การนำ Public IP เข้ามาใช้ที่ขา LAN ของ Vigor 2000 Series
General Router FAQ
or "Getting a Public IP Address LAN-Side"
What is the True-DMZ facility?
In the most common Vigor router scenario, your private LAN is isolated
from the Internet in its own private IP subnet (normally 192.168.1.0). Then,
only reciprocal data can get inside your network from the Internet,
providing inherent security and the NAT system manages all of the LAN-to-WAN
mappings. Data leaves your PC on a private IP address and ends up on the
network on your single public IP address, as per figure 1.
Figure 1 - Typical NAT Router Scenario
There may be scenarios where you need to host a server or put a secondary/larger
firewall behind your router. Often, the NAT 'Port Forwarding' method will be
adequate, particularly when it's a single service that is being forwarded (for
example a web server inside your LAN). This retains the NAT keepstate
At other times, however, it is essential that your public IP address is
not only routed through to an internal (LAN-side) device, but also that the
LAN-side device inherits the public IP address for itself.
In order that data is forwarded to the internal host and
the internal host has the public IP address, various Vigor routers have a
sophisticated feature called True-DMZ, which does exactly that. The diagram
below shows two examples of True-DMZ in use. Note how although there is only
one public IP address allocated by the ISP (188.8.131.52), the PC in Figure
2 and the Firewall in Figure 3 have that IP address. All incoming data to
your public IP address ends up at the True-DMZ host. In the case of the
firewall in figure 3, that public IP address becomes its 'WAN' IP address:
Figure 2 - PC as a True-DMZ Host
Figure 3 - Larger Firewall as a True-DMZ Host
The Vigor has another 'trick' up its sleeve! With the public IP address
being inherited by your internal True-DMZ host, you'd expect that you can't
have other internal clients, but with the Vigor, the NAT system continues to
operate so you can still have other internal Clients accessing the internet
from internal private IP addresses, as normal. This is shown in figure 4:
Figure 4 - True DMZ and NAT Clients Simultaneously
How do I set up a True-DMZ Host?
Firstly, check if your specific router model supports the True-DMZ
facility as it is not available on all models, or older models. Then,
setting up the True-DMZ host is very easy. It uses the standard DHCP server
facility in the router, simply pre-setting your True-DMZ host's allocation.
That host (PC, other firewall etc.) is identified by its MAC Address - that
is a 6-octet address which is hardcoded into every Ethernet interface. You
need to know the MAC address of the device in question. Sometimes it is
printed on the device itself, but be sure that the MAC address you take down
is that of the interface you're connecting (some firewalls will have several
For PCs and Vigor Firewalls, you can also determine the MAC address via
their web interfaces, from a connected PC (see later).
Once you have the MAC address, you just need to enter it into the Vigor's
router's True-DMZ screen and enable the feature, as shown below:
Your True-DMZ host will then need either rebooting or IP renewal and
assuming it is set as a DHCP client, it should then receive the public IP
address from your Vigor Router.
Finding out a MAC address from a device
Figure 6 - Checking a Vigor3300's WAN MAC address
Figure 7 - Checking a Windows PC's WAN MAC address