cele
just joined
Topic Author
Posts: 6
Joined: Tue Feb 08, 2011 12:44 am

NAT vs. DMZ

Wed Feb 09, 2011 11:34 am

Public x.x.x.x
Local 192.168.0.1/24
server 192.168.0.2
PC 192.168.0.3

If I want to access the server through the public IP from a PC in the local network, will it work if I only put the server in the DMZ? For example, an HTTP connection. Or should I do NAT translation?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT vs. DMZ

Wed Feb 09, 2011 4:01 pm

http://wiki.mikrotik.com/wiki/Hairpin_NAT
But introducing a separate DMZ network is much cleaner if you can do that.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
unbkbl
just joined
Posts: 8
Joined: Tue Feb 08, 2011 6:01 pm
Location: Medellin, Colombia

Re: NAT vs. DMZ

Wed Feb 09, 2011 11:42 pm

DMZ is less secure, as you need to strongly secure the whole server you put in the DMZ. It's better to just NAT the ports you need to access from the Internet.
Voluntas - Fides - Esperantia
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT vs. DMZ

Thu Feb 10, 2011 12:10 am

DMZ is significantly more secure as the device that is most likely to get compromised (the server accessible from the public Internet) won't be on the same subnet as all other hosts secured by benefit of not being accessible at all.

Unless we're having a definition problem: I'm not talking about a SOHO router DMZ where ALL ports are forwarded to a device on the local network, like D-Link or Netgear routers etc. do. I'm talking about a true DMZ where you have three separate IP networks: WAN, LAN, and DMZ. The LAN can access the DMZ and WAN, the DMZ can access the WAN, and the WAN can access only specific services by merit of an explicit NAT port forward (if you're doing NAT), and a hole poked explicitly in the firewall. You get the same host protection for the DMZ host as if it was on the LAN, but the LAN is additionally protected from the DMZ host, which is the host most likely to be attacked.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
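The three-network policy in the post above (LAN may reach DMZ and WAN, DMZ may reach WAN only, WAN may reach only an explicitly published service), written out as RouterOS firewall rules. This is an added example, not configuration from the thread or from MikroTik; the interface names WAN, LAN and DMZ, the DMZ subnet 10.10.10.0/24, the server address 10.10.10.2 and the published port mapping x.x.x.x:2022 -> 10.10.10.2:22 are assumed placeholders.

```routeros
# Added example (not from the thread): three-interface DMZ policy on RouterOS.
# Assumed: interfaces WAN, LAN, DMZ; DMZ subnet 10.10.10.0/24; server 10.10.10.2;
# public address x.x.x.x (placeholder). Adjust to your own addressing.

/ip firewall nat
# The only service the Internet may reach: public x.x.x.x:2022 -> server ssh (22)
add chain=dstnat in-interface=WAN protocol=tcp dst-port=2022 action=dst-nat to-addresses=10.10.10.2 to-ports=22 comment="publish ssh to DMZ server"
# LAN and DMZ leave towards the Internet behind the public address
add chain=srcnat out-interface=WAN action=masquerade comment="outbound masquerade"

/ip firewall filter
# Replies and related packets of flows that were already permitted, in any direction
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# LAN may open connections to DMZ and to WAN
add chain=forward in-interface=LAN out-interface=DMZ action=accept
add chain=forward in-interface=LAN out-interface=WAN action=accept
# DMZ may open connections to WAN only; there is deliberately no DMZ -> LAN rule
add chain=forward in-interface=DMZ out-interface=WAN action=accept
# WAN may open connections into the DMZ only to the published service.
# The forward chain runs after dst-nat, so the rule matches the translated address/port.
add chain=forward in-interface=WAN out-interface=DMZ protocol=tcp dst-address=10.10.10.2 dst-port=22 action=accept
# Everything else, including any attempt by the DMZ host to reach the LAN, is logged and dropped
add chain=forward action=log log-prefix="fwd-drop: "
add chain=forward action=drop
```

The security property the post describes comes from the last three rules: a compromised DMZ server can still talk to the Internet, but its packets towards the LAN hit the final drop, and the log prefix gives you a detection signal for exactly that event. Keep the explicit WAN -> DMZ accept as narrow as the dst-nat rule (one address, one port) so that the filter and the NAT rule document the same single exposure.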
 
unbkbl
just joined
Posts: 8
Joined: Tue Feb 08, 2011 6:01 pm
Location: Medellin, Colombia

Re: NAT vs. DMZ

Thu Feb 10, 2011 12:44 am

Thanks for the clarification, my mistake.
Voluntas - Fides - Esperantia
 
cele
just joined
Topic Author
Posts: 6
Joined: Tue Feb 08, 2011 12:44 am

Re: NAT vs. DMZ

Thu Feb 10, 2011 9:42 am

Public x.x.x.x
Local 192.168.0.1/24
server 192.168.0.2
PC 192.168.0.3

If I want to access the server through the public IP from a PC in the local network, will it work if I only put the server in the DMZ? For example, an HTTP connection. Or should I do NAT translation?
I'm asking about this because I port forwarded (NAT) port x.x.x.x:2022 to 192.168.0.2:22, and I can access the server from outside (Internet), but when I try to access the server from 192.168.0.3 by the public IP (x.x.x.x:2022) it doesn't work. My question is: why?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: NAT vs. DMZ

Thu Feb 10, 2011 3:58 pm

Read the link I posted as an immediate reply higher up.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
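For the single-subnet case from the question (server 192.168.0.2, PC 192.168.0.3, port forward x.x.x.x:2022 -> 192.168.0.2:22), the reason the connection from the LAN fails is that the port forward rewrites the destination but not the source: the server receives a packet from 192.168.0.3 and answers it directly on the LAN, so the PC gets a SYN-ACK from 192.168.0.2 when it was waiting for one from x.x.x.x and discards it. The rules below are an added example of the "hairpin NAT" fix the link refers to, not the thread's own configuration or the wiki page's text; the interface names LAN and WAN and the x.x.x.x placeholder are assumptions.

```routeros
# Added example (not from the thread): hairpin NAT for a forwarded service on RouterOS.
# Topology from the question: LAN 192.168.0.0/24 on interface LAN, server 192.168.0.2,
# PC 192.168.0.3, public address x.x.x.x (placeholder) on interface WAN.

/ip firewall nat
# Normal outbound masquerade for the LAN
add chain=srcnat out-interface=WAN action=masquerade comment="outbound masquerade"

# The port forward matches on the public address rather than on in-interface=WAN,
# so it also fires when the PC on the LAN sends to x.x.x.x:2022.
add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=2022 action=dst-nat to-addresses=192.168.0.2 to-ports=22 comment="publish ssh"

# Hairpin: when a LAN host reaches the forwarded service, also rewrite the source
# to the router's LAN address, so the server answers via the router and the router
# can un-translate both ends. Without this rule the server replies straight to
# 192.168.0.3 from 192.168.0.2 and the TCP handshake never completes.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.2 protocol=tcp dst-port=22 action=masquerade comment="hairpin ssh from LAN"
```

Scope the hairpin rule to the one server and port, as above, rather than masquerading all LAN-to-LAN traffic. Note the trade-off for the server's own logs: with this rule every LAN client appears as the router's LAN address, so ssh auth logs on 192.168.0.2 no longer show which workstation connected. If that matters for your audit trail, resolving the server's name to 192.168.0.2 on the LAN (split DNS) or moving the server to a real DMZ network, as suggested earlier in the thread, avoids the hairpin entirely.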
