3 Replies Latest reply on May 3, 2010 6:13 PM by rcamm

    DMZ with public IP on DSL

      Hi All,

      I am looking for some advice on how to get a DMZ with public IPs going. Here are the details:

      SG720 with 4.06 firmware

      The connection is PPPoE-based ADSL; the ISP is handing out a range of 8 static IPs, of which one (the first after the network address) is assigned to the SG.

      The rest of the IPs are supposed to have that as the gateway.

      Now I know that I have to disable NATing between the DMZ and Internet interfaces, but I am not sure what to do next... Will the DMZ interface have its own public IP?

      Do I need to create a bridge?

      I will have only one or two machines in this DMZ.

      I have seen this document:

      https://kc.mcafee.com/corporate/index?page=content&id=KB62420

      Any help would be appreciated...

        • 1. Re: DMZ with public IP on DSL

          The document you refer to has all the info... maybe it could be better written.

          As it sounds like you have one block of IPs, you have the first 3 options available.

          I personally would go with option 1, but that is probably due to the fact that option 1 is the configuration most users have done before, and it also provides the greatest flexibility in future configuration options.

          Many users also go with the 2nd and 3rd options.

          If you can identify pieces of that article you would like clarification on, I am happy to do so.

          1 of 1 people found this helpful
          • 2. Re: DMZ with public IP on DSL

            I recently bought a new SG565 after my original one died and am in a similar situation to the original poster. Additionally, I want to take this opportunity to possibly change my configuration to a better setup. I currently have my network set up with the default VLAN1 (192.168.0.0/24), which contains my local network, and I have a second VLAN3 (192.168.1.0/24) which I want to use for my publicly accessible servers. I originally used to have my public servers accessible using DNAT, but I have received advice that it is not optimal to use DNAT when it comes to setting up reverse DNS (local & public), which previously I had not done, and I was advised I should instead set up this second VLAN as a DMZ and use my servers' public IPs. The issue is that I wish to have a number of services on these servers accessible to local users as well as to public users on the Internet, such as mail, web, FTP etc., while other services on the servers should only be accessible to local users, e.g. directory services, print server, workgroup blogs, local DNS etc. I also need to manage the servers on VLAN3 from my local network on VLAN1 using Remote Desktop (VNC).

            If the advice I have received is correct, what would be the best choice to use given that I have a small block of 3 public IPs (currently one default IP that points to the SG565 and the other two set up on the SG565 as aliases pointing to my servers' local IPs, but I want to change these to point to the servers' public IPs instead)? If I need to add extra servers I can get additional public IPs, and my ISP provides a web interface to set up public reverse DNS. The servers are Mac Minis with single Ethernet ports and I'll be running Snow Leopard Server. Basically, what would be the best choice, routing based, bridged or 1-1 NAT, in this situation?

            Finally, given that I do receive an answer on the preferred method to use, what steps do I need to take to move from DNAT to one of these other choices?

            Thanks in advance

            Greg

            • 3. Re: DMZ with public IP on DSL

              To route rather than NAT, go to

              firewall -> nat -> masquerading -> Enable NAT from DMZ interfaces to Internet interfaces

              and disable this option.

              Then, instead of creating port forward or NAT rules, simply create packet filters of type=FORWARD to allow incoming access to the server as desired.

              Nothing more needs to be done for access to the DMZ from the LAN or a VPN connection; this is enabled by default.

              Hope this helps.
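As an added illustration, not code from the thread, from McAfee's KB article or from the SG firmware, here is what the two steps in the reply above (leave "Enable NAT from DMZ interfaces to Internet interfaces" unticked, then add type=FORWARD packet filters) come to when written as plain iptables rules, the packet filter the SG's Linux-based firmware is built on. It also addresses Greg's question about mixing public and local-only services on the same servers: once NAT is off, nothing hides the servers' other ports behind the firewall address any more, so the forwarding policy has to deny Internet-to-DMZ traffic by default and allow only the public services, while LAN-to-DMZ is allowed through for directory, print, DNS and VNC. The interface names, the 203.0.113.0/29 block standing in for the ISP-routed block, the server address and the port list are all assumptions for the example; the script prints the rules rather than applying them, so they can be reviewed before being piped to sh as root on the firewall.

```shell
#!/bin/sh
# Added example (not the SG's own configuration): a routed, non-NAT DMZ as
# plain iptables commands. All names and addresses below are assumptions;
# 203.0.113.0/29 is a documentation (TEST-NET-3) block standing in for the
# ISP-routed block, with the SG's DMZ port holding .1 and a server on .2.
WAN=ppp0                   # PPPoE session to the ISP
LAN=eth0                   # private LAN, 192.168.0.0/24 (VLAN1 in Greg's post)
DMZ=eth1                   # DMZ port carrying the public block, routed not NATed
LAN_NET=192.168.0.0/24
DMZ_NET=203.0.113.0/29
SERVER=203.0.113.2         # assumed DMZ host offering the public services
PUBLIC_TCP="25 80 443 21"  # mail, web, ftp: the only ports reachable from outside

# Emit the rule set instead of applying it, so it can be reviewed first and
# then piped to sh on the firewall as root.
gen_rules() {
    cat <<EOF
# Default deny between zones; everything below is an explicit exception.
iptables -P FORWARD DROP
iptables -F FORWARD
# Replies (and helper-tracked data channels, e.g. FTP via nf_conntrack_ftp)
# for flows that were allowed by the rules below.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN still masquerades behind the PPPoE address. The DMZ does not:
# leaving the "Enable NAT from DMZ interfaces to Internet interfaces" box
# unticked means there is deliberately no masquerade rule for $DMZ_NET.
# (This flush assumes nothing else lives in POSTROUTING.)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
# DMZ hosts talk to the Internet with their own public addresses.
iptables -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
# The "packet filters of type=FORWARD" from the reply: one per public service.
# Anything not listed (directory, print, DNS, VNC) stays unreachable from outside.
EOF
    for port in $PUBLIC_TCP; do
        echo "iptables -A FORWARD -i $WAN -o $DMZ -d $SERVER -p tcp --dport $port -j ACCEPT"
    done
    cat <<EOF
# LAN users reach everything in the DMZ (directory, print, DNS, VNC); the
# DMZ may not open connections into the LAN, only answer them.
iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
EOF
}

# Checks on the generated set for the two properties the thread is about.
# Returns 0 if some MASQUERADE rule would still rewrite DMZ sources (it must not).
dmz_is_natted() {
    gen_rules | grep -v '^#' | grep MASQUERADE | grep -q -e "$DMZ_NET" -e "-i $DMZ"
}
# Returns 0 if the Internet may open a TCP connection to $SERVER on port $1.
internet_can_reach() {
    gen_rules | grep -q -- "-i $WAN -o $DMZ -d $SERVER -p tcp --dport $1 -j ACCEPT"
}

gen_rules
```

Running the script prints the rule set; `sh dmz-rules.sh | sh` applies it on a box where you have root. The two helper functions are the check a practitioner should make before and after the change: the DMZ block must not appear in any masquerade rule, and a port such as 5900 (VNC) must have no accept rule from the WAN side even though it is now on a public address. Note that the reverse-DNS motivation in Greg's post is unaffected by these rules; what they give him is that each server's traffic leaves with its own public source address.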