
I have my laptop set up with DMZ on my router so I can test something. On my LAN it gets the same IP as my public IP. I cannot connect to my laptop from another computer on my network.

I tried the hostname and its IP.

EDIT: I can ping my laptop using IP or hostname (the hostname resolves to the IP) but I cannot VNC, RDP, SMB into it.

Edited by mpg187
  Volatile said:
dmz = instant virus

Not really, more instant hack.

You can use a firewall to exclude certain traffic over the WAN.

The reason you might not be able to get to the DMZ from the inside LAN could be because the router isn't allowing you to.... It shouldn't allow you, due to the fact people could hop from the DMZ to your inside LAN, which would be really insecure.

Edited by offroadaaron
  Volatile said:
But isn't that defeating the purpose? Open one firewall so that you can use another?

DMZ is meant to be segmented from the rest of your inside LAN.... Normally there will be a DMZ --> firewall --> machine (like I edited above while you posted).

Plus you're not opening a firewall, you're opening NAT/PAT ----> private IP address so it looks like an outside IP and securing that zone from the rest of the network.

I'm crap at describing this type of thing so I'll just post from wiki :-P

http://en.wikipedia.org/wiki/DMZ_%28computing%29

  Quote
The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than the whole of the network.

The firewall is in the middle, obviously the internal network is the internal network, and DNS and stuff are on the DMZ.

[Image: DMZ network diagram, single firewall]

  offroadaaron said:
DMZ is meant to be segmented from the rest of your inside LAN.... Normally there will be a DMZ --> firewall --> machine (like I edited above while you posted).

Plus you're not opening a firewall, you're opening NAT/PAT ----> private IP address so it looks like an outside IP and securing that zone from the rest of the network.

Ah, now that I did not know!

What exactly are you trying to accomplish anyway? As offroad has brought up, your DMZ normally is isolated from your lan - sure it's possible to open some pinholes between your dmz and your lan -- say a printer, or allow vnc/rdp/ftp access from your lan to your dmz -- but this is normally a very isolated segment -- since it's open to the public side.

You isolate boxes in a dmz to protect your lan and still allow services to the public net.

What router do you have? If it's doing a shared IP thing with your public IP it's going to be difficult to allow services between your lan and your dmz segment.. curious how it's doing the routing? Or is it natting the IP traffic? -- could look like it's coming from your Public IP -- which would be the same IP your dmz box has (as you stated).

Why don't you let us know what router you're using, and what you're wanting to accomplish - and then we could tell you how to best do it. If you need unsolicited traffic from the internet -- you would normally just set up a port forward.

  BudMan said:
What router do you have? If it's doing a shared IP thing with your public IP it's going to be difficult to allow services between your lan and your dmz segment.. curious how it's doing the routing? Or is it natting the IP traffic? -- could look like it's coming from your Public IP -- which would be the same IP your dmz box has (as you stated).

It's still using NAT; I probably didn't describe it perfectly before.

What's happening is that he has the private IP address of the LAPTOP (let's say 10.0.0.1) and the router has the outside IP address (let's say 203.5.233.6). Anything going to 203.5.233.6 will be pushed through NAT/PAT to 10.0.0.1 unless a port forward is in place for that port to go to a different private IP address.

My guess is the router is placing a firewall statement when you do a DMZ, stating that it doesn't want any traffic from the DMZ to be able to access the inside network; my guess is there is a setting to turn this on and off in the router.

I hope that makes some sense, in my head it does :p

  BudMan said:
Why don't you let us know what router you're using, and what you're wanting to accomplish - and then we could tell you how to best do it. If you need unsolicited traffic from the internet -- you would normally just set up a port forward.

This would be good to know.

I agree with you -- most of the time it's a natted dmz.. But that is not what he said. He said:

"On my LAN it gets the same IP as my public IP"

Off the top, the DrayTek Vigor routers have something they call True-DMZ. Now I have not actually ever had a chance to play with this.. But for example, this article:

http://www.support.draytek.co.uk/kb_vigor_truedmz.html

At other times, however, it is essential that your public IP address is not only routed through to an internal (LAN-side) device, but also that the LAN-side device inherits the public IP address for itself.

In order that data is forwarded to the internal host and the internal host has the public IP address, various Vigor routers have a sophisticated feature called True-DMZ, which does exactly that.


Which is why I would really like him to verify this statement about the lan pc having the public IP.. And give us the model number of the router he is using. Maybe there are other routers that have this feature? Need to know what router he is using so we can look up the manual.

  BudMan said:
So you're going to directly connect your box to the internet "dmz" And then enable SMB to it -- yeah that's real secure :rolleyes:
I don't want to SMB over the internet (that's just a side effect).

I set the computer to DMZ so all the ports are forwarded. At the time I made it DMZ I did not have time to forward the ports for VNC and RDP so I just put DMZ on.

I also am trying to create an FTP server so I made my computer DMZ:

https://www.neowin.net/forum/index.php?showtopic=816784

  mpg187 said:
I don't want to SMB over the internet (that's just a side effect).

I set the computer to DMZ so all the ports are forwarded. At the time I made it DMZ I did not have time to forward the ports for VNC and RDP so I just put DMZ on.

I also am trying to create an FTP server so I made my computer DMZ:

https://www.neowin.net/forum/index.php?showtopic=816784

I'd just forward the ports needed to be honest, it'll be easier in the long run.

What router do you have?? Why is it like pulling teeth to get answers to the most basic questions!

You have mentioned 3 ports you need -- vnc 5900, rdp 3389 and ftp 21 --- You sure as the F do not need to put your box in the DMZ for that. And you're going to have all kinds of issues with access from your lan boxes if you do -- which seems like something you want.

As to smb being open to the public net since you're in the dmz -- kind of an issue, don't you think???

As to your ftp question -- yeah I see that and posted in the thread.

Please give us the make and model of your router so I can check on this true-dmz or shared ip dmz, etc..

I'm still not sure if I buy that your public IP is on your lan computer -- unless I see that the router you're using supports it from the manual, etc. And then I want to see what the manual says about allowing traffic from the natted lan to this box, etc.

Edited by BudMan
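The two router setups argued over in this thread, as an added example that is not part of the original posts: a small Python model of the inbound NAT decision offroadaaron describes (every unsolicited port to the DMZ host unless a specific port forward exists), using the thread's addresses 203.5.233.6 and 10.0.0.1 and the three ports BudMan lists. The table of services the laptop listens on is constructed for the example, not taken from the poster's machine.

```python
"""Model of a home router's inbound NAT decision with one public IP.
Constructed example; it is not any vendor's firmware. Addresses follow the
thread (203.5.233.6 public side, 10.0.0.1 laptop)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

PUBLIC_IP = "203.5.233.6"
LAPTOP = "10.0.0.1"

# Services assumed to be listening on the laptop (constructed list).
LISTENING = {21: "ftp", 139: "netbios-ssn", 445: "smb", 3389: "rdp", 5900: "vnc"}
# The three services the poster actually wants reachable from outside.
NEEDED_PORTS = {21, 3389, 5900}


@dataclass
class Router:
    port_forwards: Dict[int, str] = field(default_factory=dict)  # WAN port -> private IP
    dmz_host: Optional[str] = None  # private IP that receives every other port

    def inbound_target(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Private IP an unsolicited WAN packet is NATted to, or None if dropped."""
        if dst_ip != PUBLIC_IP:
            return None  # not addressed to the router's public IP
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]  # explicit forward wins
        return self.dmz_host  # everything else goes to the DMZ host, if any


def exposed_services(router: Router, host: str, listening: Dict[int, str]) -> Dict[int, str]:
    """Listening services on `host` that the internet can reach through `router`."""
    return {p: n for p, n in listening.items() if router.inbound_target(PUBLIC_IP, p) == host}


def unintended_exposure(router: Router, host: str, listening: Dict[int, str]) -> Dict[int, str]:
    """Reachable services the poster never asked to expose (e.g. SMB on 445)."""
    return {p: n for p, n in exposed_services(router, host, listening).items() if p not in NEEDED_PORTS}


# Weak setting: the whole laptop placed in the router's DMZ.
dmz_router = Router(dmz_host=LAPTOP)
# Corrected setting: forward only the three ports that are needed.
forward_router = Router(port_forwards={p: LAPTOP for p in NEEDED_PORTS})

if __name__ == "__main__":
    for label, r in (("dmz", dmz_router), ("port-forward", forward_router)):
        print(label, "exposed:", sorted(exposed_services(r, LAPTOP, LISTENING).values()),
              "unintended:", sorted(unintended_exposure(r, LAPTOP, LISTENING).values()))
```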