
5pike 12-07-2011 05:47 AM

General question about DMZ and NAT
Hi all,

I have a DMZ with two firewalls (Zentyal). The second one protects the LAN from the internet and DMZ. My question is, should the second firewall mark the DMZ interface as "External" and therefore be doing NAT? Or should I mark it as "Internal" and create the required rules in the firewall?

Many thanks,

zooppoop 12-07-2011 06:14 AM

I think you are going to have to provide more details on what you are doing and what you want an answer to. I have not dealt with a Zentyal firewall before, so I'm not sure if there are some special requirements. But in general you should not have to NAT unless you design your network in a way that requires it, e.g. you are using a private network and trying to talk to the internet. There are many different NAT examples. Then as far as DMZ, Internal, External: these are just labels; you can normally call them whatever you like. Personally, if this was my network I would probably use 1 firewall(s) with three interfaces: one Internet-facing, one for your DMZ and one for the rest of your LAN, the "(s)" being a redundant pair. Let us know a little more information on what you are looking for.

jefro 12-07-2011 04:12 PM

I think you have a software distribution that can act as a few devices.

Zentyal Linux small business server can be configured as a Gateway, Unified Threat Manager (UTM), Infrastructure Manager, Office Server, Unified Communications Server or a combination of them.

For the most part you would never want to use a DMZ. In a normal setup, you set some NIC as the external NIC. Then you set one or more as internal. Between the two you configure the firewall and rules and logs and such so that the two connect.

5pike 12-08-2011 07:48 AM

Hi chaps,

Thanks both for your replies. So if I understand correctly, it doesn't really matter / it's a design choice? What are the pros and cons? I'm guessing it uses more resources to do NAT the whole time but provides a bit more security by way of hiding protected computers' IP addresses etc.?

I currently have the DMZ interface on the second-layer firewall marked as "External" which automatically does NAT and implements the firewall rules. I think I would prefer to mark it as "Internal" (no changes) and manually enter the firewall rules with no NAT. Do you see any problems with this or should I keep the NAT?

Greatly appreciate your input and opinions.


zooppoop 12-08-2011 07:36 PM

Yes, it is a design choice. I am still not sure about your design and what you are doing. To really give an answer I need to understand your IP addressing. Are you using all public IPs or private IPs? If you are using all public IPs for your computers there is, in my "opinion", no reason to do NAT. Some people like it though, as they feel more secure with it. Do as you wish. If you are using private IPs you are going to have to do NAT to get to the Internet, but at that point you do not have to do NAT to your DMZ. Your DMZ can route between the private network and public network without using NAT. NAT can be troublesome for some protocols, but if you prefer the "security" of NAT then you might want it.

Good luck.
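As an added illustration of the design zooppoop describes (one firewall, three interfaces, NAT only where private addresses leave toward the Internet, plain routed and filtered traffic between LAN and DMZ), here is a small script that generates an nftables ruleset. It is example code written for this page, not Zentyal's configuration or anything posted in the thread; the interface names, subnets and DMZ web host address are constructed placeholders passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset for a single
# firewall with WAN, LAN and DMZ interfaces. Masquerade (NAT) is applied only
# on the WAN edge; LAN <-> DMZ traffic is routed and filtered, never NATed.
# All interface names and addresses are constructed placeholders.

dmz_ruleset() {
    wan="$1"       # Internet-facing interface (placeholder, e.g. eth0)
    lan="$2"       # internal LAN interface  (placeholder, e.g. eth1)
    dmz="$3"       # DMZ interface           (placeholder, e.g. eth2)
    lan_net="$4"   # LAN subnet, e.g. 192.168.10.0/24
    dmz_net="$5"   # DMZ subnet, e.g. 192.168.20.0/24
    dmz_web="$6"   # published DMZ web server, e.g. 192.168.20.10
    cat <<EOF
flush ruleset

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to already-accepted flows, in any direction
        ct state established,related accept
        ct state invalid drop

        # LAN may initiate to the Internet and to the DMZ; no NAT toward the DMZ
        iifname "$lan" ip saddr $lan_net oifname "$wan" accept
        iifname "$lan" ip saddr $lan_net oifname "$dmz" ip daddr $dmz_net accept

        # DMZ may initiate to the Internet only; DMZ -> LAN falls to the drop policy
        iifname "$dmz" ip saddr $dmz_net oifname "$wan" accept

        # Internet may reach the published web service in the DMZ (after DNAT below)
        iifname "$wan" oifname "$dmz" ip daddr $dmz_web tcp dport { 80, 443 } ct state new accept

        # log what the policy drops so a compromised DMZ host probing the LAN is visible
        log prefix "fw-forward-drop: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # publish the DMZ web server on the WAN address
        iifname "$wan" tcp dport { 80, 443 } dnat to $dmz_web
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # the only NAT rule: private addresses leaving toward the Internet
        oifname "$wan" ip saddr { $lan_net, $dmz_net } masquerade
    }
}
EOF
}

# Number of masquerade rules in the generated ruleset; a reviewer expects exactly
# one, on the WAN edge, confirming that LAN <-> DMZ traffic is not NATed.
nat_rule_count() {
    dmz_ruleset "$@" | grep -c masquerade
}

# Stand-alone usage: print the ruleset (load with `nft -f` on a real box).
dmz_ruleset eth0 eth1 eth2 192.168.10.0/24 192.168.20.0/24 192.168.20.10
```

The forward chain's drop policy means the absence of a DMZ-to-LAN accept rule is itself the control; nothing in the DMZ can open a connection into the LAN regardless of whether NAT is in play, which is why the thread's "NAT or rules" question really comes down to the rules.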
