How can I DMZ 2 routers at the same time under 1 router?

2

I have my ISP modem which is connected to Router A. I have 2 more routers: Router B and Router C. Router A is set as DMZ Host for Router B.

How can I set both Router B and Router C to get connections from all ports and then, from each router individually, allow connections to its own computers?

TermoZour

Posted 2018-01-21T10:51:56.330

Reputation: 267

What do you even need 3 routers for? Wouldn't A be enough? – user1686 – 2018-01-21T11:48:56.560

Are you truly accepting unsolicited inbound connections on so many ports that you want to "DMZ everything" instead of using port forwarding rules? – I say Reinstate Monica – 2018-01-22T04:18:34.987

They are still blocked on router B. It was just easier to DMZ 1 router, and do the port forwarding from that specific router instead of port forwarding all the ports I need twice. – TermoZour – 2018-01-22T08:07:04.787

Answers

5

You cannot, because it's technically impossible.

Routers are not smart enough to identify when incoming traffic for a port has a special destination on your LAN. So in order for the router to know where traffic needs to go, you forward incoming ports to a destination.

DMZ basically says: forward all ports to one IP. You can't just DMZ 2 ports and expect the router to copy the traffic to both routers.

The first device that would respond with an ok gets the connection and the traffic would never reach the other device because of it.

What you want to do is create a range of ports and dedicate that to one of the routers, and create a separate range and dedicate that to the other router.

For example all ports from 10000-11000 are for router 1 and ports 12000 to 13000 are for router 2. DMZ is not used at all.

If this is not acceptable, put all networks on the first router and make it do the port forwarding as required.

LPChip

Posted 2018-01-21T10:51:56.330

Reputation: 42 190
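The port-range split described in the answer, as an added example that is not part of the original answer: a script for a Linux-based Router A that prints the iptables rules forwarding 10000-11000 to Router B and 12000-13000 to Router C, with no DMZ host at all. The interface name and the LAN-side addresses of Router B and Router C are assumptions for illustration; the rules are printed rather than executed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original answer): replace a single DMZ host on
# Router A with per-router port-range forwarding. Interface name and the
# downstream router addresses are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"
ROUTER_B="${ROUTER_B:-192.168.1.2}"   # LAN-side address of Router B (assumed)
ROUTER_C="${ROUTER_C:-192.168.1.3}"   # LAN-side address of Router C (assumed)

# Print the iptables commands that forward one inclusive port range
# (TCP and UDP) arriving on the WAN interface to one downstream router.
# The DNAT rule rewrites the destination address but keeps the original
# port, so Router B or C can still forward specific ports to its own hosts.
forward_range() {
  dest="$1"; first="$2"; last="$3"
  for proto in tcp udp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s:%s -j DNAT --to-destination %s\n' \
      "$WAN_IF" "$proto" "$first" "$last" "$dest"
    # After DNAT the packet's destination is the downstream router, so the
    # FORWARD rule matches on that address and only admits new flows in range.
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$WAN_IF" "$proto" "$dest" "$first" "$last"
  done
}

# Given an inbound WAN port, report which router receives it, mirroring the
# non-overlapping ranges in the answer: 10000-11000 -> B, 12000-13000 -> C.
# Anything outside both ranges hits the default-drop policy.
route_for_port() {
  p="$1"
  if [ "$p" -ge 10000 ] && [ "$p" -le 11000 ]; then echo "B"
  elif [ "$p" -ge 12000 ] && [ "$p" -le 13000 ]; then echo "C"
  else echo "drop"; fi
}

# Full rule set: default-drop forwarding, established flows allowed back in,
# then the two dedicated ranges. No DMZ rule anywhere.
ruleset() {
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  forward_range "$ROUTER_B" 10000 11000
  forward_range "$ROUTER_C" 12000 13000
}

ruleset
```

Pipe the output into `sh` on Router A once the addresses are correct. Keep the two ranges disjoint: if they overlapped, the first matching PREROUTING rule would win and the second router would never see that port, which is the same single-destination behaviour the answer describes for DMZ.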

I was planning on using different ports anyway. How would you select the range of ports for specific routers? – TermoZour – 2018-01-21T11:57:13.093

Normally you open no ports. You only open a port when necessary, and then, because of the demand, you know what ports you need to open. Opening a select range of ports to the 2nd and 3rd router means you only need to modify the port forwarding rules on those routers rather than on the entire path (modem to router 1 to router 2). Any port that is not in use can be forwarded to a different router. Do note, some devices require a specific port to be open from the WAN (internet) side. In those cases, you really need to set it up everywhere. – LPChip – 2018-01-21T12:04:06.667

This is only true of dumb consumer routers. If you're using any kind of full routing OS (such as pfSense or IPFW), a DMZ is a physically isolated network segment, not a single host on the main network. – Austin Hemmelgarn – 2018-01-21T16:10:58.733

@AustinHemmelgarn I work a lot with Mikrotik routers, which I consider to be enterprise networks, and even there, I cannot set DMZ to more than one ip address or network interface. – LPChip – 2018-01-21T20:53:17.207

@LPChip If there's an option labeled 'DMZ', it's usually a single host, because that's the only reason you need some special option for it to begin with. When done as an actual 'zone', a DMZ segment is no different from any other independent network segment. pfSense for example has no special 'DMZ' option, because they expect you to use a physically isolated network (because it's far more secure to do so) and treat it like any other internal network segment. – Austin Hemmelgarn – 2018-01-22T20:18:56.247

@AustinHemmelgarn yeah, I thought so. Which means your comment does not actually address the question of the OP. OP asks: can you have 2 DMZ, no you cannot. – LPChip – 2018-01-22T20:50:32.470

@LPChip The OP's question is dependent on exact interpretation of terminology though. If DMZ refers solely to the single-host routing option you discuss, then you are correct and you cannot have 2 DMZ hosts. If instead it follows standard industry practice and refers to an isolated network segment which uses different routing rules than the main internal network, then the answer is yes, you can have two DMZ zones. – Austin Hemmelgarn – 2018-01-23T14:04:46.687