Scenario

You have a dual-router setup where a ZTE (Airtel) router is connected to the internet, and a TP-Link router is connected behind it. The TP-Link router manages an internal network where an application runs on a device with IP `192.168.50.102` on port `40000`. The goal is to access this application from the public internet securely.
Network Layout

- ZTE Router (Airtel):
  - WAN IP: Public IP assigned by ISP
  - LAN IP: `192.168.100.1`
  - Connected to the TP-Link router
- TP-Link Router:
  - WAN IP: `192.168.100.12` (assigned by ZTE router)
  - LAN IP: `192.168.50.1`
  - Manages the internal network with devices in the `192.168.50.x` range
- Application Server:
  - IP: `192.168.50.102`
  - Port: `40000`
Objective

To configure the network so that external traffic can access the application running on `192.168.50.102:40000` using the public IP address.
Step-by-Step Configuration

Step 1: Configure DMZ on the ZTE (Airtel) Router

- Log in to the ZTE Router:
  - Open a web browser.
  - Enter the ZTE router’s IP address (`192.168.100.1`).
  - Enter the username and password to access the settings.
- Navigate to DMZ Settings:
  - Go to Advanced > NAT > DMZ.
- Enable DMZ:
  - Enable the DMZ option.
  - Set the DMZ Host IP address to the TP-Link router’s WAN IP, which is `192.168.100.12`.
  - Save the settings.

Step 2: Configure Port Forwarding on the TP-Link Router

- Log in to the TP-Link Router:
  - Open a web browser.
  - Enter the TP-Link router’s IP address (`192.168.50.1`).
  - Enter the username and password to log in.
- Navigate to Port Forwarding:
  - Go to Advanced > NAT Forwarding > Virtual Servers.
- Add a New Port Forwarding Rule:
  - Click Add or Create New.
  - Service Port: `40000`
  - Internal IP: `192.168.50.102`
  - Internal Port: `40000`
  - Protocol: `TCP` (or `TCP/UDP` if the application uses both protocols)
  - Status: Enable
  - Click Save.
Detailed Configuration Tables

DMZ Configuration on ZTE Router

| Field | Value |
|---|---|
| Enable DMZ | Yes |
| DMZ Host IP Address | 192.168.100.12 |

Port Forwarding Rule on TP-Link Router

| Field | Value |
|---|---|
| Name | webservice |
| Protocol | TCP |
| External Port | 40000 |
| Internal IP | 192.168.50.102 |
| Internal Port | 40000 |
| Status | Enable |
Explanation for Network Professionals

DMZ Configuration on ZTE Router:

- Purpose: The DMZ setting forwards all unsolicited incoming traffic from the internet to the TP-Link router’s WAN IP (`192.168.100.12`). This simplifies the configuration by centralizing external traffic handling on the TP-Link router.
- Security Consideration: This exposes every port on the TP-Link router’s WAN interface to the internet, so make sure the TP-Link router’s remote (WAN-side) management is disabled. The internal network itself stays isolated from direct exposure, because only the traffic the TP-Link router explicitly forwards can reach it.

Port Forwarding on TP-Link Router:

- Specific Forwarding: The port forwarding rule on the TP-Link router ensures that only traffic on port `40000` is directed to the internal device `192.168.50.102`, making the application accessible via the public IP.
- Isolated Configuration: This maintains the internal network’s integrity, as only the necessary port is opened and forwarded, reducing the risk of unauthorized access.
Testing the Configuration

- Check WAN Configuration on TP-Link Router:
  - Ensure the WAN IP is correctly set to `192.168.100.12`.
- Verify and Test:
  - Use an external device to access the application, for example a phone on mobile data; testing from inside the LAN may fail if either router does not support NAT loopback, even when the configuration is correct.
  - Open a web browser and enter `http://[Your Public IP]:40000`.
  - Ensure the application is accessible and functions correctly.
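The browser test above only says whether the whole chain works. When it fails, the useful question is which hop broke: the application itself, the TP-Link virtual-server rule, or the ZTE DMZ setting. The following script is an added example written for this article, not configuration or code from either router vendor. It performs a plain TCP connect against each hop and attributes a failure to the first one that does not answer; it also lists common management ports that answer on the TP-Link WAN address, which should be none once that router is the DMZ host. The public IP `203.0.113.10` is a placeholder (TEST-NET-3) to be replaced with the ISP-assigned address, and the `ADMIN_PORTS` list, `diagnose()` and `exposed_admin_ports()` are this example's own assumptions, not settings from the page.

```python
"""Hop-by-hop reachability test for the ZTE DMZ -> TP-Link virtual-server chain.

Added example, not part of the original article. Each hop is tested with a
plain TCP handshake so a failure can be attributed to the right device.
"""
import socket
from typing import Dict, List, Tuple

# Addresses from the article. PUBLIC is a constructed placeholder (TEST-NET-3):
# replace it with the address the ISP assigned to the ZTE router's WAN side.
APP_LAN: Tuple[str, int] = ("192.168.50.102", 40000)
TPLINK_WAN: Tuple[str, int] = ("192.168.100.12", 40000)
PUBLIC: Tuple[str, int] = ("203.0.113.10", 40000)

# Assumed list of common management ports. None of them should answer on the
# TP-Link WAN address once that router is the ZTE DMZ host.
ADMIN_PORTS: Tuple[int, ...] = (22, 23, 80, 443)


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True when a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, host unreachable, or timed out
        return False


def diagnose(results: Dict[str, bool]) -> str:
    """Attribute a failure to the first broken hop.

    Keys: 'lan' (direct to the server, from the 192.168.50.x LAN),
    'tplink_wan' (TP-Link virtual server, tested from the 192.168.100.x
    segment) and 'public' (ZTE DMZ, tested from outside, e.g. mobile data).
    """
    if not results.get("lan", False):
        return "application not listening on 192.168.50.102:40000, or its host firewall blocks it"
    if not results.get("tplink_wan", False):
        return "TP-Link virtual-server rule is not forwarding 40000 to 192.168.50.102"
    if not results.get("public", False):
        return "ZTE DMZ host is not 192.168.100.12, or the ISP blocks inbound traffic (CGNAT)"
    return "chain OK: public IP -> ZTE DMZ -> TP-Link forward -> application"


def exposed_admin_ports(host: str = TPLINK_WAN[0], timeout: float = 2.0) -> List[int]:
    """Management ports that accept connections on the TP-Link WAN address.

    Run from a device on the ZTE LAN (192.168.100.x). Anything returned here
    is reachable from the internet through the DMZ and should be disabled.
    """
    return [p for p in ADMIN_PORTS if check_tcp(host, p, timeout)]


def run_checks(timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every hop from the current vantage point and return raw results.

    Only the hops reachable from where the script runs are meaningful; a
    result from the wrong segment reads as 'unreachable'.
    """
    return {
        "lan": check_tcp(*APP_LAN, timeout=timeout),
        "tplink_wan": check_tcp(*TPLINK_WAN, timeout=timeout),
        "public": check_tcp(*PUBLIC, timeout=timeout),
    }


def self_test() -> Dict[str, bool]:
    """Offline sanity check of check_tcp: a loopback listener must be detected
    as open, and the same port must read as closed once the listener is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    open_seen = check_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_seen = not check_tcp("127.0.0.1", port, timeout=1.0)
    return {"open_detected": open_seen, "closed_detected": closed_seen}


if __name__ == "__main__":
    print("self-test:", self_test())
    results = run_checks()
    for hop, ok in results.items():
        print(f"{hop:11s} {'reachable' if ok else 'unreachable'}")
    print(diagnose(results))
    print("admin ports answering on TP-Link WAN:", exposed_admin_ports() or "none")
```

Run it once from a host on the `192.168.50.x` LAN (meaningful result: `lan`), once from a host on the `192.168.100.x` segment between the routers (`tplink_wan` and the admin-port check), and once from outside (`public`). A `tplink_wan` success with a `public` failure points at the ZTE DMZ setting or the ISP; a `lan` success with a `tplink_wan` failure points at the virtual-server rule.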
Conclusion

By configuring the ZTE router to use DMZ and forwarding all traffic to the TP-Link router, and then setting up specific port forwarding rules on the TP-Link router, you achieve a secure and streamlined network configuration. This allows external access to the application running on `192.168.50.102:40000` using the public IP while maintaining internal network security and integrity.
This setup is advantageous because it:
- Centralizes traffic management to the TP-Link router.
- Provides flexibility in handling multiple services and ports.
- Maintains security by limiting direct exposure of the internal network.
By following these steps, network professionals can ensure reliable and secure access to internal applications from the public internet.
Benefits of the Configuration

- Centralized Traffic Management:
  - DMZ on ZTE Router: By placing the TP-Link router in the DMZ of the ZTE router, all inbound traffic from the internet is directed to the TP-Link router. This simplifies network management and ensures that the TP-Link router handles all external traffic, allowing for more granular control over security settings and traffic management.
- Isolated Internal Network:
  - Subnet Segmentation: The TP-Link router manages a separate internal network (`192.168.50.x`). This segmentation ensures that devices on the internal network are isolated from direct exposure to the internet. Only necessary ports are forwarded, reducing the attack surface.
- Granular Port Forwarding:
  - Specific Port Forwarding: On the TP-Link router, only the traffic for the application port (`40000`) is forwarded to the internal server (`192.168.50.102`). This limits access to the specific service running on that port, preventing unnecessary exposure of other services and devices on the network.
- Improved Security:
  - Layered Defense: The dual-router setup creates multiple layers of defense. An attacker would need to breach the ZTE router’s DMZ configuration and then the TP-Link router’s port forwarding rules to reach the application. This layered security approach complicates potential attacks and provides more opportunities to detect and mitigate threats.
- Control and Monitoring:
  - Logging and Monitoring: With the TP-Link router handling port forwarding, it’s possible to enable logging and monitoring on the router. This allows network administrators to track incoming traffic, identify potential threats, and respond to suspicious activity in real time.
- Reduced Attack Surface:
  - Selective Exposure: By forwarding only the required port (`40000`), the configuration minimizes the number of open ports exposed to the internet. This selective exposure reduces the opportunities for attackers to exploit vulnerabilities.
- Enhanced Network Management:
  - Simplified Configuration Changes: Any changes in the internal network or application setup only require updates on the TP-Link router. The ZTE router’s DMZ configuration remains unchanged, simplifying network management and reducing the risk of configuration errors.
Security Protections Provided

- Mitigation of Direct Attacks:
  - DMZ Isolation: Placing the TP-Link router in the DMZ ensures that direct attacks on the public IP only reach the TP-Link router, not the internal devices directly. This adds a protective layer, preventing direct access to the application server.
- Controlled Access:
  - Port Forwarding Rules: By explicitly defining port forwarding rules, only traffic intended for the specific application port is allowed. This reduces the likelihood of unauthorized access to other services or ports on the internal network.
- Detection and Response:
  - Monitoring Capabilities: The TP-Link router can be configured to log incoming connections and potential threats. Administrators can use these logs to detect and respond to suspicious activities quickly.
- Network Segmentation:
  - Separate Subnets: The internal network’s segmentation from the DMZ ensures that even if an attacker breaches the TP-Link router, they still need to navigate through another layer of network protection to reach other internal devices.
- Firewall Rules:
  - Enhanced Security Policies: Both the ZTE and TP-Link routers can have firewall rules configured to further restrict and control traffic, adding another layer of defense against potential threats.
- Limiting Exposure:
  - Minimized Open Ports: By forwarding only the necessary port, the configuration minimizes the number of open ports exposed to the internet, making it harder for attackers to find entry points.
Conclusion
This dual-router configuration with DMZ and specific port forwarding enhances the security of your application by centralizing traffic management, isolating the internal network, and providing granular control over network access. It creates a layered defense mechanism, reducing the attack surface, and allowing for better monitoring and response to potential threats. By following this setup, you can significantly improve the protection of your application from unauthorized access and cyber threats.