Networking & Wireless forum

Resolved Question

Firewall - DMZ / WAN IP Address Assignments

by skikayaker / May 9, 2012 10:39 PM PDT

My setup to the question:

I've set up a D-Link DFL-700 firewall (LAN/DMZ/WAN config) behind a Cisco broadband router/gateway that connects with my carrier.

We'll say my Cisco broadband gateway IP is 201.201.201.1 and is part of a class-C block (201.201.201.0/24).

I set my WAN (static) to 201.201.201.2 and set the ARP to public.

I set my LAN to 192.168.1.1 (private) and also set up the DHCP server to use 192.168.1.1 as a range 192.168.1.0/24.

I set my DMZ to 201.201.201.6 and set the ARP to public with a single IP 201.201.201.6/32.

MY QUESTION:
Could I/Should I set my DMZ to the same IP as my WAN?

Note: Anytime I move a server on my 201.201.201.0 network behind the DMZ using the same IP there is a delay of many hours before the outside world can find the route despite clearing the ARP cache and DNS cache of the server that was moved.

When I read support notes from DLink I see two different scenarios. The FAQ suggests that the DMZ has a unique IP, and if NO NAT as in my case I would configure the way I've outlined here.

However, according to this link to a PDF diagram, the Dlink techs in the UK seem to suggest that the DMZ uses the same IP as the WAN.
ftp://ftp.dlink.co.uk/dfl_firewall/dfl-700/dfl-700_dmz_no_nat_config.pdf


All Answers

Best Answer chosen by skikayaker

Firewall - DMZ / WAN IP Address Assignments
by skikayaker / May 19, 2012 3:32 AM PDT

UPDATE:

I changed the firewall DMZ IP to be the same as the firewall WAN IP like the PDF I posted earlier in this thread suggested and it worked fine, without any problems. After this IP change I moved my mail server behind the DMZ hoping to not experience the latency issue I reported here, since I changed the IP of the DMZ to be the same as the WAN. The same latency issue occurred. It appears that even when the DMZ and WAN IP addresses are the same, moving a server from the WAN to the DMZ has the latency ARP issue.

SOLUTION:
I powered off/on my Cisco Router that is my gateway to the internet and the latency problem was resolved.

The issue is the ARP tables in the Cisco router that handles all the data going in and out of my network from the internet, and since this hardware is supplied by my carrier I do not have admin access and cannot clear the ARP. A simple power off/on is the fix here.

Answer
Proxy arp
by bill012 / May 10, 2012 1:11 AM PDT

You really, if at all possible, want to run a consistent subnet mask. When using a layer 2 design your machines in your DMZ should be able to directly communicate with the broadband gateway using the actual mac addresses. The firewall should be totally transparent other than filtering traffic.

The way it works when you use the same subnet on multiple networks is that the device in between has to spoof the arp messages. So when the broadband gateway arps the ip of the server, the firewall sends its mac address pretending to be the server. This tends to be messy.

I would suspect the arp table you need to clear is in the broadband gateway since it does not know in effect you changed the mac of your server.

The more standard way to do this is to route the traffic. You would put in a small subnet for the connection between the gateway and the firewall. You would then route a different subnet to the firewall for machines in the DMZ. Of course the reason many people do not do it this way is because it needs more addresses which are tough to get if they are actually public internet IP.

It will most likely work the way you have it. You would be in much more trouble if you were using a cable modem and it was the providers device that needed the ARP cleared.

Firewall - DMZ / WAN IP Address Assignments
by skikayaker / May 15, 2012 6:41 AM PDT
In reply to: Proxy arp

Thank you for your reply. I have an entire class-c block (255) of IP addresses and have a handful of extra IPs I can use. I'm not sure if I understand your idea regarding routing multi-subnets between the gateway and the firewall scenario, but I'm interested if you can elaborate.

Also, in my scenario where 201.201.201.1 is my gateway, and 201.201.201.2 is my WAN side of my firewall, should I be allocating 201.201.201.2 (same as WAN) to my DMZ interface, or should I allocate 201.201.201.6 (unique IP that is also part of the same subnet)? In my initial post I referenced a PDF from DLink UK division indicating WAN and DMZ use same IP. The American division FAQ indicates unique IP address assignments within the same subnet for WAN and DMZ.

My config I noted in my initial post works, but for some reason, takes time to propagate to DNS resolution.

Additional info would be appreciated.

Thanks!

Tough manual
by bill012 / May 15, 2012 10:57 PM PDT

This is a very hard-to-read manual. They are trying to make it easy for people who only have a single IP address, which makes it hard for those who have lots of real ip addresses.

I would guess you want to make the ip for the dmz and the wan the same. From what I can tell they are using the ability to change the IP on the DMZ as a way to subnet the block. So if you have a /24 and want to use the last /26 block for your dmz you would not be able to see the real gateway.

This is a messy way to do this and is completely dependent on proxy arp to work.

I would try to get it to work with the same address on the DMZ and WAN. I would also try to turn off the proxy ARP setting.

I suspect this proxy arp is the cause of all your problems.

I doubt you have a DNS issue since you are not changing the address of the server and are not NATing, so the IP address to name mapping should not change.

Say your server has mac xx.xx.xx.xx.xx and your router has yy.yy.yy.yy.yy

When you have the server not behind the DMZ, the broadband router issues an ARP for, say, a server IP of 201.201.201.201 and the server gives it xx.xx.xx.xx.xx. Now when you move your server into the DMZ, even though the IP did not change, the mac is now yy.yy.yy.yy.yy. So traffic from the server to the internet still goes to the broadband router since its mac is the same. Traffic coming back from the internet gets to the broadband router and it will try to send it to xx.xx.xx.xx.xx, which does not exist, but it does not know that. After a couple of hours the ARP entry in the broadband router will time out and it will issue a new ARP for 201.201.201.201, and your router will say... that's me and give it yy.yy.yy.yy.yy even though that is not really the server mac. It now works until you move it back, and the broadband router now has the wrong mapping in its ARP table.

So you can either clear the arp in the broadband router, figure out how to get it to work without proxy arp, or not move the server around.
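As an added example, not code from the thread, from D-Link or from Cisco, the Python simulation below models the ARP-cache behaviour bill012 describes in the "Proxy arp" and "Tough manual" replies: a gateway that has cached the server's real MAC keeps sending inbound frames to it after the server moves behind a proxy-ARP firewall, the frames are lost until the entry expires, and then the firewall's proxy reply takes over. The server and firewall MACs (xx/yy) and the 201.201.201.x addresses are the thread's own placeholders; the 4-hour cache lifetime is an assumption about the carrier's router, and clearing the cache stands in for the power cycle the accepted answer used.

```python
"""Constructed simulation of the stale-ARP-entry problem from this thread.

Not code from the original posts or from D-Link/Cisco; all MACs and IPs
are the placeholder values used in the thread, and the 4-hour cache
lifetime is an assumption about the carrier's router.
"""
from dataclasses import dataclass, field

ARP_TIMEOUT = 4 * 3600  # assumed ARP cache lifetime of the broadband router, seconds


@dataclass
class Host:
    name: str
    mac: str
    ips: set  # IPs this host answers ARP requests for (including proxy-ARP'd ones)


@dataclass
class ArpCache:
    """The broadband router's ARP table: ip -> (mac, expiry time)."""
    ttl: int = ARP_TIMEOUT
    entries: dict = field(default_factory=dict)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None  # missing or expired

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)

    def clear(self):
        """What the power cycle in the accepted answer effectively does."""
        self.entries.clear()


class Segment:
    """The layer-2 segment the broadband router sits on (the 'WAN switch')."""

    def __init__(self, hosts):
        self.hosts = list(hosts)

    def arp_request(self, ip):
        # The first host publishing the IP answers; a proxy-ARP firewall answers
        # with its own MAC for IPs that now live behind it.
        for h in self.hosts:
            if ip in h.ips:
                return h.mac
        return None


def forward_from_internet(cache, segment, dst_ip, now):
    """Deliver one inbound frame for dst_ip from the broadband router.

    Returns the name of the host that receives it ("firewall" means the
    firewall proxied it and will pass it on into the DMZ), the string
    "misdelivered:<host>" when the cached MAC belongs to a host that no
    longer owns the IP, or None when the cached MAC is no longer on the
    segment and the frame is simply lost.
    """
    mac = cache.lookup(dst_ip, now)
    if mac is None:
        mac = segment.arp_request(dst_ip)
        if mac is None:
            return None
        cache.learn(dst_ip, mac, now)
    for h in segment.hosts:
        if h.mac == mac:
            return h.name if dst_ip in h.ips else f"misdelivered:{h.name}"
    return None


def run_scenario(clear_cache_on_move=False):
    """Move a server from the WAN switch into the DMZ and watch inbound traffic."""
    server_ip = "201.201.201.201"
    server = Host("server", "xx:xx:xx:xx:xx:xx", {server_ip})
    firewall = Host("firewall", "yy:yy:yy:yy:yy:yy", {"201.201.201.2"})
    segment = Segment([server, firewall])
    cache = ArpCache()
    r = {}
    r["before_move"] = forward_from_internet(cache, segment, server_ip, now=0)

    # Move the server behind the DMZ: it leaves the gateway's segment and the
    # firewall starts answering ARP for its IP (proxy ARP). The IP is unchanged.
    segment.hosts.remove(server)
    firewall.ips.add(server_ip)
    if clear_cache_on_move:
        cache.clear()

    r["just_after_move"] = forward_from_internet(cache, segment, server_ip, now=60)
    r["before_timeout"] = forward_from_internet(cache, segment, server_ip, now=ARP_TIMEOUT - 1)
    r["after_timeout"] = forward_from_internet(cache, segment, server_ip, now=ARP_TIMEOUT + 1)

    # Move it back out: the gateway now holds the firewall's MAC for the server IP.
    firewall.ips.discard(server_ip)
    segment.hosts.append(server)
    r["after_move_back"] = forward_from_internet(cache, segment, server_ip, now=ARP_TIMEOUT + 2)
    return r


if __name__ == "__main__":
    for label, result in (("no cache clear", run_scenario()),
                          ("cache cleared on move", run_scenario(clear_cache_on_move=True))):
        print(label, result)
```

Running it without clearing the cache shows inbound frames lost from the moment of the move until the cached entry expires, then reaching the firewall; the "after_move_back" result shows the mirror-image problem bill012 mentions, where the gateway keeps handing the server's traffic to the firewall after the server has left the DMZ. With `clear_cache_on_move=True` the re-ARP happens immediately, which is why the power cycle in the accepted answer fixed the delay.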

Thank you Bill.
by R. Proffitt Forum moderator / May 16, 2012 2:25 AM PDT
In reply to: Tough manual

Nice writeup!

Firewall - DMZ / WAN IP Address Assignments
by skikayaker / May 17, 2012 12:41 AM PDT
In reply to: Tough manual

Thanks Bill. One thing I will try next time I move a few more servers from the WAN switch to the DMZ switch is to power off/on the Cisco Router to clear the ARP. I don't have admin access to the Cisco since it's controlled by my broadband carrier. The other thing I'll try is setting the DMZ IP to be the same as the WAN IP rather than a different IP within the same subnet. Since the servers are production and in constant use I have to wait for the weekend. I'll post my results here.

One thing that I failed to mention, that is also required by my DFL-700 firewall is to add each IP that I move behind the DMZ to the Routing table and check the box:
"Publish network on all other interfaces via Proxy ARP "

I don't think there is a workaround to this, with the exception of the less desirable port mapping option within the same switch.

I think clearing the Cisco router with power off/on, and possibly setting the same IP for WAN and DMZ will do the trick.
