
Topic: DMZ behavior - DMZ machines should not have LAN access

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #15 on: November 11, 2008, 04:50:44 PM »

I changed a post because there were some misspelled words. I didn't change any content.

You are right. I don't accept the responses of a forum poster as the actual position of the Dlink product team or marketing. I understand that person has an opinion and you seem to have a consistent agenda of being a yes man (read through your posts).

Seems we have a couple of people with closed minds here. People who like to accept things and beat down good ideas.

Seriously, wouldn't it be cool if a person could file an enhancement request for a true DMZ feature that could be enabled on a single switch port and have Dlink engineers say "hey, cool. I think we can do that because it might help us sell more of these products and make our customers happy"....

Why kill the idea out of the gate? Seriously.

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #16 on: November 11, 2008, 04:53:32 PM »

You asked a question and were told no to the question.  You didn't like that answer and proceeded with more ranting.  It's very simple, this router won't ever do what you want it to do, it's not meant to.  Take yours back to the store or put it on eBay and buy yourself the exact piece of equipment that you want.  Just be prepared to spend a lot of money for what you want.

Do you think it's inappropriate to want to open an enhancement request? Do you think that Fatman is always correct and should be the one that decides what is and what is not included in future releases of the firmware?

Fatman

  • Level 9 Member
  • Posts: 1675
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #17 on: November 11, 2008, 05:15:45 PM »

This is a physical limitation.  Enough snideness towards our other customers and implication of wrongdoing by myself.  It's like asking that we apply a firmware fix that puts a hundred dollar bill inside the router, physically impossible.

Lycan please lock this thread so tight that we will never know the status of the cat inside.
non progredi est regredi

Lycan

  • Administrator
  • Level 15 Member
  • Posts: 5335
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #18 on: November 12, 2008, 09:22:57 AM »

Here is the END of this thread. The answer is IT IS IMPOSSIBLE to create an ISOLATED interface on a NON-LAYER-3 Switch.

What you get in a home class router is VERY simple to understand. The DIR-655 comes with either a VITESSE or REALTEK 5 port unmanaged switch.
The switch drivers and the NAT drivers (Ubicom solution) are loaded on a 16Mb NVRAM. This leaves VERY LITTLE space for user defined instruction. That being said, the unit itself also needs memory for things like state tables, MACs of the connected clients and DHCP.

What you're asking for is in fact a change to the kernel of the Ubicom OS. To allow the DMZ to be VLANed from the LAN also does not make it a TRUE DMZ. It's simply a VLAN. A true DMZ is a separate physical interface and completely bypasses the core NAT and state table. Obviously this cannot be done. Now on to the VLANing, I could request that the DMZ be isolated from the rest of the NAT. However, as I mentioned that this is a Ubicom based platform, I would need quite a few requests of this nature to "encourage" Ubicom to change the very Kernel of their OS. Obviously we want you to enjoy the product; if you feel that it falls short of your needs or expectations, by all means return it and purchase something that is more fitting.

Lastly, home class devices very rarely have true DMZs on them and more often than not (as with us) they're what's referred to as NAT'd DMZ. The Cone of the NAT can be adjusted to allow for less restriction of incoming WAN traffic but it cannot be isolated from the LAN currently.
Some companies offer "business class" features on their home class products and while this is convenient for the end user in some situations it blurs the line between what is home class and what is not. I could also get into cost effectiveness vs marketability but I believe that I made my point.
Any further situations or comments about this thread can be PM'd to me and if I decide to unlock it I will.
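The difference between the NAT'd DMZ and an isolated DMZ discussed in the reply above, as an added example that is not part of the original thread and is not D-Link or Ubicom code. It is a simplified model: all addresses, segment names and the forward-reject rule set are constructed, and it assumes the router's firewall only sees traffic that crosses between layer-2 segments.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One layer-2 broadcast domain behind the router (constructed model)."""
    name: str
    subnet: ipaddress.IPv4Network

def segment_of(ip, segments):
    """Return the segment whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((s for s in segments if addr in s.subnet), None)

def classify_flow(src, dst, segments, forward_rejects):
    """Classify a packet from src to dst:
    'switched' - same segment, delivered by the switch; the router's
                 firewall never sees it, so no rule can stop it
    'blocked'  - different segments and the forward policy rejects the pair
    'routed'   - different segments and the router forwards it
    """
    s, d = segment_of(src, segments), segment_of(dst, segments)
    if s is None or d is None:
        raise ValueError("address outside every modelled segment")
    if s == d:
        return "switched"
    return "blocked" if (s.name, d.name) in forward_rejects else "routed"

def dmz_exposure(dmz_host, lan_hosts, segments, forward_rejects):
    """LAN hosts the DMZ host can still open connections to."""
    return [h for h in lan_hosts
            if classify_flow(dmz_host, h, segments, forward_rejects) != "blocked"]

# Constructed sample data (not taken from the thread).
LAN_HOSTS = ["192.168.0.10", "192.168.0.11"]
REJECT_DMZ_TO_LAN = {("dmz", "lan")}
LAN = Segment("lan", ipaddress.ip_network("192.168.0.0/24"))

# NAT'd DMZ: the "DMZ host" is just another address on the LAN switch.
NATD = [LAN]
# Isolated DMZ: the host sits on its own interface or VLAN with its own subnet.
ISOLATED = [LAN, Segment("dmz", ipaddress.ip_network("192.168.50.0/24"))]

if __name__ == "__main__":
    print("NAT'd DMZ exposure:   ",
          dmz_exposure("192.168.0.100", LAN_HOSTS, NATD, REJECT_DMZ_TO_LAN))
    print("Isolated DMZ exposure:",
          dmz_exposure("192.168.50.2", LAN_HOSTS, ISOLATED, REJECT_DMZ_TO_LAN))
```

In the NAT'd case the reject rule exists but never matches, because the DMZ host and the LAN hosts share one segment and their traffic is switched rather than routed.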

pounce

  • Guest
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #19 on: November 12, 2008, 11:14:07 AM »

Lycan,

Thanks for the informative post. Semantics aside, my objective is to be able to put a machine in the DMZ and have it isolated from the LAN. This is what I wanted to request as an enhancement request. Maybe the posters here don't have experience with the concept of an "enhancement request" and understood my postings as demands for changes to the product. It is exactly as it sounds. Enhancement Request. What customers don't want to hear from customer support is reasons for not accepting a reasonable request for changes. What Dlink does with the request is another story. I think little was being done in this thread to really address the customer's feedback.

Can we all at least agree that the documentation on this product does not mention the limitations and LAN access risks of the Dlink or Ubicom implementation? I don't think it's unreasonable to point out an issue that can be corrected and will improve future customer service inquiries. What I have gotten here is a defensive reaction to pointing out an area of improvement. Taking this tack on issues is not going to build a better customer experience over time.

The response I should have gotten with my inquiry about opening an enhancement request as a customer is "Please do open an enhancement if you feel the product is lacking. Please document your request and send it to XXX. We take all enhancement requests seriously as we value our customers and their needs. All enhancement requests will be evaluated and prioritized by the product team and there are no guarantees that any requests will be implemented in the identified product". I don't think anyone here is going to disagree that that's really what you guys wanted to say ;)

Please log an enhancement request on my behalf to have a feature added to the DIR-655 router firmware that prevents LAN access as much as technically possible given the hardware of the device by any machine placed in the DMZ. I am able to do this with openwrt and a cheap router and I would like to do this with the DLink DIR-655.

I'd also like to log an enhancement request for your documentation for consumer grade products that contain your current DMZ implementation to better detail the differences between Default port forwards and open LAN access VS what most think of when talking about DMZ which is something that is isolated. Customers would benefit from a security point of view. The omission of the LAN access by machines in the DMZ could be harmful to the average user.

Lycan

  • Administrator
  • Level 15 Member
  • Posts: 5335
Re: DMZ behavior - DMZ machines should not have LAN access
« Reply #20 on: November 12, 2008, 12:02:45 PM »

The request for the augmentation of the DMZ has been made. I believed that it's both outside the standard of the "home class" for our products but also the Ubicom kernel currently does not support it. I understand your feature request and the reason behind it. Unfortunately I don't think it's within the realm of possibility for that router currently.

I await PM's response.