1

Let's say I have three networks in my topology: Internal network, DMZ, Internet. And my DMZ area contains a lot of servers, but let's say in this example that it contains only a DNS server and a web server.

So, should I use public IP addresses or private addresses for the servers that are on the DMZ network?

If the answer is public IP addresses: isn't it a little bit impractical? (because I guess that this way, each server on the DMZ should have a public IP)

If the answer is private IP addresses: how could it work, knowing that the DNS server will answer with private addresses for the people that request the IP of the web server?

I don't know if my question is clear, if it isn't, tell me in the comments and I will try to make it better.

Edit: Forgive me if I am saying some nonsense; it is the first time that I configure a DMZ, and I'm confused.

Sidahmed

4 Answers

4

There's more than one way to go:

Using public IP addresses

Everything in your DMZ has a public address. Everything that you don't want to be accessible from the internet does not belong in your DMZ and will then get a private address.

Using private IP addresses

Everything in your DMZ has a private address. For every system that needs to be accessible from the internet you have a public IP with a corresponding NAT rule on your firewall.

Using this variant you'll have a hard time making sure your internal systems get the same connectivity to your DMZ as external systems. You'll either need to make your internal systems talk to the public addresses (and NAT these requests, too) or you'll need a so-called split-DNS setup where your DNS zone looks different depending on who is asking (i.e. public IP returned for external queries, private IP returned for internal queries).

I personally prefer the first method and just go with public addresses as it makes management much less complex.

Andreas Rogge
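The split-DNS view selection described in the private-address variant above, as an added example (not code from the answer): the external view is derived from the internal zone plus the firewall's 1:1 NAT table so the two views cannot drift apart, and a check confirms external queriers never receive an RFC 1918 address. The zone names, the 192.0.2.0/24 public block, the 10.0.1.0/24 DMZ and the NAT mappings are constructed assumptions.

```python
import ipaddress

# Constructed 1:1 NAT table on the firewall: DMZ private address -> public address.
NAT_TABLE = {
    "10.0.1.10": "192.0.2.10",   # web server
    "10.0.1.53": "192.0.2.53",   # DNS server
}

# Constructed authoritative zone as seen from the inside (private DMZ addresses).
INTERNAL_ZONE = {
    "www.example.com.": "10.0.1.10",
    "ns1.example.com.": "10.0.1.53",
    "intranet.example.com.": "10.0.0.20",  # internal-only host, no NAT mapping
}

# Queries from these prefixes (internal LAN and DMZ) get the internal view.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 1918 space, listed explicitly (ipaddress.is_private also covers 192.0.2.0/24).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def external_zone(internal_zone, nat_table):
    """Build the external view from the internal zone and the NAT table.
    Names with no public mapping are omitted instead of leaking private addresses."""
    return {name: nat_table[addr] for name, addr in internal_zone.items() if addr in nat_table}


def select_view(client_ip):
    """Pick the view by the querying client's source address."""
    ip = ipaddress.ip_address(client_ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def resolve(name, client_ip):
    """Return the A record for `name` appropriate to the client, or None if absent in that view."""
    if select_view(client_ip) == "internal":
        return INTERNAL_ZONE.get(name)
    return external_zone(INTERNAL_ZONE, NAT_TABLE).get(name)


def leaks_private_address(name, client_ip):
    """True if an external querier would be handed an RFC 1918 address (a misconfiguration)."""
    answer = resolve(name, client_ip)
    if answer is None or select_view(client_ip) != "external":
        return False
    return any(ipaddress.ip_address(answer) in net for net in RFC1918)
```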
0

Not sure of the age of this thread, but there are a couple of things you could do if the router will support them:

  1. Change VLANs (my small business/home router allows assigning ports and VLANs). Setting ports to separate VLANs may separate your traffic if set up right.

  2. With my router I was able to go under Access Control >> Access Rules and set a rule with:
     • SOURCE:
     • ALL SERVICES
     • Interface
     • destination:
     • date (sun-mon-tue--etc.)
     • time 0.00-24.00

Then tested via ping.

Extra configs: turn on a separate DMZ with a different IP range, static IP for the DMZ (or assign an IP range that gives 1 IP out), etc.

Before setting the access rule, the DMZ IP could ping all IPs on the personal network and 8.8.8.8 (Google). After the settings: it can ping 8.8.8.8, the DMZ IP host, the private LAN IP (router-only IP) and NOT my NAS, other routers, etc.

james
0

Use private addressing, not because of technicalities, but because it's cheaper.

Don't do split-DNS.

Instead boldly put your network devices to action by configuring what people call a hairpin NAT.

kubanczyk
-2

You don't want internal systems connecting to the DMZ. That's the purpose of the DMZ: to host something on the internet but keep it separate from the rest of your network in case something gets compromised. So using private IP addresses is fine. In almost all cases it's better, because then you don't have to bridge interfaces on your firewall.