Guide to set up DMZ via LUCI

I tested it yesterday while playing... it works, but to achieve NAT TYPE OPEN I do port forwarding.

I tested your rule just now... strange, because it says NAT type "moderate"... it doesn't open port 3074.
Why? The range was 1-65535.

Thank you

So with this rule it says moderate.

Change the rule to specific device...

IPv4 TCP/UDP 1-65535 from any host in wan to 192.168.0.100 at port 1-65535 in dmz

Says OPEN

It wants a specific address to work?

Because that's what you put. You do need to put the full range of ports, that's a DMZ, after all.

The X I placed in the IP address was merely a placeholder, it meant to change the rule to the specific device. Glad you got it working!

Yes, that's what all DMZ configs on other routers require.


Thank you for the help

This is exactly DMZ with NAT type OPEN for consoles.
I tested it.


The firewall rule is all that is needed to configure DMZ to a single host.

The creation of a separate VLAN and subnet is unnecessary, although it will still work.

On the other hand if your intention was to set up a DMZ with multiple hosts with specific ports or port ranges forwarded to specific hosts and to have everything on a separate VLAN and subnet then your original example is correct.

Both examples are correct it just depends on what your goal is.


To those who may read this in the future, this is the rule to make a LAN device DMZ. Make this the last rule in the Port Forwards, at the bottom of /etc/config/network -

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.xxx.xxx'
	option dest_port '1-65535'
	option name 'DMZ'

The firewall rule is all that is needed to configure DMZ to a single host.
The creation of a separate VLAN and subnet is unnecessary, although it will still work.

Question from a noob (apologies in advance), who is still reading basic courses on networks. My understanding is that using switch + VLAN settings is as if the networks were physically separated (2 different physical switches). In the case you mention, you just control the "flow" of information between the wan and the single host, i.e. other hosts on the lan will not be directly affected by these rules. But the host is still a member of the LAN, so in terms of security your solution seems less secure than the one of the original post. Am I completely wrong?

I take the opportunity of this comment to ask another noob question concerning this step in the guide:

Under Create / Assign firewall-zone select unspecified -or- create and type dmz

Is there any difference between choosing unspecified or creating a zone (called dmz in the post)? I mean, if you leave it unspecified, does it mean that the firewall will not be activated at all in the DMZ? My understanding is that if you create a firewall-zone, default rules will be applied (and I guess these default rules will have all ports closed).

When no zone is specified or created, the Global Zone rules are used instead.


OK thanks for the answer.
A last question: is it possible to completely deactivate the firewall between the DMZ (as described in the initial post, i.e. on a separate VLAN) and the WAN, while maintaining it on the LAN?
To my understanding, the rule you mentioned

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.xxx.xxx'
	option dest_port '1-65535'
	option name 'DMZ'

allows all the incoming traffic (TCP+UDP) from the wan to the lan (in your rule; it could have been the DMZ VLAN of the initial post). But my understanding is that some ports may still be closed for the outgoing traffic. Is it possible to completely shut down the firewall for a specific zone? Or at least create a similar rule to ensure the outgoing traffic is completely allowed/unfiltered on this specific zone, by cloning your rule and inverting dest and src, for example? Sorry if it is a completely dumb idea.

Perhaps I don't understand, or you are not aware that a Linux firewall is basically sets of modules loaded into the running Kernel. You cannot turn off the firewall, since in Linux, NATing is done via the same software as the firewall.

You can also use option proto 'all'

Totally lost, as this only happens if you don't allow forwarding from the Zone to WAN by default. In any case, the established/related to the ports opened would be allowed to reply (I think this is what your concern was).

Not really, it seems you're new to learning the Zone-based firewall method. I had the same concerns first starting in OpenWrt.

:+1:

Thanks a lot for your patient and clear answer. Indeed I'm completely new to open source firmware for routers and, although I have been a Linux user for quite some years now on my desktop computer, I didn't know that in Linux the firewall was part of the kernel.

I (somehow) understood that the hosts in the zone were automatically allowed to answer to incoming requests (if these incoming requests were allowed by the firewall).
I was not sure that the DMZ was allowed to be the initiator of outgoing traffic on any port (not just the classical ports for the main protocols: 80 for HTTP etc.). Probably due to the fact that I misinterpreted the word "Forwarding" in the main settings... Indeed my question was pure nonsense.
It also implies that an issue I was trying to solve was not due to my ISP router (some forums said port forwarding and DMZ were buggy on this router when UDP was involved), and that I will probably not find any solution with my brand new router with OpenWrt (with or without a DMZ). The problem is probably due to some filtering located in the servers of my ISP. But that's another story...

Thanks again for your answers!

I think dhcp-dns should be dmz-dns in this step.

Also the text does not say to change the Source zone to DMZ.

Both of these are clearly shown in the image, so this is just a nit.

Thanks for the step-by-step instructions.

Are you sure this is all it takes?
I am running a netperf server on the DMZ PC.
When I run the speedtest from outside, the download test works, but the upload test doesn't work.
By any chance, are these rules incomplete?

If you only have a single IP on WAN (and 1 WAN), there should be no additional configurations necessary. Outbound is the same as any other client.

  • Are you certain that you do not have any conflicting inbound port forwarding rules?
  • Is the traffic TCP or UDP?
  • Do you have other outbound traffic issues with this server?

I have 2 WANs, using mwan3 in failover mode.

That's your issue. Your DMZ server must use one WAN connection during the test. In addition, the connection to your DMZ machine cannot failover to the other WAN during the test.

To be sure I uninstalled mwan3 and removed the backup ISP.
It made no difference.
Still, only the upload test is not able to run. The download test works.
Internet is working on the DMZ PC.
The same setup works when I replace the OpenWrt box with a D-Link stock router and use its DMZ feature.

My /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '23'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '1-65535'
	option dest_ip '192.168.8.210'
	option dest_port '1-65535'
	option name 'DMZ'

This works!!
I was making a mistake on the netperf client side.

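The two things this thread keeps coming back to are that the host-DMZ redirect must cover the whole 1-65535 range and that it must be the last port forward (fw3 applies redirects in file order, so a catch-all placed earlier shadows every specific forward after it). The posted firewall also contains two things the DMZ does not need: rules that ACCEPT wan input on ports 22 and 23 of the router itself. The script below is an added example, not code from this thread, from LuCI or from OpenWrt: it parses the UCI text format of /etc/config/firewall with a small hand-written parser and reports catch-all DNAT redirects, misordered ones, and ACCEPT-from-wan input rules on a constructed set of management ports. The sample config and the rule names (Allow-SSH-WAN, web) are constructed for the example; the DMZ stanza mirrors the shape of the one posted above.

```python
"""Audit an OpenWrt /etc/config/firewall for host-DMZ redirects and ordering.

Added example, not code from the thread, LuCI or the fw3 firewall. Reports:
  * DNAT redirects from wan covering 1-65535 (a host DMZ),
  * a catch-all that is not the last redirect (it shadows later forwards),
  * rules that ACCEPT wan input on assumed management ports.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

MGMT_PORTS = {22, 23, 80, 443}              # assumed "management" port set
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


@dataclass
class Section:
    type: str
    name: Optional[str]
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


def parse_uci(text):
    """Minimal parser for the UCI syntax (config / option / list lines)."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = [t.strip("'\"") for t in TOKEN.findall(line)]
        if tok[0] == "config":
            cur = Section(tok[1], tok[2] if len(tok) > 2 else None)
            sections.append(cur)
        elif tok[0] == "option" and cur is not None:
            cur.options[tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and cur is not None:
            cur.lists.setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else "")
    return sections


def port_range(spec):
    """'1-65535' -> (1, 65535); '22' -> (22, 22); unset -> every port."""
    if not spec:
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def is_host_dmz(sec):
    """A DNAT redirect from wan that matches every destination port."""
    return (sec.type == "redirect"
            and sec.options.get("target", "DNAT").upper() == "DNAT"
            and sec.options.get("src") == "wan"
            and port_range(sec.options.get("src_dport")) == (1, 65535))


def audit(text):
    """Return a list of (kind, rule_name, detail) findings for the config."""
    secs = parse_uci(text)
    findings = []
    redirects = [s for s in secs if s.type == "redirect"]
    for i, r in enumerate(redirects):
        if not is_host_dmz(r):
            continue
        name = r.options.get("name", "<unnamed>")
        findings.append(("DMZ", name, r.options.get("dest_ip")))
        later = [x.options.get("name", "<unnamed>") for x in redirects[i + 1:]]
        if later:  # the thread's advice: the DMZ redirect goes last
            findings.append(("ORDER", name, later))
    for s in secs:
        if (s.type != "rule" or s.options.get("src") != "wan"
                or s.options.get("dest")  # a forward rule, not router input
                or s.options.get("target", "").upper() != "ACCEPT"):
            continue
        proto = s.options.get("proto", "tcp udp").lower().split()
        if not {"tcp", "udp", "all"} & set(proto):
            continue  # icmp / igmp / esp rules carry no port
        lo, hi = port_range(s.options.get("dest_port"))
        exposed = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(("EXPOSED", s.options.get("name", "<unnamed>"), exposed))
    return findings


# Constructed sample config (not the poster's file), in UCI syntax.
BASE = """
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option target 'ACCEPT'

config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""
WEB_FORWARD = """
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.8.50'
    option name 'web'
"""
DMZ_FORWARD = """
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp udp'
    option src_dport '1-65535'
    option dest_ip '192.168.8.210'
    option dest_port '1-65535'
    option name 'DMZ'
"""

if __name__ == "__main__":
    for finding in audit(BASE + WEB_FORWARD + DMZ_FORWARD):
        print(*finding)
```

Run it against a copy of the real file with `audit(open("/etc/config/firewall").read())`; the ORDER finding only appears when a catch-all redirect precedes another one, which is exactly the mistake the "make it the last rule" advice above prevents.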

This works for a lan client from wan

config dmz 'dmz'
option from 'wan'
option to_ip '192.168.1.223'

thanks a lot!