Basic DMZ Network on a Thomson Router


If you need help with telnet commands, see telnet.html first.


Important
Use the router's web interface to back up the router settings before playing.
Reinstalling the backup, or in the worst case resetting to factory default and then reinstalling the backup, should get things back to how they were.
Use these commands at your own risk.
This page shows an example of a basic DMZ network; make your own judgment of the security implications it offers.

Objective
To create a DeMilitarized Zone (DMZ) on the router which allows web access but is totally isolated from the Local Network (LAN).
This is a safe place for a web server etc. If the web server is compromised there should be no way through to the LAN.
The router's user interface is not accessible from the DMZ.
In this example Ethernet port 4 is split from the router's bridge and connected to the DMZ, i.e. only port 4 is the DMZ network.
An alternative use for a DMZ network is to provide web access for guests.
This allows web access while keeping your local network (LAN) secure and private.

Gamers:
The WAN IP is not issued to devices on this DMZ, so port forward rules are still required.
The option to forward all ports to a single IP address may be of interest to help with strict NAT issues.

Telnet commands to create the DMZ network on ethernet port 4
Command                                                           Comments
eth bridge ifdelete intf=ethport4                                 Disconnect ethernet port No 4. Only port 4 will be the DMZ
eth ifadd intf=Eth_DMZ                                            Create a new interface
eth ifconfig intf=Eth_DMZ dest=ethif4
eth ifattach intf=Eth_DMZ
ip ifadd intf=DMZ dest=Eth_DMZ                                    Connect ethernet port No 4 to DMZ
ip ifconfig intf=DMZ group=dmz                                    Place DMZ in group dmz
ip ifattach intf=DMZ
ip ipadd intf=DMZ addr=192.168.2.254 netmask=24                   Define IP range of DMZ interface
ip ipconfig addr=192.168.2.254 preferred=enabled primary=enabled  Define gateway for DMZ
nat ifconfig intf=DMZ translation=transparent                     Enable NAT on DMZ
service system ifadd name=DNS-S group=dmz                         Enable router's DNS server for the dmz group
saveall

Telnet commands to add DHCP to the DMZ network (Optional)
If using a server or games machine on a static LAN IP then DHCP is not required.
If you plan to attach a router to this port then DHCP is required.
Command
dhcp server pool add name=DMZ_private
dhcp server pool config name=DMZ_private intf=DMZ poolstart=192.168.2.1 poolend=192.168.2.20 netmask=24 gateway=192.168.2.254 server=192.168.2.254 leasetime=86400
dhcp relay ifconfig intf=DMZ relay=enabled
dhcp relay add name=DMZ_to_127.0.0.1
dhcp relay modify name=DMZ_to_127.0.0.1 addr=127.0.0.1 intf=DMZ giaddr=192.168.2.254
saveall
This places the DMZ network on IP range 192.168.2.0/24.
DHCP will provide dynamic IPs within the range 192.168.2.1 to 192.168.2.20.
If a network device needs a static LAN IP, use one from the range 192.168.2.21 to 192.168.2.252.

Telnet commands to create the required Firewall Rules
If a custom level firewall has been created, the chain name used in the following commands needs to be changed to suit.
Alternatively these firewall rules may be created in the router's GUI.
Command
firewall rule add chain=forward_level_Standard index=1 name=DMZtoWAN srcintf=dmz dstintf=wan state=enabled action=accept
firewall rule add chain=forward_level_Standard index=2 name=WANtoDMZ srcintf=wan dstintf=dmz state=enabled action=accept
firewall rule add chain=forward_level_Standard index=3 name=DMZtoDMZ srcintf=dmz dstintf=dmz state=enabled action=accept
saveall
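As an added check (not part of the original page), the following Python models the three forward-chain rules above as first-match rules and verifies the isolation property the Objective section claims, and it also checks that the DHCP pool, static range and gateway from the DHCP section fit together in 192.168.2.0/24. It assumes that forwarded traffic matching none of the listed rules is dropped, which the page relies on but does not state, and it treats the interface groups lan, dmz and wan abstractly rather than modelling the router's own built-in Standard-level rules.

```python
import ipaddress

# The three rules the page adds to chain forward_level_Standard, in index order.
# Each entry is (srcintf group, dstintf group, action); the first match wins.
FORWARD_RULES = [
    ("dmz", "wan", "accept"),   # index=1 DMZtoWAN
    ("wan", "dmz", "accept"),   # index=2 WANtoDMZ
    ("dmz", "dmz", "accept"),   # index=3 DMZtoDMZ
]

# Assumption, not stated on the page: forwarded traffic that matches none of
# these rules is dropped. The DMZ/LAN isolation rests on no dmz<->lan accept rule.
DEFAULT_ACTION = "drop"

def forward_decision(src_group, dst_group, rules=FORWARD_RULES):
    """Return the action taken for traffic from src_group to dst_group."""
    for src, dst, action in rules:
        if src == src_group and dst == dst_group:
            return action
    return DEFAULT_ACTION

def isolation_holds(rules=FORWARD_RULES):
    """True only if no rule lets group dmz reach group lan, or lan reach dmz."""
    return (forward_decision("dmz", "lan", rules) == "drop"
            and forward_decision("lan", "dmz", rules) == "drop")

def _span(first, last):
    """All addresses from first to last inclusive, as a set of IPv4Address."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}

def addressing_plan_ok(net="192.168.2.0/24", pool=("192.168.2.1", "192.168.2.20"),
                       static=("192.168.2.21", "192.168.2.252"), gateway="192.168.2.254"):
    """Check that the DHCP pool, the static range and the gateway all lie inside
    the subnet's host addresses and that none of them overlap."""
    hosts = set(ipaddress.ip_network(net).hosts())
    pool_set, static_set = _span(*pool), _span(*static)
    gw = ipaddress.ip_address(gateway)
    return (pool_set <= hosts and static_set <= hosts and gw in hosts
            and not (pool_set & static_set) and gw not in (pool_set | static_set))

if __name__ == "__main__":
    for src, dst in [("dmz", "wan"), ("wan", "dmz"), ("dmz", "dmz"), ("dmz", "lan"), ("lan", "dmz")]:
        print(f"{src} -> {dst}: {forward_decision(src, dst)}")
    print("DMZ/LAN isolation holds:", isolation_holds())
    print("Addressing plan consistent:", addressing_plan_ok())
```

Adding a fourth tuple such as ("dmz", "lan", "accept") to FORWARD_RULES makes isolation_holds() return False, which is the misconfiguration the page's design is meant to rule out.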


How the Firewall Rules look in the user interface.



How the Network Interface looks in the user interface.


Open all ports to a specified IP (Optional)
Follow the instructions at "Forward all ports to a single IP address".
Change the IP used there to 192.168.2.50 for the DMZ network.

Options
Any server or games machine placed in the DMZ will need a port forward rule created in the normal way.
Alternatively the above "forward all ports" method may be used.
If used as the basis of a DMZ network, remember this applies only to ethernet port 4 on the router.
A second wireless router may be plugged in to port 4 to add extra ethernet ports and wireless.
This second router will need to be set to IP range 192.168.2.0/24 with DHCP disabled.

Undo: Remove the DMZ Network and re-attach port 4

Command                                                           Comments
dhcp relay delete name=DMZ_to_127.0.0.1                           Remove DHCP for DMZ
dhcp server lease flush pool=DMZ_private
dhcp server pool delete name=DMZ_private
service system ifdelete name=DNS-S group=dmz                      Remove DNS server for DMZ
ip ipdelete addr=192.168.2.254
ip ifdelete intf=DMZ
eth ifdelete intf=Eth_DMZ
eth bridge ifadd intf=ethport4 dest=ethif4                        Re-attach ethernet port 4
eth bridge ifattach intf=ethport4
firewall rule delete chain=forward_level_Standard index=3         Delete DMZ firewall rules
firewall rule delete chain=forward_level_Standard index=2
firewall rule delete chain=forward_level_Standard index=1
saveall



Copyright © NPR 2010 - 2012