DMZ doesn't work?

mjoecups
DD-WRT Novice


Joined: 13 Sep 2021
Posts: 2

PostPosted: Mon Sep 13, 2021 17:58    Post subject: DMZ doesn't work?
Hello,

I am a newb with dd-wrt, although I have over 40 years experience working with computers and networking (wow).

I have configured a Linksys E900 with Firmware: DD-WRT v3.0-r47381 big (09/08/21)

This is working, but the DMZ feature doesn't appear to work at all.

I am hoping to drop this in place of a different router to gain the bandwidth monitoring features of dd-wrt.

Therefore I know that the rest of the network is correct and configured to work properly. All the ports on other devices are open.

Am I missing some setting or configuration that makes this go?

Thanks for your help in advance!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Sep 13, 2021 18:06
Welcome to the forum.

I will transfer this thread to the appropriate forum (see the forum guidelines link in my signature for helpful pointers about where to post and other helpful tips).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
d33b0_n4p41m
DD-WRT User


Joined: 10 Sep 2021
Posts: 133

PostPosted: Mon Sep 13, 2021 18:12    Post subject: Re: DMZ doesn't work?
mjoecups wrote:
I have configured a link sys E900 with Firmware: DD-WRT v3.0-r47381 big (09/08/21)

This is working, but the DMZ feature doesn't appear to work at all.

What exactly do you mean? The DMZ feature doesn't expose the IP / range in question directly to the internet or upstream router's LAN?
mjoecups
DD-WRT Novice


Joined: 13 Sep 2021
Posts: 2

PostPosted: Tue Sep 14, 2021 18:59    Post subject: Re: DMZ doesn't work?
Quote:
What exactly do you mean? The DMZ feature doesn't expose the IP / range in question directly to the internet or upstream router's LAN?


My previous router was set to DMZ to a server. The server handled all security/firewall and server jobs (mail/web/etc)

Replacing the old router with dd-wrt set to DMZ to the same box gets me nothing.

The configuration is a single cable modem connected to the WAN port on the router.

Server has a DHCP reserved IP and has the correct address.

Firewall on dd-wrt is off.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed Sep 15, 2021 3:47
All the DMZ does is DNAT the input from the WAN's IP to the IP specified in the DMZ. It's managed in the PREROUTING chain of the nat table.

Code:
root@lab-ddwrt2:~# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 9 packets, 1836 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.63.101       tcp dpt:80 to:192.168.1.1:80
    1   116 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.63.101       tcp dpt:22 to:192.168.1.1:22
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            192.168.63.101       to:192.168.1.1
    0     0 TRIGGER    all  --  *      *       0.0.0.0/0            192.168.63.101      TRIGGER type:dnat match:0 relate:0
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.63.101       to:192.168.1.100


In the example above, it's the last entry in the table (my WAN is 192.168.63.101, and I've configured the DMZ as 192.168.1.100). Make sure the rule is there *and* shows hits on the pkts and bytes columns.

P.S. One reason it might NOT be working is due to SFE on the Setup page. That nonsense often breaks things, like port forwarding. And the DMZ is essentially port forwarding. I'm not saying this is the case here. But just something to be aware of. SFE is notorious for breaking things.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
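The check eibgrad describes (the catch-all DNAT rule must exist in the nat PREROUTING chain and its pkts/bytes counters must move) can be scripted so it does not depend on reading the table by eye. The following is an added example, not code from the thread or from DD-WRT; it runs on captured `iptables -t nat -vnL PREROUTING` text with POSIX awk (BusyBox awk on the router is fine), and the function name `dmz_rule_status`, the sample tables and the addresses 192.168.63.101 / 192.168.1.100 are constructed for illustration, patterned on the post's output:

```shell
#!/bin/sh
# Added example, not from the thread: classify the DMZ catch-all DNAT rule in
# the nat PREROUTING chain as missing, idle (present but zero hits) or active
# (present and counting packets). Works on captured text so it runs offline.

# Constructed sample, shaped like the post's table: WAN 192.168.63.101,
# DMZ host 192.168.1.100, and the DMZ rule has not matched any packets yet.
SAMPLE_DMZ_IDLE='Chain PREROUTING (policy ACCEPT 9 packets, 1836 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.63.101       tcp dpt:22 to:192.168.1.1:22
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.63.101       to:192.168.1.100'

# Same table after inbound traffic has hit the DMZ rule (constructed).
SAMPLE_DMZ_ACTIVE='Chain PREROUTING (policy ACCEPT 9 packets, 1836 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.63.101       tcp dpt:22 to:192.168.1.1:22
   57  3420 DNAT       all  --  *      *       0.0.0.0/0            192.168.63.101       to:192.168.1.100'

# dmz_rule_status TABLE_TEXT DMZ_IP -> prints one word:
#   missing  no protocol-"all" DNAT rule targets "to:DMZ_IP" (DMZ not applied)
#   idle     the rule exists but its pkts counter is 0 (nothing reached it:
#            look upstream at the modem, or at a flow accelerator such as SFE)
#   active   the rule exists and has counted packets (DNAT is doing its job;
#            the DMZ host's own firewall is the next place to look)
dmz_rule_status() {
    printf '%s\n' "$1" | awk -v dmz="$2" '
        BEGIN { want = "to:" dmz }
        # iptables -vnL columns: pkts bytes target prot opt in out src dst [extras]
        $3 == "DNAT" && $4 == "all" && $NF == want {
            found = 1
            # -v prints big counters with K/M/G suffixes; "+ 0" still gives > 0
            if ($1 + 0 > 0) active = 1
        }
        END {
            if (!found)      print "missing"
            else if (active) print "active"
            else             print "idle"
        }'
}

# On the router itself, feed it the live table, e.g.
#   dmz_rule_status "$(iptables -t nat -vnL PREROUTING)" 192.168.1.100
# The calls below exercise the constructed samples instead.
dmz_rule_status "$SAMPLE_DMZ_IDLE"   192.168.1.100   # idle
dmz_rule_status "$SAMPLE_DMZ_ACTIVE" 192.168.1.100   # active
dmz_rule_status "$SAMPLE_DMZ_ACTIVE" 192.168.1.200   # missing
```

Run it once before and once after sending a test connection from outside: a rule that stays "idle" means the packets never reached the router's PREROUTING chain, which points at the modem or an accelerator bypass rather than at the DMZ setting itself.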
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Sep 15, 2021 9:21
Follow @eibgrad's advice.

One observation: your firewall is off, so I hope this router is not directly connected to the internet.

If it is not then consider setting the router up as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point

If it is directly connected to the internet (your modem is in bridged mode) then I suggest you turn the firewall on :)

d33b0_n4p41m
DD-WRT User


Joined: 10 Sep 2021
Posts: 133

PostPosted: Wed Sep 15, 2021 10:03
Doesn't the SPI firewall have to be enabled for DMZ to work, anyway?
_________________
An old man said, “Erasers are made for those who make mistakes.” A youth replied, “Erasers are made for those who are willing to correct their mistakes!” Attitude matters! ~ Anonymous
----------
“You are always a student, never a master. You have to keep moving forward.” ~ Conrad Hall
----------
“Life is about moving on, accepting changes and looking forward to what makes you stronger and more complete.” ~ Anonymous
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

PostPosted: Wed Sep 15, 2021 10:47
d33b0_n4p41m wrote:
Doesn't the SPI firewall have to be enabled for DMZ to work, anyway?

And do NOT enable CTF & FA...


_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed Sep 15, 2021 10:52
d33b0_n4p41m wrote:
Doesn't the SPI firewall have to be enabled for DMZ to work, anyway?


I was thinking the same thing initially. But even if the spi firewall is disabled, the DMZ rule still gets added, and any attempt to use it still results in hits on the rule. So I assume it still works regardless.

Frankly, I've never been 100% sure what disabling the spi firewall actually does anyway. It's NOT as if doing so clears all the firewall rules. In fact, it just seems to change the rules that are there. And those rules still show hits when appropriate. IOW, it still seems functional, just NOT in the same way. Whereas I would have *expected* the router to literally stop using the firewall, or at least completely eliminate any rules. But again, from what I can see, that's NOT the way it appears to work.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Sep 16, 2021 8:53
https://de.wikipedia.org/wiki/Stateful_Packet_Inspection

SPI = Stateful_Packet_Inspection

With a Firewall that is not SPI, you need two rules - A->B and B->A.

A SPI Firewall only needs one rule - A->B. It then sees the state of B->A and allows it as it's the reply to the A->B connection.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Sep 16, 2021 16:37
Per Yngve Berg wrote:
https://de.wikipedia.org/wiki/Stateful_Packet_Inspection

SPI = Stateful_Packet_Inspection

With a Firewall that is not SPI, you need two rules - A->B and B->A.

A SPI Firewall only needs one rule - A->B. It then sees the state of B->A and allows it as it's the reply to the A->B connection.


Well that's an interesting take on it. I didn't interpret the enabling and disabling of the stateful firewall to mean when it's disabled, you still have a firewall, but it just doesn't track state. I interpreted it to mean you no longer have a firewall, AT ALL.

Just another one of those problems of interpretation that comes from a lack of documentation, and having to rely on the option's label to determine its purpose/intent.

Assuming the meaning is as you suggest, that doesn't jive w/ what's happening in the actual firewall rules. When disabled, I still see state rules, and see them being triggered. In fact, when you change the Operating Mode from Gateway (the default) to Router, *then* you see the state machine become inoperable. And it's done explicitly via the following rule in the raw table (something that does NOT happen by merely disabling the stateful firewall).

Code:
root@lab-ddwrt2:~# iptables -t raw -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 130 packets, 20726 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  130 20726 CT         all  --  *      *       0.0.0.0/0            0.0.0.0/0            NOTRACK


Btw, it's not my intent to take the OP's issue down this potential rabbit hole. It's an interesting discussion, but at the end of the day, if it requires the OP to leave the stateful firewall enabled to get the DMZ working, so be it.

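Per Yngve Berg's two-rules-versus-one description and eibgrad's observation about the NOTRACK rule in the raw table can be put side by side as actual iptables commands. This is an added example, not a ruleset from the thread or from DD-WRT's own firewall script: the addresses for A and B are placeholders, the `ipt` wrapper prints commands instead of applying them unless `APPLY=1` is set, and it assumes the `state` match and the `CT` target are available in the router's iptables build.

```shell
#!/bin/sh
# Added example, not from the thread: letting host A reach host B through the
# FORWARD chain, first without and then with connection tracking, plus the raw
# table rule that turns tracking off. Commands are printed rather than applied
# unless APPLY=1, so the block can be run off the router.

A=192.168.1.100      # placeholder: the host behind the router (e.g. a DMZ box)
B=203.0.113.10       # placeholder: a peer on the WAN side (TEST-NET-3 address)

# ipt ARGS... : run iptables with ARGS, or just print the command by default.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Stateless filtering: the firewall keeps no memory of A->B, so B's replies
# need a rule of their own. That second rule cannot tell a reply from a brand
# new connection, so anything B starts toward A is let through as well.
stateless_rules() {
    ipt -A FORWARD -s "$A" -d "$B" -j ACCEPT
    ipt -A FORWARD -s "$B" -d "$A" -j ACCEPT
}

# Stateful (SPI) filtering: one rule admits NEW connections from A to B; the
# RELATED,ESTABLISHED rule admits only packets that belong to a connection the
# tracker has already seen. B cannot open anything toward A on its own.
stateful_rules() {
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -s "$A" -d "$B" -m state --state NEW -j ACCEPT
}

# The raw-table rule eibgrad saw in Router mode: packets hit CT --notrack before
# conntrack sees them, so no state is recorded and the RELATED,ESTABLISHED rule
# above can never match. A stateful ruleset then silently stops passing replies.
notrack_rule() {
    ipt -t raw -A PREROUTING -j CT --notrack
}

# Count the commands a ruleset function generates (used by the checks).
rule_count() { "$1" | wc -l | tr -d ' '; }

echo "# stateless (two explicit rules):"; stateless_rules
echo "# stateful  (one NEW rule + state rule):"; stateful_rules
echo "# what disables tracking in Router mode:"; notrack_rule
```

The practical takeaway for the DMZ case: if the live `iptables -t raw -vnL PREROUTING` output shows a `CT ... NOTRACK` rule with hits, the `state RELATED,ESTABLISHED` rules elsewhere are dead weight, and only explicit two-way rules (the stateless form) will pass return traffic.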