<div dir="ltr"><div class="gmail_default" style="font-family:comic sans ms,sans-serif;font-size:small;color:#ff00ff">Most places I have worked at do not allow direct Corporate_LAN to Internet access. It is a PCI violation, and bad practice, really. All LAN traffic goes through the DMZ, and there are 2 Routers/firewalls between the LAN machines and the Internet at minimum. With VLAN tagging, you could probably use a single Router/firewall setup. The danger is informal trunking between the VLAN segments that can lead to "Surprise" direct to internet connections. This is also a potential PCI finding, because each major service must have its own server. You might also consider setting up squid as a filtering proxy that checks out all HTTP and HTTPS traffic. </div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><font style="background-color:rgb(255,255,255)" color="#20124d"><font face="garamond, serif" size="4">Wolf Halton<br>Mobile/Text 678-687-6104 </font><br><font size="4" style="font-family:verdana,sans-serif">--</font><br></font></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sun, Mar 26, 2017 at 1:26 AM, Alex Carver <span dir="ltr"><<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I disagree about the LAN not going through the DMZ to get to the<br>
outside. That's exactly how many places (including my workplace) have<br>
things set up. There's a middle ground because in theory the LAN and<br>
the WAN both need to access the DMZ.<br>
<br>
Two routers chained together will work. It's just a different set of<br>
rules and it simply makes the second router a "host" on the DMZ but you<br>
put more restrictive rules in place (no port forwarding) for anything<br>
beyond it.<br>
<br>
Now, there's technically a way to do a single router with your consumer<br>
routers as long as you replace the firmware with something that is<br>
smarter such as OpenWRT/Tomato/DDWRT, etc. As an example, I have an old<br>
Linksys WRT54G running OpenWRT. It has five physical ethernet ports<br>
and the wireless card inside. The built-in Broadcom SoC can actually<br>
VLAN all five of those separately (through internal VLAN tagging). So I<br>
could turn it into a five-zone firewall (WAN, LAN 1-4, and WifiLAN).<br>
<br>
You might be able to do the same if your Asus is supported by OpenWRT or<br>
similar. You get the ability to reconfigure the SoC switch inside to<br>
create zones, the benefit of iptables, and advanced routing that the<br>
stock firmware just doesn't have.<br>
<div class="HOEnZb"><div class="h5"><br>
On 2017-03-25 21:46, Scott Castaline wrote:<br>
> So you're saying that my 2 router configuration won't work? If that is the case<br>
> what brand besides Cisco makes a 1 WAN to 2 LAN router? I say besides Cisco<br>
> because the only one I worked with many years ago were Cisco 2600 series<br>
> routers, which I loved at the time just not the price.<br>
><br>
> On disability pay it's sort of off budget. What I was planning on doing was<br>
> taking one ASUS router and putting a NetGear 16 port switch off of that to drive<br>
> my DMZ LAN then the 2nd ASUS router would be off of the front LAN to create the<br>
> back LAN which would be the private LAN also with a 2nd NetGear 16 port switch.<br>
> The DMZ will have 2 game consoles, and 2 media streamers and 2 smart tvs. But<br>
> then I ran into articles that say the complete reverse of what I had planned, also<br>
> using 2 routers. One of the articles endorses 3rd party firmware from Russia,<br>
> but I'm a little leery of that these days.<br>
><br>
><br>
> On 03/25/2017 05:09 PM, Jim Kinney wrote:<br>
>> The DMZ is a zone. One box or many. It is directly connected to internet and<br>
>> may or may not connect to the inside LAN. If it does, the firewall and routing<br>
>> is very, very specific. And, yes, firewall between big bad interwebs and DMZ.<br>
>><br>
>> The inside, trusted LAN doesn't connect through DMZ network to outside. It<br>
>> connects to firewall/router and your internet demarcation line.<br>
>><br>
>> So 3 nic Linux box. Nic 1 goes to internet, 2 is DMZ and 3 is private lan.<br>
>> Iptables on the box. LAN and DMZ are separate subnets with the box as their<br>
>> gateway. DMZ often has internet routable IPs. LAN usually does not and is<br>
>> NAT'ed. DMZ can be NAT'ed as well. If DMZ is not NAT'ed, nic 1 will need to be in<br>
>> bridge mode.<br>
>><br>
>> The terminally paranoid will add a second firewall box on the wire between nic<br>
>> 3 and the internal LAN.<br>
>><br>
>> On Mar 25, 2017 4:42 PM, "Scott Castaline" <<a href="mailto:skotchman@gmail.com">skotchman@gmail.com</a><br>
</div></div><div class="HOEnZb"><div class="h5">>> <mailto:<a href="mailto:skotchman@gmail.com">skotchman@gmail.com</a>>> wrote:<br>
>><br>
>> So I would put the DMZ on the front or first LAN and then everything else<br>
>> on the back or second LAN? And also the DMZ is a single device and not the<br>
>> LAN itself? What if I have multiple DMZs on the first LAN, can I do that?<br>
>><br>
>><br>
>> On 03/25/2017 12:30 AM, Alex Carver wrote:<br>
>><br>
>> On 2017-03-24 21:05, Scott Castaline wrote:<br>
>><br>
>> Okay, I've had the cable pulled in my house. I was able to unbrick an<br>
>> older ASUS router which is running ASUSWRT-Merlin which has the radios<br>
>> shut off for the access part of it. Many years ago I remember<br>
>> setting up<br>
>> several dual LANs, the first LAN was unsecured and all of the web<br>
>> facing<br>
>> gear was on that. Then a second router with LAN to LAN interfaces<br>
>> which<br>
>> connected to LAN 1 and LAN 2 was off of this router and was a secured<br>
>> network. I thought this was what a DMZ was, but on google searching DMZ<br>
>> structure I'm finding that the DMZ is a single server by itself. The<br>
>> other thing that I'm finding is that the secured LAN is on LAN 1<br>
>> and the<br>
>> DMZ is on LAN 2. That doesn't make sense to me.<br>
>><br>
>> Can anyone enlighten me with what would be the correct way of<br>
>> doing this?<br>
>><br>
>><br>
>> You can make up a DMZ using a three port router or you can daisy chain<br>
>> two routers with the link between them being the DMZ. Your LAN would<br>
>> hang off the back router farthest from the WAN.<br>
>><br>
>> Either way you're just setting up a bunch of packet filter and routing<br>
>> rules. The advantage of the dual router approach is that it would<br>
>> theoretically be harder to break into your LAN because two routers would<br>
>> need to be compromised.<br>
>><br>
>> A single router approach needs a router that can handle all traffic.<br>
>> The dual router approach only needs enough horsepower on the front<br>
>> router to handle the traffic. The back router, in theory, sees less<br>
>> traffic.<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br></div>
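The three-NIC Linux firewall Jim Kinney describes (nic 1 to the Internet, nic 2 the DMZ, nic 3 the private LAN, iptables on the box, DMZ never initiating toward the LAN), written up as an added example that is not from anyone in the thread: a POSIX shell script that generates an iptables-restore ruleset. Interface names, subnets, the published web host and the proxy port are assumed values; with LAN_VIA_PROXY=yes the script follows Wolf's point that the LAN reaches the web only through a filtering proxy in the DMZ and logs any "surprise" direct attempt, with LAN_VIA_PROXY=no it allows direct NAT'ed access.

```shell
#!/bin/sh
# Ruleset generator for a three-NIC firewall (added example; all values constructed)
WAN_IF=eth0             # nic 1: Internet
DMZ_IF=eth1             # nic 2: DMZ subnet, NAT'ed here
LAN_IF=eth2             # nic 3: private LAN
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.20.0/24
WEB_HOST=192.168.10.5   # the only DMZ host published to the Internet
PROXY_HOST=192.168.10.6 # assumed squid box in the DMZ, listening on 3128
LAN_VIA_PROXY=${LAN_VIA_PROXY:-yes}

# LAN reaches the Internet either only through the DMZ proxy, or directly (NAT'ed)
lan_internet_rules() {
  if [ "$LAN_VIA_PROXY" = yes ]; then
    echo "# no LAN->WAN forward: clients use the proxy at $PROXY_HOST:3128; log bypass attempts"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix LAN-direct-denied:"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT"
  else
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT"
  fi
}

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Replies to already-allowed connections; everything else is explicit below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet may only reach the published DMZ services (DNAT'ed in the nat table)
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_HOST -p tcp -m multiport --dports 80,443 -j ACCEPT
# DMZ never initiates toward the private LAN; it may go out to the Internet
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT
# Private LAN may use DMZ services (consoles, streamers) but is never reached from them
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $DMZ_NET -j ACCEPT
$(lan_internet_rules)
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_HOST
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
# Apply as root: sysctl -w net.ipv4.ip_forward=1 && gen_rules | iptables-restore
```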