Advanced DMZ Network on a Thomson Router


If you need help with telnet commands, read the telnet page (telnet.html) first.

Important
Use the router's web interface to back up the router settings before experimenting.
Reinstalling the backup, or in the worst case resetting to factory defaults and then reinstalling the backup, should get things back to how they were.
Undo commands are not shown on this page, so you will need the router config backup to remove these commands.
Use these commands at your own risk.
This page shows one example of an advanced DMZ network; make your own judgment about the security it offers. The isolation depends on the VLAN separation and on the firewall rules in the last section, so test it from a DMZ host when you have finished.

Objective
To create a DeMilitarized Zone (DMZ) on the router which has internet access but is isolated from the local network (LAN).
This keeps the LAN and the router itself private from hosts on the DMZ network.
It gives a safer place for a web server and similar machines: if the web server is compromised there should be no way through to the LAN.
This example gives the option of placing up to three ethernet ports on the DMZ network. Ethernet port 1 cannot be moved.
There is also the option of placing a virtual wireless station on the DMZ network,
and the option of forwarding all ports to a single IP address.

Any server or games machine placed in the DMZ will need a port-forward rule created in the normal way.
Alternatively the "forward all ports" option may be used.

An alternative use for a DMZ network is to provide internet access for guests.
This gives them internet access while keeping your LAN secure and private.

The Commands:

I'll try to present this in a modular form so that only the required options need to be used.



Create a Virtual Wireless Station (supported on the TG587n v2 but not on the TG585v7)

If wireless is not required, skip this section.

Command / Comments

wireless mssid ifadd ssid=MyDMZ
    "MyDMZ" could be any SSID.
    This command gives the response
    "Allocated ssid id[0/1] ethernet port[wl_ssid1_local0]"
    Make a note of the ssid_id, in this case "1",
    and the ethernet port name, in this case "wl_ssid1_local0";
    you will need both later.

wireless mssid ifconfig
    This command asks the following questions:
    ssid_id = 1                    Answer with the ssid_id reported above.
    [ssid] = MyDMZ                 Answer with the same SSID used in the first command.
    [apisolation] = disabled       Enable this if the DMZ is for guests who should not be able to reach each other.
    [any] = enabled
    [secmode] = wpa-psk            Options are { disabled | wep | wpa-psk }. Use wpa-psk: WEP is broken and "disabled" leaves the network open.
    [WEPkey] = 1234567890          Only used with secmode=wep.
    [WPAPSKkey] = secure password  Enter your own WPA passphrase.
    [WPAPSKversion] = WPA+WPA2     Options are { WPA | WPA2 | WPA+WPA2 }. Choose WPA2 if all your clients support it.
    [radio_id] = 0                 Always answer 0.

wireless mssid ifattach ssid_id=1
    Use the ssid_id reported above.

eth bridge ifadd intf=Wdmz dest=wl_ssid1_local0 logging=disabled
    Use the ethernet port name from the first command, in this case "wl_ssid1_local0".

eth bridge ifattach intf=Wdmz logging=disabled

eth bridge iflist
    Optional: just checking.

saveall
    Makes the settings permanent.

Check you can connect to this new wireless station before proceeding.



Move Required Interfaces to the DMZ Vlan

Use the commands for the options you need and omit the commands for the options you don't need.

Option (a): add ethernet port 2 to the DMZ
Option (b): add ethernet port 3 to the DMZ
Option (c): add ethernet port 4 to the DMZ
Option (d): add the virtual wireless station to the DMZ

The command eth bridge vlan iflist can be used to see the progress of the steps in this section.
(The original page shows a screen capture of this output taken before any interfaces are moved; Wdmz is missing from that capture.)

Important: each interface must be added to the dmz vlan before it is deleted from the default vlan, otherwise the interface briefly belongs to no vlan and anything connected through it loses contact with the router.
Ethport1 cannot be moved.

Command / Comments

eth bridge vlan iflist
    Optional: check progress.

eth vlan add name=dmz vid=2
    Required for all options.

eth bridge vlan ifadd name=dmz intf=OBC untagged=disabled
    Required for all options. OBC is the router's own port on the bridge; it carries the dmz vlan tagged (untagged=disabled) so the router can tell dmz traffic from default-vlan traffic.

eth bridge vlan ifadd name=dmz intf=ethport2 untagged=enabled
    Option (a): add ethernet port 2.

eth bridge vlan ifadd name=dmz intf=ethport3 untagged=enabled
    Option (b): add ethernet port 3.

eth bridge vlan ifadd name=dmz intf=ethport4 untagged=enabled
    Option (c): add ethernet port 4.

eth bridge vlan ifadd name=dmz intf=Wdmz untagged=enabled
    Option (d): add the virtual wireless station created above.

eth bridge vlan iflist
    Optional: check progress.

eth bridge vlan ifdelete name=default intf=ethport2
    Required only if option (a) above was used.

eth bridge vlan ifdelete name=default intf=ethport3
    Required only if option (b) above was used.

eth bridge vlan ifdelete name=default intf=ethport4
    Required only if option (c) above was used.

eth bridge vlan ifdelete name=default intf=Wdmz
    Required only if option (d) above was used.

eth bridge vlan iflist
    Optional: check progress.

saveall

The original page's second screen capture shows the result after adding OBC, ethport3, ethport4 and Wdmz to the dmz vlan
and removing ethport3, ethport4 and Wdmz from the default vlan.
OBC must remain on both vlans: it is how the router itself reaches each network.




Setup Routing

Required for all options:

Command / Comments

eth ifadd intf=Eth_DMZ1
    Create a new ethernet interface on the bridge.

eth ifconfig intf=Eth_DMZ1 dest=bridge vlan=dmz
    Bind it to the dmz vlan (the tagged traffic that arrives via OBC).

eth ifattach intf=Eth_DMZ1

ip ifadd intf=DMZ1 dest=Eth_DMZ1
    Create the IP interface on top of it.

ip ifconfig intf=DMZ1 group=dmz
    The interface group "dmz" is what the firewall rules below match on (srcintf=dmz / dstintf=dmz); the LAN interface is in group "lan".

ip ifattach intf=DMZ1

ip ipadd intf=DMZ1 addr=192.168.3.254 netmask=24
    Set the IP range. It must not overlap the LAN range.

ip ipconfig addr=192.168.3.254 preferred=enabled primary=enabled

nat ifconfig intf=DMZ1 translation=transparent
    No address translation on the DMZ interface itself; NAT still happens on the WAN interface, as it does for the LAN.

service system ifadd name=DNS-S group=dmz
    Let the router's DNS server answer clients in the dmz group.

saveall



Enable DHCP on this Network

If DHCP is not required then skip this section.

Command / Comments

dhcp server pool add name=DMZ1_private

dhcp server pool config name=DMZ1_private intf=DMZ1 poolstart=192.168.3.1 poolend=192.168.3.20 netmask=24 gateway=192.168.3.254 server=192.168.3.254 leasetime=86400
    Twenty addresses, the router as gateway and DNS server, one-day leases. Change the pool to suit.

dhcp relay ifconfig intf=DMZ1 relay=enabled

dhcp relay add name=DMZ1_to_127.0.0.1

dhcp relay modify name=DMZ1_to_127.0.0.1 addr=127.0.0.1 intf=DMZ1 giaddr=192.168.3.254
    The relay hands requests arriving on DMZ1 to the router's own DHCP server (127.0.0.1) so the pool above is used.

saveall



Telnet commands to create the required Firewall Rules

Do not use the following telnet commands if you've created a new custom level firewall in the router's user interface.
If you have a custom level firewall then add the following rules through the router's user interface,
because the firewall chain name will be different for a custom level.

The command firewall rule list will show all active rules.

Command
firewall rule add chain=forward_level_Standard index=1 name=DMZtoWAN srcintf=dmz dstintf=wan state=enabled action=accept
firewall rule add chain=forward_level_Standard index=2 name=WANtoDMZ srcintf=wan dstintf=dmz state=enabled action=accept
firewall rule add chain=forward_level_Standard index=3 name=DMZtoDMZ srcintf=dmz dstintf=dmz state=enabled action=accept
saveall

These three rules sit at the top of the Standard level's forward chain and accept DMZ-to-internet, internet-to-DMZ and DMZ-to-DMZ traffic. The WANtoDMZ rule only matters for connections that a port-forward rule or the "forward all ports" option has mapped in; without a NAT mapping an unsolicited inbound connection has nowhere to go.
No rule accepts traffic between the dmz and lan groups in either direction, and that omission is what gives the isolation. Check with firewall rule list that nothing else in the chain lets such traffic through, and confirm from a DMZ host that LAN addresses and the router's LAN address do not answer.
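The sections above are one procedure whose ordering matters (add to the dmz vlan before deleting from the default vlan, never touch ethport1, keep OBC on both vlans). The script below is an added example for this page, not a script from the original: it assembles the page's own commands for the options you choose so the result can be pasted into the telnet session in one go. The ssid_id and wireless port name must be replaced with whatever your router printed in reply to "wireless mssid ifadd"; the defaults are the page's example values. It assumes the answers to "wireless mssid ifconfig" can be passed as parameters instead of being typed at the prompts, it picks WPA2 rather than the page's WPA+WPA2, and it derives the DHCP pool from the DMZ address rather than hard-coding it.

```python
"""Assemble the telnet commands for the advanced DMZ, in the order the page requires.

Added example for this page, not a script from the original. It emits the
page's own commands for the chosen options: an interface is always added to the
dmz vlan before it is deleted from the default vlan, ethport1 is refused, and
OBC is added to dmz but never removed from default. Assumption: the answers to
"wireless mssid ifconfig" are given inline rather than typed at the prompts.
"""
from __future__ import annotations

import ipaddress

MOVABLE_PORTS = ("ethport2", "ethport3", "ethport4")  # ethport1 cannot be moved


def dmz_commands(ports=(), wireless=False, dhcp=True,
                 firewall_chain="forward_level_Standard",
                 ssid="MyDMZ", ssid_id=1, wl_port="wl_ssid1_local0",
                 wpa_key="change-this-passphrase", dmz_ip="192.168.3.254") -> list[str]:
    """Return the commands, one per entry, ready to paste into a telnet session.

    firewall_chain=None omits the firewall rules: a custom-level firewall uses a
    different chain name and those rules must be added in the web interface.
    """
    bad = sorted(set(ports) - set(MOVABLE_PORTS))
    if bad:
        raise ValueError(f"{bad} cannot be moved to the dmz vlan; only {list(MOVABLE_PORTS)} can")
    net = ipaddress.ip_network(f"{dmz_ip}/24", strict=False)
    cmds: list[str] = []

    if wireless:  # section: Create a Virtual Wireless Station
        cmds += [
            f"wireless mssid ifadd ssid={ssid}",
            # assumption: prompted answers passed inline; WPA2-only instead of WPA+WPA2
            f"wireless mssid ifconfig ssid_id={ssid_id} ssid={ssid} apisolation=disabled any=enabled "
            f"secmode=wpa-psk WPAPSKkey={wpa_key} WPAPSKversion=WPA2 radio_id=0",
            f"wireless mssid ifattach ssid_id={ssid_id}",
            f"eth bridge ifadd intf=Wdmz dest={wl_port} logging=disabled",
            "eth bridge ifattach intf=Wdmz logging=disabled",
            "saveall",
        ]

    # section: Move Required Interfaces to the DMZ Vlan (every ifadd before any ifdelete)
    members = [p for p in MOVABLE_PORTS if p in ports] + (["Wdmz"] if wireless else [])
    cmds += ["eth vlan add name=dmz vid=2",
             "eth bridge vlan ifadd name=dmz intf=OBC untagged=disabled"]  # OBC stays on default too
    cmds += [f"eth bridge vlan ifadd name=dmz intf={m} untagged=enabled" for m in members]
    cmds += [f"eth bridge vlan ifdelete name=default intf={m}" for m in members]
    cmds.append("saveall")

    # section: Setup Routing
    cmds += [
        "eth ifadd intf=Eth_DMZ1",
        "eth ifconfig intf=Eth_DMZ1 dest=bridge vlan=dmz",
        "eth ifattach intf=Eth_DMZ1",
        "ip ifadd intf=DMZ1 dest=Eth_DMZ1",
        "ip ifconfig intf=DMZ1 group=dmz",  # the group the firewall rules match on
        "ip ifattach intf=DMZ1",
        f"ip ipadd intf=DMZ1 addr={dmz_ip} netmask=24",
        f"ip ipconfig addr={dmz_ip} preferred=enabled primary=enabled",
        "nat ifconfig intf=DMZ1 translation=transparent",
        "service system ifadd name=DNS-S group=dmz",
        "saveall",
    ]

    if dhcp:  # section: Enable DHCP on this Network (pool = first 20 hosts of the /24)
        cmds += [
            "dhcp server pool add name=DMZ1_private",
            f"dhcp server pool config name=DMZ1_private intf=DMZ1 poolstart={net[1]} "
            f"poolend={net[20]} netmask=24 gateway={dmz_ip} server={dmz_ip} leasetime=86400",
            "dhcp relay ifconfig intf=DMZ1 relay=enabled",
            "dhcp relay add name=DMZ1_to_127.0.0.1",
            f"dhcp relay modify name=DMZ1_to_127.0.0.1 addr=127.0.0.1 intf=DMZ1 giaddr={dmz_ip}",
            "saveall",
        ]

    if firewall_chain:  # section: Firewall Rules; deliberately no dmz<->lan rule in either direction
        rules = [("DMZtoWAN", "dmz", "wan"), ("WANtoDMZ", "wan", "dmz"), ("DMZtoDMZ", "dmz", "dmz")]
        for i, (name, src, dst) in enumerate(rules, start=1):
            cmds.append(f"firewall rule add chain={firewall_chain} index={i} name={name} "
                        f"srcintf={src} dstintf={dst} state=enabled action=accept")
        cmds.append("saveall")
    return cmds


if __name__ == "__main__":
    # ports 3 and 4 plus the wireless station: the configuration in the page's screen captures
    print("\n".join(dmz_commands(ports=("ethport3", "ethport4"), wireless=True)))
```

Run it, check the printed list against the tables above, then paste it a section at a time so you can run eth bridge vlan iflist between the vlan steps.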


(The original page has two screen captures here: how the firewall rules look in the user interface, and the DMZ ethernet ports as shown by the router's user interface.)

Open all ports to a specified IP (Optional)

Follow the instructions at "Forward all ports to a single IP address".
Change the IP used there to 192.168.3.50 for this DMZ network. That address is outside the DHCP pool above, so configure it statically on the server.
Do not use individual port-forward rules together with this option.
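The Objective promises that a compromised DMZ host has no way through to the LAN; the script below, an added example for this page and not part of the original, is the check to run from a host on the DMZ once everything is configured. It probes the router's DNS on the DMZ side, an internet address, the router's LAN address and a LAN host, and compares what it sees with the intended policy. It distinguishes "closed" (a reset or ICMP unreachable came back, so the packet was routed and only that port was shut) from "filtered" (nothing came back), because a refused connection to a LAN address means DMZ-to-LAN is still routed and the isolation has failed. The LAN addresses and the internet host are assumptions, not values from the page; edit TARGETS for your network.

```python
"""Check the DMZ isolation from a host on the DMZ network.

Added example for this page, not from the original. Policy: DMZ -> router DNS
and DMZ -> internet must work; DMZ -> LAN and DMZ -> the router's LAN address
must be dropped ("filtered"), not merely refused ("closed").
"""
import socket
import struct

DMZ_GATEWAY = "192.168.3.254"
LAN_ROUTER = "192.168.1.254"  # assumption: your router's LAN-side address
LAN_HOST = "192.168.1.10"     # assumption: any machine on your LAN
WAN_HOST = "1.1.1.1"          # assumption: any reachable internet host

# (label, host, port, protocol, reachable according to the intended policy)
TARGETS = [
    ("router DNS over DMZ", DMZ_GATEWAY, 53, "udp", True),
    ("internet", WAN_HOST, 443, "tcp", True),
    ("router via LAN address", LAN_ROUTER, 80, "tcp", False),
    ("LAN host", LAN_HOST, 445, "tcp", False),
]


def classify(exc: BaseException) -> str:
    """Map a connect/receive failure to what it says about the path."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"    # RST or ICMP unreachable came back: the host is reachable
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"  # nothing came back: dropped on the way
    return "error"         # no route, name resolution failure, etc.


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal standard query for an A record, built by hand so no resolver library is needed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_dns(host: str, port: int = 53, timeout: float = 2.0) -> str:
    query = build_dns_query("example.com")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected UDP so ICMP errors surface as exceptions
            s.send(query)
            data = s.recv(512)
        except OSError as exc:
            return classify(exc)
    return "open" if data[:2] == query[:2] else "error"  # same transaction id = a real answer


def evaluate(results: dict, policy=TARGETS) -> list:
    """Compare observed states with the policy; returns (label, state, passed) per target."""
    report = []
    for label, _host, _port, _proto, allowed in policy:
        state = results.get(label, "error")
        passed = (state == "open") if allowed else (state == "filtered")
        report.append((label, state, passed))
    return report


def run(policy=TARGETS) -> list:
    results = {}
    for label, host, port, proto, _allowed in policy:
        results[label] = probe_dns(host, port) if proto == "udp" else probe_tcp(host, port)
    return evaluate(results, policy)


if __name__ == "__main__":
    for label, state, passed in run():
        print(f"{'PASS' if passed else 'FAIL'}  {label:26s} {state}")
```

Any FAIL against a LAN target means traffic is crossing from the dmz group to the lan group; go back to firewall rule list and eth bridge vlan iflist before putting anything you care about in the DMZ.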



Copyright © NPR 2010 - 2012