DMZ Firewall Solution for the Express Router
3 DMZ Single IP Address Solution
This solution explains how to set up a DMZ solution when the Internet service provider (ISP) has assigned a single IP address to your network.
HTTP/FTP | HTTP/FTP |
|
|
| News | ||||||
(Web) | proxy | SMTP | (proxy) | ||||||||
server | server | server | server | ||||||||
10.2.0.1 | 10.2.0.2 | 10.2.0.3 | 10.2.0.4 | ||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DNS
server
194.25.6.4
News
(NNTP)
server
196.24.5.8
DMZ 10.2.0.0
Internet
|
| |
|
| server |
LAN2 port | 10.5.0.1 | |
| ||
10.2.0.10 |
| News |
|
| |
|
| server |
| LAN1 port | 10.5.0.2 |
Intel Express | 10.5.0.10 |
|
Router |
|
|
| Secure LAN | Users |
| 10.5.0.0 |
|
In the example, the DMZ network connects to the LAN2 port and is on the 10.2.0.0/16 subnet. The LAN2 port has been assigned an IP address of 10.2.0.10. The secure private network connects to the LAN1 port and is on the 10.5.0.0/16 subnet. The LAN1 port has been assigned an IP address of 10.5.0.10.
Note: The services available on the DMZ can be placed on a single server. If this is done, you must configure NAT entries and filters accordingly.
3.1Static Routing Setup
Configure static routing as follows:
∙Configure static routing on the Internet connection, LAN1, and LAN2. This is done in Advanced Setup by setting the Routing Protocol parameter to None/Static.
∙Define a static route on the WAN interface to the Internet. Use the default static route setting (network address of 0.0.0.0 and netmask 0.0.0.0) as shown in the example below.
3.2Network Address Translation (NAT) Setup
The devices on the DMZ have been assigned private IP addresses. You must set up NAT to translate the private IP addresses on the DMZ to the external IP address assigned by the ISP. This will map services (i.e. port numbers) on the external IP address to servers on the DMZ.
Version 1.0 | 6 |