Connecting Public and Private Segments (DMZ)

The following example takes a commonly issued block of 14 IP addresses and breaks it into two subnets. This type of configuration is quite advanced and requires prior knowledge of IP subnetting. As an alternative, one may consider assigning additional IP addresses to the Internet interface and having WinRoute perform port mapping by listening on the specified IP addresses.

Public and Private networks scenario:

WinRoute settings:

It is necessary to perform advanced NAT settings so WinRoute will not perform NAT for packets going to and from the public segment. To do this go to menu Settings=>Advanced=>NAT.

In the advanced NAT settings you will specify that any traffic leaving the NAT'd interface with a source IP address in the DMZ segment must not be NAT'd. At that point WinRoute becomes a neutral router for the DMZ segment: incoming traffic to an IP address in the DMZ passes through the NAT'd interface untranslated. Under this scenario you may consider packet filters to firewall the DMZ.

The final step in the DMZ configuration requires the addition of static routes to WinRoute's default gateway. Most ISPs will require you to contact them to have such routes added. In the example above the router at 169.1.1.1 will have a mask of 255.255.255.240. It will therefore have a route statement indicating that traffic for the destination network 169.1.1.0/28 uses the interface at 169.1.1.1. Because the WinRoute PC is inserted between the DMZ and the Internet gateway (your ISP's router), static routes must be added to the Internet router/gateway indicating that, for each IP host on the DMZ, it must use the WinRoute computer (e.g. 169.1.1.4) as the gateway. An example route would look as follows: network 169.1.1.5 mask 255.255.255.255 gateway 169.1.1.4 interface 169.1.1.1.

If you have additional questions regarding this type of scenario please email your network diagram to support@kerio.com.

Important: Do not include any IP address of the WinRoute computer within the DMZ when defining your advanced NAT rule. In the above screen shot notice that the first IP of the range excludes 169.1.1.4!
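The following Python script is an added worked example, not part of the original WinRoute documentation. It models the three pieces of the scenario above with the page's own addresses (the 169.1.1.0/28 block, the ISP router at 169.1.1.1, WinRoute's public side at 169.1.1.4 and a DMZ range starting at 169.1.1.5): it checks the advanced-NAT exemption range the way the "Important" note demands (WinRoute's own address must not be in it), shows which source addresses the NAT'd interface leaves untranslated, and generates the per-host static routes the ISP router needs. The DMZ range ending at the last usable address of the block (169.1.1.14) and the 192.168.1.0/24 private LAN are assumptions for this example.

```python
import ipaddress

# Values from the page: the ISP-issued /28 block, the ISP router and
# WinRoute's public-side address. The end of the DMZ range (last usable
# address of the block) and the private LAN prefix are assumed here.
PUBLIC_BLOCK = ipaddress.ip_network("169.1.1.0/28")
ISP_ROUTER = ipaddress.ip_address("169.1.1.1")
WINROUTE_PUBLIC = ipaddress.ip_address("169.1.1.4")
DMZ_FIRST = ipaddress.ip_address("169.1.1.5")
DMZ_LAST = list(PUBLIC_BLOCK.hosts())[-1]            # 169.1.1.14 (assumed)
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed private segment


def dmz_addresses():
    """Return the DMZ host addresses, 169.1.1.5 through the end of the block."""
    return [a for a in PUBLIC_BLOCK.hosts() if DMZ_FIRST <= a <= DMZ_LAST]


def check_nat_exemption(exempt):
    """Validate a candidate advanced-NAT exemption range.

    Every address must belong to the public block, and WinRoute's own public
    address must never be exempted (the page's "Important" note). Returns a
    list of problems; an empty list means the range is acceptable.
    """
    problems = []
    for a in exempt:
        if a not in PUBLIC_BLOCK:
            problems.append(f"{a} is outside {PUBLIC_BLOCK}")
    if WINROUTE_PUBLIC in exempt:
        problems.append(f"WinRoute's own address {WINROUTE_PUBLIC} must not be exempted")
    return problems


def translate_source(src, exempt):
    """Model what the NAT'd interface does with an outbound packet's source.

    A DMZ source passes through untranslated (WinRoute is a neutral router for
    it); any other source, such as the private LAN, is masqueraded behind
    WinRoute's public address.
    """
    src = ipaddress.ip_address(src)
    return src if src in exempt else WINROUTE_PUBLIC


def host_routes(exempt):
    """Static /32 routes the ISP router needs so DMZ traffic goes via WinRoute."""
    return [
        f"network {a} mask 255.255.255.255 gateway {WINROUTE_PUBLIC} interface {ISP_ROUTER}"
        for a in exempt
    ]


if __name__ == "__main__":
    dmz = dmz_addresses()
    print("DMZ hosts:", [str(a) for a in dmz])
    print("correct rule problems:", check_nat_exemption(dmz))
    print("bad rule problems:", check_nat_exemption([WINROUTE_PUBLIC] + dmz))
    print("DMZ source 169.1.1.7 leaves as", translate_source("169.1.1.7", dmz))
    print("LAN source 192.168.1.10 leaves as", translate_source("192.168.1.10", dmz))
    for route in host_routes(dmz):
        print(route)
```

The first route the script prints is exactly the example route given above; the remaining nine cover the rest of the DMZ range. Running `check_nat_exemption` on a range that starts at 169.1.1.4 instead of 169.1.1.5 reproduces the mistake the "Important" note warns about, which is the check worth automating before the rule is saved.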