Bringing a Public IP onto the LAN Side of the Vigor 2000 Series
General Router FAQ
Using True-DMZ
or "Getting a Public IP Address LAN-Side"
What is the True-DMZ facility?
In the most common Vigor router scenario, your private LAN is isolated
from the Internet in its own private IP subnet (normally 192.168.1.0). Only
replies to traffic that your LAN initiated can then get inside your network
from the Internet, which provides inherent security, and the NAT system
manages all of the LAN-to-WAN mappings. Data leaves your PC on a private IP
address and appears on the Internet as coming from your single public IP
address, as per figure 1.
Figure 1 - Typical NAT Router Scenario
There may be scenarios where you need to host a server or put a
secondary/larger firewall behind your router. Often, the NAT 'Port Forwarding'
method will be adequate, particularly when it is a single service that is
being forwarded (for example, a web server inside your LAN). This retains the
stateful ('keepstate') protection that NAT provides.
At other times, however, it is essential that your public IP address is
not only routed through to an internal (LAN-side) device, but also that the
LAN-side device inherits the public IP address for itself.
So that data is forwarded to the internal host and the internal host also
holds the public IP address, various Vigor routers have a sophisticated
feature called True-DMZ, which does exactly that. The diagrams below show two
examples of True-DMZ in use. Note that although there is only one public IP
address allocated by the ISP (184.72.102.14), the PC in Figure 2 and the
Firewall in Figure 3 have that IP address. All incoming data to your public
IP address ends up at the True-DMZ host. In the case of the firewall in
figure 3, that public IP address becomes its 'WAN' IP address:
Figure 2 - PC as a True-DMZ Host
Figure 3 - Larger Firewall as a True-DMZ Host
The Vigor has another 'trick' up its sleeve! With the public IP address
being inherited by your internal True-DMZ host, you'd expect that you can't
have other internal clients. With the Vigor, however, the NAT system
continues to operate, so you can still have other internal clients accessing
the Internet from internal private IP addresses, as normal. This is shown in
figure 4:
Figure 4 - True DMZ and NAT Clients Simultaneously
How do I set up a True-DMZ Host?
Firstly, check whether your specific router model supports the True-DMZ
facility, as it is not available on all models or on older models. Then,
setting up the True-DMZ host is very easy. It uses the standard DHCP server
facility in the router, simply pre-setting your True-DMZ host's allocation.
That host (PC, other firewall etc.) is identified by its MAC address, a
6-octet address which is hardcoded into every Ethernet interface. You need
to know the MAC address of the device in question. Sometimes it is printed
on the device itself, but be sure that the MAC address you take down is that
of the interface you're connecting (some firewalls will have several
Ethernet interfaces).
For PCs and Vigor Firewalls, you can also determine the MAC address via
their web interfaces, from a connected PC (see later).
Once you have the MAC address, you just need to enter it into the Vigor
router's True-DMZ screen and enable the feature, as shown below:
Your True-DMZ host will then need either rebooting or an IP renewal and,
assuming it is set as a DHCP client, it should then receive the public IP
address from your Vigor router.
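An added example (not part of the original FAQ or DrayTek's own code): one way to confirm, on a Windows True-DMZ host, that the interface whose MAC address you registered on the router is a DHCP client and has received the public IP address. It parses the text of ipconfig /all; the sample output, the MAC addresses and the function names are constructed for illustration, and only 184.72.102.14 comes from the figures above.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 02-00-00-AA-BB-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 184.72.102.14(Preferred)

Ethernet adapter Ethernet 2:

   Physical Address. . . . . . . . . : 02-00-00-AA-BB-02
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
"""

def mac_digits(mac):
    """Reduce any common MAC notation (-, :, . separators) to bare hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def parse_adapters(text):
    """Return {adapter heading: {field label: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and " : " in line:
            label, value = line.split(" : ", 1)
            current[label.strip(" .")] = value.strip()
    return adapters

def check_dmz_host(text, dmz_mac, public_ip):
    """Report the lease state of the interface whose MAC is set on the router."""
    want = mac_digits(dmz_mac)
    if len(want) != 12:
        raise ValueError(f"not a 6-octet MAC address: {dmz_mac!r}")
    for name, f in parse_adapters(text).items():
        if mac_digits(f.get("Physical Address", "")) != want:
            continue
        addr = f.get("IPv4 Address", "").split("(")[0]
        return {
            "adapter": name,
            "dhcp": f.get("DHCP Enabled") == "Yes",
            "has_public_ip": addr == public_ip,
            "globally_routable": bool(addr) and ipaddress.ip_address(addr).is_global,
        }
    return None  # the MAC entered on the router is not an interface of this host
```

A result with dhcp False, or with has_public_ip False after a reboot or IP renewal, usually means the MAC address entered on the router belongs to a different interface of a multi-homed host.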
Finding out a MAC address from a device
Figure 6 - Checking a Vigor3300's WAN MAC address
Figure 7 - Checking a Windows PC's WAN MAC address