How to configure DMZ?

I'm going to join Naftali on the opening point. For all of the features and documentation and helpful guidance on this website, there is no transitional documentation between "How to Install" and, say, "SIP daemon for Lantiq devices with owsip."

When a typical SOHO (me) wants to add a DMZ for a small web server, there is nothing to hang his/her hat on. Yes, you have "Routing Example: Bridged DMZ," but it only applies to one particular architecture, sort of like a paint-by-the-numbers guide for a picture of a horse when I actually need a sailboat. And no picture anyway, dammit! One simple graphic might have answered a raft of questions.

Why don't I just read the documentation from step one and build from there? Because I have already, regrettably, spent weeks of my spare time doing just that. Here is the information for "untagged", one of many details that I need to understand just to complete the FIRST STEP of my DMZ:

An untagged port, with VID X, in a switch assigns the VLAN tag X to incoming packets. When a packet leaves the untagged port and was tagged with the VID X, the VLAN tag is removed. This helps, for example, to communicate between tagged and untagged ports. A packet without a VID, going into an untagged port, gets the VID X and can be routed out other ports belonging to the same VID (apart from bridged ports).

A bit dense for me! One detail of many that must be entered correctly so that I don't bring down my network, or worse, assume that I am safe behind it!

Yes, I did write for help a week ago, but I'm afraid that my question was just as unintelligible as some of the documentation I find here. Meanwhile, no work is getting done. I understand Naftali's frustration.

There is. Get rid of the OpenWrt firewall and use generic iptables rules. There are quite a few recipes on the web on how to set up a DMZ with iptables, or how to do basic protection against the "bad guys".
Build your custom image, either using imagebuilder, or generate from source, drop openwrt firewall and execute your iptables rules from /etc/rc.local, for example.
Note, however, that there might be other packages relying on openwrt-firewall.

Wow, that is terrible advice.

@Lost1 why exactly do you want a DMZ for a web server? What's wrong with port forwarding?

2 Likes

Nope, you have exactly what you are asking.
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_dmz

1 Like

Thanks, and I'm sure you are right, trendy, and I did consider it, but the switch is basically the one where I'm stuck at Guide to set up DMZ via LuCI (post 28), only it's without the LuCI.

I'm not sure anything is wrong with port forwarding, lantis, but isolating servers to a DMZ where they can't reach the rest of the LAN sounds like a good idea to me.

Gargoyle does look like a good solution for me, lantis, but unfortunately seems to be incompatible with my R7800.
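To make the isolation goal above concrete, here is an added example of an OpenWrt fw3 `/etc/config/firewall` fragment for a DMZ zone; it is not from the original thread or the linked wiki page. It assumes an interface named `dmz` already exists in `/etc/config/network`, a `wan` and `lan` zone already exist, and the web server sits at the constructed address 192.168.2.10.

```uci
# Added example (not from the thread). DMZ zone: the router rejects
# traffic from DMZ hosts by default and nothing is forwarded out of
# the zone unless a 'forwarding' section below allows it.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DMZ hosts may reach the Internet.
config forwarding
	option src 'dmz'
	option dest 'wan'

# LAN hosts may reach the DMZ (e.g. to administer the web server).
# There is deliberately NO 'dmz' -> 'lan' forwarding, so a compromised
# server in the DMZ cannot initiate connections into the LAN.
config forwarding
	option src 'lan'
	option dest 'dmz'

# Let DMZ hosts use the router for DHCP and DNS only (input is REJECT).
config rule
	option name 'dmz-dns-dhcp'
	option src 'dmz'
	option dest_port '53 67'
	option proto 'udp'
	option target 'ACCEPT'

# Publish the web server: port-forward HTTPS from WAN to the DMZ host.
# 192.168.2.10 is a constructed placeholder address.
config redirect
	option name 'web-https'
	option src 'wan'
	option src_dport '443'
	option dest 'dmz'
	option dest_ip '192.168.2.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
```

After editing, `/etc/init.d/firewall restart` reloads the rules; check the result with `iptables -L FORWARD -v -n` to confirm there is no ACCEPT path from the dmz zone to the lan zone.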

I answered you there.

I run an R7800, so I personally make sure it is compatible.
It's just only available in the latest 1.13.x beta, none of the official versions yet.

Any suggestions which one? A higher-end consumer router was what I was shooting for in the first place when I bought my R7800. Imagine my surprise when I found that it didn't even have a firewall!

I think your understanding of the basic fundamentals is low, or I do not understand you. Your R7800 surely has a firewall out of the box.

If you want a high-end router I could recommend Ubiquiti, for instance. And then buy a separate AP for wireless. Then you have a good setup with normally maintained software and way more configuration options than the mainstream router brands.

1 Like

More expensive router was a reference to commercial-grade network gear. Ubiquiti and Peplink come to mind.

Nonsense, every OpenWrt router has a firewall. R7800 stock firmware also has firewall functionality.

2 Likes

You don't understand me, the stock R7800 has no firewall, and don't call me Shirley.

Hmm, is it 1984, or '85? I forget. Time to break out the packet filter kit.

I wonder why netgear would write a 173 page user manual, including a section for port forwarding. It’s almost as if no one reads or understands things nowadays...

Sorry Shirley, stock R7800 does have a firewall.

My mind cannot comprehend how a consumer-oriented router, meant to be used in a NAT setup 99.999% of the time, could not have a firewall...

1 Like

I couldn't either. So I methodically went through the manual, and read the product pages, and even tried Googling, and could not find mention of a firewall anywhere. That's why I came here to OpenWrt.

BUT just now, I checked again, and there it is, in the manual, along with instructions on setting up a DMZ, laughing at me! I have no explanation. The stock R7800 DOES have a firewall, and I guess I'm a goat or something. So, sorry for my confusion, and apologies to Netgear and this forum.

1 Like

whodathunkit

1 Like