DMZ in luci please?

Is there a way to set DMZ in the web interface ?

1 Like

No, I don't think so.

You can add something like this in /etc/config/firewall to enable DMZ.

config redirect
    option src wan
    option proto all
    option dest_ip 192.168.1.100
1 Like

Well. DMZ basically means:

  • You keep your regular LAN network
  • Other computers of your environment to be reachable from the outside (either through regular routing a couple of IP addresses or port forwarding) are never part of your LAN but of a separate network
  • Firewall configuration allows for traffic from LAN to DMZ but not the other way around

This way, DMZ hosts can be taken over through security issues within the services they expose but since the DMZ hosts are not allowed to directly contact your LAN hosts, your LAN is safe unless LAN clients establishes a connection to an infected DMZ host.

This very scenario can be done purley within LuCI

  • Create a separate DMZ interface
  • Bridge not vlan eth0.1 (LAN) or eth0.2 (WAN) but something else, like eth0.3.
  • Set up a switch config to have some ports not expose vlan 1 but vlan 3
  • Create a separate firewall zone DMZ which is "reject" by default but allows to contact "wan" directly.
  • Since this firewall setting prevents DHCP and DNS as well, you need to allow at least inbound DHCP traffic from DMZ, and either provide an external DNS server through DHCP or allow inound DNS traffic from DMZ.

r43k3n, what you describe is not an answer to the question in two different aspect:

  • First thing is: That's not a DMZ at all but an "exposed host" configuration, which lacks the specific parameter of "192.168.1.100 can be infected but other LAN devices are prevent from this infection being spreaded"
  • You describe settings, but not the way to click in LuCI -- but the LuCI web interface was asked for in the OP post.

Regards,
Stephan.

Steps:

Network menu, Firewall, Traffic Rules tab, Traffic Rules section, New forward rule section,
fill "Allow-DMZ" (dont use spaces, just '-a-zA-Z'), source 'wan', destination 'lan', clic on Add and Edit...
select proper destination address (the internal IP of the Computer that will expose all his ports to WAN network)
Change any other desired settings.

Save or Save & Apply.

3 Likes

hello i don't have function for me , i have a fai tp link lede ,netduma r1 and ps4 pro

how make please ?

I do not understand what are you trying to say, please elaborate better your explanation of what problem you have.

ok sorry i have successfull to place to dmz in lede for the netduma :wink: thanks

You also need to do this in ssh according to what I'm researching:

uci set uhttpd.main.rfc1918_filter='0'

Do you know what that setting is and what it does?

There's no need for that setting. The user never told us they'd be accessing the router from the Internet (not suggested anyway).

Also see on the DMZ topic:

That's UCI, not LuCI as requested.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.