Sharing the WAN without sharing the LAN: A DMZ leads to a successful plan
Brian Dipert - May 28, 2012
I’m writing this particular post on Memorial Day here in the United States. I live in the northwest corner of Lake Tahoe, a popular tourist destination. And my recently constructed two-car garage includes a self-contained studio living space above it. As a result, I frequently entertain visitors, especially on extended weekends such as this one.
When I had the garage built, I also installed a conduit running between the garage and the house, containing (among other things) a span of Cat 6 Ethernet cable connected to my router, so that studio residents could tap into my broadband Internet (i.e. WAN) connection. But I don’t want guests to have access to the other resources on my LAN, notably the multiple NASs on which I have stored my personal finance records, my music and photo libraries, and other digi-valuables. How to open up the WAN without simultaneously exposing the LAN became my objective, and I thought you all might be interested in my success story … since the July 4th weekend is coming up in a bit over a month, after all.
Newer routers support so-called “guest” mode, which natively accomplishes this objective. But mine’s a second-generation Apple Airport Extreme ‘N’ model; Apple didn’t add the Guest Network feature until the third-generation model 1.5 years later. My particular router generation doesn’t even comprehend simultaneous 2.4 GHz and 5 GHz support; I have the router set up in 5 GHz 802.11n (with 802.11a backwards-compatibility) mode, with a separate 802.11b/g access point (channel 1) handling 2.4 GHz clients. And anyway, a wireless “guest” mode beacon emanating from a router in the house wouldn’t reliably stretch to the studio in the garage next door … nor would it support a wired “guest” mode network connection option.
One slick feature that the Airport Extreme ‘N’ does support, however, is Default Host mode, which is more generally known as DMZ mode:
As the relevant Wikipedia entry explains, “The hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and Domain Name System (DNS) servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder were to succeed in attacking any of them.” I’m not using Default Host mode for this particular reason. However, the subsequent sentence is more relevant: “Hosts in the DMZ have limited connectivity to specific hosts in the internal network, although communication with other hosts in the DMZ and to the external network is allowed.”
The device located in the router’s DMZ receives all inbound traffic arriving over the WAN connection, on every port and protocol, forwarded to it; it’s not subject to the router’s firewall restrictions, although it’s firewalled from the rest of the LAN (as such, Apple’s implementation appears to be a pure DMZ, not the more limited DMZ host mode).
My brainstorm was the idea that I could put a second router in the DMZ, thereby creating a dedicated LAN for the studio. I still had a Linksys WRT54G-TM router sitting in the garage from my mid-2007 T-Mobile HotSpot @Home experiment, so I put DD-WRT third-party firmware on it (a task made particularly simple in my case because Mac OS X includes a built-in TFTP client). My existing LAN uses the 10.0.1.xxx subnet, so I assigned the router the static WAN IP address 10.0.1.5. I then entered that same IP address into the Default Host assignment box on the Apple Airport Extreme ‘N’ router, enabling the feature in the process.
To avoid subnet conflicts, I configured the WRT54G-TM router to create a LAN using the 10.0.0.xxx subnet. And to avoid any potential 2.4 GHz spectrum interference between the house and studio, I configured the WRT54G-TM to broadcast its wireless beacon on channel 6. I also wanted to retain access to my own LAN from the garage, so I additionally set up an Airport Express ‘N’ access point on channel 11 (channels 1, 6, and 11 are the only non-overlapping channels in the 2.4 GHz 802.11 scheme). And ahead of both the WRT54G-TM and Airport Express ‘N’, I placed a D-Link 5-port 10/100 Mbps switch.
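As an added example (not part of the original post), the following Python script checks an address and channel plan like the one above for the two mistakes a double-NAT DMZ setup most often suffers: an inner LAN that overlaps the outer one, and 2.4 GHz channels closer than 5 apart. The `Plan` class, `check_plan` function and the deliberately broken second plan are my constructions; the values in the first plan are the ones the post gives.

```python
"""Validate an address and channel plan for a double-NAT guest network."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Plan:
    outer_lan: IPv4Network      # house LAN behind the Airport Extreme
    dmz_host: IPv4Address       # Default Host entry on the outer router
    inner_wan: IPv4Address      # static WAN address of the inner router
    inner_lan: IPv4Network      # guest LAN created by the inner router
    channels_2g: list = field(default_factory=list)  # 2.4 GHz channels in use


def check_plan(plan: Plan) -> list:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    # The inner router's WAN side sits on the house LAN, so its address must
    # belong to that subnet and must be the one the outer router forwards to.
    if plan.inner_wan not in plan.outer_lan:
        problems.append(f"inner WAN {plan.inner_wan} is outside {plan.outer_lan}")
    if plan.dmz_host != plan.inner_wan:
        problems.append(f"Default Host {plan.dmz_host} != inner WAN {plan.inner_wan}")
    # Double NAT only routes correctly when the two LAN subnets do not overlap.
    if plan.inner_lan.overlaps(plan.outer_lan):
        problems.append(f"inner LAN {plan.inner_lan} overlaps outer LAN {plan.outer_lan}")
    # 20 MHz channels in 2.4 GHz must be at least 5 apart (hence 1, 6 and 11).
    chans = sorted(plan.channels_2g)
    for a, b in zip(chans, chans[1:]):
        if b - a < 5:
            problems.append(f"2.4 GHz channels {a} and {b} overlap")
    return problems


# The plan from the post, reconstructed from the values it gives.
POST_PLAN = Plan(IPv4Network("10.0.1.0/24"), IPv4Address("10.0.1.5"),
                 IPv4Address("10.0.1.5"), IPv4Network("10.0.0.0/24"), [1, 6, 11])

# Constructed broken variant: guest LAN reuses the house subnet, channel collides.
BAD_PLAN = Plan(IPv4Network("10.0.1.0/24"), IPv4Address("10.0.1.5"),
                IPv4Address("10.0.1.5"), IPv4Network("10.0.1.0/24"), [1, 6, 9])

if __name__ == "__main__":
    for name, plan in (("post", POST_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "ok")
```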
The setup works perfectly. Devices on the studio network not only get access to the Internet, they can also “see” each other, the latter a capability that the built-in “guest” mode of newer routers doesn’t always implement. But studio network-connected devices can’t “see” my LAN.
This means, for example, that they can’t tap into my print server. Instead, I put a spare printer in the studio, along with a length of USB cable. The approach I chose enabled me to cost-effectively employ gear that I already had in my possession, versus buying new replacements. And I also learned a few things about networking in the process. A winner all the way around!