read many users even connect an AP there, I wouldn't like to do that). I don't have much knowledge about networks, but I understand that's a different (and more dangerous?) thing and I wouldn't be actually routing my own traffic. I would be able to "forward" ports (or actually have them ALL open), but expose all my devices unnecessarily. Is my understanding so far correct? Is it really that insecure? Is there any good practice for this case, in which I could connect a router and have better control while still being able to connect from Internet relatively securely?

Thanks!

Usually the DMZ is an intermediate zone separated from the LAN where servers reside and connections from WAN are allowed. It is not as terrible as it may seem, if the servers are properly set up. To answer your question, you could connect the OpenWrt router in the DMZ and have all the incoming ports forwarded to OpenWrt. By default OpenWrt doesn't allow any incoming connections, so you can open only what you need. The downside I see is the double NAT, but it seems to be inevitable in your case.

2 Likes

If the router running OpenWRT is the only device connected to the ISP router and everything else is connected to OpenWRT, putting the ISP router in bridge mode or setting a DMZ does not pose a risk, assuming nobody does anything stupid to the OpenWRT firewall rules.

Regarding DMZ vs bridge mode, bridge mode is preferred as it will disable NAT on the ISP router. Using DMZ can cause double NAT issues on clients connected to OpenWRT.

4 Likes
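Both replies above boil down to the same posture for the OpenWrt box sitting in the ISP router's DMZ: the wan zone rejects inbound and forwarded traffic by default, and only the specific ports you need are redirected to specific hosts, so the ISP's "all ports open" DMZ stops at OpenWrt. The script below is an added example, not code from this thread or from the OpenWrt project: it parses an `/etc/config/firewall` file (minimal UCI parser written for this illustration) and flags the mistakes that would undo that posture. The sample config, the host addresses 192.168.2.10/.20, the rule names and the WireGuard-style port 51820 are all constructed for the example.

```python
"""Audit an OpenWrt /etc/config/firewall for the "OpenWrt behind an ISP router's DMZ" setup.

Added example; not code from the thread or from the OpenWrt project. The UCI parser
below is a minimal one written for this illustration, and the sample config is
constructed (hosts, ports and rule names are made up).
"""
import re

# Constructed sample of /etc/config/firewall. On this box the "wan" zone faces the
# ISP router's LAN, which is the double-NAT hop the replies mention. Lines starting
# with '#' are notes for the reader; the parser below skips them.
SAMPLE_FIREWALL = """
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Good: one service, one port, one host (assumed WireGuard server on a made-up address).
config redirect
	option name 'vpn-in'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.2.10'
	option dest_port '51820'
	option proto 'udp'
	option target 'DNAT'

# Bad: no src_dport, so the rule matches every port and re-creates the ISP's
# "all ports open" DMZ one hop further in. Included so the audit has something to flag.
config redirect
	option name 'dmz-host'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.2.20'
	option proto 'tcp udp'
	option target 'DNAT'
"""


def parse_uci(text):
    """Parse UCI 'config' / 'option' / 'list' lines into a list of section dicts."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\w+)(?:\s+'?([\w-]+)'?)?$", line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'$", line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def audit_firewall(text):
    """Return a list of findings; an empty list means the config matches the advice above."""
    sections = parse_uci(text)
    findings = []
    zones = {s["options"].get("name"): s["options"] for s in sections if s["type"] == "zone"}
    wan = zones.get("wan")
    if wan is None:
        return ["no zone named 'wan': nothing below can be checked"]
    # Inbound from the ISP side must be denied unless a redirect says otherwise.
    for policy in ("input", "forward"):
        value = wan.get(policy)
        if value is None:
            findings.append(f"wan zone has no explicit '{policy}' policy; set it to REJECT")
        elif value.upper() == "ACCEPT":
            findings.append(f"wan zone '{policy}' policy is ACCEPT")
    # A zone-to-zone forwarding out of wan bypasses the per-port redirects entirely.
    for s in sections:
        if s["type"] == "forwarding" and s["options"].get("src") == "wan":
            findings.append(f"forwarding wan -> {s['options'].get('dest')} exposes the whole zone")
    # Every port forward from wan should name a port and a destination host.
    for s in sections:
        if s["type"] != "redirect" or s["options"].get("src") != "wan":
            continue
        o = s["options"]
        name = o.get("name", "<unnamed>")
        if "src_dport" not in o:
            findings.append(f"redirect '{name}' has no src_dport: forwards every port to {o.get('dest_ip', '?')}")
        if "dest_ip" not in o:
            findings.append(f"redirect '{name}' has no dest_ip: would hit the router itself")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_FIREWALL) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the deliberate `dmz-host` rule; delete that section (or give it a `src_dport`) and the audit comes back clean. On a real box the same function can be pointed at the file read from `/etc/config/firewall`, which is also where the double NAT shows up: the `dest_ip` targets are private addresses behind OpenWrt, while the ISP router's DMZ entry points at OpenWrt's own wan address.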

Thank you both! I kind of hadn't considered using it in router mode exactly because of double NAT issues. I understand from your messages that it wouldn't be "that bad", then? As I said, I read all ports would be always open so I think forwarding them from OpenWRT would work, but wouldn't I get other issues with services or apps? I had read of "solutions for double NAT issues" which basically involve setting the router in AP mode, which I don't want for security reasons.

I suspect there would be a way of requesting bridge mode, but I think they force you to get a static public IP address, which once again costs about twice the price (and which I otherwise don't need; I'm comfortable with DDNS). So if a DMZ + OpenWRT router (in router mode) works OK, I think it could be the way to go.

Thanks a lot!

1 Like