DMZ with public IP address

Hi Guys.

So, using a CCR, I have 3 ports.

1 - WAN
2 - LAN
3 - DMZ

Public IP/Subnet addresses are assigned to port 1 and 3.

Phone system is attached to port 3 using public address.

I have a NAT masquerade rule for LAN going out WAN.

The DMZ port seems to be working well, however, when locking down the router, I’m noticing some traffic coming through the firewall. The traffic is:

forward: in 1, out 3. There is nothing in the log about it coming from port 3 and going out 1, which is what I’d expect. I also wouldn’t expect it coming back the same way.

Since this port is pure routing, my question is why it is showing in the firewall log. Or am I thinking about this wrong… -_-

The examples are using NAT… Shouldn’t be natting a DMZ imo… but anyways.

A DMZ, or demilitarized zone, is a configuration in which one or more LAN IPs are exposed to an unsecured network. So, for example, if you have a local WWW server with a local IP and you want to expose it on an external public IP. I assume that your 3rd port with the public IP address should work as the DMZ and that all traffic coming in on this port should be forwarded to your local IP.

Check that all packets coming in on the 3rd port are going to your local IP, and that all packets from your local IP are going out via your 3rd (DMZ) interface. You may need to mark packets or routing to make it work.

It’s not easy to give any answer to this without more details. Under normal circumstances, network traffic destined for the DMZ will arrive on the WAN interface and it will be routed to the DMZ. Return traffic will enter your firewall on the DMZ interface and exit on your WAN interface. From your description, you make it sound like that is not the case here?

Or are you simply thinking that routed traffic should not be considered by the firewall?

For more help, please describe your setup. Configuration extracts, IP networks and routing tables, examples from the firewall log, as well as a network diagram will help us as well as yourself to understand what you’re asking.

It’s more that routed traffic should not be considered by the firewall. It’s coming through as natted, yet there are no NAT rules apart from the one LAN->WAN masquerade rule.

I have no dst nat rules to the DMZ port. Routing is working fine.

I guess my question is, why am I seeing that traffic, or am I just getting confused :smiley:

I guess a simple way around it would be two rules for traffic coming and going between the DMZ port and WAN?

Everything is checked by the firewall. If you don’t want that, you will need to add some firewall rules (early!) that make the traffic pass through unchecked - something like accepting everything that comes in on interface 1 and goes out on interface 3, and vice versa.

You could of course remove all firewall rules, but that would break your NAT traffic on interface2.

As a side note, a DMZ does not necessarily mean that there should be no firewall filtering whatsoever. It’s rather normal to allow just a known set of protocols to enter the DMZ.
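A concrete version of the rule set this reply describes, as an added example that is not part of the thread: RouterOS filter rules placed ahead of any existing lock-down rules, accepting routed DMZ-to-WAN forwarding while restricting WAN-to-DMZ to a known set of protocols, with the existing LAN masquerade left as the only NAT rule. The interface names ether1 (WAN), ether2 (LAN) and ether3 (DMZ), the LAN subnet 192.168.88.0/24, the DMZ host address 203.0.113.10, and the SIP/RTP ports are all assumptions chosen for illustration.

```routeros
# Added example (not from the thread). Interface names, the LAN subnet, the DMZ
# host address and the SIP/RTP ports below are assumptions for illustration only.

/ip firewall nat
# The one NAT rule from the OP: LAN -> WAN masquerade. The DMZ is routed, not NATed,
# so no srcnat/dstnat rule references ether3 at all.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="LAN -> WAN masquerade (only NAT rule)"

/ip firewall filter
# Every packet the CCR routes between interfaces passes the forward chain, which is
# why "forward: in 1, out 3" shows up in the log even with no NAT on the DMZ port.
add chain=forward connection-state=established,related action=accept \
    comment="Return traffic for connections already accepted below"
add chain=forward connection-state=invalid action=drop \
    comment="Drop packets that belong to no tracked connection"

# DMZ -> WAN: the phone system may initiate outbound connections (routed, no NAT).
add chain=forward in-interface=ether3 out-interface=ether1 action=accept \
    comment="DMZ to WAN"

# WAN -> DMZ: only the protocols the DMZ host is known to need.
# (Ports are assumptions; replace with the phone system's documented ones.)
add chain=forward in-interface=ether1 out-interface=ether3 \
    dst-address=203.0.113.10 protocol=udp dst-port=5060 action=accept \
    comment="SIP signalling to phone system (port assumed)"
add chain=forward in-interface=ether1 out-interface=ether3 \
    dst-address=203.0.113.10 protocol=udp dst-port=10000-20000 action=accept \
    comment="RTP media to phone system (range assumed)"

# Anything else arriving from WAN for the DMZ is logged, then dropped, so the
# firewall log explains exactly what was refused and why.
add chain=forward in-interface=ether1 out-interface=ether3 action=log \
    log-prefix="DMZ-DENY" comment="Log refused WAN -> DMZ traffic"
add chain=forward in-interface=ether1 out-interface=ether3 action=drop \
    comment="Default deny WAN -> DMZ"

# LAN may go anywhere (it is masqueraded on the way out of ether1); everything
# not matched above is dropped.
add chain=forward in-interface=ether2 action=accept comment="LAN outbound"
add chain=forward action=drop comment="Default deny for all other forwarding"
```

Rule order matters: on a router that already has lock-down rules, these accepts have to sit above them, so on a live box they would be inserted with `place-before=` or moved up with `/ip firewall filter move` rather than appended. The two accept rules for ether1<->ether3 are the "vice versa" pair this reply mentions; the WAN-to-DMZ direction is narrowed to a known protocol set rather than accepting everything, which is the filtering the side note recommends.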