2

I have my ISP modem which is connected to Router A. I have 2 more routers: Router B and Router C. Router A is set as DMZ Host for Router B.

How can I set both Router B and Router C to get connections from all ports and then from each router individually allow connection to its own computers?

3
  • What do you even need 3 routers for? Wouldn't A be enough? Commented Jan 21, 2018 at 11:48
  • Are you truly accepting unsolicited inbound connections on so many ports that you want to "DMZ everything" instead of using port forwarding rules? Commented Jan 22, 2018 at 4:18
  • They are still blocked on router B. It was just easier to DMZ 1 router, and do the port forwarding from that specific router instead of port forwarding all the ports I need twice
    – TermoZour
    Commented Jan 22, 2018 at 8:07

1 Answer

5

You cannot, because it's technically impossible.

Routers are not smart enough to be able to identify when incoming traffic for a port has a special destination on your LAN. So in order for the router to know where traffic needs to go, you forward incoming ports to a destination.

DMZ basically says: forward all ports to one IP. You can't just DMZ 2 ports and expect the router to copy the traffic to both routers.

The first device that would respond with an ok gets the connection and the traffic would never reach the other device because of it.

What you want to do is create a range of ports and dedicate that to one of the routers, and create a separate range and dedicate that to the other router.

For example all ports from 10000-11000 are for router 1 and ports 12000 to 13000 are for router 2. DMZ is not used at all.

If this is not acceptable, put all networks on the first router and make it do the port forwarding as required.
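The port-range scheme described in this answer can be audited as a two-hop lookup. The following is an added example, not part of the original thread. It checks that the edge router's ranges do not overlap and lists which WAN ports actually reach a LAN host through both hops. Router names, LAN addresses and the single-port rules on the inner routers are constructed assumptions, and each hop is assumed to forward without changing the port number.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Forward:
    first: int    # first WAN-side port of the range
    last: int     # last WAN-side port of the range (inclusive)
    target: str   # next hop: a downstream router or a LAN host

def overlaps(rules):
    """Return pairs of rules whose port ranges intersect (ambiguous forwarding)."""
    ordered = sorted(rules, key=lambda r: (r.first, r.last))
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if b.first <= a.last]

def lookup(rules, port) -> Optional[str]:
    """One router's decision: the forward target, or None (default drop, no DMZ)."""
    for r in rules:
        if r.first <= port <= r.last:
            return r.target
    return None

def resolve(tables, edge, port):
    """Follow a WAN port hop by hop; return the path to a host, or None if dropped."""
    path, node = [edge], edge
    while node in tables:                  # node is a router with its own table
        node = lookup(tables[node], port)
        if node is None:
            return None                    # some hop has no rule: traffic stops here
        if node in path:
            raise ValueError("forwarding loop")
        path.append(node)
    return path

def exposed_ports(tables, edge):
    """Map every WAN port that reaches a LAN host to that host."""
    exposed = {}
    for rule in tables[edge]:
        for port in range(rule.first, rule.last + 1):
            path = resolve(tables, edge, port)
            if path:
                exposed[port] = path[-1]
    return exposed

# Constructed plan using the answer's ranges; names and addresses are assumptions.
TABLES = {
    "router-a": [Forward(10000, 11000, "router-b"), Forward(12000, 13000, "router-c")],
    "router-b": [Forward(10022, 10022, "192.168.2.10")],
    "router-c": [Forward(12080, 12080, "192.168.3.20")],
}
```

Although Router A hands 2002 ports to the inner routers, `exposed_ports(TABLES, "router-a")` reports only the two ports that also have a rule on Router B or Router C.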

7
  • I was planning on using different ports anyway. How would you select the range of ports for specific routers ?
    – TermoZour
    Commented Jan 21, 2018 at 11:57
  • 1
    Normally you open no ports. You only open a port when necessary, and then, because of the demand, you know what ports you need to open. Opening a select range of ports to the 2nd and 3rd router, allows you to only require to modify the port forwarding rules on those routers rather than on the entire path (modem to router 1 to router 2). Any port that is not in use can be forwarded to a different router. Do note, some devices require a specific port to be open from the WAN (internet) side. In those cases, you really need to set it up everywhere.
    – LPChip
    Commented Jan 21, 2018 at 12:04
  • This is only true of dumb consumer routers. If you're using any kind of full routing OS (such as pfSense or IPFW), a DMZ is a physically isolated network segment, not a single host on the main network. Commented Jan 21, 2018 at 16:10
  • @AustinHemmelgarn I work a lot with Mikrotik routers, which I consider to be enterprise networks, and even there, I cannot set DMZ to more than one ip address or network interface.
    – LPChip
    Commented Jan 21, 2018 at 20:53
  • @LPChip If there's an option labeled 'DMZ', it's usually a single host, because that's the only reason you need some special option for it to begin with. When done as an actual 'zone', a DMZ segment is no different from any other independent network segment. pfSense for example has no special 'DMZ' option, because they expect you to use a physically isolated network (because it's far more secure to do so) and treat it like any other internal network segment. Commented Jan 22, 2018 at 20:18
