Possible to create a DMZ using an attached managed switch with its own VLAN?

Forgive the really crude drawing in paint. Here is my current network diagram. I can create a VLAN with the managed switch connected to my gaming consoles. Is it possible to turn this VLAN into a DMZ somehow?

There is a conceptual error, or at least one in terminology here:

A "DMZ host" -- as the term is used by home routers -- can, by technical necessity, only be a single machine.

Basically, a "DMZ host" means a home router forwards all ports from the WAN to a single machine, effectively making it completely open to the internet without the need of more specific port forwards.

Presumably that's why game makers call for a machine to be "in a DMZ", they don't want to deal with the hassle of supporting their customers with configuring their router. They take the shortcut of "just allow anything anywhere to access your machine."

But naturally, that only works if one machine receives everything. If you have multiple machines you can't just make all of them "DMZ hosts" and hope that it magically works, the router just wouldn't know which port should go to which machine. You will have to do that manually, check which ports each game needs, make a forward rule in the firewall to forward the port to the respective machine.

(Edited for clarification: "DMZ hosts" are actually not a real DMZ. Thanks to @mikma)


Is it really needed?

I haven't so far found any games (got a PS4) requiring access from outside.


Are you thinking of a DMZ host as implemented on home routers? They usually aren't in a DMZ. A DMZ can absolutely contain multiple machines.

Some home routers refer to a DMZ host, which—in many cases—is actually a misnomer. A home router DMZ host is a single address (e.g., IP address) on the internal network that has all traffic sent to it which is not otherwise forwarded to other LAN hosts.


Perhaps not. I'm currently getting NAT type 2 when I run the connection test. It's causing issues joining lobbies in GTA V online. I tried forwarding these ports according to Sony: "The port numbers for PSN servers used for this are TCP: 80, 443, 3478, 3479, 3480, 5223, 8080 and UDP: 3478, 3479." I didn't forward ports 80 or 443 because I thought that would break every other device on my network, though I may be mistaken. Even after forwarding those ports, I still get NAT type 2. The next step I read online was to try a DMZ, but it seems rather complicated to set up, so I'd definitely prefer not to go that route if possible.

I had understood from this post that an entire VLAN could be designated as a DMZ. Though this solution may be overkill for the issue I'm trying to solve.
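As an added illustration (not code from this thread, and not OpenWrt's own tooling), the Python below models the dispatch rule from the "DMZ host" explanation above (explicit forward first, otherwise the DMZ host) and turns the PSN port list quoted above into OpenWrt `config redirect` stanzas for a single console; it also refuses to forward the same WAN port to a second console, which is the reason two consoles cannot both be "the DMZ host". The 192.168.1.x addresses are constructed.

```python
# Added example: models inbound dispatch on a home router and emits OpenWrt
# /etc/config/firewall redirect stanzas. Console addresses are made up.

PS4_IP = "192.168.1.50"   # constructed address for the first console
# Sony's list from the post above (80 and 443 left out, as the poster did)
PSN_PORTS = {"tcp": [3478, 3479, 3480, 5223, 8080], "udp": [3478, 3479]}


def build_forwards(host_ip, ports):
    """Return (proto, port, dest_ip) tuples: one explicit forward per port."""
    return [(proto, port, host_ip) for proto, plist in ports.items() for port in plist]


def add_forwards(table, forwards):
    """Merge forwards into table {(proto, port): dest_ip}. The same WAN port
    cannot be forwarded to two different hosts, so a second console that
    needs the same ports is rejected instead of silently overwriting."""
    for proto, port, ip in forwards:
        key = (proto, port)
        if key in table and table[key] != ip:
            raise ValueError(f"{proto}/{port} already forwarded to {table[key]}")
        table[key] = ip
    return table


def inbound_target(table, dmz_host, proto, port):
    """LAN host a WAN packet is delivered to: an explicit forward wins,
    otherwise the DMZ host (if one is set), otherwise None (dropped)."""
    return table.get((proto, port), dmz_host)


def uci_redirect(name, proto, port, dest_ip):
    """Render one OpenWrt 'config redirect' stanza in UCI syntax."""
    return "\n".join([
        "config redirect",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        f"\toption proto '{proto}'",
        f"\toption src_dport '{port}'",
        "\toption dest 'lan'",
        f"\toption dest_ip '{dest_ip}'",
        f"\toption dest_port '{port}'",
        "\toption target 'DNAT'",
    ])


if __name__ == "__main__":
    table = add_forwards({}, build_forwards(PS4_IP, PSN_PORTS))
    for (proto, port), ip in sorted(table.items()):
        print(uci_redirect(f"PSN-{proto}-{port}", proto, port, ip), end="\n\n")
    try:  # a second console wanting the same ports cannot share them
        add_forwards(table, build_forwards("192.168.1.51", PSN_PORTS))
    except ValueError as e:
        print("conflict:", e)
```

Paste the printed stanzas into /etc/config/firewall and reload the firewall to apply them; with no DMZ host set, anything not listed is dropped by the router as before.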

OK, GTA isn't one of the games we've played online, but we get NAT2 as well when we test the connection.

Try to put your consoles directly behind the ISP's device, see if anything improves.
If not, it's not an OpenWrt issue.

You're not double-NATed by any chance, are you (not that it should matter)?

There's a good chance I'm double-NATed. Not sure how to confirm this though. My ISP's router does not have bridged mode and I can't disable DHCP on it. What I've done which "works" at the moment is I've got an Ethernet cable going from the ISP router to the WAN port on my OpenWrt router. I've put the OpenWrt in the DMZ on the ISP router. I've also disabled the firewall on the ISP router, though I'm not sure if this is truly necessary since my OpenWrt router is in the DMZ. The ISP router serves IPs at 192.168.0.x and OpenWrt is the only device on the ISP router. OpenWrt serves IPs at 192.168.1.x, so there's no conflict that I'm aware of with the ISP router.

Yup. That's double NAT.

Like I said, try connecting the console directly to the main router.

Hmm, yeah, it's still NAT 2 when connected to the ISP router.

That's expected, but does the online gaming work?

Apart from the very relevant discussion above, your plan only works if all upstream switches of your "Managed Switch" are managed switches as well. The behaviour of unmanaged switches with regard to VLANs is undefined; they may drop tagged packets, just pass them on, corrupt them silently, or do even more subtle things.

Yes, thank you for clarifying.

It seems to be working again. I guess neither NAT 2 nor the OpenWrt were causing the issue. Thanks for the help.
