Add a LAN IP Address to DMZ

On the Vigor Router, each WAN interface has a DMZ (demilitarized zone), where you can add a LAN host (IP address) and make it completely exposed to the Internet. The DMZ host will be accessible by the IP address of the WAN interface, and the router will map all the unsolicited traffic on the WAN interface to it. It is the solution when you need to do forward traffic to a LAN server but cannot define the traffic by UDP or TCP ports.

To add a host into DMZ, go to NAT >> DMZ Host, and go the tab of the WAN interface you want the host to be accessed from

  1. For WAN 1, select "Private IP"; For other WANs, check Enable.
  2. Click Choose IP at Private IP and select the IP address of the DMZ host
  3. Click OK to apply the settings.
a screenshot of DrayOS DMZ host setup

Note that the following functions have higher priority than the DMZ Host settings so that traffic will not be forwarded to the DMZ host if: (1) It matches the Port Redirection settings. (2) It matches the Open Ports setting. (3) It is destined to the ports on which the router itself is actively listening. (For example, if WAN management is enabled on the router and allows telnet and HTTP access, inbound packets to ports 23 and 80 will be intercepted by the router).


Set up Access Control List (Optional)

Instead of anyone could access DMZ, we may prefer to set up a whitelist for the source IP. We can achieve this by two firewall rules. Go to Firewall >> Filter Setup >> Default Data Filter to add the rules:

Rule #1 (usually we start adding rules from index 2)

  • Direction: WAN -> LAN/DMZ/RT/VPN
  • Source IP/Country: Allowed source
  • Destination IP/Country: DMZ host
  • Action: Pass Immediately
whitelist

Rule #2

  • Direction: WAN -> LAN/DMZ/RT/VPN
  • Source IP/Country: Any
  • Destination IP/Country: DMZ host
  • Action: Block Immediately
block others

Now, only source IP 111.111.111.111 could access DMZ host 192.168.1.11

To add a host into DMZ, go to NAT >> DMZ Host, and add a profile as follows:

  1. Select the WAN interface where the LAN host should be accessed for WAN Profile
  2. Enter the IP address of DMZ Host IP at DMZ Host IP
  3. Click Apply to apply the settings.
a screenshot of Vigor3900 DMZ Host configuration

Note that the following functions have higher priority than the DMZ Host settings so that traffic will not be forwarded to the DMZ host if:
(1) It matches the Port Redirection settings.
(2) It matches the Open Ports setting.
(3) It is destined to the ports on which the router itself is actively listening. (For example, if WAN management is enabled on the router and allows telnet and HTTP access, inbound packets to ports 23 and 80 will be intercepted by the router).

a screenshot of Vigor3900 Management Port Setup

Published On: May 09, 2018 

Was this helpful?     


Related Articles