Setting up network with DMZ

Posted on 2009-12-28
Last Modified: 2012-06-27
At our office we need to have a web server connected to the Internet. This server must have a different IP range (192.168.yyy.*) than our internal network (*). We have one fixed WAN IP address (213.ccc.vvv.bbb).

Programs running in the web server run on port PPPP, so that from the Internet we would run them as:

As hardware we have got a Zyxel P660HW-D1 ADSL router and a D-Link DFL-200 firewall router with a DMZ port.

The wiring, as far as I understand, should be as follows (please correct if wrong):
- WAN connected to the Zyxel ADSL router
- Zyxel ADSL router connected to the switch
- A LAN port in the D-Link firewall connected to the switch
- DMZ port in the D-Link firewall connected to the Web server (PC)

The IP settings could be:
Zyxel ADSL router:
PCs in internal network: >1 with gateway set up as

DMZ port in D-Link firewall: 192.168.yyy.200
PC acting as web server: 192.168.yyy.201 AND gateway (is this correct?)

In the Zyxel ADSL router we have set up NAT so that all entries to 213.ccc.vvv.zzz through port PPPP should be translated to the PC acting as web server: 192.168.yyy.201.

Anything wrong with this wiring and setup?
Question by: moose25
    LVL 6

    Assisted Solution

    The gateway of the PC acting as Web Server should be 192.168.yyy.200

    The gateway of a device needs to be in its own subnet, which for said PC would be 192.168.yyy.1-255 assuming a subnet mask of
    LVL 4

    Expert Comment


    You have a slightly added complexity here in that you're doing 2 lots of NAT I think, one in the Zyxel router, and some in the Dlink. The usual arrangement would be to have a static IP of programmed into the WAN port on the Dlink, and that cabled straight into the Zyxel. Then the regular ports on the Dlink would be on and the DMZ would be on 192.168.yyy. As montezz rightly says the web server would need 192.168.yyy as its default gateway.

    However, if you only have 1 static WAN IP, then I think you're going to have to do double NAT, or some kind of IP routing on the Zyxel/Dlink. If you go for NAT, then the Dlink's WAN port will need to be cabled into the Zyxel, and the Dlink's WAN port will need a address, with the Zyxel as its default gateway. You will then need to set up 2 NAT rules, one in the Zyxel, and another in the Dlink.

    Before you had the need for the web server, were you using the Dlink firewall, or just the Zyxel?

    Author Comment

    The thing is that we moved offices. Previously we had a cable modem directly linked to the D-Link and everything worked fine.

    At the new offices the local operators only give ADSL services and that is why we need the Zyxel ADSL router since the D-link does not have ADSL functionalities.

    Since the initial post we have made some modifications but these are not fully working. The setup is as follows:

    Zyxel ADSL with IP 192.168.yyy.1
    D-link WAN IP 192.168.yyy.2 cabled direct to the Zyxel and gateway is 192.168.yyy.1 (Zyxel)
    D-link DMZ IP 192.168.yyy.3 cabled direct to the PC acting as the web server
    D-link LAN IP

    PC acting as web server with IP 192.168.yyy.4 and gateway 192.168.yyy.1 (Zyxel)
    PCs in the protected network with IPs in the range and gateway (D-link's LAN IP)

    No NAT setup in the Zyxel or D-link. No mapping in either.

    With this setup we can reach the internet from the PCs in the protected network ( but NOT from the PC acting as the Web Server.

    From any PC in we can NOT ping the PC acting as the web server (192.168.yyy.4) but we can ping the D-link's DMZ IP.

    From the Internet we can not run our programs in the web server (http://213.ccc.vvv.zzz:PPPP/program_name)

    Now for questions:
    a) Should we map in the Zyxel any entry to port PPPP to 192.168.yyy.3 (D-Link DMZ) or .4 (PC web server)?
    b) Why can we ping the D-Link's DMZ IP but not the web server PC's IP?


    This is really driving us mad!

    LVL 4

    Expert Comment


    If I'm reading the above right (a diagram would be *really* useful), then you've given the Dlink WAN the same subnet as the Dlink DMZ, ie yyy; on most firewalls (I can't comment for sure on the Dlink) the DMZ would be on a separate IP subnet. Do you have the option of making the DMZ on a separate subnet, ie zzz?

    Author Comment

    Here is the diagram
    LVL 4

    Accepted Solution

    Did you try putting the DMZ into a third subnet, ie ?

    Author Comment

    Yes and it works. Just wondering if there was another solution using only two subnets.

    Is that possible?
    LVL 4

    Expert Comment

    It would appear not... most firewalls that I've used have a separate subnet for the DMZ. Just out of interest, why would you want it on the same subnet as your internal stuff?
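The two rules the experts in this thread rely on (a host's default gateway has to sit inside the host's own subnet, and the firewall's DMZ has to be its own subnet rather than sharing the WAN or LAN range) can be checked mechanically before any cables are moved. The script below is an added example written for this page; it is not code from the thread, nor anything shipped with the Zyxel or D-Link units. Its addresses are constructed: the thread masks its octets as yyy, so 192.168.1.0/24 (router link), 192.168.10.0/24 (office LAN) and 192.168.20.0/24 (DMZ) stand in for them, and the three layouts mirror the poster's first plan, the second attempt, and the accepted third-subnet fix.

```python
"""Check a firewall/DMZ address plan against the two rules raised in the thread.

Added example, not code from the thread or from the Zyxel/D-Link products.
Rule 1: a host's default gateway must lie inside the host's own subnet.
Rule 2: the firewall's WAN, LAN and DMZ sides must be distinct, non-overlapping
        subnets (a DMZ on the WAN subnet is what broke the poster's second attempt).
Addresses are constructed: the thread masks its octets as 'yyy', so 192.168.1.0/24
(router link), 192.168.10.0/24 (office LAN) and 192.168.20.0/24 (DMZ) stand in.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    name: str
    zone: str                      # which side of the firewall: "wan", "lan" or "dmz"
    address: str                   # "ip/prefix", e.g. "192.168.20.4/24"
    gateway: Optional[str] = None  # default gateway; None for the firewall's own interfaces


def gateway_in_subnet(host: Host) -> bool:
    """Rule 1: gateway is a usable address inside the host's subnet (not network/broadcast)."""
    if host.gateway is None:
        return True
    net = ipaddress.ip_interface(host.address).network
    gw = ipaddress.ip_address(host.gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def zone_subnets(hosts: List[Host]) -> Dict[str, Set[ipaddress.IPv4Network]]:
    """Group the subnets in use by firewall zone."""
    zones: Dict[str, Set[ipaddress.IPv4Network]] = {}
    for h in hosts:
        zones.setdefault(h.zone, set()).add(ipaddress.ip_interface(h.address).network)
    return zones


def zones_overlap(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Rule 2: pairs of zones whose subnets overlap; an empty list is what we want."""
    zones = zone_subnets(hosts)
    names = sorted(zones)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if any(na.overlaps(nb) for na in zones[a] for nb in zones[b])
    ]


def check_topology(hosts: List[Host]) -> List[str]:
    """Return human-readable findings; an empty list means both rules pass."""
    findings = []
    for h in hosts:
        if not gateway_in_subnet(h):
            net = ipaddress.ip_interface(h.address).network
            findings.append(f"{h.name}: gateway {h.gateway} is not inside its own subnet {net}")
    for a, b in zones_overlap(hosts):
        findings.append(f"zones {a} and {b} share address space; give the DMZ its own subnet")
    return findings


# Constructed layouts mirroring the thread (placeholder octets replaced as noted above).
# First plan: DMZ on its own subnet, but the web server points at the Zyxel as gateway.
FIRST_PLAN = [
    Host("dlink-wan", "wan", "192.168.1.2/24", "192.168.1.1"),
    Host("dlink-lan", "lan", "192.168.10.1/24"),
    Host("office-pc", "lan", "192.168.10.50/24", "192.168.10.1"),
    Host("dlink-dmz", "dmz", "192.168.20.200/24"),
    Host("web-server", "dmz", "192.168.20.201/24", "192.168.1.1"),
]
# Second attempt: WAN, DMZ and web server all on the one "yyy" subnet.
SECOND_ATTEMPT = [
    Host("dlink-wan", "wan", "192.168.1.2/24", "192.168.1.1"),
    Host("dlink-lan", "lan", "192.168.10.1/24"),
    Host("office-pc", "lan", "192.168.10.50/24", "192.168.10.1"),
    Host("dlink-dmz", "dmz", "192.168.1.3/24"),
    Host("web-server", "dmz", "192.168.1.4/24", "192.168.1.1"),
]
# Accepted solution: DMZ on a third subnet, web server routed via the DMZ port.
THIRD_SUBNET = [
    Host("dlink-wan", "wan", "192.168.1.2/24", "192.168.1.1"),
    Host("dlink-lan", "lan", "192.168.10.1/24"),
    Host("office-pc", "lan", "192.168.10.50/24", "192.168.10.1"),
    Host("dlink-dmz", "dmz", "192.168.20.1/24"),
    Host("web-server", "dmz", "192.168.20.4/24", "192.168.20.1"),
]

if __name__ == "__main__":
    for label, layout in (("first plan", FIRST_PLAN), ("second attempt", SECOND_ATTEMPT), ("third subnet", THIRD_SUBNET)):
        print(f"{label}: {check_topology(layout) or ['ok']}")
```

Run as-is, the first plan is flagged on rule 1 (the web server's gateway is on the router-link subnet, which is exactly the point montezz made), the second attempt is flagged on rule 2 (DMZ and WAN share 192.168.1.0/24, the situation the later replies diagnose), and the third-subnet layout passes both. The check only covers addressing; NAT rules and firewall policy on the D-Link still have to be set separately.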
