DMZ host validation error and strange behaviour

If your problem doesn't fall into one of the other categories, report it here.


throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

DMZ host validation error and strange behaviour

Post by throughwalls »

I am running 1.4.2. I have a default DHCP subnet of 192.168.1.xxx

Bug report:
I tried setting up a DMZ host (Firewall menu, Port Forwarding page). When I typed 192.168.1.255, the validation code makes it glow red and refuses to allow it. When I choose 192.168.1.254, it is happily accepted. I assume this is a field validation error. Or is there some reason .255 is not allowed?

And then strange behaviour:
I actually have no machine with either DMZ IP address. So what happens?

I was reading a previous thread on grc.com "stealth" and Gargoyle. When I do the scan normally (no DMZ defined) you get a few ports in green "stealth mode" (maybe that is my ISP?) and most ports in blue "closed mode".

When I do a scan with this non-existent DMZ host defined, I get very odd almost random port behaviour.
(attached screenshot: grcScanWithDMZ.PNG, grc.com scan with the non-existent DMZ host defined)
Is the router dealing with those decisions, or is something else happening?

I had, a while ago, tried this on another router, and everything "looked" like it was in stealth mode.

I realize I do not want to leave this DMZ defined, but I wonder about the results.

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: DMZ host validation error and strange behaviour

Post by DoesItMatter »

Yes, there are restrictions on using .0 and .255 for an IP

You're usually using .1 thru .254 as normal IPs

Firewall rules are NOT dependent on a machine existing with that IP

You can set up any IPs, even if not being used currently.

Don't worry about the Stealth mode.

As long as the ports show closed, that's good.

Open ports - yes, take care of those as soon as possible.

If you read more about stealth ports, you will see that if you are under
attack from hosts, stealth can actually slow down your connection.

It's actually better for your connection to reject the packets.

Why are you messing with the DMZ?

DMZ is usually used for 1 specific PC that you want to connect
directly to the internet - usually for a server that you want
FTP / HTTP access. When doing that though, you need to make
sure that there is a firewall on that PC that you can define the
rules yourself. DMZ bypasses any other firewall rules you
configure or set up in the router.

Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
using that IP, the results from grc.com are either hitting your
modem or router instead, not actually using that IP address.
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
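As an added example (not the poster's report and not Gargoyle's own validation code), here is the check that a "DMZ host" field is applying when it refuses .255, written out with Python's ipaddress module. The LAN is given in CIDR form and the router's own LAN address is an assumed optional parameter; the check rejects the network address (.0 in a /24), the broadcast address (.255), anything outside the subnet, and the router itself. It also goes one step beyond the thread: in a /31 point-to-point subnet (RFC 3021) there is no broadcast address, so both addresses are usable, and the check allows them.

```python
import ipaddress


def validate_dmz_host(lan_cidr, candidate, router_ip=None):
    """Return (ok, reason) for a proposed IPv4 DMZ host address.

    lan_cidr  - the LAN subnet, e.g. "192.168.1.1/24" (host bits are ignored)
    candidate - the address typed into the DMZ host field
    router_ip - optional: the router's own LAN address (assumed parameter);
                forwarding all inbound traffic to the router itself is refused
    """
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    try:
        host = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False, f"{candidate!r} is not a valid IPv4 address"

    if host not in lan:
        return False, f"{host} is outside the LAN subnet {lan}"

    # Only subnets of /30 and larger have a distinct network and broadcast
    # address; a /31 uses both addresses for hosts and a /32 is a single host.
    if lan.prefixlen <= 30:
        if host == lan.network_address:
            return False, f"{host} is the network address of {lan}"
        if host == lan.broadcast_address:
            return False, f"{host} is the broadcast address of {lan}"

    if router_ip is not None and host == ipaddress.IPv4Address(router_ip):
        return False, f"{host} is the router's own LAN address"

    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs matching the thread: a 192.168.1.x LAN with the
    # router on .1, and the two addresses the poster tried.
    for addr in ("192.168.1.255", "192.168.1.254", "192.168.1.0", "192.168.1.1"):
        ok, why = validate_dmz_host("192.168.1.1/24", addr, router_ip="192.168.1.1")
        print(f"{addr:<15} {'accepted' if ok else 'rejected'}: {why}")
```

Whether a machine currently answers at the address is deliberately not part of this check, which matches the point above that the forwarding rule is installed regardless of whether the host exists; a liveness probe (ARP or ping on the LAN side) is a separate step worth doing before enabling a DMZ host.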

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: DMZ host validation error and strange behaviour

Post by throughwalls »

DoesItMatter wrote:
Yes, there are restrictions on using .0 and .255 for an IP

You're usually using .1 thru .254 as normal IPs

Interesting. I did not know this. And so I find http://en.wikipedia.org/wiki/IPv4#Addre ... n_0_or_255
DoesItMatter wrote:
Why are you messing with the DMZ?

...

Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
using that IP, the results from grc.com are either hitting your
modem or router instead, not actually using that IP address.

Normally I have no DMZ defined as I provide no steady service to the outside world. But I wanted to test and see what happened. It was reverted as soon as I sent the earlier message.

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: DMZ host validation error and strange behaviour

Post by throughwalls »

DoesItMatter wrote:
Also, if you set up a DMZ IP of 192.168.1.254 and there is no machine
using that IP, the results from grc.com are either hitting your
modem or router instead, not actually using that IP address.

This does not make sense to me.

If I configure a DMZ machine and it happens to be powered off (or in this case non-existent), why would the packets be routed somewhere else? And to a random destination?

And why, in the picture above, is there no consistent behaviour for the ports tested? I have never seen a machine with such random results, including a stretch of a few rows of solid green.

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: DMZ host validation error and strange behaviour

Post by DoesItMatter »

Here is a port-scan from grc.com with a default config.

All I did is setup the wireless.

No firewall rules, etc.

I suggest to try and reset your router to defaults and do a test first.

Then configure any firewall rules, etc.
(attached screenshot: grc-port-scan.jpg, grc.com scan of a default config)

throughwalls
Posts: 89
Joined: Thu Apr 22, 2010 3:24 pm

Re: DMZ host validation error and strange behaviour

Post by throughwalls »

I fully understand the results you posted the picture of. I get (almost) the same results, with the exception that my ISP seems to block some different ports.

But I still do not understand the results from my original picture, when I have a DMZ host specified which is not available on the network. Who is receiving those packets?

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: DMZ host validation error and strange behaviour

Post by DoesItMatter »

throughwalls wrote:
I fully understand the results you posted the picture of. I get (almost) the same results, with the exception that my ISP seems to block some different ports.

But I still do not understand the results from my original picture, when I have a DMZ host specified which is not available on the network. Who is receiving those packets?

It should be the router. The router is sending all the network traffic
to some host that matches the IP.

But if no IP exists, it seems the router itself, or maybe your modem,
is answering those probes.

Set the DMZ to one of your machines, then re-do the test.
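The thread relies on grc.com screenshots to tell "stealth", "closed" and "open" apart, both in the first reply about stealth versus closed ports and in the final advice to re-do the test with a real DMZ host. As an added example (not code from either poster or from Gargoyle), here is the same classification done with a plain TCP connect probe, so the test can be repeated from any host outside your own network (a VPS, a phone on mobile data) against your WAN address, with or without a DMZ host set. The target host and the port list are constructed inputs. Each port ends up in one of three states: the handshake completed (open), a TCP RST came back (closed: some host answered), or nothing came back before the timeout (filtered, which is what grc.com calls stealth).

```python
import socket
from collections import Counter

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port the way a connect scan (and grc.com's labels) would.

    open     - handshake completed: something at that address is listening
    closed   - a TCP RST came back: a host answered, but nothing listens there
    filtered - no answer before the timeout: "stealth" in grc.com's terms
    Any other failure (ICMP unreachable, no route) is reported with its errno,
    since an ICMP error also means something answered.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return FILTERED
        except ConnectionRefusedError:
            return CLOSED
        except OSError as exc:
            return f"error:{exc.errno}"
        return OPEN


def scan(host, ports, timeout=2.0):
    """Probe each port once and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def summarize(results):
    """Count states, e.g. {'closed': 13, 'filtered': 2}, to compare two runs
    (for instance with and without a DMZ host configured)."""
    return dict(Counter(results.values()))


if __name__ == "__main__":
    import sys

    # Constructed target and port list; pass your WAN address as argv[1] when
    # running from a host outside your network.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    common = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 1433, 3389, 8080]
    results = scan(target, common)
    for port, state in results.items():
        print(f"{target}:{port:<5} {state}")
    print(summarize(results))
```

What this cannot tell you is which box sent the RST for a "closed" port: from the outside, a reply from the router, the modem or a LAN host all look the same, which is exactly the ambiguity the thread runs into. A packet capture on the router's LAN interface while the scan runs is the way to see whether the DNAT'd probes ever leave the router and whether anything on the LAN answers them.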
