Author Topic: DMZ behavior - DMZ machines should not have LAN access  (Read 25852 times)

pounce

  • Guest
DMZ behavior - DMZ machines should not have LAN access
« on: November 11, 2008, 11:53:22 AM »

I want to put a machine in the DMZ. I do not want this machine to have any LAN access. I want this machine to only have WAN access and accept any traffic not assigned elsewhere through port forwarding etc. Can I do this with DIR-655 and if so how?

Thanks!

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #1 on: November 11, 2008, 12:49:12 PM »

No, you cannot do this, as this would require a different physical interface on the DIR-655. The LAN ports on this device are connected through an unmanaged switch to a single interface on the DIR-655. What you are thinking of is more of a business class Router/Firewall DMZ interface as opposed to a home router DMZ which is just a default forward.
non progredi est regredi
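
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small model of why a router rule cannot separate a consumer "DMZ" host from the LAN, while a dedicated DMZ interface can. The segment names, interface names (`lan0`, `dmz0`) and addresses are constructed for illustration and are not taken from the DIR-655.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str  # layer-2 segment (switch or port) the host is plugged into

@dataclass(frozen=True)
class Interface:
    name: str
    segment: str
    network: str

def interface_for(host, interfaces):
    """Router interface that serves the host's segment and subnet, or raise."""
    for iface in interfaces:
        if iface.segment == host.segment and \
           ipaddress.ip_address(host.ip) in ipaddress.ip_network(iface.network):
            return iface
    raise ValueError(f"{host.name} is not behind any router interface")

def lan_path(src, dst, interfaces, deny):
    """Classify src -> dst traffic as 'switched', 'routed' or 'blocked'.

    deny is a set of (ingress interface, egress interface) pairs the router drops.
    """
    in_if = interface_for(src, interfaces)
    out_if = interface_for(dst, interfaces)
    if in_if == out_if:
        # Same segment and subnet: the switch delivers the frame port to port,
        # so the router's filter is never consulted, whatever deny contains.
        return "switched"
    return "blocked" if (in_if.name, out_if.name) in deny else "routed"

# Constructed topologies; every name and address here is illustrative.
pc = Host("lan-pc", "192.168.0.10", "lan-switch")
# Consumer "DMZ": an ordinary LAN client that also receives unsolicited WAN traffic.
consumer_ifs = [Interface("lan0", "lan-switch", "192.168.0.0/24")]
consumer_dmz = Host("dmz-host", "192.168.0.50", "lan-switch")
# Dedicated DMZ interface: own segment, own subnet, and a rule between the two.
dedicated_ifs = consumer_ifs + [Interface("dmz0", "dmz-port", "192.168.100.0/24")]
dedicated_dmz = Host("dmz-host", "192.168.100.50", "dmz-port")
deny_dmz_to_lan = {("dmz0", "lan0")}

def compare():
    """DMZ->LAN on the consumer layout, DMZ->LAN and LAN->DMZ on the dedicated one."""
    return (lan_path(consumer_dmz, pc, consumer_ifs, {("lan0", "lan0")}),
            lan_path(dedicated_dmz, pc, dedicated_ifs, deny_dmz_to_lan),
            lan_path(pc, dedicated_dmz, dedicated_ifs, deny_dmz_to_lan))
```
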

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #2 on: November 11, 2008, 01:17:21 PM »

Thanks for the speedy response. With that said, how exactly is the Guest feature working in this regard? It is my understanding that the Guest feature only allows WAN access for "wireless" connections.

Is the absence of this true DMZ feature an explicit choice? It seems to me that it's careless to offer DMZ for a machine with LAN access. It's hard for me to imagine why this would be offered.

Is a true DMZ on this product something that the product team could add in a software rev? If so, how do I file a formal enhancement request?

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #3 on: November 11, 2008, 01:48:14 PM »

The guest feature is not going to be a whole lot of help as it is a wireless interface feature.

Given we would need a separate interface to keep the unmanaged switch portion of this device from allowing LAN communication this would not be a software fix.

The DMZ feature of this device is designed mostly for people who have some service they are serving from their LAN PC as a home project, or for troubleshooting purposes. It is not designed to act as a full DMZ interface; if you want such an interface you will need to look at business class equipment regardless of vendor.
non progredi est regredi

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #4 on: November 11, 2008, 02:13:38 PM »

You didn't answer my questions and I am not interested in using the guest feature.

Is it an explicit choice by DLink not to have a proper DMZ on this router?

How do I file an enhancement request?

I raise the issue of the Guest feature because it's essentially doing a vlan. The router *can* do a proper DMZ because it's almost there with the guest feature. There is nothing stopping the Dlink engineers from adding a real DMZ to this hardware. It would not take a lot to specify port 1 in the switch to be a fixed IP in a separate vlan and then have the router treat this port as a real DMZ.

Dlink should not be referring to their DMZ feature as DMZ. It's not a DMZ and from what I can tell there are not enough warnings about the security risks. Risks are mentioned but there is nothing in the documentation that explicitly states that any machines in the dlink DMZ have access to the rest of the network and therefore if they are compromised due to their exposure that the rest of the network is exposed.
« Last Edit: November 11, 2008, 02:43:06 PM by pounce »

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #5 on: November 11, 2008, 02:27:43 PM »

All of the home routers I had (Tornado, 2x Asus, Linksys) implement DMZ more or less like D-link did...but that's only afaik. You can make the router launch a nuclear missile...if you choose to implement it  ;D
DIR-655 H/W: A2 FW: 1.33

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #6 on: November 11, 2008, 02:31:23 PM »

I generally ignore arguments like "but all my friends are doing it...".

Whatever they have for DMZ on this router is *not* a DMZ. That said if the router can't do a proper DMZ today and I can open an enhancement request to have one added I'll do that. I'll also raise the issue that Dlink is not being responsible enough with its customers on the topic of security wrt their DMZ feature on this and any other router that is not actually isolating the DMZ machine from the rest of the LAN.

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #7 on: November 11, 2008, 03:48:29 PM »

In case I have not made myself clear I will try this one last time, then I am going to hunt Lycan down because this is getting ridiculous.

THIS SWITCH'S LAN PORTS ARE ON AN UNMANAGED SWITCH.  IT IS NOT POSSIBLE TO CREATE AN ISOLATED INTERFACE ON AN UNMANAGED SWITCH.  IMPOSSIBLE.  THERE IS NO FEATURE REQUEST TO ELEVATE AS IT WOULD TAKE ANOTHER PHYSICAL INTERFACE TO PERFORM AS YOU REQUEST.  I AM GOING TO ADD ANOTHER IMPOSSIBLE FOR CLARITY.

If you want a DMZ interface buy a firewall with a DMZ interface instead of a product designed to forward unspecified traffic to a LAN host as a last ditch effort for troubleshooting and setting up server software you know nothing about.

I mentioned the guest network feature because you asked me about it.

Every consumer level router (which is what this product is) that I have ever seen has this very feature and refers to it as DMZ, so the "but all my friends are doing it..." argument is not only valid, it's as good as law.

While we are drumming up things we are liable for telling every customer, should we add a list of every piece of network exploit software ever written in the manual? Perhaps we should require that they understand firewall theory to buy our product. Or better yet, we have to warn them that there are "bad people" on the other side of that wire.

You purchased the wrong product for your purposes, return it and buy a product that does what you require instead of expecting your consumer grade equipment to match your ridiculous expectations.  The number for Customer Service is 1 800 326 1688 ext. 6314, they can figure out who I am based on my handle.
non progredi est regredi

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #8 on: November 11, 2008, 03:59:27 PM »

> I generally ignore arguments like "but all my friends are doing it...".
>
> Whatever they have for DMZ on this router is *not* a DMZ. That said if the router can't do a proper DMZ today and I can open an enhancement request to have one added I'll do that. I'll also raise the issue that Dlink is not being responsible enough with its customers on the topic of security wrt their DMZ feature on this and any other router that is not actually isolating the DMZ machine from the rest of the LAN.

"All my friends are doing it" confirms and supports the fact that it is a home router and not some freak attempt by D-Link to mislead the consumer. But it seems that you would like to see this pro feature also on home routers?

It's a fact that Real DMZ on home routers is 99% never a feature.  
Thus I doubt your disqualification about D-Link. I guess D-link is not claiming anywhere that their home routers (how the DIR655 is advertised) feature the professional DMZ features you mention, they offer a different line of products for that purpose (professional and secured environments). Unless I've missed the latest edition of the "Bible on Required Specs and Morals for Home routers" of course.  ???

Apart from that theoretical morals and values discussion, could you provide an example of D-Link misrepresenting this feature to the consumer?

Just a question: Pounce is a.k.a. Audituner?
« Last Edit: November 11, 2008, 04:05:37 PM by EddieZ »
DIR-655 H/W: A2 FW: 1.33

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #9 on: November 11, 2008, 04:11:29 PM »

Fatman, you are incredibly rude. I find your tone and remarks offensive. I'd wager your posts in no way reflect the attitude Dlink would want you to have toward the general public.

You assume it's easy to understand the capability of the Dlink products by reading the product description. I challenge you to actually look at the product description and the manual and tell me where a reasonable person would find that the DMZ feature of the DIR-655 router does not block lan traffic on the DMZ IP.

You really need to step back and take a breath and realize how you come across to the public. Maybe you are just too close to all of this stuff to imagine a different view of the world.

Bottom line is I am a customer. I asked about a feature that did not behave as expected. I asked if this was expected behavior and if it was by design. I asked how to file an enhancement request to have the feature added to the product. This is all very reasonable.

Your actions are rude and you better believe I will raise this to your management.

It is absolutely possible for your developers to add a true DMZ to this hardware despite your all caps rant that it is not. You are wrong and this makes your posting and attitude all the more revolting.

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #10 on: November 11, 2008, 04:13:27 PM »

> "All my friends are doing it" confirms and supports the fact that it is a home router and not some freak attempt by D-Link to mislead the consumer. But it seems that you would like to see this pro feature also on home routers?
>
> It's a fact that Real DMZ on home routers is 99% never a feature.
> Thus I doubt your disqualification about D-Link. I guess D-link is not claiming anywhere that their home routers (how the DIR655 is advertised) feature the professional DMZ features you mention, they offer a different line of products for that purpose (professional and secured environments). Unless I've missed the latest edition of the "Bible on Required Specs and Morals for Home routers" of course.  ???
>
> Apart from that theoretical morals and values discussion, could you provide an example of D-Link misrepresenting this feature to the consumer?
>
> Just a question: Pounce is a.k.a. Audituner?

I'm not sure why anyone on this board who owns this router would argue a defense for not wanting a true DMZ. The reactions I am getting here are bizarre. I don't know the "culture" on this board but it sure doesn't seem professional or customer focused.

What's an Audituner?

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #11 on: November 11, 2008, 04:21:45 PM »

> I'm not sure why anyone on this board who owns this router would argue a defense for not wanting a true DMZ. The reactions I am getting here are bizarre. I don't know the "culture" on this board but it sure doesn't seem professional or customer focused.
>
> What's an Audituner?

If I wanted a true DMZ I wouldn't have bought the D-Link. If I wanted true bandwidth throttling I would not have bought the D-Link. "Everything is possible" is just a very easy answer to all global issues.
You seem to be taking the discussion towards the redefinition of 'home routers' and their features. And as a simple user trying to help other users out, I think this forum might not be the right place for that subject. If people want professional DMZ and features they need to buy a different product. If you want to win (or even race) the Formula 1 in Monaco you don't line up a Fiat 500...but in daily use the Fiat will do fine, or do you also request FIAT to rebuild the model to enter the GP?

PS: You still haven't answered my question where/how D-Link is misleading its customers.
« Last Edit: November 11, 2008, 04:34:15 PM by EddieZ »
DIR-655 H/W: A2 FW: 1.33

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #12 on: November 11, 2008, 04:33:37 PM »


> Well, you seem to be taking the discussion towards the redefinition of 'home routers' and their features. And as a simple user trying to help other users out, I think this forum might not be the right place for that subject. If people want professional DMZ and features they need to buy a different product. If you want to win (or even race) the Formula 1 in Monaco you don't line up a Fiat 500...but in daily use the Fiat will do fine.
>
> PS: You still haven't answered my question where/how D-Link is misleading its customers.

You know, I'm still having a hard time understanding why you don't think it's reasonable that a customer should be able to ask for an enhancement request so that a feature could be added to a product. I'm puzzled. You are not helping really. You just seem to be stirring the pot, honestly.

Where did I use the term "misleading"?

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #13 on: November 11, 2008, 04:41:13 PM »

> You know, I'm still having a hard time understanding why you don't think it's reasonable that a customer should be able to ask for an enhancement request so that a feature could be added to a product. I'm puzzled. You are not helping really. You just seem to be stirring the pot, honestly.
>
> Where did I use the term "misleading"?

You've already seen the answer from D-Link: True DMZ-> other product line ("You purchased the wrong product for your purposes"). Apparently you don't seem happy with the answer (you changed one of your posts in which you accused Dlink by the way) and keep pounding on adding a pro feature to a SOHO product. So who's stirring the pot here?
« Last Edit: November 11, 2008, 04:44:15 PM by EddieZ »
DIR-655 H/W: A2 FW: 1.33

davevt31

  • Level 9 Member
  • ****
  • Posts: 1601
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #14 on: November 11, 2008, 04:45:48 PM »

You asked a question and were told no to the question. You didn't like that answer and proceeded with more ranting. It's very simple, this router won't ever do what you want it to do, it's not meant to. Take yours back to the store or put it on Ebay and buy yourself the exact piece of equipment that you want. Just be prepared to spend a lot of money for what you want.