Creating a DMZ without having a static public IP

SOLVED
trunolimit
Building a reputation

Creating a DMZ without having a static public IP

I have an MX60 and I need to create a DMZ inside my network but I don't pay for a static public IP. 

 

How can I create a DMZ without having it break every time my public IP changes? I've got cheap off the shelf routers that allow me to create a DMZ without any hassle. Even the ISP supplied Fios routers have a DMZ section in their GUI that just let you put the internal IP of the device you want to be included in the DMZ. Why can't the MX create a DMZ without specifying a public IP?

1 ACCEPTED SOLUTION

@trunolimit

 

What you have described isn't a DMZ issue, it is an issue with the MX not handling everything that comes down the line from your ISP. DMZ Creation using MX

 

The simplest way to deal with this issue is to place a small configurable router/security gateway ahead of the MX, the one I use has only 3 ports which may be configured as LAN or WAN and NAT may be configured on a per port basis.

Net Split.jpg

This arrangement keeps the secure stuff secure. On a selective basis there are ephemeral links created to initiate activities on the insecure side of the network. There are also links between devices in the different networks, but not involving IP network protocol or USG. A display may be connected (HDMI/DP) to both networks to provide access to the functionality provided by an insecure device.

 

It also opens up access to a great many people who have dealt with and found solutions to the problem you have described.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

View solution in original post

11 REPLIES 11
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't understand your issue. Why can't you use a simple VLAN?
trunolimit
Building a reputation

I need unfiltered WAN access to a device inside my Network. By default any router has a stateful firewall that keeps inbound connections from getting into the LAN from the WAN. This is why I need a DMZ. A simple VLAN doesn't accomplish this. Also I can't do port forwarding because no one knows the ports on which the FIOS router operates on. I've spent a lot of time on DSL reports to try and find out without luck. 

 

We have a lot of clients with Meraki MXs in their homes. The only way to get remote DVR to work is to put the Verizon router in front of the MX and then inside the Verizon GUI place the MX in their DMZ so we have full access to the MX from the WAN side (Site to Site and Client VPN only work if the MX is placed in the Verizon DMZ).

 

I don't like the Verizon FIOS router in front of the MX because it's unreliable. I've had to go onsite and reboot a few of them from time to time. Also if the Verizon router gets an update that wipes the settings the MX VPN features stop working. 

 

I've tried to reach out to Verizon about this but all they tell me is their Remote DVR only works if their router is the gateway to the WAN. 

 

I have read that their might be a way to do it through MAC address spoofing but this is another feature that basic off the shelf routers have that Meraki MX doesn't have. 

To get to the bottom of how the Verizon setup plays with 3rd party kit - look around the forums where this information is explained. They will explain how to configure everything.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

First I’d like to thank you for the reply, I have seen the guide on DSL reports but the only solution to this problem involved MAC address Spoofing which Meraki is incapable of. But there seems to be some more recent posts about this subject that I haven’t seen. So I’ll go through those.

Skimming through the posts I see a lot of Port Forwarding trial and error stuff that has to be done on my part. A simple DMZ would resolve this. But how to set up a DMZ without an additional static IP?

@trunolimit

 

At present there are certain things which the MX does not handle, but free (ISP supplied) routers do handle. There are also some eminently affordable and capable devices (routers and security gateways) that can be used with the MX to correctly distribute the services the ISP provides.

 

In my case, I put a BrandX security gateway ahead of the MX. This started off as a way of getting around the reality that there are certain flavours of SSM (source specific multicast) that the MX makes no attempt to handle, although the switch handles it fine. Very quickly I realised that splitting the local network into 2 distinct LANs gave me some real benefits.

 

All the doubtful kit (wireless speakers, HVAC control, smart TVs, smart home paraphernalia, Chromecast, Alexa, light bulbs) communicates via the dodgy doofa LAN, and the secure stuff sits behind the MX. The MX connects to the ISP through a port on the BrandX gateway. I have the choice of either having the MX handle NAT for its own dependent clients and specifying that the traffic from that port is not NATted when routed out the WAN port, or letting BrandX do all the NATting. At the moment I have the MX doing the NATing. I need to avoid double-NATting.

 

For services such as Chromecast and Bonjour, carefully configured VLANs allow access from a secure network hosted wireless client to a Chromecast capable device on the dodgy network, so music plays, or whatever, and once it has started, the device on the secure network can disconnect.

 

Much as we might like to, we cannot ignore the smart gadget phenomenon. I discovered, by accident, that "smart" light bulbs exist; I can't imagine there is a property manager out there who isn't attracted by that sort of capability. One of the problems is that the people who make speakers and bathroom scales and such are not interested in the security implications of networking. So better to put all that stuff in purdah and keep them away from what matters.

 

I have secure network devices that interact with the dodgy doofa kit by HDMI 2 alone, It works fine, we have large monitors that cope with this seamlessly. If I wanted to, and I don't, I could route the SSM link to a playout attached to the secure network.

 

Keeping the sheep from the goats is a good idea.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

IoT is going to be if not already the bane of our existence. Right now there are 2 types of IoTs. The ones that are strictly cloud based, the client talks to the cloud which in turn talks to the IoT and vice versa. Then you've got the IoT stuff that communicates on the local LAN so you're kind of stuck if the IoT device relies on layer 2 communications. So far most of the IoT stuff I encountered doesn't need to be on the same LAN except for the Bonjoure stuff. Interestingly enough I just learned that apple devices use bluetooth to take care of what Bonjoure is supposed to do. 

 

I had an installation where unbeknownst to me the client installed an Apple TV and placed it on the guest SSID. The guest SSID is set up so no one can see each other. I was freaked out when I saw that Airplay worked on the Guest wifi.  After a lot of poking around I turned off bluetooth on my MacBook and saw that airplay no longer worked. 

 

I a bit confused about your set up. How do you avoid double NAT with the BrandX gateway in front of the MX. I adamantly don't know what a brandx gateway even is.  


@trunolimitwrote:

 

 

I a bit confused about your set up. How do you avoid double NAT with the BrandX gateway in front of the MX. I adamantly don't know what a brandx gateway even is.  


The BrandX gateway conveniently allows NAT to be configured on a per-port basis, so the MX uplinks to LAN2 which has NAT disabled.

 

A BrandX  gateway is a security gateway from a brand that is not Meraki (or Cisco). I had some of their kit sitting in the chuck shed so I dusted it off and discovered that it appears to solve a problem common to many Meraki users in Europe and East Asia, where, unlike the US, SSM is commonly used by network providers. SSM is used by some US ISPs but less commonly than elsewhere.

 

I only mention BrandX because it solves a specific problem, multicast and the avoidance of double NATting, which, at the moment, Meraki has no solution to.  The ability to keep the insecure devices even further removed from the secure parts of the network is a bonus. The component cost is slight, but not everything can be done with a GUI, which isn't for everybody.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Uberseehandel
Kind of a big deal

@trunolimit

 

You could use a DDNS to achieve what you require. However, my own best practice is to put anything that others need access to in a rack in a data centre with a public address. In fact, anything that looks remotely like a server(real or virtual) lives in a data centre somewhere else. My currently preferred location has its own solar array, and co-incidentally, over a decade ago I arranged for it to become the first certified carbon-neutral hosting business in the UK.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

My use case in nothing as serious as a server. If it were I'd just have the clients pay for a public IP and be done with it. Actually one of our clients did just that. It was an office that had Verizon FIOS installed. The FIOS boxes don't like to be behind another router. Remote DVR, TV guide, and on demand videos don't work if the FIOS router is not installed. TV guide and VoD can easily be fixed by using a MoCA adapter or simply putting the FIOS router on its own VLAN behind the MX

However, the remote DVR services only work if the FIOS router is on the WAN unfiltered.

I will look into using DDNS as you suggested but I was under the impression that you could only use IP numbers in the DMZ section on the dashboard, not URLs.

maybe explain to me exactly how to use DDNS to build a DMZ, Please.
trunolimit
Building a reputation

Regardless of why I want to do it I gather there is no way to do it. 

 

You need a separate public IP to set up a DMZ on the meraki platform. 

@trunolimit

 

What you have described isn't a DMZ issue, it is an issue with the MX not handling everything that comes down the line from your ISP. DMZ Creation using MX

 

The simplest way to deal with this issue is to place a small configurable router/security gateway ahead of the MX, the one I use has only 3 ports which may be configured as LAN or WAN and NAT may be configured on a per port basis.

Net Split.jpg

This arrangement keeps the secure stuff secure. On a selective basis there are ephemeral links created to initiate activities on the insecure side of the network. There are also links between devices in the different networks, but not involving IP network protocol or USG. A display may be connected (HDMI/DP) to both networks to provide access to the functionality provided by an insecure device.

 

It also opens up access to a great many people who have dealt with and found solutions to the problem you have described.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels