Home Networking DMZ Using Two Routers

Hi all,

I am trying to create a secure home network using the two-tiered DMZ router configuration described in the following article; however, after setting it up, my second router is not allowing connections to the internet.

http://www.boutell.com/newfaq/creating/dmz.html

Using his approach, below is my setup with two routers (please note I DO NOT need to connect any web servers to router 1 with port forwarding):

Router 1: Netgear D6200 (supposedly DMZ / Firewall)
Connected to ISP via fibre using Dynamic IP address assignment

WiFi: OFF
DHCP: OFF
NAT: ON
DNS: Get from ISP (I would like to change this to Google or OpenDNS later for more security?)

LAN Setup tab:
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0

Router 2: Linksys WRT1900AC
Connected to Router 1 through LAN port 1 of router 1 directly into WAN/INTERNET port on router 2

WiFi: ON
DHCP: ON
NAT: ON
DNS: Get from ISP (I would like to change this to OpenDNS later for more security)

LAN Setup tab:
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0

Start IP: 192.168.1.51
End IP: 192.168.1.100

DNS1: 8.8.8.8 (Google)
DNS2: 8.8.4.4

I have all of our home networked PCs, mobile devices and NAS connected to router 2 using IP reservations for each device and MAC address filtering for Wi-Fi security.

Can someone please tell me what I need to do to get this running properly?

Thanks,
Lai
Asked by Laila Jackson

David Johnson, CD, MVP (Owner) commented:
router 1 add 192.168.1.1 to dmz
router 2 gateway 192.168.0.1
nat/dmz clients on router 2
0
Laila Jackson (Author) commented:
Hi, thanks for this.

I am not sure what you mean by adding 192.168.1.1 to the DMZ of router 1. Does this not contradict the whole purpose of adding in the extra layer of security?

In the guide that I referenced, the writer suggests avoiding the built-in DMZ feature of either router, as it does not make your network more secure. He writes:

"In fact, it does the opposite. Routers that offer a DMZ feature are offering to expose your server computer to traffic on all incoming ports, which is less secure than forwarding ports individually. And since your server would still be on the same physical network with other computers, nothing would prevent hackers from communicating with your other computers after they took over the server."

Is your solution following this logic?

As a side note, I enabled DHCP on my first router and it seems to have kicked it into gear, but I am worried that having DHCP on both routers is going to cause other issues that I am not aware of.
0
JustInCase commented:
You need to assign a static IP address from the 192.168.0.0/24 range on the WAN port of router 2, since DHCP on router 1 is off.
0
JustInCase commented:
You posted while I was typing my answer, so...
If you enable DHCP on router 1 it will not cause any issue, since router 2 uses NAT and has a different IP range from router 1. So that approach is similar to adding a static IP address to the WAN port of router 2.
You can use a static IP address, or turn on DHCP on router 1, or both. It will all work. The only thing that will not work is if you don't use DHCP and don't assign a static IP address on the WAN port of router 2.
:)
0
Laila Jackson (Author) commented:
Hey, thanks for that.

I have DHCP enabled on both routers.

Also, I have not touched the NAT, so it is also enabled on both routers. I have disabled UPnP on both routers as well, as I was told this is another good security practice to follow.

It appears that I am not having any issues, BUT I am worried that my configuration might have security flaws.

My goal with this setup was to create a fully private network hidden behind a DMZ router, using the method described in http://www.boutell.com/newfaq/creating/dmz.html

This approach of using two router firewalls would render it almost impossible for a hacker to get into my home network from the internet.

Also, for DNS settings, is there any issue with setting the DNS settings in the second router or should they be configured in the first router?

Thanks for the patience, I have little experience in home networking, just plugging in and setting the WiFi SSID and passwords!
0
David Johnson, CD, MVP (Owner) commented:
Why do you keep saying DMZ if you want to disallow connections? If you add another router, i.e.

    router 1 ---- router 2 --- local network
                      |---router 3 --- computers in DMZ, i.e. web server

your local network will be secure, as computers in the DMZ can't access computers on router 2.
0
JustInCase commented:
In most cases it does not matter what DNS router 1 will use, and also in most cases one NAT without open ports is more than enough. :)

Most problems with hackers don't come from outside but from inside.
I am not worried much about security flaws in my home network; reckless user behavior is the most likely cause of providing an entry into the network for a hacker ...
0
Laila Jackson (Author) commented:
@ David.

Thanks for replying.

I apologize for any confusion; I am certainly incompetent in this area and maybe my communication is confusing you :)

I am not sure what you mean by disallow connections? I still want the devices attached to my home network using the second router to access the internet if that's what you mean.

Let's try again.

The article I posted in the link by Boutell suggests that using two routers will stop any outside intruders from gaining access to my home server network if they managed to gain access to my first router.

Like most people that Boutell was targeting in his article, my home network setup using one router connected to the internet was vulnerable to outside hackers because any computer or device attached to that router would be accessible to a hacker if they did in fact manage to gain access to my router.

I might be completely wrong, but my interpretation of Boutell's solution was that adding another router between my initial router and my home network would render it impossible for a hacker to hack into my home network and gain access to my files, due to having two firewalls.

So I am hoping that my new configuration has achieved this goal.
0
Laila Jackson (Author) commented:
Hi guys, thanks again for your patience.

This is what I have done:

Router 1 - Netgear D6200 connected directly to ISP

Internet settings tab
Internet IP address - Get auto from ISP

DNS 1: 208.67.222.222 (Open DNS)
DNS 2: 208.67.220.220 (Open DNS)

NAT: Enabled

LAN setup:

IP address: 192.168.0.1
Subnet: 255.255.255.0

DHCP: Yes
IP Start: 192.168.0.2
IP End: 192.168.0.254

UPnP: Off

All radios on this device are OFF.

----------------------------------------------------
Router 2 - Linksys WRT1900AC

Internet settings tab
Internet connection type is set to - Auto Configuration DHCP

Local Network Tab
IP address: 192.168.1.1
Subnet: 255.255.255.0

DHCP: On
IP start: 192.168.1.51
IP end: 192.168.1.100

DNS 1: 8.8.8.8 (Google)
DNS 2: 8.8.4.4 (Google)

Advanced Routing Tab
NAT: Enabled
Dynamic routing (RIP): Disabled

Security Tab
Firewalls IPv4 IPv6: ON

DMZ Tab
DMZ: OFF

Connectivity tab
UPnP: Disabled

----

My second router has all devices in my home network attached by cable and wireless.

Is this setup correct?
0
JustInCase commented:
Yes, that is a correct setup.

And you can ignore the following.
:)
The only thing I would do differently (some bad experience with DHCP on some cheap routers) is:
I would add a static IP on the WAN port of the second router and exclude that IP address from the DHCP range on the first router.
And maybe configure WiFi for guests on the Netgear router (and turn it on only when I have guests).
0
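The two answers from JustInCase above (the earlier one about giving router 2's WAN port a static address when router 1's DHCP is off, and this final one about excluding that static address from router 1's DHCP pool) both come down to a handful of checks on the two routers' address plans. The script below is an added example for this thread, not code from the original posts or from either vendor. It encodes those checks, plus the UPnP and DMZ-host exposure points the thread discusses, as a validator over plain dictionaries; the field names (`lan`, `lan_ip`, `wan`, `dhcp_pool`, `upnp`, `dmz_host`) are this script's own assumptions, not the routers' configuration keys, and the sample configurations are constructed from the values posted in the thread.

```python
import ipaddress


def _addr(s):
    return ipaddress.ip_address(s)


def check_two_router_setup(router1, router2):
    """Validate a double-NAT layout where router 2's WAN plugs into router 1's LAN.
    Returns a list of (severity, message) tuples; an empty list means no findings."""
    findings = []
    r1_lan = ipaddress.ip_network(router1["lan"], strict=False)
    r2_lan = ipaddress.ip_network(router2["lan"], strict=False)
    r1_ip, r2_ip = _addr(router1["lan_ip"]), _addr(router2["lan_ip"])

    # 1. Distinct subnets: router 2 NATs its LAN behind an address on router 1's
    #    LAN, so the two ranges must not overlap or the inner router cannot route.
    if r1_lan.overlaps(r2_lan):
        findings.append(("error", f"LAN subnets overlap: {r1_lan} and {r2_lan}"))

    # 2. Router 2's WAN needs an address on router 1's LAN, from DHCP or static.
    wan = router2["wan"]
    if wan["mode"] == "dhcp":
        if not router1["dhcp_enabled"]:
            findings.append(("error", "router 2 WAN expects DHCP but router 1 DHCP is off"))
    elif wan["mode"] == "static":
        wan_ip, gw = _addr(wan["ip"]), _addr(wan["gateway"])
        if wan_ip not in r1_lan or wan_ip == r1_ip:
            findings.append(("error", f"router 2 WAN {wan_ip} must be a free address in {r1_lan}"))
        if gw != r1_ip:
            findings.append(("error", f"router 2 gateway {gw} should be router 1's LAN IP {r1_ip}"))
        if router1["dhcp_enabled"]:
            lo, hi = (_addr(a) for a in router1["dhcp_pool"])
            if lo <= wan_ip <= hi:
                findings.append(("warn", f"static WAN {wan_ip} is inside router 1's DHCP pool "
                                         f"{lo}-{hi}; exclude it to avoid a duplicate lease"))
    else:
        findings.append(("error", f"unknown WAN mode {wan['mode']!r}"))

    # 3. Router 2's DHCP pool must sit inside its LAN and not include its own address.
    if router2["dhcp_enabled"]:
        lo, hi = (_addr(a) for a in router2["dhcp_pool"])
        if lo not in r2_lan or hi not in r2_lan or lo > hi:
            findings.append(("error", f"router 2 DHCP pool {lo}-{hi} is not inside {r2_lan}"))
        elif lo <= r2_ip <= hi:
            findings.append(("error", f"router 2 DHCP pool {lo}-{hi} contains the router's own {r2_ip}"))

    # 4. Exposure settings the thread discusses: UPnP lets LAN software open
    #    inbound ports on its own, and a DMZ host entry forwards every
    #    unsolicited inbound port to a single address.
    for name, r in (("router 1", router1), ("router 2", router2)):
        if r.get("upnp"):
            findings.append(("warn", f"{name}: UPnP is enabled"))
        if r.get("dmz_host"):
            findings.append(("warn", f"{name}: DMZ host {r['dmz_host']} receives all unsolicited inbound traffic"))
    return findings


# Constructed from the final configuration posted in the thread.
ROUTER1_FINAL = {"lan": "192.168.0.0/24", "lan_ip": "192.168.0.1", "dhcp_enabled": True,
                 "dhcp_pool": ("192.168.0.2", "192.168.0.254"), "upnp": False, "dmz_host": None}
ROUTER2_FINAL = {"lan": "192.168.1.0/24", "lan_ip": "192.168.1.1", "wan": {"mode": "dhcp"},
                 "dhcp_enabled": True, "dhcp_pool": ("192.168.1.51", "192.168.1.100"),
                 "upnp": False, "dmz_host": None}
# The initial configuration: router 1 DHCP off while router 2's WAN waits for a lease.
ROUTER1_INITIAL = dict(ROUTER1_FINAL, dhcp_enabled=False)
# The variant JustInCase prefers: a static WAN address on router 2. The address and
# the shrunken pool on router 1 are constructed so the static address sits outside it.
ROUTER1_STATIC = dict(ROUTER1_FINAL, dhcp_pool=("192.168.0.100", "192.168.0.254"))
ROUTER2_STATIC = dict(ROUTER2_FINAL, wan={"mode": "static", "ip": "192.168.0.2",
                                          "gateway": "192.168.0.1"})

if __name__ == "__main__":
    for label, r1, r2 in (("final", ROUTER1_FINAL, ROUTER2_FINAL),
                          ("initial", ROUTER1_INITIAL, ROUTER2_FINAL),
                          ("static WAN", ROUTER1_STATIC, ROUTER2_STATIC),
                          ("static WAN inside pool", ROUTER1_FINAL, ROUTER2_STATIC)):
        print(label, check_two_router_setup(r1, r2) or "OK")
```

Run as a script it reports "OK" for the final posted configuration and for the static-WAN variant, a single error for the initial configuration (router 1 DHCP off with router 2 waiting for a lease, which is the symptom the question opened with), and a warning when the static WAN address is left inside router 1's pool. The checks are deliberately limited to address-plan consistency and the two exposure settings named in the thread; they say nothing about firewall rules on either device.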
Lionel N commented:
Thank you for this idea of serif,

If I understood properly, the compromisable server that we want accessible from outside is connected by LAN to router 1?

Thanks,

God bless
0