TRENDnet Not available User Manual

Advanced

DMZ

DMZ Setting

DMZ means "Demilitarized Zone." If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on that computer.

When a LAN host is configured as a DMZ host, it becomes the destination for all incoming packets that do not match some other incoming session or rule. If any other ingress rule is in place, that will be used instead of sending packets to the DMZ host; so, an active session, virtual server, active port trigger, or port forwarding rule will take priority over sending a packet to the DMZ host. (The DMZ policy resembles a default port forwarding rule that forwards every port that is not specifically sent anywhere else.)

The router provides only limited firewall protection for the DMZ host. The router does not forward a TCP packet that does not match an active DMZ session, unless it is a connection establishment packet (SYN). Except for this limited protection, the DMZ host is effectively "outside the firewall". Anyone considering using a DMZ host should also consider running a firewall on that DMZ host system to provide additional protection.

Packets received by the DMZ host have their IP addresses translated from the WAN-side IP address of the router to the LAN-side IP address of the DMZ host. However, port numbers are not translated; so applications on the DMZ host can depend on specific port numbers.

The DMZ capability is just one of several means for allowing incoming requests that might appear unsolicited to the NAT. In general, the DMZ host should be used only if there are no other alternatives, because it is much more exposed to cyberattacks than any other system on the LAN. Thought should be given to using other configurations instead: a virtual server, a port forwarding rule, or a port trigger. Virtual servers open one port for incoming sessions bound for a specific application (and also allow port redirection and the use of ALGs).

Port forwarding is rather like a selective DMZ, where incoming traffic targeted at one or more ports is forwarded to a specific LAN host (thereby not exposing as many ports as a DMZ host). Port triggering is a special form of port forwarding, which is activated by outgoing traffic, and for which ports are only forwarded while the trigger is active.
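The decision order described above (active session first, then virtual server or port forwarding rule, then an armed port trigger, and the DMZ host only as the catch-all default, with non-SYN TCP dropped unless a session exists) can be made concrete with a small simulation. The following is an added example written for this page, not TRENDnet firmware code; the `Router` and `Packet` classes, the rule shapes, and the sample addresses and ports are constructed assumptions, and outbound NAT is simplified to keep the LAN source port unchanged.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Dest = Tuple[str, int]   # (LAN IP, LAN port) a packet is delivered to


@dataclass(frozen=True)
class Packet:
    """An inbound packet arriving on the router's WAN address (constructed sample data)."""
    proto: str          # "tcp" or "udp"
    src: str            # remote (Internet) address
    sport: int          # remote port
    dport: int          # destination port on the router's WAN address
    syn: bool = False   # TCP connection-establishment flag


@dataclass
class Router:
    """Hypothetical model of the ingress rules the manual describes."""
    dmz_host: Optional[str] = None
    # virtual server / port forwarding rules: (proto, public_port) -> (lan_ip, private_port)
    forwards: Dict[Tuple[str, int], Dest] = field(default_factory=dict)
    # port trigger definitions: (outgoing proto, outgoing port) -> (incoming proto, incoming port)
    triggers: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # triggers armed by outgoing traffic: (incoming proto, incoming port) -> lan_ip
    active_triggers: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # active sessions: (proto, remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
    sessions: Dict[Tuple[str, str, int, int], Dest] = field(default_factory=dict)

    def outbound(self, lan_ip: str, proto: str, sport: int, remote_ip: str, dport: int) -> None:
        """A LAN host sends a packet: record the session and arm any matching port trigger.
        Simplification (assumption): the public port equals the LAN source port."""
        self.sessions[(proto, remote_ip, dport, sport)] = (lan_ip, sport)
        if (proto, dport) in self.triggers:
            self.active_triggers[self.triggers[(proto, dport)]] = lan_ip

    def inbound(self, pkt: Packet) -> Optional[Dest]:
        """Classify an inbound packet in the order the manual gives; None means dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.sessions:                          # 1. an active session always wins
            return self.sessions[key]
        dest = self.forwards.get((pkt.proto, pkt.dport))
        if dest is not None:                              # 2. virtual server / port forwarding
            return dest                                   #    (may redirect to a different port)
        lan_ip = self.active_triggers.get((pkt.proto, pkt.dport))
        if lan_ip is not None:                            # 3. an armed port trigger
            return (lan_ip, pkt.dport)
        if self.dmz_host is not None:                     # 4. DMZ host: the catch-all default
            if pkt.proto == "tcp" and not pkt.syn:
                return None                               # non-SYN TCP with no session: dropped
            dest = (self.dmz_host, pkt.dport)             # address translated, port unchanged
            if pkt.proto == "tcp":
                self.sessions[key] = dest                 # the SYN establishes a DMZ session
            return dest
        return None                                       # nothing matched: dropped


def demo() -> Dict[str, Optional[Dest]]:
    """Walk constructed sample packets through a router with a DMZ host, one virtual server and one trigger."""
    r = Router(dmz_host="192.168.10.200",
               forwards={("tcp", 80): ("192.168.10.50", 8080)},
               triggers={("udp", 6000): ("udp", 7000)})
    out: Dict[str, Optional[Dest]] = {}
    # web traffic: the virtual server rule takes priority over the DMZ host (and redirects the port)
    out["http"] = r.inbound(Packet("tcp", "198.51.100.7", 40000, 80, syn=True))
    # a SYN to a port nobody forwards reaches the DMZ host, port preserved
    out["dmz_syn"] = r.inbound(Packet("tcp", "198.51.100.7", 40001, 25565, syn=True))
    # the follow-up ACK from the same peer matches the DMZ session
    out["dmz_ack"] = r.inbound(Packet("tcp", "198.51.100.7", 40001, 25565))
    # a stray ACK with no session is dropped: the only protection the DMZ host gets
    out["stray_ack"] = r.inbound(Packet("tcp", "198.51.100.8", 5555, 25565))
    # before the trigger fires, unsolicited UDP to port 7000 lands on the DMZ host ...
    out["trigger_before"] = r.inbound(Packet("udp", "198.51.100.9", 7000, 7000))
    # ... after 192.168.10.60 sends to udp/6000, the armed trigger takes priority
    r.outbound("192.168.10.60", "udp", 6000, "198.51.100.9", 6000)
    out["trigger_after"] = r.inbound(Packet("udp", "198.51.100.9", 7000, 7000))
    return out


if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:15s} -> {dest if dest else 'dropped'}")
```

The `trigger_before` case is the one worth noticing: with a DMZ host configured, every unsolicited UDP datagram that no rule claims is delivered to that host, which is why the manual treats the DMZ as a last resort and suggests port forwarding or triggering instead.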

Few applications truly require the use of the DMZ host. Following are examples of when a DMZ host might be required:

A host needs to support several applications that might use overlapping ingress ports such that two port forwarding rules cannot be used because they would potentially be in conflict.


To handle incoming connections that use a protocol other than ICMP, TCP, UDP, and IGMP (also GRE and ESP, when these protocols are enabled by the PPTP and IPSec

Enable DMZ

Putting a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only recommended as a last resort.

DMZ IP Address

Specify the LAN IP address of the LAN computer that you want to have unrestricted Internet communication.

VIRTUAL SERVER

Enable

Specifies whether the entry will be active or inactive.

Name

Assign a meaningful name to the virtual server, for example Web Server. Several well-known types of virtual server are available from the "Application Name" drop-down list. Selecting one of these entries fills some of the remaining parameters with standard values for that type of server.

IP Address

The IP address of the system on your internal network that will provide the virtual service, for example 192.168.10.50. You can select a computer from the list of DHCP clients in the "Computer Name" drop-down menu, or you can manually enter the IP address of the server computer.

Protocol

Select the protocol used by the service. The common choices (UDP, TCP, and both UDP and TCP) can be selected from the drop-down menu. To specify any other protocol, select "Other" from the list, then enter the corresponding protocol number (as assigned by the IANA) in the Protocol box.

Private Port


The port that will be used on your internal network.

Public Port

The port that will be accessed from the Internet.

Schedule

Select a schedule for when the service will be enabled. If you do not see the schedule you need in the list of schedules.

Clear

Re-initialize this area of the screen, discarding any changes you have made.

ROUTING

Add/Edit Route

Adds a new route to the IP routing table or edits an existing route.

Destination IP

The IP address of packets that will take this route.

Gateway

Specifies the next hop to be taken if this route is used. A gateway of 0.0.0.0 implies there is no next hop, and the IP address matched is directly connected to the router on the interface specified: LAN or WAN.

Metric

The route metric is a value from 1 to 16 that indicates the cost of using this route. A value of 1 is the lowest cost, and 15 is the highest cost. A value of 16 indicates that the route is not reachable from this router. When trying to reach a particular destination, computers on your network will select the best route, ignoring unreachable routes.

Interface

Specifies the interface (LAN or WAN) that the IP packet must use to transit out of the router, when this route is used.

Clear

Re-initialize this area of the screen, discarding any changes you have made.

Routes List

The section shows the current routing table entries. Certain required routes are predefined and cannot be changed. Routes that you add can be changed by clicking the Edit icon or can be deleted by clicking the Delete icon. When you click the Edit icon, the item is highlighted, and the "Edit Route" section is activated for editing. Click the Enable checkbox at the left to directly activate or de-activate the entry.
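The route fields above (Destination IP, Gateway, Metric, Interface, and the Enable checkbox) and the selection rule "pick the best route, ignoring unreachable routes" can be exercised in code. The following is an added example written for this page, not TRENDnet firmware: the `Route` class, the CIDR prefix length on the destination (the manual lists only a destination IP), the metric tie-break, and the sample routing table are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UNREACHABLE = 16   # the manual's "not reachable from this router" metric


@dataclass(frozen=True)
class Route:
    """One routing-table entry (hypothetical model of the Add/Edit Route form)."""
    destination: str   # destination network in CIDR form (prefix length is this example's assumption)
    gateway: str       # next hop; "0.0.0.0" means the destination is directly connected
    metric: int        # 1..16: 1 cheapest, 15 most expensive, 16 unreachable
    interface: str     # "LAN" or "WAN"
    enabled: bool = True   # the Enable checkbox in the Routes List

    def __post_init__(self) -> None:
        ipaddress.ip_network(self.destination)          # raises ValueError on a bad destination
        ipaddress.ip_address(self.gateway)              # raises ValueError on a bad gateway
        if not 1 <= self.metric <= UNREACHABLE:
            raise ValueError(f"metric must be 1..16, got {self.metric}")
        if self.interface not in ("LAN", "WAN"):
            raise ValueError(f"interface must be LAN or WAN, got {self.interface!r}")

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination)


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the route a packet to `dst` takes: only enabled, reachable, matching routes count;
    the most specific prefix wins, and among equal prefixes the lowest metric (cheapest)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.enabled and r.metric != UNREACHABLE and addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(route: Route) -> str:
    """Human-readable next hop, reflecting the meaning of a 0.0.0.0 gateway."""
    if route.gateway == "0.0.0.0":
        return f"directly connected on {route.interface}"
    return f"via {route.gateway} on {route.interface}"


# constructed sample table: two predefined routes plus three user-added ones
SAMPLE_TABLE = [
    Route("192.168.10.0/24", "0.0.0.0", 1, "LAN"),                  # predefined: the LAN itself
    Route("0.0.0.0/0", "203.0.113.1", 1, "WAN"),                    # predefined: default route to the ISP
    Route("10.20.0.0/16", "192.168.10.254", 2, "LAN"),              # a second router on the LAN
    Route("10.20.5.0/24", "192.168.10.253", 1, "LAN"),              # more specific path for one subnet
    Route("10.30.0.0/16", "192.168.10.254", UNREACHABLE, "LAN"),    # marked unreachable
]


if __name__ == "__main__":
    for dst in ("192.168.10.50", "10.20.5.9", "10.20.7.1", "10.30.1.1"):
        route = select_route(SAMPLE_TABLE, dst)
        print(f"{dst:15s} -> {route.destination if route else 'no route'}"
              f"{' ' + next_hop(route) if route else ''}")
```

Note how 10.30.1.1 does not simply become undeliverable: because the metric-16 entry is ignored, the packet falls through to the default route and leaves on the WAN interface, which is exactly what you want to check before relying on an "unreachable" entry to keep a private range off the Internet.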

ACCESS CONTROL

Enable

By default, the Access Control feature is disabled. If you need Access Control, check this option. Note: When Access Control is disabled, every device on the LAN has unrestricted access to the Internet. However, if you enable Access Control, Internet access is restricted for those devices that have an Access Control Policy configured for them. All other devices have unrestricted access to the Internet.
