Solved

Access DMZ from LAN and vice versa (DMZ Pin Hole) on Netgear FVX538

Posted on 2006-03-29
Last Modified: 2008-01-09
Hi All,

Just a quick question regarding the FVX538 and its DMZ setup. I've looked through the manual and site, but found nothing.

I used to use Smoothwall, and it has an option of setting up a "pin hole" from the DMZ to the LAN so that certain ports can be accessed on the LAN from the DMZ. This is what I need, as my MySql server is on the LAN (192.168.1.x) while the Web Server is on the DMZ (192.168.2.x), and it does need access to the database.

Does the FVX538 have the ability to do this, and if so how?

Also I was trying to access my DMZ from my LAN but that was blocked too, likewise I need to access computers on the DMZ from the LAN (again Smoothwall allows LAN->DMZ and DMZ->LAN where specified). Is there any way this can be done as well as the other way around?

Just to clarify (if that made no sense at all)....

1. I need to get access from the DMZ to LAN on certain ports
2. I need to open the DMZ up so that the LAN can access it.

Basically the web server is on the DMZ and needs to stay there for security, but needs to have access to LAN port 3306 for MySql.

The LAN PCs need to see the Web Server on the DMZ to put files, etc. onto it.

Can anyone help please?

Thanks
Question by:DukeLito

Expert Comment

by:arvind
ID: 16340597
Check the manual -- it clearly describes denying or allowing DMZ traffic.

http://kbserver.netgear.com/products/FVX538v2.asp -- Reference manual

Step 2: Define the DMZ port rules
Both inbound and outbound traffic is blocked by default. All traffic services must be enabled. From the Main Menu of the browser interface, under Security, click on Rules and then select WAN-DMZ from the pulldown to view the DMZ Rules menu, shown below. Follow the procedure described in “Using Rules to Block or Allow Specific Kinds of Traffic” on page 6-1 for the standard LAN firewall because it’s the same as the procedure for the DMZ port firewall.
Figure 5-5: DMZ Rules screen

Author Comment

by:DukeLito
ID: 16340667
Hi,

I've followed the procedures in the manual and set the WAN-DMZ to allow traffic from the LAN, although it doesn't seem to work.  Basically I've allowed all traffic to the DMZ.

It has been suggested that because I have two different subnets 192.168.1.X (LAN) and 192.168.2.X (DMZ) that I should try creating static routes, or enable RIP.

My main concern though is "Pin Holes". I need to allow access from a host on the DMZ to a host on the LAN - web server on DMZ to database server on LAN. Is this at all possible with the FVX538? I currently use this feature on Smoothwall.

Thanks

Expert Comment

by:arvind
ID: 16340715
A good way is to enable a static route on the DMZ side and make it private:

To add or edit a Static Route:
1. Click the Add button to open the Add/Edit Menu, shown below.
2. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.)
3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.

Accepted Solution

by: DukeLito (earned 0 total points)
ID: 16376417
I've now resolved this problem myself, and the answer can be found on the Netgear Forums by following the link below:

http://forum1.netgear.com/support/viewtopic.php?p=110587#110587

or please feel free to check out the text below...

Thanks


How to access the DMZ from a single machine/address on the LAN:
===============================================================

1. Firstly enable the DMZ port
2. Select the “DMZ-WAN” interface
3. Allow all outgoing services on all ports – if you’re not too fussed, otherwise restrict as necessary.
4. Click “ADD” to create a new rule
5. Set service as “ANY”
6. Set action as “ALLOW ALWAYS”
7. Set “Send To Lan Server” as the IP address of the machine on the DMZ (usually a web or mail server)
8. Add port translation if necessary
9. Set “WAN Users” to “Single Address” and enter the IP address of the DMZ Gateway. You should have entered this IP address when you enabled the DMZ port. (This is because effectively all traffic hitting the DMZ originates from/at this port)
10. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the DMZ (your web/mail server)


How to access the DMZ from all machines/addresses on the LAN:
=============================================================

This is virtually the same as above; the only thing that changes is step 9, where you change this to “Address Range” and enter all local addresses. Note: this must include your DMZ gateway IP in the range. This is because effectively all traffic hitting the DMZ originates from/at this port!

1. Firstly enable the DMZ port
2. Select the “DMZ-WAN” interface
3. Allow all outgoing services on all ports – if you’re not too fussed, otherwise restrict as necessary.
4. Click “ADD” to create a new rule
5. Set service as “ANY”
6. Set action as “ALLOW ALWAYS”
7. Set “Send To Lan Server” as the IP address of the machine on the DMZ (usually a web or mail server)
8. Add port translation if necessary
9. Set “WAN Users” to “Address Range” and enter the range of IP addresses to allow. Remember to include the IP address of the DMZ Gateway. You should have entered this IP address when you enabled the DMZ port. (This is because effectively all traffic hitting the DMZ originates from/at this port)
10. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the DMZ (your web/mail server)


How to access the LAN from the DMZ (a.k.a. DMZ Pin Hole):
=========================================================

Sometimes you may need access to a server on your LAN from the DMZ. You should consider this carefully, as any breach in the DMZ means there is a possibility of access to the LAN. This is very remote and is better than running a server exposed to the Internet on the LAN. Servers exposed to the Internet should ALWAYS be on a DMZ.

You may need to get access back to the LAN from your DMZ, for example to query a database. To do this you need to create what is known as a DMZ Pin Hole. Here’s how to do it on the FVX538:

1. Select the “LAN-WAN” interface
2. Click “ADD” to create a new rule
3. Set service as required, or use a service you have already created.
4. Set action as “ALLOW ALWAYS” (or as required)
5. Set “Send To Lan Server” as the IP address of the machine on the LAN (usually a server of some kind; in my case it’s a MySQL Database server)
6. Add port translation if necessary
7. Set “WAN Users” to “Single Address” and enter the IP address of the LAN Gateway (192.168.1.1 by default if you haven’t changed it). This is because effectively all traffic hitting the LAN originates from/at this port
8. Set “Public Destination IP Address” to “Other Public IP Address” and once again enter the IP address of the machine on the LAN (your MySql server???)


Why does it work this way?
==========================

"Send to LAN server" is always the IP address of the destination machine, along with port translation if needed.

WAN Users – This is the origination IP address of the machines trying to reach your LAN server (above). So if this is set to “ANY”, then any machine, anywhere, can access that server. Otherwise you can restrict access to a single IP address, or a range of IPs.

Public Destination IP Address – This is the IP address the request will “hit” before it reaches the “LAN Server”. For example, in the case of a request from the Internet it would be your Internet IP address assigned by your ISP. In the case of a request from your LAN it would be the LAN IP of the router (or the DMZ), depending.

The router compares the “Public Destination IP Address” with that of the incoming packet; if they match, the rule is run. Otherwise it isn’t. So you can tie down access depending upon where the request came from.


For example:

If you create a rule with a destination LAN server, set WAN Users to “ANY” but set the “Public Destination IP Address” to “Other” and specify an internal IP of your LAN, the rule would not run and access would be denied from the Internet, even though WAN Users was “ANY”. This isn’t that secure… so you should tie WAN Users to a specific IP (either internal or external).




----------


Ok,

I've finally solved the issue (no thanks to Netgear support who suggested RIP and static routes - don't do it, not necessary, doesn't work!) and can now get access from the LAN to the DMZ, and back from the DMZ to the LAN (on certain ports only).

I've included a quick step by step set of instructions (which are pretty well tied down and secure).

If you're interested in DMZ to LAN access, it's the second from last set of instructions.  The last set "Why does it work like this" may help a few people understand why/how it works like this.

Anyway, hope this helps some other people out there with an FVX538, sometime, somewhen!

Good hunting!

Smashed.




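The rule matching described in the "Why does it work this way?" section of the accepted solution is easier to see in code. What follows is an added example, not text or code from the original post and not Netgear's: a small Python model of the evaluation the post describes (a rule belongs to one interface rule set, names a service, takes "WAN Users" as the permitted source, and is compared against the packet's destination via "Public Destination IP Address"; a packet that matches no rule is blocked, the device default the manual excerpt above mentions), plus a check that lists ALLOW rules whose WAN Users is "ANY", the weakness the post's closing example warns about. All addresses, rule names and the Rule/Packet types are constructed for the example. The model takes WAN Users literally as the source address carried by the packet; it does not reproduce the device behaviour the post notes, where forwarded traffic appears to originate from the gateway address, so the sample pinhole rule names the web server's own address where the post's step 7 enters the LAN gateway.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple, Union

# Constructed model of the rule evaluation the post describes; not Netgear firmware.
ANY = "ANY"
# "WAN Users" selector: ANY, a single address, or an inclusive (low, high) range
WanUsers = Union[str, IPv4Address, Tuple[IPv4Address, IPv4Address]]


@dataclass(frozen=True)
class Rule:
    name: str
    interface: str                   # rule set the rule lives in, e.g. "LAN-WAN" or "DMZ-WAN"
    service_port: Optional[int]      # None models service "ANY"
    action: str                      # "ALLOW" or "BLOCK"
    send_to_lan_server: IPv4Address  # host the matching traffic is delivered to
    wan_users: WanUsers              # permitted source address(es)
    public_dest_ip: IPv4Address      # address the packet must be addressed to for the rule to apply


@dataclass(frozen=True)
class Packet:
    interface: str   # rule set consulted for this packet
    src: IPv4Address
    dst: IPv4Address
    dport: int


def source_allowed(selector: WanUsers, src: IPv4Address) -> bool:
    """WAN Users check: is the packet's source one the rule permits?"""
    if selector == ANY:
        return True
    if isinstance(selector, IPv4Address):
        return src == selector
    low, high = selector
    return low <= src <= high


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies only if interface, service, source and Public Destination IP all match."""
    return (
        rule.interface == pkt.interface
        and (rule.service_port is None or rule.service_port == pkt.dport)
        and source_allowed(rule.wan_users, pkt.src)
        and rule.public_dest_ip == pkt.dst
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[IPv4Address]]:
    """First matching rule decides; with no match the device default (block) applies.
    Returns (action, host the packet is sent to, or None when blocked)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            target = rule.send_to_lan_server if rule.action == "ALLOW" else None
            return rule.action, target
    return "BLOCK", None


def wide_open_rules(rules: List[Rule]) -> List[str]:
    """Names of ALLOW rules whose WAN Users is ANY: the case the post says to tie down."""
    return [r.name for r in rules if r.action == "ALLOW" and r.wan_users == ANY]


# Constructed sample addresses (RFC 1918 for LAN/DMZ, documentation ranges for the Internet side)
MYSQL = ip_address("192.168.1.10")           # database server on the LAN
WEB = ip_address("192.168.2.10")             # web server on the DMZ
OTHER_DMZ_HOST = ip_address("192.168.2.20")  # another DMZ host that should get no LAN access
ISP_WAN = ip_address("203.0.113.5")          # address the ISP assigned to the WAN port
INTERNET_HOST = ip_address("198.51.100.7")   # arbitrary Internet client

# Pinhole in the spirit of the post's DMZ-to-LAN steps: LAN-WAN rule set, one service, one source.
PINHOLE = Rule("dmz-to-mysql", "LAN-WAN", 3306, "ALLOW", MYSQL, WEB, MYSQL)
# The post's closing example: WAN Users ANY, Public Destination IP set to an internal address.
LOOSE = Rule("loose-mysql", "LAN-WAN", 3306, "ALLOW", MYSQL, ANY, MYSQL)


if __name__ == "__main__":
    for rules, pkt in [
        ([PINHOLE], Packet("LAN-WAN", WEB, MYSQL, 3306)),             # web server -> database: ALLOW
        ([PINHOLE], Packet("LAN-WAN", OTHER_DMZ_HOST, MYSQL, 3306)),  # wrong source: BLOCK
        ([PINHOLE], Packet("LAN-WAN", WEB, MYSQL, 22)),               # wrong service: BLOCK
        ([LOOSE], Packet("LAN-WAN", INTERNET_HOST, ISP_WAN, 3306)),   # hits the WAN IP, not the internal one: BLOCK
    ]:
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(rules, pkt))
    print("ALLOW rules with WAN Users = ANY:", wide_open_rules([PINHOLE, LOOSE]))
```

The last sample packet is the situation the post describes: the loose rule never fires for an Internet client because the packet is addressed to the ISP-assigned WAN address rather than the internal one the rule names, yet `wide_open_rules` still reports it, since any packet that does carry the internal destination would be accepted from any source. Running the tighter pinhole and the source check together is the defender's version of the post's advice to tie WAN Users to a specific address.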