On 2/2/2015 6:29 PM, Always Learning wrote:
> On Tue, 2015-02-03 at 13:16 +1100, Kahlil Hodgson wrote:
>
>> A DMZ in this context is a network that has been isolated from the
>> rest of your local network. You can access it from your local
>> network, it can access the rest of the world, but it can't access your
>> network. The idea is that, if a machine in the DMZ is compromised, it
>> can only access other machines in the DMZ.
>
> Thanks. Now I know. That sort of operation can be done via the router
> and by selecting a wifi option on the same router (Asus RT-AC68U). Wifi
> is off by default.

An Asus RT-whatever is a home internet gateway, not a proper firewall router, and it has no provision for a proper DMZ as it doesn't have a port for it. This has *nothing* to do with wifi.

Implementing a proper DMZ requires a firewall router with multiple zones, at a minimum WAN (internet), LAN (your regular network), and DMZ, used for your public facing internet servers. The DMZ uses its own network switch (or VLAN) separate from your LAN switch(es), so traffic from LAN<=>DMZ has to go through the firewall router. You define firewall rules such that DMZ servers are blocked from accessing anything on your WAN except specific services they need (if any), but you usually allow systems on the LAN side access to everything on the DMZ side. I've seen configurations where even LAN to DMZ was tightly controlled, so for example only administrator workstations could ssh into the DMZ servers.

-- 
john r pierce                                  37N 122W
somewhere on the middle of the left coast
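The three-zone layout described above (LAN, DMZ, WAN; DMZ limited to specific outbound services; LAN-to-DMZ ssh restricted to administrator workstations) as a small first-match policy model. This is an added illustration, not code from anyone in the thread; the subnets, ports and rule set are constructed assumptions.

```python
"""Zone-based firewall policy model for a LAN / DMZ / WAN design (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing (assumed, not from the thread). Anything outside
# these local subnets is treated as the internet (WAN).
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("172.16.10.0/24"),
}
ADMIN_WORKSTATIONS = ip_network("192.168.1.0/28")  # assumed subset of the LAN


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]                # None matches any port
    action: str                            # "allow" or "deny"
    src_net: Optional[IPv4Network] = None  # optional narrowing of the source


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are on the WAN."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "WAN")


# Ordered list, first match wins; anything unmatched is dropped.
POLICY = [
    Rule("LAN", "DMZ", 22, "allow", ADMIN_WORKSTATIONS),  # admins may ssh into the DMZ
    Rule("LAN", "DMZ", 22, "deny"),                       # nobody else on the LAN may
    Rule("LAN", "DMZ", None, "allow"),                    # LAN reaches all other DMZ services
    Rule("LAN", "WAN", None, "allow"),                    # LAN browses the internet
    Rule("DMZ", "WAN", 53, "allow"),                      # DMZ hosts: DNS only
    Rule("DMZ", "WAN", 443, "allow"),                     # DMZ hosts: HTTPS (e.g. updates)
    Rule("WAN", "DMZ", 443, "allow"),                     # the published HTTPS server
]                                                         # no DMZ -> LAN rule: denied


def evaluate(src: str, dst: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a flow, as the firewall router would."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"  # same switch/VLAN: the firewall never sees this traffic
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.src_net is not None and ip_address(src) not in rule.src_net:
            continue
        return rule.action
    return "deny"  # default deny, including every DMZ -> LAN flow
```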