Hi there
I am trying to make a connection between a DMZ server, with a public address, and LAN computers.
When I ping the public address 80.80.80.110 FROM a local area computer, all works fine.
But if I try to ping from the DMZ server (80.80.80.110) to a local area network computer, I get "Request time out".
What's wrong? All networks are directly connected to the router.
Scheme is attached.
Routing table looks like this:
What do you mean by saying that the LAN computers are not firewalled? Are you not running firewall rules on the router, or have you turned off any host firewalls on the LAN computers that often by default block ICMP, or both?
Do you have a masquerade or src-nat rule in the 192.168.1.1/24 router? If so, that is probably causing you a challenge. You have a few options:
A dst-nat rule from a public ip (or ips) to one (or more) of your private ips,
move the masquerade or src-nat rule to the WAN router (requires route back to 192.168.1.0/24 net),
or VPN.
EDIT: Oops! My bad. The “move the masquerade” option is out. The “WAN” router is not yours.
Replace that with this option:
Move the server behind the router (give it a 192.168.1.x/24 ip) and dst-nat the public address to the private address.
This last option is not only what I recommend, it is what I am currently using. The RouterOS firewall covers all your machines then. This firewall filter rule is my FAV!
/ip firewall filter add chain=forward action=drop src-address=xx.xx.xx.xx/yy comment="hacking, spamming butthead"
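As an added example, not from the thread, here is what the recommended option looks like in RouterOS: the server moved behind the router onto a 192.168.1.x address, with the public address dst-nat'ed to it and its outbound traffic src-nat'ed back. The interface names eth-wan and eth-local, the server address 192.168.1.10, and the assumption that the router already owns (or answers ARP for) 80.80.80.110 on eth-wan are mine, not the poster's.

```routeros
# Added example, not from the thread. Assumptions: the server is now
# 192.168.1.10 on eth-local, the router's upstream interface is eth-wan,
# and 80.80.80.110 is an address the router already holds on eth-wan.

/ip firewall nat
# Inbound: anything arriving for the public address goes to the server.
add chain=dstnat dst-address=80.80.80.110 action=dst-nat to-addresses=192.168.1.10 comment="public 80.80.80.110 -> server"
# Outbound: the server leaves with its own public address. This rule must sit
# above the masquerade rule, otherwise the masquerade would catch it first.
add chain=srcnat src-address=192.168.1.10 out-interface=eth-wan action=src-nat to-addresses=80.80.80.110 comment="server -> public"
# Every other LAN host leaves masqueraded behind the router's WAN address.
add chain=srcnat out-interface=eth-wan action=masquerade comment="LAN -> internet"

/ip firewall filter
# Replies and related traffic are allowed in both directions.
add chain=forward connection-state=established,related action=accept
# New connections from the WAN are accepted only if a dst-nat rule matched,
# i.e. only those aimed at the published server address.
add chain=forward in-interface=eth-wan connection-state=new connection-nat-state=dstnat action=accept comment="published services only"
# Everything else coming from the WAN is dropped. A per-source blocklist rule
# such as the one in the post above belongs before this line.
add chain=forward in-interface=eth-wan action=drop comment="drop unsolicited WAN"
# Server <-> LAN traffic never crosses eth-wan, so neither the NAT rules nor
# the WAN drop rule touch it: the DMZ-to-LAN ping from the question works.
```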
I mean ICMP packets are not blocked by the host firewall.
In general, with no firewall rules set on the router and the firewall not started on the hosts, all ICMP packets must be routed by the router and accepted by the hosts, but this is not happening.
I want to clarify whether the router forwards packets from the DMZ (with a public IP) to the LAN (with a private IP) directly, without NAT-ing?
Both networks are directly connected to the router through the eth-local and eth-dmz interfaces.
I know from theory that routers don't forward packets with a private source IP address through the default route, but I don't understand why packets aren't forwarded between two directly connected networks (one with public IPs and the other with private IPs).
That is the point. You can have a private net behind the router, protected by the masquerade/src-nat. I have 2 servers, one http and one smtp, behind a MT router. Both are on private ips, src-nat/dst-nat routed to public ips. And both perform great. The router firewall cuts my server traffic by 80%.
Is there a reason you do not want a masquerade/src-nat?