How to set up a DMZ LAN on FVX538


This document describes how to set up a DMZ LAN on the FVX538 firmware version 3.0.3-17, and how to use the Multi-NAT function on the DMZ. This article will cover the following features:

1. Enable & configure the FVX538 DMZ port

2. Inbound & Outbound rules for DMZ

Topology:

Internet
FVX538 (Firmware: 3.0.3-17)
  WAN: 10.180.38.80 (multiple IPs from ISP: 10.180.38.80-10.180.38.85)
  LAN: 192.168.1.1
  DMZ: 172.16.0.1
DMZ hosts: 172.16.0.20, 172.16.0.80

Note: There is an FS116 (16-port switch) connected to the FVX538 in this diagram so that multiple servers can be part of the DMZ.

We have been given multiple static IP addresses from our ISP which range from 10.180.38.80-10.180.38.85 (obviously imaginary). We would like our FTP server (local IP 172.16.0.20) to be accessed from the public IP of 10.180.38.82, and our HTTP server (172.16.0.80) to be accessed from the public IP of 10.180.38.80, which is also our router’s public address. We would like our local users (192.168.1.x) to be able to access the FTP and HTTP service of those servers. LAN user-initiated access to the DMZ is enabled by default (but DMZ-initiated access to the LAN is blocked by default), so we will not need to add any LAN DMZ rules to allow Local User access. They can access the servers through their DMZ IPs of 172.16.0.x.

 

First, assuming our LAN IP and Internet are already connected, we’ll need to enable the DMZ. In the Network Configuration->DMZ Setup menu:

1 – Select Yes for Do you want to enable DMZ Port?

2 – Input the router’s DMZ IP address and Subnet Mask in the IP Address and Subnet Mask fields (computers on the DMZ will use this as their gateway). We chose 172.16.0.1.

 

Note: The DMZ IP address will be the Default Gateway IP address for all of your PCs or devices that will be connected to the DMZ port (8). Do not use the IP address that you have assigned to one of your servers. Also, the DMZ’s IP address cannot be on the same subnet as the LAN (if your router’s LAN address is 192.168.1.1/255.255.255.0, you cannot set the DMZ to 192.168.1.x). Finally, the DMZ address needs to be a private address (RFC1918).

 

3 – In this case, we’ve also enabled the DHCP server. This is optional, but is recommended if you would like devices on the DMZ to automatically receive IPs from the FVX538 DHCP server.

After clicking Apply, you should be able to connect devices to the DMZ port (8) on the FVX538. Static addresses given to those devices will be set to the 172.16.0.x subnet with a gateway of 172.16.0.1, which is the router’s DMZ IP address.

 

Next, we’ll configure the FTP and HTTP servers’ firewall rules. If we have set the FTP server’s static IP to be 172.16.0.20 and the HTTP server’s IP to be 172.16.0.80, then we’ll use the following settings:

Go to the Security->Firewall Rules->DMZ WAN Rules menu:

 


No rules are currently shown. Under Inbound Services, click add.. to add a new Inbound Service Policy. The following screen appears:

1 – Under Service, choose the service you’d like. In this case we chose FTP. If you’d like all services to be forwarded to a server, you can choose Any.

 

Note: If the service (or port) that you would like forwarded doesn’t appear in the Service dropdown, you can create a custom service in the Security->Services menu, after which your new service name will be shown in the Service dropdown list in this screen.

 

2 – Under Action choose Allow always.

3 – For Send to DMZ Server, choose the local DMZ address of the server where you would like this type of traffic to be forwarded.

4 – Under WAN Destination IP Address, choose Other Public IP Address. In the box that appears on the right, input the public IP address your ISP has given to you that you would like to be assigned to that server/service.

All other fields can be left as default. When all the information is set, click Apply. The following screen will appear:

You can see the information we entered in the previous screen is now displayed in the Inbound Services menu.

 

Using the same procedure, we can create an HTTP service as well. This time we’ll just tell it to use the same IP that the router is assigned on WAN1:

1 – Under Service choose the service you’d like. In this case we chose HTTP.

2 – Under Action choose Allow always.

3 – For Send to DMZ Server, choose the local DMZ address of the server where you would like this type of traffic to be forwarded.

4 – Under WAN Destination IP Address, choose WAN1.

5 – Under WAN Users choose Any.

6 – Under Log choose Never.

 

When all the information is set, click Apply. The following screen will appear:

If our FTP server needs to send files to remote servers that require the connection to be from a specific IP, we can change the IP our server reports in the Outbound Services section. Clicking add… under Outbound Services shows the following screen:

 

1 – Under Service choose FTP

2 – Under Action choose Allow always

3 – Under DMZ Users choose Single Address. In the fields that appear to the right, type the server’s local DMZ IP address.

4 – Under NAT IP, choose Single Address. In the fields that appear to the right, type the public IP address you would like the server to report as its own.

 

All other settings should be fine as default. Click the Apply button and the following screen appears:

Since the HTTP server will use the router’s WAN1 address for its outbound address by default, there is no need to add a rule for that.

At this point, we have configured the servers to be accessible from the Internet. By default, LAN users can initiate connections to the DMZ (but the DMZ can’t initiate connections to the LAN), so we don’t need to add anything else.
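Before entering the values in the GUI, the addressing note in the DMZ setup step and the inbound rules above can be checked on paper. The following is an added example, not part of the original article or any NETGEAR tool: it models the rules as plain dictionaries (a constructed format, not a router export), assumes a 255.255.255.0 mask on the DMZ, and flags a DMZ address that is not RFC1918, overlaps the LAN or collides with a server, as well as inbound rules that target an unlisted host, a public IP outside the ISP range, or the Any service.

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Values from the article's topology. The rule dictionaries are a constructed
# model of the GUI fields, not an FVX538 export format; the /24 DMZ mask is assumed.
LAN, DMZ = "192.168.1.1/255.255.255.0", "172.16.0.1/255.255.255.0"
ISP_RANGE = ("10.180.38.80", "10.180.38.85")
SERVERS = {"ftp": "172.16.0.20", "http": "172.16.0.80"}
RULES = [
    {"service": "FTP", "dmz_server": "172.16.0.20", "wan_ip": "10.180.38.82"},
    {"service": "HTTP", "dmz_server": "172.16.0.80", "wan_ip": "10.180.38.80"},
]

def check_dmz_plan(lan, dmz, servers):
    """Return violations of the DMZ addressing note (private, off-LAN, not a server IP)."""
    lan, dmz = ip.ip_interface(lan), ip.ip_interface(dmz)
    problems = []
    if not any(dmz.ip in net for net in RFC1918):
        problems.append("DMZ address is not RFC1918 private")
    if dmz.network.overlaps(lan.network):
        problems.append("DMZ subnet overlaps the LAN subnet")
    for name, addr in servers.items():
        addr = ip.ip_address(addr)
        if addr == dmz.ip:
            problems.append(f"{name} uses the DMZ gateway address")
        elif addr not in dmz.network:
            problems.append(f"{name} is outside the DMZ subnet")
    return problems

def check_inbound_rules(rules, servers, isp_range):
    """Flag inbound rules that point at unknown hosts, unowned IPs, or use service Any."""
    lo, hi = (ip.ip_address(a) for a in isp_range)
    known = {ip.ip_address(a) for a in servers.values()}
    problems = []
    for r in rules:
        target, wan = ip.ip_address(r["dmz_server"]), ip.ip_address(r["wan_ip"])
        if target not in known:
            problems.append(f"{r['service']}: forwards to unlisted host {target}")
        if not lo <= wan <= hi:
            problems.append(f"{r['service']}: {wan} is not one of the ISP addresses")
        if r["service"].lower() == "any":
            problems.append(f"{r['service']}: every port on {wan} reaches {target}")
    return problems

if __name__ == "__main__":
    for issue in check_dmz_plan(LAN, DMZ, SERVERS) + check_inbound_rules(RULES, SERVERS, ISP_RANGE):
        print("WARN", issue)
    print("plan checked")
```

With the article's values both checks return no warnings; changing a rule's service to Any shows how much wider the exposure of that public IP becomes.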
