Access DMZ from LAN and vice versa (DMZ Pin Hole) on Netgear FVX538

Hi All,

Just a quick question regarding the FVX538 and its DMZ setup. I've looked through the manual and site, but found nothing.

I used to use Smoothwall and it has an option of setting up a "pin hole" from the DMZ to the LAN so that certain ports can be accessed on the LAN from the DMZ. This is what I need, as my MySQL server is on the LAN (192.168.1.x) but the web server is on the DMZ (192.168.2.x), and it does need access to the database.

Does the FVX538 have the ability to do this, and if so how?

Also I was trying to access my DMZ from my LAN but that was blocked too; likewise I need to access computers on the DMZ from the LAN (again, Smoothwall allows LAN->DMZ and DMZ->LAN where specified). Is there any way this can be done as well as the other way around?

Just to clarify (if that made no sense at all):

1. I need access from the DMZ to the LAN on certain ports.
2. I need to open the DMZ up so that the LAN can access it.

Basically the web server is on the DMZ and needs to stay there for security, but needs to have access to LAN port 3306 for MySQL.

The LAN PCs need to see the web server on the DMZ to put files, etc. onto it.

Can anyone help please?

Thanks
DukeLito Asked:

arvindSR Manager Operation Commented:
Check the manual -- it clearly describes allowing or denying DMZ traffic:

http://kbserver.netgear.com/products/FVX538v2.asp -- Reference manual

Step 2: Define the DMZ port rules
Both inbound and outbound traffic is blocked by default. All traffic services must be enabled.
From the Main Menu of the browser interface, under Security, click on Rules and then select WAN-DMZ from the pulldown to view the DMZ Rules menu, shown below.
Follow the procedure described in “Using Rules to Block or Allow Specific Kinds of Traffic” on page 6-1 for the standard LAN firewall because it’s the same as the procedure for the DMZ port firewall.
[Figure 5-5: DMZ Rules screen]
DukeLito (Author) Commented:
Hi,

I've followed the procedures in the manual and set the WAN-DMZ rules to allow traffic from the LAN, although it doesn't seem to work. Basically I've allowed all traffic to the DMZ.

It has been suggested that because I have two different subnets, 192.168.1.X (LAN) and 192.168.2.X (DMZ), I should try creating static routes or enabling RIP.

My main concern though is "Pin Holes". I need to allow access from a host on the DMZ to a host on the LAN (web server on the DMZ to database server on the LAN). Is this at all possible with the FVX538? I currently use this feature on Smoothwall.

Thanks
arvindSR Manager Operation Commented:
A good way is to enable a static route on the DMZ side and mark it as private:


To add or edit a Static Route:
1. Click the Add button to open the Add/Edit Menu, shown below.
2. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.)
3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
DukeLito (Author) Commented:
I've now resolved this problem myself, and the answer can be found on the Netgear Forums by following the link below:

http://forum1.netgear.com/support/viewtopic.php?p=110587#110587

or please feel free to check out the text below:

Thanks


How to access the DMZ from a single machine/address on the LAN:
===============================================================

1. Firstly enable the DMZ port
2. Select the “DMZ-WAN” interface
3. Allow all outgoing services on all ports – if you’re not too fussed, otherwise restrict as necessary.
4. Click “ADD” to create a new rule
5. Set service as “ANY”
6. Set action as “ALLOW ALWAYS”
7. Set “Send To LAN Server” as the IP address of the machine on the DMZ (usually a web or mail server)
8. Add port translation if necessary
9. Set “WAN Users” to “Single Address” and enter the IP address of the DMZ Gateway. You should have entered this IP address when you enabled the DMZ port. (This is because effectively all traffic hitting the DMZ originates from/at this port)
10. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the DMZ (your web/mail server)



How to access the DMZ from all machines/addresses on the LAN:
=============================================================

This is virtually the same as above; the only thing that changes is step 9, where you change this to “Address Range” and enter all local addresses. Note: This must include your DMZ gateway IP in the range. This is because effectively all traffic hitting the DMZ originates from/at this port!

1. Firstly enable the DMZ port
2. Select the “DMZ-WAN” interface
3. Allow all outgoing services on all ports – if you’re not too fussed, otherwise restrict as necessary.
4. Click “ADD” to create a new rule
5. Set service as “ANY”
6. Set action as “ALLOW ALWAYS”
7. Set “Send To LAN Server” as the IP address of the machine on the DMZ (usually a web or mail server)
8. Add port translation if necessary
9. Set “WAN Users” to “Address Range” and enter the range of IP addresses to allow. Remember to include the IP address of the DMZ Gateway. You should have entered this IP address when you enabled the DMZ port. (This is because effectively all traffic hitting the DMZ originates from/at this port)
10. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the DMZ (your web/mail server)


 
How to access the LAN from the DMZ (a.k.a DMZ Pin Hole):
========================================================

Sometimes you may need access to a server on your LAN from the DMZ. You should consider this carefully, as any breach in the DMZ means there is a possibility of access to the LAN. This is very remote and is better than running a server exposed to the Internet on the LAN. Servers exposed to the Internet should ALWAYS be on a DMZ.

You may need to get access back to the LAN from your DMZ, for example to query a database. To do this you need to create what is known as a DMZ Pin Hole. Here’s how to do it on the FVX538:

1. Select the “LAN-WAN” interface
2. Click “ADD” to create a new rule
3. Set service as required, or use a service you have already created.
4. Set action as “ALLOW ALWAYS” (or as required)
5. Set “Send To LAN Server” as the IP address of the machine on the LAN (usually a server of some kind; in my case it’s a MySQL database server)
6. Add port translation if necessary
7. Set “WAN Users” to “Single Address” and enter the IP address of the LAN Gateway (192.168.1.1 by default if you haven’t changed it). This is because effectively all traffic hitting the LAN originates from/at this port
8. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the LAN (your MySQL server???)


 
Why does it work this way?
==========================

"Send to LAN server" is always the IP address of the destination machine, along with port translation if needed.

WAN Users – This is the origination IP address of the machines trying to reach your LAN server (above). So if this is set to “ANY”, then any machine, anywhere can access that server. Otherwise you can restrict access by a Single IP Address, or a range of IPs.

Public Destination IP Address – This is the IP address the request will “hit” before it reaches the “LAN Server”. For example, in the case of a request from the Internet it would be your Internet IP address assigned by your ISP. In the case of a request from your LAN it would be the LAN IP of the router (or the DMZ), depending.

The router compares the “Public Destination IP Address” with that of the incoming packet; if they match, the rule is run. Otherwise it isn’t. So you can tie down access depending upon where the request came from.


For example:

If you create a rule with a destination LAN server, set WAN users to “ANY” but set the “Public Destination IP Address” to “Other” and specify an internal IP of your LAN, the rule would not run and access would be denied from the Internet, even though WAN users was “ANY”. This isn’t that secure…. So you should tie WAN users to a specific IP (either internal or external).




----------


Ok,

I've finally solved the issue (no thanks to Netgear support who suggested RIP and static routes - don't do it, not necessary, doesn't work!) and can now get access from the LAN to the DMZ, and back from the DMZ to the LAN (on certain ports only).

I've included a quick step by step set of instructions (which are pretty well tied down and secure).

If you're interested in DMZ to LAN access, it's the second from last set of instructions.  The last set "Why does it work like this" may help a few people understand why/how it works like this.

Anyway, hope this helps some other people out there with a FVX538, sometime, somewhen!

Good hunting!

Smashed.

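As an added illustration, not Netgear's code and not part of the forum post, here is a small Python model of the rule matching the post describes: a packet is sent to the LAN server only when its service, its source (WAN Users) and its destination (Public Destination IP) all match. The `Rule` class, the `evaluate` function and every address are assumptions; as the post states, DMZ-originated traffic is taken to reach the LAN-WAN rules from the LAN gateway address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    """One FVX538 inbound rule reduced to the fields the post explains.
    Field names follow the post; the matching logic is a hypothetical model."""
    name: str
    service_port: Optional[int]            # None models service "ANY"
    wan_users: str                         # "ANY", one IP, "lo-hi" range, or CIDR
    public_dest_ip: str                    # "Public Destination IP Address"
    lan_server: str                        # "Send To LAN Server"
    translated_port: Optional[int] = None  # optional port translation

def wan_users_match(spec: str, src_ip: str) -> bool:
    """Does the packet's source fall inside the rule's WAN Users selection?"""
    src = ip_address(src_ip)
    if spec == "ANY":
        return True
    if "/" in spec:
        return src in ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ip_address(x.strip()) for x in spec.split("-"))
        return lo <= src <= hi
    return src == ip_address(spec)

def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """First-match evaluation as the post describes it: the service must match,
    the source must be within WAN Users, and the destination must equal the
    Public Destination IP; only then is the packet sent to the LAN server.
    Returns (lan_server, port) when allowed, or None when denied."""
    for r in rules:
        if r.service_port is not None and r.service_port != dst_port:
            continue
        if not wan_users_match(r.wan_users, src_ip):
            continue
        if ip_address(dst_ip) != ip_address(r.public_dest_ip):
            continue
        return r.lan_server, r.translated_port or dst_port
    return None

# Constructed addresses: LAN gateway 192.168.1.1 (the post's default); the MySQL
# server 192.168.1.50, DMZ web server 192.168.2.10 and DMZ gateway 192.168.2.1
# are assumptions. The LAN->DMZ range includes the DMZ gateway, as step 9 requires.
PINHOLE = Rule("dmz-to-mysql", 3306, "192.168.1.1", "192.168.1.50", "192.168.1.50")
LAN_TO_DMZ = Rule("lan-to-web", None, "192.168.1.1-192.168.2.1", "192.168.2.10", "192.168.2.10")
WEAK = Rule("any-to-internal", None, "ANY", "192.168.1.50", "192.168.1.50")
```

The `WEAK` rule reproduces the post's closing example: with WAN Users set to ANY but the Public Destination IP set to an internal LAN address, a request from the Internet arrives at the router's ISP-assigned address and never matches.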