RV042 DMZ port + NAT

Unanswered Question
Oct 19th, 2009

Hi,

I recently purchased a Linksys RV042, hoping to make use of the DMZ port to separate a Wireless/guest network.

I have a single, dynamic IP on the WAN, and do not need external access to the DMZ.

With other routers I have used, a DMZ port can be used to host an 'insecure' network, and will route/NAT its data out to the WAN. In this way, I have secured a private 'green' network from a public 'orange' network, whilst still allowing internet access for both.

The RV042 doesn't seem to support this? The DMZ port does allow setting a Subnet, which I have set to the 'private' IP range I want to use for the Wireless 'public' segment. I can ping the IP (after allowing it in the firewall rules) but I cannot route past that point (i.e. cannot ping external hosts).

Do I assume correctly that the RV042 cannot route/NAT private IPs in the DMZ space?

If so, why not? Are there plans to enable this in future Firmware?

I expected to be able to use the DMZ port as a DMZ without the need for multiple public IPs, making use of NAT.

Many thanks,

Geoff

Model: Linksys RV042

Firmware: 1.3.12-tm

WAN: Dynamic Public IP

LAN: 192.168.1.x

WAN: 172.16.0.x

David Carr Mon, 10/19/2009 - 07:37

I read your post and I have a possible solution for you.  The rv042 will not do dhcp on the dmz.  However, I see that you only have one wan IP address.  Since that is the case, the wrvs4400n version 2 would probably be a better router for you and what you are needing.  You can create up to 4 wireless ssid's on that router.  This has a vlan option that will allow you to segregate the wireless and not allow it to have access to anything on your network.  Another option would be if you keep the rv042, you can hang a wireless router off of the dmz and have the router provide dhcp that way.  I hope this helps.

muppetgeoff Mon, 10/19/2009 - 10:56

Hi David, Thanks for the reply.

davicarr wrote:

.... if you keep the rv042, you can hang a wireless router off of the dmz and have the router provide dhcp that way.  I hope this helps.

Unfortunately - that doesn't work. Let me explain...

Before implementing the wireless, I have tested the viability of using private IPs in the DMZ space using a single PC hooked into the DMZ port with the following settings:

RV042:

DMZ IP: 172.16.0.254

Subnet: 255.255.255.0

PC

IP: 172.16.0.1

Subnet: 255.255.255.0

Default Gateway: 172.16.0.254

Ignoring DNS resolution for the moment, I have tried to connect to some 'public' IPs that I know (private servers hosted out 'in the cloud' that I can connect to by IP from the 'private' LAN of the RV042). Pings and connects fail. I have tried opening up the firewall on the RV042, disabling the firewall completely, and tried setting some static routes.

It appears that the RV042 only performs NAT for the LAN, and performs 'routing' for the DMZ. As such, the 172 address range cannot be routed, and so fails.

Comparing this functionality to other DMZ-enabled routers I have used (such as M0n0Wall, IPCop, Smoothwall, WatchGuard) those others can function in the same way (often called 'Bridged mode') OR they can function in NAT mode for the DMZ.

Unless I am missing something, the RV042 cannot do this yet? Is there any technical reason?

As stated, I have only just purchased this device, but I cannot replace it. So I need to find a working solution, or forget the idea.

Many thanks,

Geoff
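For comparison, the NAT-mode 'green'/'orange' layout described in the post above, written as an nftables ruleset for a generic Linux firewall. This is an added example, not part of the original post and not an RV042 configuration; the interface names `wan0`, `lan0` and `dmz0`, and the assumption that the firewall itself serves DNS and DHCP to the guest segment, are hypothetical, while the two subnets are the ones given in the thread.

```nft
# Constructed example: wan0/lan0/dmz0 are assumed interface names.
table inet segregation {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        # Trusted side may manage the firewall
        iifname { "lo", "lan0" } accept
        # Orange/guest side gets DNS, DHCP and ping to its gateway, nothing else
        iifname "dmz0" udp dport { 53, 67 } accept
        iifname "dmz0" tcp dport 53 accept
        iifname "dmz0" icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Green (192.168.1.0/24) and orange (172.16.0.0/24) may each go out
        iifname "lan0" oifname "wan0" accept
        iifname "dmz0" oifname "wan0" accept
        # No dmz0 -> lan0 rule: guest traffic to the private LAN
        # falls through to the drop policy.
    }
}

table ip egress_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Both private ranges are source-NATed behind the single dynamic
        # WAN address. Without this rule for 172.16.0.0/24 the packets
        # leave with a private source and no reply can be routed back,
        # which matches the failure seen from the routed DMZ port.
        oifname "wan0" ip saddr { 192.168.1.0/24, 172.16.0.0/24 } masquerade
    }
}
```

The ruleset can be syntax-checked without being applied using `nft -c -f <file>`.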

Te-Kai Liu Mon, 10/19/2009 - 22:22

What you need is RV082, which supports port-based VLAN. Each VLAN has access to the internet but not other VLANs.

muppetgeoff Mon, 10/19/2009 - 23:19

Hi,

tekliu wrote:

What you need is RV082...

Unfortunately, I cannot afford, or justify affording, the 082. The 042 has just enough ports for what I need *if* the DMZ port will allow NAT. If I am to buy different hardware - I can spend less for some other brand that *does* do what I need.

So I guess what I'm saying, is what I need is for Cisco to consider enabling DMZ-NAT as an option in a future firmware release. In a similar way that they included the option for inputting a DMZ subnet instead of just a single IP.

I wouldn't know even how to make this suggestion to them.

Kind regards,

Geoff

Te-Kai Liu Mon, 10/19/2009 - 23:32

>...that they included the option for inputting a DMZ subnet instead of just a single IP.

RV042 DMZ Port can be configured as either DMZ Range or DMZ Subnet. Regardless of the choice made, the computers in RV042's DMZ have their own public IP addresses, i.e. not NAT'ed.

muppetgeoff Mon, 10/19/2009 - 23:43

Hi,

tekliu wrote:

...Regardless of the choice made, the computers in RV042's DMZ have their own public IP addresses, i.e. not NAT'ed.

I was making an example of a firmware change that was related to the DMZ. Highlighting that they do make such changes.

muppetgeoff wrote:

>...what I need is for Cisco to consider enabling DMZ-NAT as an option in a future firmware release

With such an option, users would be able to host multiple physical, dedicated servers (such as separate Mail and Web servers) in the DMZ, and publish them from a single IP - which is the 'standard' number of IPs that ISPs dish out.

For me personally, I do not need it for access inbound. I need it as a separate LAN outbound. I think I've hammered that point enough though, and mention the alternative use only as secondary weight to such a change request :)

The DMZ could therefore be considered as a separate Vlan, untrusted by default.

Kind regards,

Geoff

Te-Kai Liu Mon, 10/19/2009 - 23:53

>The DMZ could therefore be considered as a separate Vlan, untrusted by default.

RVS4000 (priced at $129) supports VLAN, which might fit your need.

David Carr Tue, 10/20/2009 - 07:23

Yeah, I agree with security.  You might wanna try the rvs4000, or go with the wireless version of that router the wrvs4400n as an option.
