DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3300V DMZ

03 Jul 2009 20:17 #1 by mattp999
3300V DMZ was created by mattp999
Can someone please explain to me in simple English what the difference is between having a DMZ in NAT mode or routing mode?

I have a web server configured in the DMZ which needs to be able to communicate with a SQL server on the internal LAN, and I'm confused about which option to go for / how I set this up. I would really appreciate some advice.

Thanks :)


22 Jul 2009 11:28 #2 by acenetworksltd
Replied by acenetworksltd on topic 3300V DMZ
Hi mattp999,

In NAT mode, the router will translate between the address of your web server and the SQL server. In other words, the SQL server sees the web server as having the same address as your firewall's internal interface, and the web server sees the SQL server as having the address of your firewall's DMZ interface.

In routed mode, the SQL server and web server communicate using their actual addresses.


22 Jul 2009 15:09 #3 by kristanm
Replied by kristanm on topic 3300V DMZ
Just on the back of this, we have a 3300 with a box in the DMZ in "routing mode". Does this mean the 3300 just passes all traffic and ignores the firewall rules? No matter what combination of "WAN->DMZ" block rules I put in place, traffic always seems to get through to the box in the DMZ.

What am I missing here? Surely the 3300V applies firewall rules to DMZ-bound traffic?


23 Jul 2009 14:54 #4 by acenetworksltd
Replied by acenetworksltd on topic 3300V DMZ
Hi KristanM,

No, the firewall does not ignore the firewall rules.
Let's say there is a web server on the DMZ with private address 192.168.2.254, and the DMZ interface is 192.168.2.1; then the default gateway for the web server would be 192.168.2.1, OK?
Similarly, a client workstation on the inside network could have IP address 192.168.100.100 and gateway 192.168.100.1 (the IP address of the inside interface of the firewall).

To communicate, in routing mode, the client will simply send packets directed at the web server's real address of 192.168.2.254. But because it's on a different network, the packets will be forwarded to the gateway (192.168.100.1), which will ROUTE the packets to the correct interface. And vice versa for the web server contacting the client.

You can still specify firewall rules for communication between the inside clients and the DMZ, the same way you would for inside clients and the internet, or the internet and the DMZ.

Hope this helps,
Ace

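To make the difference between the two DMZ modes concrete, here is a small added model of the three-interface setup described in replies #2 and #4 (private LAN 192.168.100.0/24 behind 192.168.100.1, private DMZ 192.168.2.0/24 behind 192.168.2.1). This is example code written for this thread, not DrayTek firmware or anything posted by the participants. Its assumptions: the router's public address is 200.0.0.10 (borrowed from reply #5), zone-pair firewall rules are matched on the original addresses before any translation, the first matching rule wins, and no match means pass; NAT mode rewrites only the source address, to the router's address on the egress interface, exactly as reply #2 describes. The inbound "outsider -> web" case assumes some port forward makes the private DMZ address reachable, which the model does not simulate.

```python
"""Toy model of a firewall with a DMZ in NAT vs routing mode (added example).

Zone-pair rules (LAN/DMZ/WAN) are evaluated before translation and the first
match wins; that ordering is an assumption of this model, not a description
of how the DrayTek 3300V evaluates its rule table.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address

# Segments from reply #4; anything outside them is treated as WAN.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.100.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}
# Router address on each interface. 200.0.0.10 is an assumed WAN address.
ROUTER_IF = {
    "LAN": IPv4("192.168.100.1"),
    "DMZ": IPv4("192.168.2.1"),
    "WAN": IPv4("200.0.0.10"),
}


def zone_of(ip: IPv4) -> str:
    """Classify an address by the interface it sits behind."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str  # "block" or "pass"


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    dport: int


def forward(pkt: Packet, dmz_mode: str, rules: list[Rule]) -> Optional[Packet]:
    """Return the packet as the destination host sees it, or None if dropped.

    dmz_mode: "routing" leaves addresses untouched; "nat" rewrites the source
    to the router's address on the destination side, so the DMZ host sees the
    DMZ interface and the LAN host sees the inside interface (reply #2).
    """
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == dst_zone:
        return pkt  # same segment: the router never sees it
    # Rules are matched on zones, independent of the DMZ mode.
    for rule in rules:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            if rule.action == "block":
                return None
            break
    if dmz_mode == "nat" and "DMZ" in (src_zone, dst_zone):
        return Packet(ROUTER_IF[dst_zone], pkt.dst, pkt.dport)
    return pkt


def demo() -> dict[str, Optional[Packet]]:
    """Constructed traffic: web server -> SQL, client -> web, outsider -> web."""
    web, sql = IPv4("192.168.2.254"), IPv4("192.168.100.50")
    client, outsider = IPv4("192.168.100.100"), IPv4("203.0.113.7")
    rules = [Rule("WAN", "DMZ", "block")]
    return {
        "routing web->sql": forward(Packet(web, sql, 1433), "routing", rules),
        "nat web->sql": forward(Packet(web, sql, 1433), "nat", rules),
        "nat client->web": forward(Packet(client, web, 80), "nat", rules),
        "routing outsider->web": forward(Packet(outsider, web, 80), "routing", rules),
    }


if __name__ == "__main__":
    for label, seen in demo().items():
        print(f"{label:24s} -> {'dropped' if seen is None else f'{seen.src} -> {seen.dst}:{seen.dport}'}")
```

Running it shows the point of reply #2: in routing mode the SQL server logs the connection from 192.168.2.254, while in NAT mode it logs it from 192.168.100.1, which matters if the SQL server's own access list is keyed on the client address. It also shows what reply #4 says about rules: the WAN->DMZ block drops the outsider in either mode, because zone matching does not depend on the DMZ mode. The model does not cover the public-/29 layout in reply #5, where the DMZ hosts share WAN1's subnet and classification by prefix alone cannot tell the two interfaces apart.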

23 Jul 2009 15:07 #5 by kristanm
Replied by kristanm on topic 3300V DMZ
Hi Ace,

Thanks for that, but I think there's something going wrong somewhere - the setup is this :

The DrayTek has a public address, say 200.0.0.10, on a /29 subnet (200.0.0.8-15)
with 200.0.0.9 as the default gateway. This is into WAN1.

WAN3 is set as a DMZ in "routing mode". I specify three IPs, 200.0.0.11, .12 and .13. These are given to the servers, which are set up with the same subnet and using the DrayTek as the default gateway (.10).

When the DMZ servers try to contact boxes on the LAN, the rules work fine; I have to put pinholes in to allow them access to the internal servers. When I try to restrict access to the DMZ servers from the internet, however, the rules seem to have no effect. It's like the DrayTek is just passing the traffic without looking at it, as if it had just bridged the WAN1 and WAN3 ports.

Maybe I'm asking a bit much, but the 3300V is supposed to be an enterprise bit of kit, and I can't see many enterprises being happy exposing servers to the internet without some kind of firewalling!

As a fix, I've ended up putting a MikroTik in and configuring it to act as a transparent firewall; this works perfectly. Those little boxes are life savers! :)

