OpenWrt Forum Archive

Topic: "unusual dmz setup" wanted (help for a newbie wanting too much)

The content of this topic has been archived on 10 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello and Greetings,

I am a new (and happy) user of openwrt 0.9 on a wl500gp. x-wrt, ctorrent, screen, samba and print-server are running - but now I am
unsure how to reach my last goal - a DMZ within my lan.

I am not using the router part of the wl500gp (wan port empty) - but I want to configure a dmz via vlans/iptables.
I have seen the dmz wiki entry, but this assumes you have a wan port and the asus router is the gateway/router.

In contrast, my given network:

* fritzbox as dsl router+gateway (+voip)
* wl500gp is placed inside the lan (since working as nas, download and printserver, no routing here so far)
* several pcs in lan (connected to wl500gp *and* fritzbox)
* can not place fritzbox behind wl500gp (separate rooms, nas, printer location)

Wanted Configuration:

- WANTED: one pc as webserver in separated environment (dmz)
- use WL500gp as "DMZ VLAN switch" and firewall (no wan routing)
- keep WL500gp as print-server, nas and switch in lan

With openwrt ALL seems to be possible, but how?

e.g:

- Port forwarding on fritzbox to webserver (Port 80 to e.g. 192.168.69.200)
- VLAN DMZ Port (4) in same subnet with lan (192.168.69.111)
- IP Tables
   - DMZ can answer to calls from outside (both lan+wan, http, ssl, ssh)
   - DMZ must not establish ANY outgoing traffic
   - DMZ must not see any router or pc (neither on asus vlan1 nor those connected to fritzbox)

internet  ==> fritzbox (192.168.69.250) dsl/voip router
                             +
                             + ===> (192.168.69.20,wlan) lanpc1 
                             + ===> (192.168.69.30,cat5) lanpc2 
                             + 
                             + ===> (port1, vlan0) => (192.168.248) wl500gp (nas+print-server)
                                                                      +
                                                                      +== (port4,vlan2) ==> (192.168.69.200) **DMZ**PC as webserver
                                                                      +== (port2 vlan0) ==> (192.168.69.100) lanpc3
                                                                      +
                                                                      +==> (port0, vlan1, [wan, unused])

I have created vlan2 like

vlan2hwname=et0
vlan2ports=4 5*
dmz_proto=static
dmz_netmask=255.255.255.0
dmz_ipaddr=192.168.69.111
dmz_ifname=vlan2
dmz_ifnames=vlan2

first problem: hmm

I cannot ping 192.168.69.200 from the asus router (192.168.69.111 is responding).

second problem: hmm

Could you point me to a working similar setup, especially the iptables entries for this?



Please do not laugh about my first steps toward a dmz, I am a beginner deep in the forest at this time ;-)

Manfred R.
Munich, Germany

wl500gp, ip 192.168.69.248/255.255.255.0

all should be/is in the same above subnet.

## lan_ifnames=vlan0 eth2
## landevs=vlan0 wl0
## vlan0hwname=et0
..
nvram set vlan2hwname=et0
nvram set vlan2ports="4 5t"

nvram set dmz_ifname=vlan2
nvram set dmz_ifnames=vlan2
nvram set dmz_proto=static
nvram set dmz_ipaddr=192.168.69.111
nvram set dmz_netmask=255.255.255.0
ifup dmz

ok, vlan2 is separated from br0. I can't find an iptables rule that allows ping from br0 to dmz,
e.g. iptables -A FORWARD -o dmz -j ACCEPT does not work hmm


brctl addif br0 vlan2

ok, vlan2 is bridged into br0. I can't find an iptables rule that denies e.g. a ping from br0 to dmz,
e.g. iptables -A FORWARD -o vlan2 -j DENY does not work hmm

Any hint?
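Added example (not Manfred's code and not OpenWrt project code): the iptables rules that implement the three DMZ wishes from the first post (the webserver answers http/https/ssh from lan and internet, never initiates anything, never reaches the router or the lan pcs), written for the busybox shell and the `-m state` matching of a White Russian-era OpenWrt. Two things the posted attempts run into are worth knowing first: once `brctl addif br0 vlan2` is done, lan-to-dmz traffic is switched inside the bridge and never passes the FORWARD chain, so no rule there can block it (only bridge-aware filtering could); and with vlan2 kept separate but numbered in the same /24 as br0, the kernel has one connected route for 192.168.69.0/24 and sends the ping out br0, which is why 192.168.69.200 cannot be reached from the router. The example therefore assumes a routed design with the DMZ in its own subnet: br0 stays 192.168.69.0/24 (wl500gp .248, fritzbox .250), vlan2 becomes 192.168.70.1/24 with the webserver at 192.168.70.200 using the wl500gp as its default gateway, and the fritzbox gets a static route for 192.168.70.0/24 via 192.168.69.248 so its port 80 forward can reach the webserver. All addresses, the chain names `dmz_fwd`/`dmz_in` and the `DRY_RUN`/`DMZ_APPLY` switches are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: routed DMZ on a dedicated VLAN
# interface of the wl500gp. Assumed (constructed) addressing:
#   LAN: br0   192.168.69.0/24  (wl500gp .248, fritzbox .250)
#   DMZ: vlan2 192.168.70.0/24  (wl500gp .1, webserver .200)
LAN_IF=${LAN_IF:-br0}
DMZ_IF=${DMZ_IF:-vlan2}
DMZ_HOST=${DMZ_HOST:-192.168.70.200}
DMZ_PORTS="22 80 443"        # the only services the DMZ host may answer on

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can
# be reviewed (and tested) on a machine without root or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dmz_rules() {
    # Own chains keep the DMZ policy apart from the rest of the firewall and
    # make re-running this script idempotent (flush instead of duplicating).
    # "-N" fails harmlessly when the chain already exists.
    for chain in dmz_fwd dmz_in; do
        ipt -N "$chain" 2>/dev/null
        ipt -F "$chain"
    done

    # --- forwarding between LAN/Internet and the DMZ ----------------------
    # 1. Replies belonging to connections that were allowed in are fine.
    ipt -A dmz_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. New connections *to* the webserver, on the published ports only.
    for p in $DMZ_PORTS; do
        ipt -A dmz_fwd -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # 3. Anything the DMZ starts itself is logged (rate-limited) and dropped.
    #    This is "must not establish ANY outgoing traffic" and it also keeps
    #    the DMZ host from reaching lanpc1..3 or the fritzbox.
    ipt -A dmz_fwd -i "$DMZ_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "dmz-egress: "
    ipt -A dmz_fwd -i "$DMZ_IF" -j DROP
    # 4. Everything else towards the DMZ (other ports, other hosts) is dropped.
    ipt -A dmz_fwd -o "$DMZ_IF" -j DROP

    # --- traffic aimed at the router itself -------------------------------
    # The DMZ may only answer sessions the router opened (e.g. a test ping
    # from the wl500gp); it never reaches samba, the print server or ssh.
    ipt -A dmz_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_in -j DROP

    # Hook the chains in at the top of the built-in chains, removing any
    # earlier hook first so repeated runs do not stack duplicates.
    ipt -D FORWARD -j dmz_fwd 2>/dev/null
    ipt -I FORWARD 1 -j dmz_fwd
    ipt -D INPUT -i "$DMZ_IF" -j dmz_in 2>/dev/null
    ipt -I INPUT 1 -i "$DMZ_IF" -j dmz_in
}

if [ "${DMZ_APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward   # route between br0 and vlan2
    dmz_rules
else
    DRY_RUN=1                                 # default: only show the rules
    dmz_rules
fi
```

Run it without arguments to review the generated rules; `DMZ_APPLY=1 sh dmz.sh` installs them. Afterwards `iptables -L dmz_fwd -v -n` shows per-rule packet counters, and a hit on the `dmz-egress:` log line means the webserver tried to open a connection on its own, which is exactly the event this setup is meant to catch. The DMZ host itself needs 192.168.70.1 as its default gateway, and nothing in the lan should be told to use the DMZ subnet as a path anywhere.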

I think I got my setup! :-)

Here is a link to my current configuration (in german), describing

- dmz vlan settings
- iptables,
- port forwarding, routes
- (and some other tasks like printserver ...)

http://www.regele.org/wl500gp/OpenWrtWithDMZ_HowTo.html

With this setup I get a dmz "cell embedded" into my lan (as opposed to the safer setup
with dmz between lan and internet).

Comments are welcome, this is my first router with openwrt - there is so much to learn..

Manfred.
