Hello,
How do I configure the DMZ for a dynamic IP (DHCP)?
The router receives its IP using DHCP.
How do I make the DMZ between the internet interface and a host in the LAN (192.168.1.101)?
Thank you in advance.
Hi there,
It doesn't matter if you get your WAN IP via DHCP or if it's static.
The idea of a DMZ is to separate the LAN into 2 pieces.
LAN1 is your DMZ. That is a separate LAN, where you connect servers that need to be reachable from the internet (like webservers, mailservers etc.).
If somebody hacks your webserver he won't have access to your LAN2, where the clients and maybe other servers are.
LAN2 is the LAN for your clients and maybe servers that are not reachable from the internet.
ether1 = internet
ether2 = LAN1, for example 192.168.10.0/24 (this is your DMZ for webservers etc.)
ether3 = LAN2, for example 192.168.20.0/24 (this is the LAN for clients. Important: ether2 is NOT master of ether3. You have to configure in the ether3 interface settings that master is none.)
That was the easy part.
Now you have to configure the correct firewall rules very well. Be careful with that. You should know exactly what you do. If you don't know, put your configuration here first and let it be checked by others.
Input rules:
accept input from your LAN2, so that you can access the router configuration (Winbox) from your LAN.
accept input established and related
if you like, accept input for ICMP packets, so that you can ping your internet connection from outside
drop all other input.
Forwarding rules:
accept forwarding for related and established connections
accept forwarding from LAN2 to the internet, for example for ports 80, 443, 21 etc., so that your clients can surf the web etc.
accept forwarding from LAN1 to the internet, for example for ports 80, 443 etc., so that your servers can get updates, send DynDNS data etc.
Maybe you want to have a connection between LAN1 and LAN2. Place the accepting forwarding rule for this case here.
drop all other forwarding (don't select an interface in this rule; this rule is for all interfaces)
Attention: the correct order of these rules is VERY important. Otherwise backdoors and other security problems may occur.
Allow only the connections for specific ports or IPs, if possible.
This is only a basic setup that is maybe not complete for your setup.
Finally you need to set up a src-nat rule and dst-nat rules to the webservers, mailservers etc., so that the servers are reachable from the web.
But you should be able to handle it on MikroTik. MikroTik is not plug and play. When you want plug and play, better use TP-Link or other toys.
Thank you for the deep explanation, but I will not be able to handle it on the MikroTik.
I just want to forward all ports from 192.168.1.101 to the internet. The 192.168.1.101 host is the real gateway (firewall and Linux router) for the LAN.
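The rule list in the reply above, written out as a RouterOS CLI script. This is an added example, not configuration posted by anyone in the thread: the subnets are the reply's examples, the WAN address comes from the DHCP client as the original poster described, and the webserver address 192.168.10.10 is a constructed placeholder. The ICMP input rule and the LAN1/LAN2 rule are optional in the reply, so they are marked as such here.

```routeros
# Added example (not from the thread): two-segment DMZ on RouterOS v6.
# ether1 = internet (address via DHCP), ether2 = LAN1/DMZ, ether3 = LAN2/clients.
# 192.168.10.10 is a constructed placeholder for a webserver in the DMZ.

# --- interfaces and addressing ---
# Before RouterOS 6.41 make sure ether3 is not a slave port of ether2
# (master-port=none); on 6.41+ simply do not put both ports in one bridge.
/ip dhcp-client
add interface=ether1 disabled=no add-default-route=yes use-peer-dns=yes
/ip address
add address=192.168.10.1/24 interface=ether2 comment="LAN1 / DMZ"
add address=192.168.20.1/24 interface=ether3 comment="LAN2 / clients"

# --- input chain: traffic addressed to the router itself (order matters) ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 action=accept comment="Winbox etc. from LAN2 only"
add chain=input protocol=icmp action=accept comment="optional: allow ping"
add chain=input action=drop comment="drop all other input"

# --- forward chain: traffic passing through the router (order matters) ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether3 out-interface=ether1 protocol=tcp \
    dst-port=80,443,21 action=accept comment="LAN2 -> internet (web, ftp)"
add chain=forward in-interface=ether3 out-interface=ether1 protocol=udp \
    dst-port=53 action=accept comment="LAN2 -> internet (dns)"
add chain=forward in-interface=ether2 out-interface=ether1 protocol=tcp \
    dst-port=80,443 action=accept comment="DMZ -> internet (updates, dyndns)"
# Only dst-nat'ed traffic may enter the DMZ from the internet, and only to the webserver.
add chain=forward in-interface=ether1 out-interface=ether2 protocol=tcp \
    dst-address=192.168.10.10 dst-port=80,443 connection-nat-state=dstnat \
    action=accept comment="internet -> DMZ webserver"
# Optional LAN2 -> LAN1 rule would go here; nothing allows LAN1 -> LAN2.
add chain=forward action=drop comment="drop all other forwarding (no interface selected)"

# --- NAT: masquerade because the WAN address is dynamic ---
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.10.10 comment="publish DMZ webserver"
```

Because the filter chains are evaluated top to bottom, check the result with `/ip firewall filter print` and confirm that both `action=drop` catch-all rules sit last in their chain; a rule added later with `add` lands after the drop and never matches, so use `place-before=` when inserting. Masquerade (rather than src-nat with a fixed `to-addresses`) is what makes the setup work unchanged when the DHCP lease hands out a different WAN address.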