DMZ & Secure zones in home LAN

By Odyssey
May 18, 2010
  1. I have the following groups of devices on my LAN:

    1) WiFi router, TIVO, Aluratek Internet Radio

    2) 1 Linux and 2 Windows XP computers

    3) Apple Mac Mini (used solely for photos and online banking)

    I want Group 1 to be in a DMZ, isolated from Groups 2 & 3, and want to be able to use the Apple as the only device online when doing banking.

    I am thinking of this setup:

    Switch #1 to the WAN and connected to:

    - Router #1 for Group 1 (this is the wireless router)
    - Router #2 for Groups 2 & 3 (this router is wired only)

    Behind Router #2:

    - using one port for Switch #2 for all of the Group 2 devices
    - using one port for the Apple Mac Mini

    The plan is that Group 1 should not have access to Groups 2 & 3 at any time, AND any time banking is to be done:

    - Router #1 is unplugged from Switch #1 AND
    - Switch #2 is unplugged from Router #2

    leaving only the Apple online and only requiring unplugging of two ethernet cables.

    This may seem like equipment overkill, but I have all the switches and routers that are needed, most of which are unused at the moment.

    I don't understand enough about switches and routers to know whether one port of either device is effectively isolated from the other ports of the same device. So my question is how to improve/simplify the setup without compromising the objectives, or is this perhaps the minimum configuration to meet the objectives?
  2. jobeard


    A router *MUST* be the first device attached to the modem; a switch or router can then be attached to the first router.

    A DMZ is an "open" system which sees everything, and therefore is only protected by its firewall.
    For the normal home user, the DMZ is not the first (or best) choice.

    modem====router#1====router#2 - - - up to four wired devices
                |           |
                |           +----- wifi connections :: group 1 devices -- up to ten connections
             group 2
            +    +    +
            (you can place 3 devices here w/o a switch)
    The router#1 connection to the modem will have a public IP provided by your ISP.
    You set the LAN side IP address for the router (suggest
    and the DHCP range for all the systems that attach to it (eg: 2-9)

    router#2 will have its own ip address
    suggest (notice the 3rd digit is the sequence of devices from the modem
    which clarifies the layout.

    the WAN connection on router#2 can be static and must be at least +1 to the DHCP range
    You manage the WAN side configuration manually;
    set the gateway = router#1 address (
    set the mask
    set the DNS addresses to the same (

    the DHCP range for router#2 can be large, but suggest not;
    restrict the DHCP range to one more than you have devices AND
    use the MAC filtering to ensure that ONLY your devices can make a connection
    (this is another control and encryption is yet another).

    Let router#2 manage the LAN side.

    As an extra step, set all firewalls to deny access from all

    Conditions from the above:
    all devices can have Internet Access
    group#2 devices can not see or share resources from group#1

    no wiring or power-off conditions are required to isolate one group from the other.
  3. jobeard


    oops; I got it backwards :( it should be
    modem====router#1====router#2
                |           |
                |           +---- group 2 --- wired connections
                +----- wifi connections :: group 1 devices -- up to ten connections
    Not only can you avoid fooling with the firewalls in the systems, but systems in group1
    can not even ping systems on group2; there's no routing unless you force one.
    Each router has a default route causing traffic from the LAN side to move to the WAN side,
    and thus a system on 192.168.1.x can NEVER access 192.168.2.x

    The isolated systems are always on the last router in the chain :wave:
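The chained-router layout in the two diagrams above can be checked without touching any hardware. The following is an added example, not code from the thread or from either poster: a small Python model of the two routers, each with only a directly connected LAN and a default route to its WAN side, and with stateful NAT on the WAN port. The addresses (192.168.1.0/24 for router#1's LAN and the WiFi group 1 devices, 192.168.2.0/24 for router#2's wired group 2 devices, 192.168.1.10 as router#2's static WAN address, and the documentation addresses 203.0.113.7 and 198.51.100.9 standing in for the ISP-assigned public address and an Internet host) are constructed assumptions, since the posts leave their "suggest (" fields blank. Tracing a few packets through it shows why an unsolicited packet from 192.168.1.x never reaches 192.168.2.x (router#1 forwards it to the ISP, where private destinations are not routable, and router#2's WAN port drops anything without NAT state), and also the caveat a practitioner wants: the isolation is one-way. A group 2 host on the inner router can still initiate connections to group 1 devices on the outer LAN unless router#2's own firewall is set to deny that, which is exactly why the banking machine belongs on the last router in the chain.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan following jobeard's corrected diagram. The concrete
# addresses are assumptions of this example: the post leaves its "suggest (" fields blank.
GROUP1_NET = ip_network("192.168.1.0/24")  # router#1 LAN: WiFi group 1, plus router#2's WAN port
GROUP2_NET = ip_network("192.168.2.0/24")  # router#2 LAN: the wired group 2 devices
R2_WAN = ip_address("192.168.1.10")        # router#2 WAN, static, above router#1's DHCP range (2-9)
R1_PUBLIC = ip_address("203.0.113.7")      # stand-in for the ISP-assigned public address
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private address space, which no ISP forwards."""
    return any(addr in net for net in RFC1918)


class NatRouter:
    """Minimal stateful NAT: LAN->WAN traffic is translated and remembered,
    WAN->LAN traffic is accepted only when it matches a remembered flow."""

    def __init__(self, wan_addr):
        self.wan_addr = wan_addr
        self.conntrack = {}  # remote peer -> inside host that talked to it

    def forward_out(self, src, dst):
        self.conntrack[dst] = src
        return self.wan_addr  # the packet leaves with the WAN address as its source

    def forward_in(self, src, dst):
        """Inside host for a packet arriving on the WAN port, or None if unsolicited."""
        if dst != self.wan_addr:
            return None
        return self.conntrack.get(src)


ROUTER1 = NatRouter(R1_PUBLIC)
ROUTER2 = NatRouter(R2_WAN)


def segment_of(addr):
    """Broadcast domain an address belongs to."""
    if addr in GROUP2_NET:
        return "group2"
    if addr in GROUP1_NET:
        return "group1"
    return "unroutable" if is_rfc1918(addr) else "internet"


def send(src, dst):
    """Trace one unsolicited packet from src to dst. Returns (delivered, hops)."""
    src, dst = ip_address(src), ip_address(dst)
    hops = []
    seg = segment_of(src)
    if seg == "group2":
        if dst in GROUP2_NET:
            return True, ["on-link in 192.168.2.0/24"]
        src = ROUTER2.forward_out(src, dst)  # router#2 knows only its LAN and a default route
        hops.append("router#2 NAT -> 192.168.1.0/24")
        seg = "group1"
    if seg == "group1":
        if dst == R2_WAN:  # knocking on router#2's WAN port from the outer LAN
            inside = ROUTER2.forward_in(src, dst)
            if inside is None:
                return False, hops + ["router#2 WAN: dropped, no NAT state"]
            return True, hops + ["router#2 un-NAT -> %s" % inside]
        if dst in GROUP1_NET:
            return True, hops + ["on-link in 192.168.1.0/24"]
        src = ROUTER1.forward_out(src, dst)  # router#1 likewise: LAN route or default to the ISP
        hops.append("router#1 default route -> ISP")
        seg = "internet"
    if seg == "internet":
        if dst == R1_PUBLIC:
            return reply(str(src), str(dst), hops)  # inbound to router#1's WAN: needs NAT state
        if is_rfc1918(dst):
            return False, hops + ["ISP: private destination is not routable"]
        return True, hops + ["delivered on the Internet"]
    return False, ["source is not part of this topology"]


def reply(src, dst, hops=None):
    """Trace the answer to a traced packet: the peer at src answers the address it saw."""
    src, dst = ip_address(src), ip_address(dst)
    hops = list(hops or [])
    for router, label in ((ROUTER1, "router#1"), (ROUTER2, "router#2")):
        if dst == router.wan_addr:
            dst = router.forward_in(src, dst)
            if dst is None:
                return False, hops + [label + " WAN: dropped, no NAT state"]
            hops.append("%s un-NAT -> %s" % (label, dst))
    return True, hops + ["delivered to %s" % dst]


if __name__ == "__main__":
    for s, d in (("192.168.1.20", "192.168.2.5"),   # group 1 -> group 2: never arrives
                 ("192.168.2.5", "198.51.100.9"),   # group 2 -> Internet host (constructed address)
                 ("192.168.2.5", "192.168.1.20")):  # group 2 -> group 1: allowed unless router#2 filters it
        print(s, "->", d, send(s, d))
```

The model ignores ports and timeouts, so one remembered peer is enough to admit a reply; real routers track full 5-tuples. The third trace is the one to watch: it succeeds, and its reply comes back through router#2's NAT state, which is the behaviour that keeps the outer WiFi segment (group 1) unable to start anything toward the inner segment while leaving the inner segment free to talk outward.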