Q&A: DMZ In Consumer Routers

My Linksys router has the option to set up a DMZ. Is there anything I should know before making use of it?

Excerpt from Wikipedia

The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

A DMZ is commonly used to offer Internet-facing services like HTTP and FTP, while at the same time isolating the exposed host from the Local Area Network. Although some consumer routers advertise the capability to offer a DMZ, what they call a DMZ is far from the truth.

The use of the word DMZ here is not accurate; it is not a DMZ at all. Enabling the DMZ feature on a Linksys device actually decreases the security of the LAN by creating a large security hole. This is because consumer routers misuse the word DMZ for what is actually known as One to One NAT (1:1), meaning all ports will be forwarded from the WAN to a specific IP inside the LAN. Unlike port forwarding, which only forwards a specific port from the WAN, 1:1 NAT forwards all ports to the specified IP address while doing nothing to isolate the exposed host from the rest of the LAN.

Port forwarding is a safer option than One to One NAT because it reduces the attack surface to the specified ports. If you still want a DMZ, consider a better solution such as pfSense or the Cisco ASA series.
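
The difference between the three setups, written as an nftables ruleset for a Linux-based router (an added example, not taken from the original post or from any vendor's firmware). The interface names `wan0`, `lan0` and `dmz0`, the addresses, and the choice of HTTPS as the published service are all assumptions made for illustration.

```nftables
# Constructed example. Assumed layout:
#   lan0 = 192.168.1.0/24 (trusted LAN), dmz0 = 10.0.0.0/24 (separate segment),
#   wan0 = Internet uplink, 10.0.0.10 = the exposed web server.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Consumer-router "DMZ" (1:1 NAT): every inbound port and protocol is
        # rewritten to a single host that lives on the LAN itself.
        # Shown for comparison only, left commented out.
        # iifname "wan0" dnat to 192.168.1.50

        # Port forwarding: only the published service is translated.
        iifname "wan0" tcp dport 443 dnat to 10.0.0.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # WAN may reach only the forwarded service on the DMZ host.
        iifname "wan0" oifname "dmz0" ip daddr 10.0.0.10 tcp dport 443 accept

        # LAN may initiate connections to the Internet and to the DMZ.
        iifname "lan0" oifname { "wan0", "dmz0" } accept

        # DMZ may initiate to the Internet, never to the LAN.
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan " drop
    }
}
```

The isolation comes from the `forward` chain together with the separate `dmz0` segment. With the commented-out 1:1 NAT rule, the exposed host shares the LAN segment, so on a router whose LAN ports are bridged its traffic to other LAN machines is switched locally and never passes through these rules.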