Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1033
  • Last Modified:

Setting up network with DMZ

At our office we need to have a web server connected to the Internet. This server must  have a different IP range (192.168.yyy.*) than our internal network (192.168.xxx.*) .  We have one fixed WAN IP address (213.ccc.vvv.bbb)

Programs running in the web server are running to port PPPP, so that from the interner  we would run them as:            

As hardware we have got a Zyxel P660HW-D1 ADSL router and a D-Link DFL-200 firewall router with a DMZ port.

The wiring, as far as I understand should be as (please correct if wrong)
"      WAN  connected to the Zyxel ADSL router
"      Zyxel ADSL router connected to the switch
"      A LAN port in the D-Link firewall connected to the switch
"      DMZ port in the D-Link firewall connected to the Web server (PC)

The IPs settings could be:
Zyxel ADSl router : 192.168.xxx.1
PCs in internal network : 192.168.xxx.>1 with gateway setup as 192.168.xxx.1

DMZ port in D-Link firewall : 192.168.yyy.200
PC  acting as web server: 192.168.yyy.201  AND  gateway 192.168.xxx.1 (is this correct?)

In the Zyxel ADSL router we have setup NAT so rhat all entries to 213.ccc.vvv.zzz through port PPPP should be translated to the PC  acting as web server: 192.168.yyy.201.

Anything wrong with this wiring and setup?
  • 4
  • 3
2 Solutions
The gateway of PC acting as Web Server should be 192.168.yyy.200

The gateway of a device needs to be in it's own subnet, wihc for said PC would be 192.168.yyy.1-255 assuming a subnet mask of

You have a slightly added complexity here in that you're doing 2 lots of NAT I think,  one in the Zyxel router, and some in the Dlink.  The usual arrangement would be to have a static IP of 213.ccc.www.aaa programmed into the WAN port on the Dlink, and that cabled straight into the Zyxel.  Then the regular ports on the Dlink would be on 192.168.xxx   and the DMZ would be on 192.168.yyy.   As montezz rightly says the web server would need 192.168.yyy as it's default gateway.

However, if you only have 1 static WAN IP, then I think  you're going to have to do double NAT, or some kind of IP routing on the Zyxel/Dlink.   If you go for NAT, then the Dlinks WAN port will need to be cabled into the Zyxel, and the Dlinks wan port will need a 192.168.xxx address, with the Zyxel as it's default gateway.  You will then need to set up 2 NAT rules, one in the Zyxel, and another in the Dlink.

Before you had the need for the web server, were you using the Dlink firewall, or just the Zyxel ?
moose25Author Commented:
The thing is that we moved offices. previously we had a cable modem directly linked to the d-link and everything worked fine.

At the new offices the local operators only give ADSL services and that is why we need the Zyxel ADSL router since the D-link does not have ADSL functionalities.

Since the initial post we have made some modifications but these are not fully working. The setup is as follows:

Zyxel ADSL with Ip in 192.168.yyy.1
D-link WAN IP 192.168.yyy.2 cabled direct to the Zyxel and gateway is 192.168.yyy.1 (Zyxel)
D-link DMZ IP 192.168.yyy.3 cabled direct to the PC acting as the web server
D-link LAN IP 192.168.xxx.1

PC acting as web server with IP 192.168.yyy.4 and gateway 192.168.yyy.1 (Zyxel)
PCs in the protected network with IPs in the range 192.168.xxx and gateway 192.168.xxx.1 (D-link's LAN IP)

No NAT setup in the Zyxel or D-link. No mapping in either.

With this setup we can reach the internet from the PCs in the protect network (192.168.xxx) but NOT from the PC acting as the Web Server.

From any PC in 192.168.xxx we can NOT ping the PC acting as the web server (192.168.yyy.4) but we can ping the D-link's DMZ IP.

From the Internet we can not run our programs in the web server (http://213.ccc.vvv.zzz:PPPP/program_name)

Now for questions:
a) Should we map in the zyxel any entry to port PPP to 192.168.yyy.3 (D-link DMZ) or .4 (PC web server)?
b) why can we ping the D-link's DMZ Ip but not the web server PC's IP ?


This is really driving us mad!

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!


If I'm reading the above right ( a diagram would be *really* useful), then you've given the Dlink WAN the same subnet as the dlink DMZ   ie   yyy ,  on most firewalls ( I can't comment for sure on the dlink) the DMZ would be on a separate IP subnet.   Do you have the option of making the DMZ on a separate subnet, ie  zzz ?
moose25Author Commented:
Here is the diagram
Did you try putting the DMZ into a third subnet, ie  192.168.xxx. ?
moose25Author Commented:
Yes and it works. Just wondering if there was another solution using only two subnets.

Is that possible?
It would appear not .. most firewalls that I've used have a separate subnet for the DMZ.  Just out of interest why would you want it on the same subnet as your internal stuff ?

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now