Hello everyone....many times community helps me....so it's time help others.Configuration for DMZ zone with out need of CLI at all.
A DMZ (demilitarized zone) is a method for separating untrusted traffic from a trusted network. One of the most common implementations of this would be for supporting a publicly accessible server (such as web) on a local internet connection or your gaming console (Xbox,PS4). The server sits in the DMZ and can be accessed from the Internet, but it cannot access the trusted network.
Physical devices
My router has these physical interfaces:
-
eth0 (WAN)
-
eth1 (LAN)
-
wlan0 (wireless card)
The eth0 device maps to the physical WAN port on the back of the router. It’s important to note that the physical interfaces may differ from router to router, depending on the chipsets.
The Switch
The switch (eth1) includes a number of ports, including the four physical ones on the back of the router,
The switch supports VLANs (virtual LANs), and by default OpenWRT puts all of those ports into VLAN 1. This means that physical connections in those four ports at the back are on the same virtual switch and are able to communicate with each other. You can imagine that if I changed the VLAN of one of those ports to VLAN 10, that the device plugged into that port would no-longer be able to communicate with other devices on the switch. This is the basis for our DMZ.
That VLAN 1 actually creates a new interface on the router:
- eth1.1 (VLAN 1)
The configuration of the switch (including the mapping of ports to VLANs) is available under the switch menu, Network -> Switch
Note: The port numbers on the switch in OpenWRT do not necessarily map in the right direction to the back of the router.
Creating a new VLAN
The first thing we want to do is create VLAN 10 and then assign one of the ports to that VLAN, removing it from VLAN 1.
-
Browse to Network -> Switch
-
Click Add to make a new VLAN entry
-
Set this new entry’s VLAN ID to 10
If your set up in Wan is DHCP set VLAN as this picture....
If your set up in WAN is PPPoE like mine set up VLAN as this picture...
As you can see i remove LAN1 from current LAN interface (off)...
In VLAN 10 (DMZ) i set LAN1 untagged and attach it LAN eth1 (tagged) as separate network.
Note: Setting VLAN to untagged tells the switch to add the appropriate VLAN tag to each ethernet frame as the traffic exits that port. The setting tagged means that the switch should expect that traffic leaving the port has already been tagged, perhaps by the operating system running on the device which is attached to the port.
LAN 1 (port 1 on the back of the router) is now in VLAN 10, while the remaining three ports are in VLAN 1 and so it is now isolated from the others. The CPU (eth1) is also in VLAN 10, else we would not be able to pass any traffic to LAN 1.
That new VLAN 10 creates a new interface on the router:
- eth1.10 (VLAN 10)
Interfaces
In OpenWRT you create virtual network interfaces which map to physical devices on the router. These are available under the Network -> Interfaces menu.
For example, my router has:
-
LAN (for my internal local area network)
-
WAN (for the external Internet connection)
One or more physical devices are attached to these zones, for example in my case:
-
LAN (bridges VLAN 1 eth1.1 and wlan0 together)
-
WAN (eth0.2)
The LAN bridge creates a new interface on the router:
- br-lan (bridged LAN)
Creating a new interface
Once we have created our new VLAN, we want to create a new interface for the DMZ. In the same way that the VLAN 1 device, eth1, is attached to the LAN interface, we will attach VLAN 10 device, eth1.10, to our new DMZ interface.
Browse to Network -> Interfaces
-
Click Add New Interface to make a new DMZ zone
-
Set the name of the new interface to DMZ
-
Leave the protocol of the new interface to static
-
Ensure bridge over multiple interfaces remains unchecked
-
For the interface, select only VLAN Interface: “eth1.10”
-
Click Submit
You should be presented with a new configuration screen for this interface.
-
Set IPv4 address to something in a new range different to LAN, e.g. if your LAN is 192.168.1.1 then set DMZ to 192.168.0.1
-
Set IPv4 netmask to 255.255.255.0 if you want different type of network see the following picture as an example.
Leave the rest of the settings blank, you do not need to set routes, or IPv6 if you don’t want to.
Click on the Advanced Settings tab
Ensure Bring up on boot is ticked
If you don’t want IPv6, untick Use builtin IPv6-management
Click on the Physical Settings tab, should already be set to eth1.10
Click on the Firewall Settings tab
Under Create / Assign firewall-zone select unspecified -or- create and type dmz
Click Save and Apply
(I have already done...but look in columm "create"...here write "dmz".)
If you want to run DHCP on your DMZ, then under DHCP Server click Setup DHCP Server button, leave default settings
We now have a new interface or zone called for the DMZ that’s set to use out DMZ VLAN. It has a new firewall policy assigned to it, dmz, which we now need to configure.
Firewall
Now we need to configure the firewall to do a few things:
-
Allow the DMZ to talk to the WAN zone, so that devices can access the Internet.
-
Allow the LAN zone to talk to the DMZ, but not the other way around.
Let’s do zone settings first.
-
Browse to Network -> Firewall
-
Under the Zones section on General Settings page, edit the dmz zone.
-
Leave the name set to dmz.
-
Set input to accept, so that we accept all incoming packets by default.
-
Leave output as accept, although you could set this to reject by default but you’ll require specific outgoing rules as required.
-
Leave Masquerading and MSS clamping disabled.
-
Under Covered networks ensure that only dmz is selected.
.
Under the section Inter-Zone Forwarding, ensure Allow forward to destination zones is set only to WAN.
Ensure Allow forward from source zones is set only to LAN.
Click Advanced Settings tab
If you don’t want IPv6, you can set Restrict to address family to IPv4 only.
****Tick Enable logging on this zone,if you want to see what’s happening.
Now let’s do port forwards.
-
Click on the Port Forwards tab
-
Under New port forward section, give a name, such as DMZ
-
Set Protocol to TCP+UDP
-
Set External zone to WAN
-
Set Exteranl port to 1-65535
-
Set Internal zone to DMZ
-
Set Internal IP address to your DMZ server, e.g. 192.168.0.100
-
Set Internal port to 1-65535
-
Click Add when you’re OK.
Thanks @lleachii for help.
Finally, let’s finish with traffic rules.
-
Click on the Traffic Rules tab
-
Under Open ports on router, set a name like dhcp-dns
-
Under Protocol, select UDP
-
Under Port set 53
-
Click Add
-
Find your new rule in the list and click edit
-
Set Destination address to your router’s DMZ IP address
-
Repeat for DHCP port 67 UDP if you want to use router’s DHCP server, but don’t set the destination address as DHCP is broadcast.
####Checking the logs#####
If you enable log before you can monitor the firewall rules by browsing to Status -> Kernel Log .
That's all.