Setting up network with DMZ

At our office we need to have a web server connected to the Internet. This server must have a different IP range (192.168.yyy.*) than our internal network (*). We have one fixed WAN IP address (213.ccc.vvv.bbb).

Programs running in the web server are running to port PPPP, so that from the Internet we would run them as:

As hardware we have got a Zyxel P660HW-D1 ADSL router and a D-Link DFL-200 firewall router with a DMZ port.

The wiring, as far as I understand, should be as follows (please correct if wrong):
- WAN connected to the Zyxel ADSL router
- Zyxel ADSL router connected to the switch
- A LAN port in the D-Link firewall connected to the switch
- DMZ port in the D-Link firewall connected to the Web server (PC)

The IPs settings could be:
Zyxel ADSL router :
PCs in internal network :>1 with gateway setup as

DMZ port in D-Link firewall : 192.168.yyy.200
PC acting as web server: 192.168.yyy.201 AND gateway (is this correct?)

In the Zyxel ADSL router we have set up NAT so that all entries to 213.ccc.vvv.zzz through port PPPP should be translated to the PC acting as web server: 192.168.yyy.201.

Anything wrong with this wiring and setup?
simon_m_ Commented:
Did you try putting the DMZ into a third subnet, ie ?
montezz Commented:
The gateway of PC acting as Web Server should be 192.168.yyy.200

The gateway of a device needs to be in its own subnet, which for said PC would be 192.168.yyy.1-255 assuming a subnet mask of

You have a slightly added complexity here in that you're doing 2 lots of NAT I think, one in the Zyxel router, and some in the Dlink. The usual arrangement would be to have a static IP of programmed into the WAN port on the Dlink, and that cabled straight into the Zyxel. Then the regular ports on the Dlink would be on   and the DMZ would be on 192.168.yyy. As montezz rightly says the web server would need 192.168.yyy as its default gateway.

However, if you only have 1 static WAN IP, then I think you're going to have to do double NAT, or some kind of IP routing on the Zyxel/Dlink. If you go for NAT, then the Dlink's WAN port will need to be cabled into the Zyxel, and the Dlink's WAN port will need a address, with the Zyxel as its default gateway. You will then need to set up 2 NAT rules, one in the Zyxel, and another in the Dlink.

Before you had the need for the web server, were you using the Dlink firewall, or just the Zyxel ?

moose25 (Author) Commented:
The thing is that we moved offices. Previously we had a cable modem directly linked to the D-link and everything worked fine.

At the new offices the local operators only give ADSL services and that is why we need the Zyxel ADSL router since the D-link does not have ADSL functionalities.

Since the initial post we have made some modifications but these are not fully working. The setup is as follows:

Zyxel ADSL with IP in 192.168.yyy.1
D-link WAN IP 192.168.yyy.2 cabled direct to the Zyxel and gateway is 192.168.yyy.1 (Zyxel)
D-link DMZ IP 192.168.yyy.3 cabled direct to the PC acting as the web server
D-link LAN IP

PC acting as web server with IP 192.168.yyy.4 and gateway 192.168.yyy.1 (Zyxel)
PCs in the protected network with IPs in the range and gateway (D-link's LAN IP)

No NAT setup in the Zyxel or D-link. No mapping in either.

With this setup we can reach the internet from the PCs in the protected network ( but NOT from the PC acting as the Web Server.

From any PC in we can NOT ping the PC acting as the web server (192.168.yyy.4) but we can ping the D-link's DMZ IP.

From the Internet we can not run our programs in the web server (http://213.ccc.vvv.zzz:PPPP/program_name)

Now for questions:
a) Should we map in the Zyxel any entry to port PPP to 192.168.yyy.3 (D-link DMZ) or .4 (PC web server)?
b) Why can we ping the D-link's DMZ IP but not the web server PC's IP?


This is really driving us mad!


If I'm reading the above right (a diagram would be *really* useful), then you've given the Dlink WAN the same subnet as the dlink DMZ, ie yyy, on most firewalls (I can't comment for sure on the dlink) the DMZ would be on a separate IP subnet. Do you have the option of making the DMZ on a separate subnet, ie zzz ?
moose25 (Author) Commented:
Here is the diagram
moose25 (Author) Commented:
Yes and it works. Just wondering if there was another solution using only two subnets.

Is that possible?
It would appear not .. most firewalls that I've used have a separate subnet for the DMZ.  Just out of interest why would you want it on the same subnet as your internal stuff ?
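
An added example, not part of the original thread: a small checker for the two rules the answers rely on, that each routed firewall interface sits in its own subnet and that a host's gateway is the firewall interface on its own segment. The addresses are constructed stand-ins (10 for "yyy", 20 for "zzz", 192.168.1.0/24 for the internal LAN) and /24 masks are assumed.

```python
import ipaddress

def check_plan(fw_ifaces, hosts):
    """List addressing problems in a routed firewall plan.

    fw_ifaces: {name: "ip/prefix"} per firewall interface.
    hosts: {name: (segment, "ip/prefix", "gateway")}, where segment is the
    firewall interface the host is cabled to.
    """
    problems = []
    ifs = {n: ipaddress.ip_interface(a) for n, a in fw_ifaces.items()}
    names = sorted(ifs)
    # Each routed interface needs its own subnet, or the firewall cannot tell
    # which port a destination address is behind.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifs[a].network.overlaps(ifs[b].network):
                problems.append(f"{a} and {b} share subnet {ifs[a].network}")
    for name, (segment, addr, gw) in sorted(hosts.items()):
        host, gateway = ipaddress.ip_interface(addr), ipaddress.ip_address(gw)
        fw = ifs[segment]
        if host.network != fw.network:
            problems.append(f"{name} is not in the {segment} subnet {fw.network}")
        if gateway not in host.network:
            problems.append(f"{name} gateway {gateway} is outside {host.network}")
        elif gateway != fw.ip:
            problems.append(f"{name} gateway {gateway} is not the {segment} interface {fw.ip}")
    return problems

# Constructed addresses: 10 stands in for "yyy", 20 for "zzz", 192.168.1.0/24
# for the internal LAN; /24 masks are assumed.
BROKEN_FW = {"wan": "192.168.10.2/24", "dmz": "192.168.10.3/24", "lan": "192.168.1.1/24"}
BROKEN_HOSTS = {"webserver": ("dmz", "192.168.10.4/24", "192.168.10.1"),
                "pc": ("lan", "192.168.1.50/24", "192.168.1.1")}
FIXED_FW = dict(BROKEN_FW, dmz="192.168.20.1/24")
FIXED_HOSTS = dict(BROKEN_HOSTS, webserver=("dmz", "192.168.20.4/24", "192.168.20.1"))

if __name__ == "__main__":
    for label, fw, hosts in (("two subnets", BROKEN_FW, BROKEN_HOSTS),
                             ("three subnets", FIXED_FW, FIXED_HOSTS)):
        print(label, check_plan(fw, hosts) or "OK")
```

The two-subnet plan mirrors the second setup described in the thread and is flagged twice; the three-subnet plan passes.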