This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

what makes a DMZ?

What i am confused about here... with regard to setting up guest wireless. Is how a DMZ works.

I have set up two separate Wireless Access points. Both Vigor AP 700's. One is plugged into my switch and give standard run-of-the-mill access to my internal LAN. (192.168.1.1/24)

The second Wireless AP is plugged into a separate EthX port on my UTM box. This then gets issued its OWN DHCP server in UTM9 on a different subnet....192.168.2.1/24

I understand that the DHCP issued addresses prevents traffic from the two subnets mixing. BUT, isn't it just simply a case of making my ip address static in windows... and changing the subnet mask to 255.255.248.0. That then gives me access to the OTHER subnet?

This isn't a true DMZ then is it? or are we just relying on people not doing static IP addresses?

Bit of a nooby question i guess... but it just strikes me as wierd.

This thread was automatically locked due to age.

Parents

0 apijnappels over 12 years ago

This is a true DMZ. Watch however that your 255.255.255.248 subnet only allows for 6 hosts in the subnet, it may be well enough, but it sure isn't too much.....

For DMZ (or LAN) to be able to access each other, you'll have to make firewall rules allowing traffic, otherwise no traffic is allowed.
Same is true for access to (and from) internet. Access from internet usually also requires DNAT rules (assuming you have only 1 public IP-address).

The only thing that you should not do is interconnect the DMZ and LAN to each other by plugging them into the same switch or hub. If you do that, than you also can't guess which DHCP-address you get, since both DHCP-servers will receive the broadcast and will make an offer.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 apijnappels over 12 years ago

This is a true DMZ. Watch however that your 255.255.255.248 subnet only allows for 6 hosts in the subnet, it may be well enough, but it sure isn't too much.....

For DMZ (or LAN) to be able to access each other, you'll have to make firewall rules allowing traffic, otherwise no traffic is allowed.
Same is true for access to (and from) internet. Access from internet usually also requires DNAT rules (assuming you have only 1 public IP-address).

The only thing that you should not do is interconnect the DMZ and LAN to each other by plugging them into the same switch or hub. If you do that, than you also can't guess which DHCP-address you get, since both DHCP-servers will receive the broadcast and will make an offer.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data