Guide to set up DMZ via LUCI

Hello everyone.... many times the community has helped me.... so it's time to help others. Configuration for a DMZ zone without any need of the CLI at all. :slightly_smiling_face:

A DMZ (demilitarized zone) is a method for separating untrusted traffic from a trusted network. One of the most common implementations of this would be for supporting a publicly accessible server (such as web) on a local internet connection, or your gaming console (Xbox, PS4). The server sits in the DMZ and can be accessed from the Internet, but it cannot access the trusted network.

Physical devices

My router has these physical interfaces:

  • eth0 (WAN)

  • eth1 (LAN)

  • wlan0 (wireless card)

The eth0 device maps to the physical WAN port on the back of the router. It’s important to note that the physical interfaces may differ from router to router, depending on the chipsets.

The Switch

The switch (eth1) includes a number of ports, including the four physical ones on the back of the router.

The switch supports VLANs (virtual LANs), and by default OpenWRT puts all of those ports into VLAN 1. This means that physical connections in those four ports at the back are on the same virtual switch and are able to communicate with each other. You can imagine that if I changed the VLAN of one of those ports to VLAN 10, the device plugged into that port would no longer be able to communicate with other devices on the switch. This is the basis for our DMZ.

That VLAN 1 actually creates a new interface on the router:

  • eth1.1 (VLAN 1)

The configuration of the switch (including the mapping of ports to VLANs) is available under the switch menu, Network -> Switch.

Note: The port numbers on the switch in OpenWRT do not necessarily map in the right direction to the back of the router.

Creating a new VLAN

The first thing we want to do is create VLAN 10 and then assign one of the ports to that VLAN, removing it from VLAN 1.

  • Browse to Network -> Switch

  • Click Add to make a new VLAN entry

  • Set this new entry’s VLAN ID to 10

If your setup on WAN is DHCP, set the VLAN as in this picture....

If your setup on WAN is PPPoE like mine, set up the VLAN as in this picture...

As you can see, I removed LAN1 from the current LAN interface (off)...
In VLAN 10 (DMZ) I set LAN1 untagged and attached it to LAN eth1 (tagged) as a separate network.

Note: Setting VLAN to untagged tells the switch to add the appropriate VLAN tag to each ethernet frame as the traffic exits that port. The setting tagged means that the switch should expect that traffic leaving the port has already been tagged, perhaps by the operating system running on the device which is attached to the port.

LAN 1 (port 1 on the back of the router) is now in VLAN 10, while the remaining three ports are in VLAN 1 and so it is now isolated from the others. The CPU (eth1) is also in VLAN 10, else we would not be able to pass any traffic to LAN 1.

That new VLAN 10 creates a new interface on the router:

  • eth1.10 (VLAN 10)

Interfaces

In OpenWRT you create virtual network interfaces which map to physical devices on the router. These are available under the Network -> Interfaces menu.

For example, my router has:

  • LAN (for my internal local area network)

  • WAN (for the external Internet connection)

One or more physical devices are attached to these zones, for example in my case:

  • LAN (bridges VLAN 1 eth1.1 and wlan0 together)

  • WAN (eth0.2)

The LAN bridge creates a new interface on the router:

  • br-lan (bridged LAN)

Creating a new interface

Once we have created our new VLAN, we want to create a new interface for the DMZ. In the same way that the VLAN 1 device, eth1, is attached to the LAN interface, we will attach the VLAN 10 device, eth1.10, to our new DMZ interface.

Browse to Network -> Interfaces

  • Click Add New Interface to make a new DMZ zone

  • Set the name of the new interface to DMZ

  • Leave the protocol of the new interface set to static

  • Ensure bridge over multiple interfaces remains unchecked

  • For the interface, select only VLAN Interface: “eth1.10”

  • Click Submit

You should be presented with a new configuration screen for this interface.

  • Set IPv4 address to something in a new range different to LAN, e.g. if your LAN is 192.168.1.1 then set DMZ to 192.168.0.1

  • Set IPv4 netmask to 255.255.255.0; if you want a different type of network, see the following picture as an example.

Leave the rest of the settings blank; you do not need to set routes, or IPv6 if you don’t want to.

Click on the Advanced Settings tab

Ensure Bring up on boot is ticked

If you don’t want IPv6, untick Use builtin IPv6-management

Click on the Physical Settings tab; it should already be set to eth1.10

Click on the Firewall Settings tab

Under Create / Assign firewall-zone select unspecified -or- create and type dmz

Click Save and Apply

(I have already done it... but look in the column "create"... write "dmz" here.)

If you want to run DHCP on your DMZ, then under DHCP Server click the Setup DHCP Server button and leave the default settings.

We now have a new interface, or zone, for the DMZ that’s set to use our DMZ VLAN. It has a new firewall policy assigned to it, dmz, which we now need to configure.

Firewall

Now we need to configure the firewall to do a few things:

  • Allow the DMZ to talk to the WAN zone, so that devices can access the Internet.

  • Allow the LAN zone to talk to the DMZ, but not the other way around.

Let’s do zone settings first.

  • Browse to Network -> Firewall

  • Under the Zones section on General Settings page, edit the dmz zone.

  • Leave the name set to dmz.

  • Set input to accept, so that we accept all incoming packets by default.

  • Leave output as accept; you could set this to reject by default, but then you’ll need specific outgoing rules as required.

  • Leave Masquerading and MSS clamping disabled.

  • Under Covered networks ensure that only dmz is selected.


Under the section Inter-Zone Forwarding, ensure Allow forward to destination zones is set only to WAN.

Ensure Allow forward from source zones is set only to LAN.

Click Advanced Settings tab

If you don’t want IPv6, you can set Restrict to address family to IPv4 only.

Tick Enable logging on this zone, if you want to see what’s happening.

Now let’s do port forwards.

  • Click on the Port Forwards tab

  • Under New port forward section, give a name, such as DMZ

  • Set Protocol to TCP+UDP

  • Set External zone to WAN

  • Set External port to 1-65535

  • Set Internal zone to DMZ

  • Set Internal IP address to your DMZ server, e.g. 192.168.0.100

  • Set Internal port to 1-65535

  • Click Add when you’re OK.:wink:

Thanks @lleachii for help.

Finally, let’s finish with traffic rules.

  • Click on the Traffic Rules tab

  • Under Open ports on router, set a name like dhcp-dns

  • Under Protocol, select UDP

  • Under Port set 53

  • Click Add

  • Find your new rule in the list and click edit

  • Set Destination address to your router’s DMZ IP address

  • Repeat for DHCP port 67 UDP if you want to use router’s DHCP server, but don’t set the destination address as DHCP is broadcast.

Checking the logs

If you enabled logging before, you can monitor the firewall rules by browsing to Status -> Kernel Log.

That's all. :slightly_smiling_face:

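As an added illustration of the zone settings the guide above configures through LuCI (this is my own model, not code from the guide or from OpenWrt), the following Python evaluates which zone may initiate a connection into which: the two Inter-Zone Forwarding entries (dmz -> wan and lan -> dmz) plus OpenWrt's default lan -> wan, and the deliberate absence of a dmz -> lan entry. Addresses are constructed to match the guide's example (LAN 192.168.1.0/24, DMZ 192.168.0.0/24, router .1 in each); 203.0.113.10 and 198.51.100.7 are made-up WAN and Internet hosts. NAT is left out, since it does not change the zone verdicts.

```python
"""Model of the OpenWrt zone-based firewall the guide configures through LuCI.
Added illustration, not code from the guide or from OpenWrt; all addresses
are constructed to match the guide's example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ACCEPT, REJECT = "ACCEPT", "REJECT"


@dataclass(frozen=True)
class Zone:
    name: str
    network: IPv4Network   # subnet covered by the zone (constructed)
    input: str             # verdict for packets addressed to the router itself
    forward: str           # verdict for traffic between networks of the same zone


# Ordered most specific first; "wan" is everything that is not lan or dmz.
ZONES = (
    Zone("lan", ip_network("192.168.1.0/24"), input=ACCEPT, forward=ACCEPT),
    Zone("dmz", ip_network("192.168.0.0/24"), input=ACCEPT, forward=REJECT),
    Zone("wan", ip_network("0.0.0.0/0"), input=REJECT, forward=REJECT),
)

# Inter-zone forwardings: which zone may *initiate* traffic into which.
# lan -> wan is OpenWrt's default; dmz -> wan and lan -> dmz are the two
# entries the guide sets under Inter-Zone Forwarding. There is no dmz -> lan
# entry: that absence is what isolates the DMZ from the trusted network.
FORWARDINGS = {("lan", "wan"), ("dmz", "wan"), ("lan", "dmz")}

# The router's own addresses (constructed); 203.0.113.10 stands in for the WAN IP.
ROUTER_ADDRESSES = frozenset(
    ip_address(a) for a in ("192.168.1.1", "192.168.0.1", "203.0.113.10")
)


def zone_of(addr):
    """Return the zone whose covered network contains addr (first match wins)."""
    addr = ip_address(addr)
    return next(z for z in ZONES if addr in z.network)


class ZoneFirewall:
    """Stateful evaluation: once a flow is accepted in one direction, packets
    of the reverse direction are treated as established/related replies.
    NAT is left out of the model; it does not change the zone verdicts."""

    def __init__(self):
        self.conntrack = set()

    def decide(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if (dst, src) in self.conntrack:
            return ACCEPT                    # reply to an accepted flow
        verdict = self._policy(src, dst)
        if verdict == ACCEPT:
            self.conntrack.add((src, dst))
        return verdict

    def _policy(self, src, dst):
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst in ROUTER_ADDRESSES:
            return src_zone.input            # INPUT: policy of the arrival zone
        if src_zone.name == dst_zone.name:
            return src_zone.forward          # intra-zone forwarding policy
        if (src_zone.name, dst_zone.name) in FORWARDINGS:
            return ACCEPT                    # explicit inter-zone forwarding
        return REJECT                        # OpenWrt's default forward policy


def forwarding_matrix():
    """Which zone can open connections to which, as a dict of dicts.
    Sample hosts are constructed: one per zone."""
    sample = {"lan": "192.168.1.50", "dmz": "192.168.0.100", "wan": "198.51.100.7"}
    return {s: {d: ZoneFirewall().decide(sample[s], sample[d])
                for d in sample if d != s}
            for s in sample}


if __name__ == "__main__":
    for src, row in forwarding_matrix().items():
        print(src, "->", ", ".join(f"{d}: {v}" for d, v in row.items()))
```

Running it prints the matrix: the DMZ host reaches wan but not lan, lan reaches both, and wan reaches neither without a port forward. The conntrack set is what lets a LAN-initiated connection to the DMZ host get its replies back even though dmz -> lan is not a forwarding, which is the point the guide makes with "allow the LAN zone to talk to the DMZ, but not the other way around".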

How is this a "DMZ" in the "consumer/SOHO router" sense, when you're still required to open ports?

  • How would (let's say) a PS4 or Xbox work in this situation?
  • More port forwards?
  • Which ones?

Most gaming sites say when you can't figure it out, put the IP of the device in a DMZ... your instructions wouldn't fix their issue.

Have you worked on that?

I thought it would be suggested to make a rule sending all TCP/UDP to dmz at the bottom of your Port Forward Firewall table. I'm interested to see how/if that indeed works.

Creating a second VLAN is quite common on OpenWrt - getting access to the devices VLAN capability is one common reason people choose to switch. Also, I think VLAN 10 is used by some ISPs to carry either the Internet or voice, so those readers would have to be mindful of that.

This is actually a good instruction sheet on how to create a second VLAN on an OpenWrt device!


Gargoyle does the same... it is not a "true" DMZ... I think it is as close as possible to a DMZ.
To get consoles to NAT TYPE OPEN you must port forward the ports. That's what I did in mine.
If you have another solution for a DMZ or a way to make this simpler... tell me. :slightly_smiling_face:

I am just learning... I am not a "guru" in networking.
In many cases it is something like "trial and error".

If it is totally wrong I will delete the post, if it has misinformation.

Something like that?

I don't know about that... they can choose something else... this is just an example.

To be honest, I don't know. I was curious if you tested it.

But the rule I was thinking of is: IPv4 TCP/UDP 1-65535 from any host in wan to 192.168.0.x at port 1-65535 in dmz.

Specifying the IP of the host makes it a "DMZ" in the consumer/SOHO router sense.

I think this is an excellent example!

I tested it yesterday while playing.... works, but to achieve NAT TYPE OPEN I do port forwarding.

I tested your rule right now.... strange... because it says NAT type "moderate".... it doesn't open port 3074.
Why? The range was 1-65535.

Thank you

So with this rule it says moderate

Change the rule to specific device...

IPv4 TCP/UDP 1-65535 from any host in wan to 192.168.0.100 at port 1-65535 in dmz

Says OPEN

It wants a specific address to work?

Because that's what you put. You do need to put the full range of ports, that's a DMZ, after all.

The X I placed in the IP address was merely a placeholder, it meant to change the rule to the specific device. Glad you got it working!

Yes, that's what all DMZ configs on other routers require.


Thank you for the help

This is exactly a DMZ with NAT type OPEN for consoles.
I tested it.


The firewall rule is all that is needed to configure DMZ to a single host.

The creation of a separate VLAN and subnet is unnecessary, although it will still work.

On the other hand if your intention was to set up a DMZ with multiple hosts with specific ports or port ranges forwarded to specific hosts and to have everything on a separate VLAN and subnet then your original example is correct.

Both examples are correct it just depends on what your goal is.


To those who may read this in the future, this is the rule to make a LAN device DMZ. Make this the last rule in the Port Forwards, at the bottom of /etc/config/network -

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.xxx.xxx'
	option dest_port '1-65535'
	option name 'DMZ'
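The redirect stanza above is a DNAT rule, and two points from this thread follow from how such rules are matched: the catch-all must sit last because the first matching port forward wins, and the `192.168.xxx.xxx` placeholder has to become one concrete host (the earlier exchange found the rule only gave NAT type OPEN once a specific address was entered). The following Python is my own model of that matching, added here as an illustration; it is not code from the post, from the guide, or from OpenWrt's firewall. The rule set, the web host 192.168.0.50 and port 8080 are constructed; 192.168.0.100 is the DMZ host used in the thread.

```python
"""Model of OpenWrt port-forward (DNAT redirect) matching, consulted in list
order with first match winning. Added illustration, not code from the post
or from OpenWrt; rules and hosts below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, Optional, Tuple


def parse_ports(spec):
    """'1-65535' -> (1, 65535); '3074' -> (3074, 3074)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Redirect:
    """One 'config redirect' stanza with target DNAT."""
    name: str
    src: str                      # source zone, e.g. 'wan'
    dest: str                     # destination zone, e.g. 'dmz' or 'lan'
    proto: FrozenSet[str]         # {'tcp', 'udp'} or {'all'}
    src_dport: Tuple[int, int]    # external port range
    dest_ip: str                  # the host the traffic is forwarded to
    dest_port: Optional[Tuple[int, int]] = None  # None: keep the original port

    def __post_init__(self):
        # '192.168.xxx.xxx' in the post is a placeholder; a usable rule needs a
        # concrete host, so anything that is not an address is rejected here.
        ip_address(self.dest_ip)

    def matches(self, src_zone, proto, dport):
        lo, hi = self.src_dport
        return (self.src == src_zone
                and ("all" in self.proto or proto in self.proto)
                and lo <= dport <= hi)


def translate(rules, proto, dport, src_zone="wan"):
    """Return (dest_zone, dest_ip, dest_port) for a new inbound connection, or
    None when no redirect matches (the packet then meets the wan input policy).
    Only identity ranges (1-65535 -> 1-65535) and single-port forwards are
    modelled; that covers the rules discussed in this thread."""
    for rule in rules:
        if not rule.matches(src_zone, proto, dport):
            continue
        if rule.dest_port is None or rule.dest_port == rule.src_dport:
            new_port = dport               # port unchanged, as in the post's rule
        else:
            new_port = rule.dest_port[0]   # single-port forward, e.g. 80 -> 8080
        return rule.dest, rule.dest_ip, new_port
    return None


# Constructed rule set: a specific web forward placed above the catch-all
# DMZ rule, with the placeholder replaced by the thread's DMZ host.
RULES = [
    Redirect("web", "wan", "dmz", frozenset({"tcp"}),
             parse_ports("80"), "192.168.0.50", parse_ports("8080")),
    Redirect("DMZ", "wan", "dmz", frozenset({"tcp", "udp"}),
             parse_ports("1-65535"), "192.168.0.100", parse_ports("1-65535")),
]


if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("udp", 80), ("udp", 3074)):
        print(proto, port, "->", translate(RULES, proto, port))
    # With the catch-all first, it swallows the web forward as well.
    print("reversed order, tcp 80 ->", translate(list(reversed(RULES)), "tcp", 80))
```

With the list in the order shown, TCP 80 reaches the web host on 8080 while UDP 80 and the console's UDP 3074 fall through to the DMZ host on their original ports; reverse the order and TCP 80 also lands on the DMZ host, which is the behaviour the "make this the last rule" advice avoids. Constructing a Redirect with the literal `192.168.xxx.xxx` raises ValueError, mirroring the thread's finding that the rule needs one specific device.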

The firewall rule is all that is needed to configure DMZ to a single host.
The creation of a separate VLAN and subnet is unnecessary, although it will still work.

Question from a noob (apologies in advance), who is still reading basic courses on networks. My understanding is that using switch + VLAN settings is as if networks were physically separated (2 different physical switches). In the case you mention, you just control the "flow" of information between the wan and the single host, i.e. other hosts on the lan will not be directly affected by these rules. But the host is still a member of the LAN, so in terms of security your solution seems less secure than the one of the original post. Am I completely wrong?

I take the opportunity of this comment to ask another noob question concerning this step in the guide:

Under Create / Assign firewall-zone select unspecified -or- create and type dmz

Is there any difference between choosing unspecified or creating a zone (called dmz in the post)? I mean, if you leave it unspecified, does it mean that the firewall will not be activated at all in the DMZ? My understanding is that if you create a firewall-zone, default rules will be applied (and I guess these default rules will have all ports closed).

When no zone is specified or created, the Global Zone rules are used instead.


OK thanks for the answer.
A last question: is it possible to completely deactivate the firewall between the DMZ (as described in the initial post, i.e. on a separate VLAN) and the WAN, while maintaining it on the LAN?
To my understanding, the rule you mentioned

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.xxx.xxx'
	option dest_port '1-65535'
	option name 'DMZ'

allows all the incoming traffic (TCP+UDP) from the wan to the lan (in your rule, it could have been the DMZ VLAN of the initial post). But my understanding is that some ports may still be closed for the outgoing traffic. Is it possible to completely shut down the firewall for a specific zone? Or at least create a similar rule to ensure the outgoing traffic is completely allowed/unfiltered on this specific zone? By cloning your rule and inverting dest and src, for example? Sorry if it is a completely dumb idea.

Perhaps I don't understand, or you are not aware that a Linux firewall is basically sets of modules loaded into the running Kernel. You cannot turn off the firewall, since in Linux, NATing is done via the same software as the firewall.

You can also use option proto 'all'

Totally lost, as this only happens if you don't allow forwarding from the Zone to WAN by default. In any case, the established/related to the ports opened would be allowed to reply (I think this is what your concern was).

Not really, it seems you're new to learning the Zone-based firewall method. I had the same concerns first starting in OpenWrt.

:+1:

Thanks a lot for your patient and clear answer. Indeed I'm completely new to open source firmware for routers, and despite being a Linux user for quite some years now on my desktop computer, I didn't know that in Linux the firewall was part of the kernel.

I (somehow) understood that the hosts in the zone were automatically allowed to answer incoming requests (if these incoming requests were allowed by the firewall).
I was not sure that the DMZ was allowed to be the initiator of outgoing traffic on any port (not just the classical ports for the main protocols: 80 for HTTP etc.). Probably due to the fact that I misinterpreted the word "Forwarding" in the main settings... Indeed my question was pure nonsense.
It also implies that an issue I tried to solve was not due to my ISP router (some forums said port forwarding and DMZ were buggy on this router when UDP was involved), and that I will probably not find any solution with my brand new router with OpenWrt (with or without a DMZ). The problem is probably due to some filtering located in the servers of my ISP. But that's another story...

Thanks again for your answers!

I think dhcp-dns should be dmz-dns in this step.

Also the text does not say to change the Source zone to DMZ.

Both of these are clearly shown in the image, so this is just a nit.

Thanks for the step-by-step instructions.

Are you sure this is all it takes?
I am running a netperf server on the DMZ PC.
When I run the speedtest from outside, download test works, but upload test doesn't work.
Are these rules incomplete, by any chance?

If you only have a single IP on WAN (and 1 WAN), there should be no additional configurations necessary. Outbound is the same as any other client.

  • Are you certain that you do not have any conflicting inbound port forwarding rules?
  • Is the traffic TCP or UDP?
  • Do you have other outbound traffic issues with this server?

I have 2 WANs, using mwan3 in failover mode.

That's your issue. Your DMZ server must use one WAN connection during the test. In addition, the connection to your DMZ machine cannot failover to the other WAN during the test.