DMZ: HowTo? (Wiki is confusing me)

IP-Addresses at the ipfire:
Green: 192.168.20.2
Red: 192.168.21.2 → 192.168.21.1 is the local IP of the Router. The Router gets its WAN-IP via DHCP from the provider.
Orange: 192.168.22.2
Blue: 192.168.23.2

Default is:
Forward: Block
Outgoing: Allow

In the WebFrontend I see that NAT is ON on Green, Orange and Blue.

In the Wiki I found I have to create a rule for the Internet access to the DMZ. This rule is setting NAT to ON. Is this a double?

With these rules it is not possible to get a wget https:// to succeed.

Only with a second rule that allows the host in the DMZ to reach the I-NET is a wget successful.

What is the correct way to establish a DMZ host that can reach the internet but is encapsulated from green and blue?

Start here.

If you don’t want access for green to orange, you will need a firewall rule.
I would leave access for someone to administrate the server, unless you plan to do that at the local machine.

In the Wiki I found I have to create a rule for the Internet access to the DMZ. This rule is setting NAT to ON. Is this a double?

Yes

1 Like

It looks like this:
Orange → Red: Open

is not true if:
Default is:
Forward: Block
Outgoing: Allow

(In the Wiki it is recommended to block all traffic that is not allowed. So I set forward to “block”)

But some/all devices on Red can/should have WAN access allowed.
Usually this network can be very well controlled, so it is possible to allow the devices the internet access necessary for their function.

So with the default setting ‘Forward: block’, the orange network (DMZ) has NO access to the I-NET? And so each host in the DMZ needs a special rule set (maybe simplified by groups) to act as a Service in the I-Net?

And with these rules there has to be some kind of source NAT because the DMZ has a private IP?

Did you read @hvacguy's link?
If you try to understand the wiki article, things become clearer.
Forwarding is the term for initiation of connections local → internet,
destination NAT allows connections from the internet to a server in a local net (orange for example).

The way I see the concept of port forward/destination nat is to separate in my mind the traffic in two distinct entities:

  1. traffic from the LAN to the WAN
  2. traffic from the WAN to the LAN

Case number 1: the traffic originating from inside the orange zone (e.g. a laptop or a desktop) can freely connect to the red zone (WAN). Vice versa, it cannot go from the orange zone to the green zone, unless you create a rule in the firewall to allow this.

This is because of two separate situations:

a) a set of default rules in the firewall will allow the outbound traffic free passage to the red zone while blocking any traffic directed to the green zone;
b) for the allowed traffic, the router knows that the TCP/IP traffic originating from a specific IP address (say your laptop) in the DMZ will receive an answer coming back from the WAN, and therefore it knows to which local IP address to forward the packets.

Now let’s examine case number 2. You no longer have a laptop, but a server in the DMZ. This server is waiting for incoming traffic to come in and request a response (e.g. a web server will answer a URL request with its main page). How is the router supposed to know to which of the several machines you could have in the DMZ that traffic is supposed to go? It doesn’t know, unless you create this information. How? With a rule in the firewall that introduces in the routing table an instruction that tells the machine “if the incoming traffic has a port number XX, then forward that traffic to 192.168.3.100”.

This is the port forward/Destination NAT.

Remember, due to the nature of IPv4, there is an IP space in the LAN that is separated from the Internet. Therefore the incoming traffic has only the public IP as a target; it is up to the router/firewall to rewrite that traffic so that it reaches the private IP machine that is supposed to receive those packets.

2 Likes
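As an added illustration of the two cases separated in the post above, and of the source NAT asked about earlier in the thread (this is example code, not code from the thread or from IPFire): a small Python model of a stateful forwarder with default Block, orange → red allowed, source NAT on the way out and one destination-NAT rule on the way in. The zone subnets follow the opening post; the public IP 203.0.113.5 and the DMZ hosts 192.168.22.10 and 192.168.22.100 are constructed values.

```python
from ipaddress import ip_address, ip_network

# Local zones as in the opening post; the firewall's own WAN address and
# the DMZ hosts used below are constructed values for this illustration.
ZONES = {"green": ip_network("192.168.20.0/24"),
         "orange": ip_network("192.168.22.0/24")}
PUBLIC_IP = "203.0.113.5"
# Case 2 rule ("if incoming traffic has port XX, forward it to the server"):
# (protocol, public port) -> (DMZ host, port)
DNAT_RULES = {("tcp", 443): ("192.168.22.100", 443)}

def zone_of(addr):
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "red"            # anything else is treated as the Internet

class Firewall:
    """Forward policy of the thread: default Block, orange -> red allowed,
    answers to flows the DMZ opened allowed back, WAN -> DMZ only via DNAT."""

    def __init__(self):
        # Source-NAT table: (proto, public port) -> (dmz host, port, peer, peer port).
        # Simplification: the public port is the host's own source port.
        self.nat = {}

    def forward(self, proto, src, sport, dst, dport):
        """Return (verdict, src, sport, dst, dport) after any rewriting."""
        if zone_of(src) == "orange" and zone_of(dst) == "red":
            # Case 1: DMZ host initiates; rewrite the source and remember the flow
            self.nat[(proto, sport)] = (src, sport, dst, dport)
            return ("ACCEPT", PUBLIC_IP, sport, dst, dport)
        if zone_of(src) == "red" and dst == PUBLIC_IP:
            flow = self.nat.get((proto, dport))
            if flow and flow[2:] == (src, sport):
                # Point b): the answer belongs to a flow the DMZ host opened
                return ("ACCEPT", src, sport, flow[0], flow[1])
            if (proto, dport) in DNAT_RULES:
                # Case 2: the explicit port forward rewrites the destination
                host, port = DNAT_RULES[(proto, dport)]
                return ("DNAT", src, sport, host, port)
            # Unsolicited and no rule: the router cannot know the target host
            return ("DROP", src, sport, dst, dport)
        # Everything else, including orange -> green, hits the default Block
        return ("DROP", src, sport, dst, dport)
```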