November 2, 2024

  • ZTE Router (Airtel):
    • WAN IP: Public IP assigned by ISP
    • LAN IP: 192.168.100.1
    • Connected to the TP-Link router
  • TP-Link Router:
    • WAN IP: 192.168.100.12 (assigned by ZTE router)
    • LAN IP: 192.168.50.1
    • Manages the internal network with devices in the 192.168.50.x range
  • Application Server:
    • IP: 192.168.50.102
    • Port: 40000

Scenario

You have a dual-router setup where a ZTE (Airtel) router is connected to the internet, and a TP-Link router is connected behind it. The TP-Link router manages an internal network where an application runs on a device with IP 192.168.50.102 on port 40000. The goal is to access this application from the public internet securely.

Network Layout

  • ZTE Router (Airtel):
    • WAN IP: Public IP assigned by ISP
    • LAN IP: 192.168.100.1
    • Connected to the TP-Link router
  • TP-Link Router:
    • WAN IP: 192.168.100.12 (assigned by ZTE router)
    • LAN IP: 192.168.50.1
    • Manages the internal network with devices in the 192.168.50.x range
  • Application Server:
    • IP: 192.168.50.102
    • Port: 40000

Objective

To configure the network so that external traffic can access the application running on 192.168.50.102:40000 using the public IP address.

Step-by-Step Configuration

Step 1: Configure DMZ on the ZTE (Airtel) Router

  1. Log in to the ZTE Router:
    • Open a web browser.
    • Enter the ZTE router’s IP address (192.168.100.1).
    • Enter the username and password to access the settings.
  2. Navigate to DMZ Settings:
    • Go to Advanced > NAT > DMZ.
  3. Enable DMZ:
    • Enable the DMZ option.
    • Set the DMZ Host IP address to the TP-Link router’s WAN IP, which is 192.168.100.12.
    • Save the settings.

Step 2: Configure Port Forwarding on the TP-Link Router

  1. Log in to the TP-Link Router:
    • Open a web browser.
    • Enter the TP-Link router’s IP address (192.168.50.1).
    • Enter the username and password to log in.
  2. Navigate to Port Forwarding:
    • Go to Advanced > NAT Forwarding > Virtual Servers.
  3. Add a New Port Forwarding Rule:
    • Click Add or Create New.
    • Service Port: 40000
    • Internal IP: 192.168.50.102
    • Internal Port: 40000
    • Protocol: TCP (or TCP/UDP if the application uses both protocols)
    • Status: Enable
    • Click Save.

Detailed Configuration Tables

DMZ Configuration on ZTE Router

Field Value
Enable DMZ Yes
DMZ Host IP Address 192.168.100.12

Port Forwarding Rule on TP-Link Router

Field Value
Name webservice
Protocol TCP
External Port 40000
Internal IP 192.168.50.102
Internal Port 40000
Status Enable

Explanation for Network Professional

DMZ Configuration on ZTE Router:

  • Purpose: The DMZ setting forwards all incoming traffic from the internet to the TP-Link router’s WAN IP (192.168.100.12). This simplifies the configuration by centralizing external traffic handling to the TP-Link router.
  • Security Consideration: While this exposes the TP-Link router to the internet, it maintains the internal network’s security by isolating it from direct exposure.

Port Forwarding on TP-Link Router:

  • Specific Forwarding: The port forwarding rule on the TP-Link router ensures that only traffic on port 40000 is directed to the internal device 192.168.50.102, making the application accessible via the public IP.
  • Isolated Configuration: This maintains the internal network’s integrity, as only the necessary ports are opened and forwarded, reducing the risk of unauthorized access.

Testing the Configuration

  1. Check WAN Configuration on TP-Link Router:
    • Ensure the WAN IP is correctly set to 192.168.100.12.
  2. Verify and Test:
    • Use an external device to access the application.
    • Open a web browser and enter http://[Your Public IP]:40000.
    • Ensure the application is accessible and functions correctly.

Conclusion

By configuring the ZTE router to use DMZ and forwarding all traffic to the TP-Link router, and then setting up specific port forwarding rules on the TP-Link router, you achieve a secure and streamlined network configuration. This allows external access to the application running on 192.168.50.102:40000 using the public IP while maintaining internal network security and integrity.

This setup is advantageous because it:

  • Centralizes traffic management to the TP-Link router.
  • Provides flexibility in handling multiple services and ports.
  • Maintains security by limiting direct exposure of the internal network.

By following these steps, network professionals can ensure reliable and secure access to internal applications from the public internet.

Benefits of the Configuration

  1. Centralized Traffic Management:
    • DMZ on ZTE Router: By placing the TP-Link router in the DMZ of the ZTE router, all inbound traffic from the internet is directed to the TP-Link router. This simplifies network management and ensures that the TP-Link router handles all external traffic, allowing for more granular control over security settings and traffic management.
  2. Isolated Internal Network:
    • Subnet Segmentation: The TP-Link router manages a separate internal network (192.168.50.x). This segmentation ensures that devices on the internal network are isolated from direct exposure to the internet. Only necessary ports are forwarded, reducing the attack surface.
  3. Granular Port Forwarding:
    • Specific Port Forwarding: On the TP-Link router, only the traffic for the application port (40000) is forwarded to the internal server (192.168.50.102). This limits access to the specific service running on that port, preventing unnecessary exposure of other services and devices on the network.
  4. Improved Security:
    • Layered Defense: The dual-router setup creates multiple layers of defense. An attacker would need to breach the ZTE router’s DMZ configuration and then the TP-Link router’s port forwarding rules to reach the application. This layered security approach complicates potential attacks and provides more opportunities to detect and mitigate threats.
  5. Control and Monitoring:
    • Logging and Monitoring: With the TP-Link router handling port forwarding, it’s possible to enable logging and monitoring on the router. This allows network administrators to track incoming traffic, identify potential threats, and respond to suspicious activity in real-time.
  6. Reduced Attack Surface:
    • Selective Exposure: By forwarding only the required port (40000), the configuration minimizes the number of open ports exposed to the internet. This selective exposure reduces the opportunities for attackers to exploit vulnerabilities.
  7. Enhanced Network Management:
    • Simplified Configuration Changes: Any changes in the internal network or application setup only require updates on the TP-Link router. The ZTE router’s DMZ configuration remains unchanged, simplifying network management and reducing the risk of configuration errors.

Security Protections Provided

  1. Mitigation of Direct Attacks:
    • DMZ Isolation: Placing the TP-Link router in the DMZ ensures that direct attacks on the public IP only reach the TP-Link router, not the internal devices directly. This adds a protective layer, preventing direct access to the application server.
  2. Controlled Access:
    • Port Forwarding Rules: By explicitly defining port forwarding rules, only traffic intended for the specific application port is allowed. This reduces the likelihood of unauthorized access to other services or ports on the internal network.
  3. Detection and Response:
    • Monitoring Capabilities: The TP-Link router can be configured to log incoming connections and potential threats. Administrators can use these logs to detect and respond to suspicious activities quickly.
  4. Network Segmentation:
    • Separate Subnets: The internal network’s segmentation from the DMZ ensures that even if an attacker breaches the TP-Link router, they still need to navigate through another layer of network protection to reach other internal devices.
  5. Firewall Rules:
    • Enhanced Security Policies: Both the ZTE and TP-Link routers can have firewall rules configured to further restrict and control traffic, adding another layer of defense against potential threats.
  6. Limiting Exposure:
    • Minimized Open Ports: By forwarding only the necessary port, the configuration minimizes the number of open ports exposed to the internet, making it harder for attackers to find entry points.

Conclusion

This dual-router configuration with DMZ and specific port forwarding enhances the security of your application by centralizing traffic management, isolating the internal network, and providing granular control over network access. It creates a layered defense mechanism, reducing the attack surface, and allowing for better monitoring and response to potential threats. By following this setup, you can significantly improve the protection of your application from unauthorized access and cyber threats.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Share via
Copy link
Powered by Social Snap