D-Link Forums

D-Link Wireless Routers for Home and Small Business => Information => Archive => Topic started by: pounce on November 11, 2008, 11:53:22 AM

Title: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 11:53:22 AM
I want to put a machine in the DMZ. I do not want this machine to have any LAN access. I want this machine to only have WAN access and accept any traffic not assigned elsewhere through port forwarding etc. Can I do this with DIR-655 and if so how?

Thanks!
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Fatman on November 11, 2008, 12:49:12 PM
No you can not do this as this would require a different physical interface on the DIR-655.  The LAN ports on this device are connected through an unmanaged switch to a single interface on the DIR-655.  What you are thinking of is more of a business class Router/Firewall DMZ interface as opposed to a home router DMZ which is just a default forward.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 01:17:21 PM
Thanks for the speedy response. With that said, how exactly is the Guest feature working in this regard? It is my understanding that the Guest feature only allows WAN access for "wireless" connections.

Is the absence of this true DMZ feature an explicit choice? It seems to me that it's careless to offer DMZ for a machine with LAN access. It's hard for me to imagine why this would be offered.

Is a true DMZ on this product something that the product team could add in a software rev? If so how do I file a formal enhancement request?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Fatman on November 11, 2008, 01:48:14 PM
The guest feature is not going to be a whole lot of help as it is a wireless interface feature.

Given we would need a separate interface to keep the unmanaged switch portion of this device from allowing LAN communication this would not be a software fix.

The DMZ feature of this device is designed mostly for people who have some service they are serving from their LAN PC as a home project.  Or for troubleshooting purposes.  It is not designed to act as a full DMZ interface, if you want such an interface you will need to look at business class equipment regardless of vendor.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 02:13:38 PM
You didn't answer my questions and I am not interested in using the guest feature.

Is it an explicit choice by DLink not to have a proper DMZ on this router?

How do I file an enhancement request?

I raise the issue of the Guest feature because it's essentially doing a vlan. The router *can* do a proper DMZ because it's almost there with the guest feature. There is nothing stopping the Dlink engineers from adding a real DMZ to this hardware. It would not take a lot to specify port 1 in the switch to be a fixed IP in a separate vlan and then have the router treat this port as a real DMZ.

Dlink should not be referring to their DMZ feature as DMZ. It's not a DMZ and from what I can tell there are not enough warnings about the security risks. Risks are mentioned but there is nothing in the documentation that explicitly states that any machines in the dlink DMZ have access to the rest of the network and therefore if they are compromised due to their exposure that the rest of the network is exposed.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: EddieZ on November 11, 2008, 02:27:43 PM
All of the home routers I had (Tornado, 2x Asus, Linksys) implement DMZ more or less like D-link did...but that's only afaik. You can make the router launch a nuclear missile...if you choose to implement it  ;D
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 02:31:23 PM
I generally ignore arguments like "but all my friends are doing it...".

Whatever they have for DMZ on this router is *not* a DMZ. That said if the router can't do a proper DMZ today and I can open an enhancement request to have one added I'll do that. I'll also raise the issue that Dlink is not being responsible enough with its customers on the topic of security wrt their DMZ feature on this and any other router that is not actually isolating the DMZ machine from the rest of the LAN.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Fatman on November 11, 2008, 03:48:29 PM
In case I have not made myself clear I will try this one last time, then I am going to hunt Lycan down because this is getting ridiculous.

THIS SWITCH'S LAN PORTS ARE ON AN UNMANAGED SWITCH.  IT IS NOT POSSIBLE TO CREATE AN ISOLATED INTERFACE ON AN UNMANAGED SWITCH.  IMPOSSIBLE.  THERE IS NO FEATURE REQUEST TO ELEVATE AS IT WOULD TAKE ANOTHER PHYSICAL INTERFACE TO PERFORM AS YOU REQUEST.  I AM GOING TO ADD ANOTHER IMPOSSIBLE FOR CLARITY.

If you want a DMZ interface buy a firewall with a DMZ interface instead of a product designed to forward unspecified traffic to a LAN host as a last ditch effort for troubleshooting and setting up server software you know nothing about.

I mentioned the guest network feature because you asked me about it.

Every consumer level router (which is what this product is) that I have ever seen has this very feature and refers to it as DMZ, so the "but all my friends are doing it..." argument is not only valid, it's as good as law.

While we are drumming up things we are liable for telling every customer, should we add a list of every piece of network exploit software ever written in the manual?  Perhaps we should require that they understand firewall theory to buy our product.  Or better yet, we have to warn them that they are "bad people" on the other side of that wire.

You purchased the wrong product for your purposes, return it and buy a product that does what you require instead of expecting your consumer grade equipment to match your ridiculous expectations.  The number for Customer Service is 1 800 326 1688 ext. 6314, they can figure out who I am based on my handle.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: EddieZ on November 11, 2008, 03:59:27 PM
I generally ignore arguments like "but all my friends are doing it...".

Whatever they have for DMZ on this router is *not* a DMZ. That said if the router can't do a proper DMZ today and I can open an enhancement request to have one added I'll do that. I'll also raise the issue that Dlink is not being responsible enough with its customers on the topic of security wrt their DMZ feature on this and any other router that is not actually isolating the DMZ machine from the rest of the LAN.

"All my friends are doing it" confirms and supports the fact that it is a home router and not some freak attempt by D-Link to mislead the consumer. But it seems that you would like to see this pro feature also on home routers?

It's a fact that Real DMZ on home routers is 99% never a feature.
Thus I doubt your disqualification about D-Link. I guess D-link is not claiming anywhere that their home routers (how the DIR655 is advertised) feature the professional DMZ features you mention, they offer a different line of products for that purpose (professional and secured environments). Unless I've missed the latest edition of the "Bible on Required Specs and Morals for Home routers" of course.  ???

Apart from that theoretical morals and values discussion, could you provide an example of D-Link misrepresenting this feature to the consumer?

Just a question: Pounce is a.k.a. Audituner?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 04:11:29 PM
Fatman, You are incredibly rude. I find your tone and remarks offensive. I'd wager your posts in no way reflect the attitude Dlink would want you to have toward the general public.

You assume it's easy to understand the capability of the Dlink products by reading the product description. I challenge you to actually look at the product description and the manual and tell me where a reasonable person would find that the DMZ feature of the DIR-655 router does not block LAN traffic on the DMZ IP.

You really need to step back and take a breath and realize how you come across to the public. Maybe you are just too close to all of this stuff to imagine a different view of the world.

Bottom line is I am a customer. I asked about a feature that did not behave as expected. I asked if this was expected behavior and if it was by design. I asked how to file an enhancement request to have the feature added to the product. This is all very reasonable.

Your actions are rude and you better believe I will raise this to your management.

It is absolutely possible for your developers to add a true DMZ to this hardware despite your all caps rant that it is not. You are wrong and this makes your posting and attitude all the more revolting.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 04:13:27 PM
"All my friends are doing it" confirms and supports the fact that it is a home router and not some freak attempt by D-Link to mislead the consumer. But it seems that you would like to see this pro feature also on home routers?

It's a fact that Real DMZ on home routers is 99% never a feature.
Thus I doubt your disqualification about D-Link. I guess D-link is not claiming anywhere that their home routers (how the DIR655 is advertised) feature the professional DMZ features you mention, they offer a different line of products for that purpose (professional and secured environments). Unless I've missed the latest edition of the "Bible on Required Specs and Morals for Home routers" of course.  ???

Apart from that theoretical morals and values discussion, could you provide an example of D-Link misrepresenting this feature to the consumer?

Just a question: Pounce is a.k.a. Audituner?

I'm not sure why anyone on this board who owns this router would argue a defense for not wanting a true DMZ. The reactions I am getting here are bizarre. I don't know the "culture" on this board but it sure doesn't seem professional or customer focused.

What's an Audituner?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: EddieZ on November 11, 2008, 04:21:45 PM
I'm not sure why anyone on this board who owns this router would argue a defense for not wanting a true DMZ. The reactions I am getting here are bizarre. I don't know the "culture" on this board but it sure doesn't seem professional or customer focused.

What's an Audituner?

If I wanted a true DMZ I wouldn't have bought the D-Link. If I wanted true bandwidth throttling I would not have bought the D-Link. "Everything is possible" is just a very easy answer to all global issues.
You seem to be taking the discussion towards the redefinition of 'home routers' and their features. And as a simple user trying to help other users out, I think this forum might not be the right place for that subject. If people want professional DMZ and features they need to buy a different product. If you want to win (or even race) the Formula 1 in Monaco you don't line up a Fiat 500...but in daily use the Fiat will do fine, or do you also request FIAT to rebuild the model to enter the GP?

PS: You still haven't answered my question where/how D-Link is misleading its customers.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 04:33:37 PM

Well, you seem to be taking the discussion towards the redefinition of 'home routers' and their features. And as a simple user trying to help other users out, I think this forum might not be the right place for that subject. If people want professional DMZ and features they need to buy a different product. If you want to win (or even race) the Formula 1 in Monaco you don't line up a Fiat 500...but in daily use the Fiat will do fine.

PS: You still haven't answered my question where/how D-Link is misleading its customers.

You know, I'm still having a hard time understanding why you don't think it's reasonable that a customer should be able to ask for an enhancement request so that a feature could be added to a product. I'm puzzled. You are not helping really. You just seem to be stirring the pot, honestly.

Where did I use the term "misleading"?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: EddieZ on November 11, 2008, 04:41:13 PM
You know, I'm still having a hard time understanding why you don't think it's reasonable that a customer should be able to ask for an enhancement request so that a feature could be added to a product. I'm puzzled. You are not helping really. You just seem to be stirring the pot, honestly.

Where did I use the term "misleading"?

You've already seen the answer from D-Link: True DMZ-> other product line ("You purchased the wrong product for your purposes"). Apparently you don't seem happy with the answer (you changed one of your posts in which you accused Dlink by the way) and keep pounding on adding a pro feature to a SOHO product. So who's stirring the pot here?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: davevt31 on November 11, 2008, 04:45:48 PM
You asked a question and were told no to the question.  You didn't like that answer and proceeded with more ranting.  It's very simple, this router won't ever do what you want it to do, it's not meant to.  Take yours back to the store or put it on eBay and buy yourself the exact piece of equipment that you want.  Just be prepared to spend a lot of money for what you want.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 04:50:44 PM
I changed a post because there were some misspelled words. I didn't change any content.

You are right. I don't accept the responses of a forum poster as the actual position of the Dlink product team or marketing. I understand that person has an opinion and you seem to have a consistent agenda of bein***es man (read through your posts).

Seems we have a couple of people with closed minds here. People who like to accept things and beat down good ideas.

Seriously, wouldn't it be cool if a person could file an enhancement request for a true DMZ feature that could be enabled on a single switch port and have Dlink engineers say "hey, cool. I think we can do that because it might help us sell more of these products and make our customers happy"....

Why kill the idea out of the gate? Seriously.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 11, 2008, 04:53:32 PM
You asked a question and were told no to the question.  You didn't like that answer and proceeded with more ranting.  It's very simple, this router won't ever do what you want it to do, it's not meant to.  Take yours back to the store or put it on eBay and buy yourself the exact piece of equipment that you want.  Just be prepared to spend a lot of money for what you want.

Do you think it's inappropriate to want to open an enhancement request? Do you think that Fatman is always correct and should be the one that decides what is and what is not included in future releases of the firmware?
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Fatman on November 11, 2008, 05:15:45 PM
This is a physical limitation.  Enough snideness towards our other customers and implication of wrongdoing by myself.  It's like asking that we apply a firmware fix that puts a hundred dollar bill inside the router, physically impossible.

Lycan please lock this thread so tight that we will never know the status of the cat inside.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Lycan on November 12, 2008, 09:22:57 AM
Here is the END of this thread. The answer is IT IS IMPOSSIBLE to create an ISOLATED interface on a NON-LAYER-3 Switch.

What you get in a home class router is VERY simple to understand. The DIR-655 comes with either a VITESSE or REALTEC 5 port unmanaged switch.
The switch drivers and the NAT drivers (ubicom solution) are loaded on a 16Mb NVRAM. This leaves VERY LITTLE space for user defined instruction. That being said the unit itself also needs memory for things like statetables, MAC's of the connected clients and DHCP.

What you're asking for is in fact a change to the kernel of the Ubicom OS. To allow the DMZ to be VLANed from the LAN also does not make it a TRUE DMZ. It's simply a VLAN. A true DMZ is a separate physical interface and completely bypasses the core NAT and statetable. Obviously this can not be done. Now on to the VLANing, I could request that the DMZ be isolated from the rest of the NAT. However, as I mentioned, this is a Ubicom based platform and I would need quite a few requests of this nature to "encourage" Ubicom to change the very Kernel of their OS. Obviously we want you to enjoy the product, if you feel that it falls short of your needs or expectations by all means return it and purchase something that is more fitting.

Lastly, home class devices very rarely have true DMZs on them and more often than not (as with us) they're what's referred to as NAT'd DMZ. The Cone of the NAT can be adjusted to allow for less restriction of incoming WAN traffic but it can not be isolated from the LAN currently.
Some companies offer "business class" features on their home class products and while this is convenient for the end user in some situations it blurs the line between what is home class and what is not. I could also get in to cost effectiveness vs marketability but I believe that I made my point.
Any further situations or comments about this thread can be PM'd to me and if I decide to unlock it I will.
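The distinction drawn above (a home-router "DMZ" is a default forward for unsolicited WAN traffic, and a router can only filter packets that actually cross it) is easy to see in a small model. This is an added illustration, not D-Link or Ubicom code; the Router class, the host names and the interface names are constructed for the example.

```python
"""Model of a NAT'd DMZ (default forward) versus an isolated DMZ interface.

Constructed example. Hosts are attached to router interfaces; a packet
between two hosts on the same interface (the same unmanaged switch) is
delivered by the switch and never reaches the router's forwarding rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Router:
    # interface name -> hosts attached to it (directly or via its switch)
    interfaces: Dict[str, Set[str]]
    # the "DMZ host": where unsolicited inbound WAN traffic is forwarded
    dmz_host: Optional[str] = None
    # (source interface, destination interface, action) checked in order
    forward_rules: List[Tuple[str, str, str]] = field(default_factory=list)

    def interface_of(self, host: str) -> str:
        for name, hosts in self.interfaces.items():
            if host in hosts:
                return name
        return "wan"  # anything not on an internal interface is out on the WAN

    def deliver(self, src: str, dst: str, unsolicited: bool = False) -> str:
        """Return 'direct', 'forwarded' or 'dropped' for a packet src -> dst."""
        src_if = self.interface_of(src)
        if src_if == "wan" and unsolicited:
            # No NAT state for this flow: only a configured DMZ host receives it
            if self.dmz_host is None:
                return "dropped"
            dst = self.dmz_host
        dst_if = self.interface_of(dst)
        if src_if == dst_if:
            return "direct"  # same switch segment: the router never sees it
        for rule_src, rule_dst, action in self.forward_rules:
            if rule_src == src_if and rule_dst == dst_if:
                return action
        return "forwarded"


def home_router_scenario() -> Dict[str, str]:
    """DMZ host and LAN PCs share one unmanaged switch behind one interface."""
    r = Router(interfaces={"lan": {"dmz-pc", "desktop", "nas"}}, dmz_host="dmz-pc")
    # A firmware rule trying to block DMZ -> LAN can only match lan -> lan
    # traffic at the router, which never happens on a shared switch.
    r.forward_rules.append(("lan", "lan", "dropped"))
    return {
        "wan_unsolicited": r.deliver("internet-host", "router-public-ip", unsolicited=True),
        "dmz_to_lan": r.deliver("dmz-pc", "nas"),
    }


def isolated_dmz_scenario() -> Dict[str, str]:
    """DMZ host on its own interface (or a VLAN the router routes between)."""
    r = Router(interfaces={"lan": {"desktop", "nas"}, "dmz": {"dmz-pc"}}, dmz_host="dmz-pc")
    r.forward_rules.append(("dmz", "lan", "dropped"))  # now the rule can bite
    return {
        "wan_unsolicited": r.deliver("internet-host", "router-public-ip", unsolicited=True),
        "dmz_to_lan": r.deliver("dmz-pc", "nas"),
        "lan_to_dmz": r.deliver("desktop", "dmz-pc"),
    }
```

In the shared-switch case the DMZ host still reaches the NAS directly, which is the exposure the thread is about; only the separate-interface layout lets a forwarding rule stop it.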
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: pounce on November 12, 2008, 11:14:07 AM
Lycan,

Thanks for the informative post. Semantics aside my objective is to be able to put a machine in the DMZ and have it isolated from the LAN. This is what I wanted to request as an enhancement request. Maybe the posters here don't have experience with the concept of an "enhancement request" and understood my postings as demands for changes to the product. It is exactly as it sounds. Enhancement Request. What customers don't want to hear from customer support is reasons for not accepting a reasonable request for changes. What Dlink does with the request is another story. I think little was being done in this thread to really address the customer's feedback.

Can we all at least agree that the documentation on this product does not mention the limitations and LAN access risks of the Dlink or Ubicom implementation? I don't think it's unreasonable to point out an issue that can be corrected and will improve future customer service inquiries. What I have gotten here is a defensive reaction to pointing out an area of improvement. Taking this tack on issues is not going to build a better customer experience over time.

The response I should have gotten with my inquiry about opening an enhancement request as a customer is "Please do open an enhancement if you feel the product is lacking. Please document your request and send it to XXX. We take all enhancement requests seriously as we value our customers and their needs. All enhancement requests will be evaluated and prioritized by the product team and there are no guarantees that any requests will be implemented in the identified product". I don't think anyone here is going to disagree that that's really what you guys wanted to say ;)

Please log an enhancement request on my behalf to have a feature added to the DIR-655 router firmware that prevents LAN access as much as technically possible given the hardware of the device by any machine placed in the DMZ. I am able to do this with openwrt and a cheap router and I would like to do this with the DLink DIR-655.

I'd also like to log an enhancement request for your documentation for consumer grade products that contain your current DMZ implementation to better detail the differences between Default port forwards and open LAN access VS what most think of when talking about DMZ which is something that is isolated. Customers would benefit from a security point of view. The omission of the LAN access by machines in the DMZ could be harmful to the average user.
Title: Re: DMZ behavior - DMZ machines should not have LAN access
Post by: Lycan on November 12, 2008, 12:02:45 PM
The request for the augmentation of the DMZ has been made. I believe that it's both outside the standard of the "home class" for our products but also the Ubicom kernel currently does not support it. I understand your feature request and the reason behind it. Unfortunately I don't think it's within the realm of possibility for that router currently.

I await PM's response.