
Routing and DMZ

Hi!

I have to realize the following solution:

Public IP: 1.2.3.4
Internal network: 192.168.0.0/24
Provider router (default gateway): 192.168.0.254
Astaro 9: 192.168.0.253
DMZ (reachable from internet): 192.168.1.0/24

The Astaro only exists to separate the DMZ from the internal network. The provider router uses DNAT to translate the Destination IP from 1.2.3.4 to 192.168.1.100 (web server). The provider router knows that the subnet 192.168.1.0/24 is behind 192.168.0.253.

Is that secure? I'm not sure, because the router IP (Astaro) is an IP in the internal subnet. In addition to that, connections from the internal subnet to the DMZ will take two different routes:

Internal -> DMZ: 192.168.0.1 (client) -> 192.168.0.254 (default gw) -> 192.168.0.253 (Astaro) -> 192.168.1.1 (web server, DMZ)
DMZ -> Internal: 192.168.1.1 (web server, DMZ) -> 192.168.0.253 (Astaro as default gw) -> 192.168.0.1 (direct connection to client)

So the routing DMZ -> Internal is not the same, because the provider router is not needed on the way back.

Perhaps someone has an idea?

Greetings!
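As an added example (not from the original post), a small Python routing simulator built from the routing tables the post implies. It traces both flows hop by hop with longest-prefix matching and shows two things at once: the forward and return paths are indeed different (asymmetric routing), yet both directions still pass the Astaro, so its stateful firewall sees the whole conversation. Assumptions: hosts use the provider router as default gateway, and the Astaro's DMZ-side address is 192.168.1.254 (not given in the post).

```python
import ipaddress

# Constructed routing tables for the topology in the post. A gateway of None
# means the destination network is directly connected to that node.
# ASSUMPTION: the Astaro's DMZ interface is 192.168.1.254 (not stated in the post).
ROUTES = {
    "client":    {"192.168.0.0/24": None, "0.0.0.0/0": "192.168.0.254"},
    "provider":  {"192.168.0.0/24": None, "192.168.1.0/24": "192.168.0.253"},
    "astaro":    {"192.168.0.0/24": None, "192.168.1.0/24": None,
                  "0.0.0.0/0": "192.168.0.254"},
    "webserver": {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.254"},
}
# Which node owns which address (the Astaro has one address per side).
ADDR = {"192.168.0.1": "client", "192.168.0.254": "provider",
        "192.168.0.253": "astaro", "192.168.1.254": "astaro",
        "192.168.1.1": "webserver"}


def next_hop(node, dst):
    """Longest-prefix match over node's table; returns the gateway or None."""
    best = None
    for prefix, gw in ROUTES[node].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"{node} has no route to {dst}")
    return best[1]


def trace(src, dst):
    """Return the list of nodes a packet from src to dst traverses."""
    node, path = ADDR[src], [ADDR[src]]
    while node != ADDR[dst]:
        gw = next_hop(node, dst)
        node = ADDR[dst] if gw is None else ADDR[gw]
        path.append(node)
        if len(path) > 10:
            raise RuntimeError("routing loop")
    return path


def paths_differ(a, b):
    """True when the return path is not the forward path reversed (asymmetric)."""
    return trace(a, b) != list(reversed(trace(b, a)))


def inspects_both_directions(a, b, firewall):
    """True when the firewall node sits on the path in both directions."""
    return firewall in trace(a, b) and firewall in trace(b, a)


if __name__ == "__main__":
    # The provider router forwards the client's packet back out the interface it
    # arrived on, so it may also send the client an ICMP redirect for 192.168.0.253.
    print("Internal -> DMZ:", " -> ".join(trace("192.168.0.1", "192.168.1.1")))
    print("DMZ -> Internal:", " -> ".join(trace("192.168.1.1", "192.168.0.1")))
    print("asymmetric:", paths_differ("192.168.0.1", "192.168.1.1"),
          "| Astaro sees both directions:",
          inspects_both_directions("192.168.0.1", "192.168.1.1", "astaro"))
```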


  • Are cney and RedHorse working on the same network, or just on similar problems?

    Cheers - Bob
    PS Building RED tunnels between ASG/UTMs is much less expensive than MPLS.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA