Setting up DMZ with multiple static IPs on an office LAN using DD-WRT

Note: This post should be an article in the DD-WRT wiki. If it looks OK, I'll post it there later; it's here so people can comment on it.

This is the story of how I managed to set up a DD-WRT powered router for my office LAN, with multiple static IPs (from a DSL connection) on a DMZ. It was a matter of trial and error, because I couldn't find a good reference on how to do such a thing (or on any way to use static IPs without port mapping or DNAT), so I decided to write one.

Things that you’ll need

  • A router running DD-WRT v23 SP2
  • A DSL connection, recommended with a static IP
  • An additional block of static IPs mapped to your DSL connection by your ISP
  • An SSH client to connect to the router – I use Linux, so I got one with the operating system, and so do MacOS-X users. MS-Windows users can download the free Putty client, or use some commercial software.

This is my current setup

  • I got a Linksys WRT54GL v1.1 router. Installing DD-WRT on it was not difficult and it's clearly explained in The DD-WRT installation manual. If you break anything, it's easy to reflash the router using TFTP (also explained there), so don't worry too much. Do make sure to download both the "mini" version of the firmware and the one you finally want to install (I used the "vpn" version) before you start, as it will save you a lot of time.
  • I got a DSL connection from an Israeli provider named Netvision. They are notorious for their lousy tech support, and couldn't help me one little bit, but most likely you're not going to need tech support for this; you can mess up on your own ;-). I have a static IP on a PPPoE connection, which shall henceforth be known as
  • I got an additional block of 8 IP addresses, which I shall dub (also known as as the first address is the network address and the last is the broadcast address, leaving 6 usable IPs)

Basic Setup
The first thing you need to do is to set up your router to dial up to the DSL. This should be fairly easy if you've ever done it before, and the DD-WRT interface for setting up the network is almost identical to the original Linksys interface, to the point that if your browser saved the dial-up user name and password when you set it up before, it will gladly fill them in for you again in the DD-WRT setup. I'm assuming you are doing the rest of the configuration from a computer connected to the first LAN port of the router. Note that the first LAN port is the port farthest away from the WAN port, and not the one connected to the LED marked "1" (see the discussion below).

Once that is done, we can go on to the interesting stuff. Start by setting the administrator password: go to "Administration->Management", enter 'root' as the username and a complicated password as many times as asked. Also enable "SSH Management" in the "Remote Access" section, then click "Save Settings" at the bottom of the page. Doing this will disable the telnet interface (which is always open without a password, a bad thing) and enable SSH access (encrypted and authenticated, a good thing). Note that SSH access is open by default on all networks: LAN, DMZ and the public internet alike. I don't mind so much, so this article will say nothing more about it, but it is possible to limit access in several different ways, and if the router's DMZ leg ends up reachable from the internet (see "Possible Problems" below) you should.

Setting up the DMZ virtual LAN interface
Now we need to set up our VLAN. We will use the router's built-in switch's VLAN capability to make one port on the switch serve as the DMZ, leaving 3 ports for the LAN. You can choose different ports by changing the VLAN configuration as we'll discuss in a moment, but it is sometimes tricky to get right, and easy to lock yourself out of the router. Always keep port number 1 on the vlan0 port list, as some routers refuse to be reflashed over TFTP otherwise, which would make it impossible to fix a broken router.

Start by checking out your current VLAN configuration – SSH to the router, which should have the IP address of (if you haven’t changed it) – type ‘root’ as the username and whatever you put in the web interface as the password. Then type at the command prompt:

nvram show | grep vlan.ports

This should show you your current vlan configuration as it is stored in the router’s NVRAM (non-volatile RAM – where the router stores its configuration). It should look like this:

vlan0ports=0 1 2 3 5*
vlan1ports=4 5

The WRT54GL's internal switch has 6 ports: 4 are the LAN ports, 1 is the WAN port, and the last one (port 5) is wired to the router's own network interface. The ports are then split into VLANs: one VLAN lets the router's interface talk to the WAN (wide area network, the external interface), and another lets it talk with the devices on the local area network (LAN). When the router sends a packet it tags it with the VLAN it should go out on, so packets for the public internet are tagged VLAN 1 and travel from port 5 to port 4, while packets for the local network are tagged VLAN 0 and enter the switch on port 5 to be delivered to the right device on ports 0, 1, 2 or 3. It is important to note that the 5 external ports are numbered from 0, nearest the power socket, to 4, the WAN port; this is exactly the opposite of the LED labels, with LED "1" being physical port 3 and LED "4" being physical port 0.

Now to create our new VLAN. Let's say we want to take port 3 (the rightmost port looking at the front of the router, the one closest to the WAN port) and make it our DMZ VLAN. We execute the following commands:

nvram set vlan0ports="0 1 2 5*"
nvram set vlan2ports="3 5"
nvram set vlan2hwname=et0
nvram commit

The first two commands move port 3 from vlan0 to the newly created vlan2. The third tells the firmware which Ethernet device vlan2 hangs off (eth0; et0 is the Broadcom Ethernet driver's name for that device, and the value the VLAN setup expects). The last command writes all the changes to the persistent configuration memory; nothing takes effect until then, so this is the moment to double-check the port lists.

Now that we have built our new VLAN, it's time to tell DD-WRT about it: open the router's web interface again and, under "Setup", go to "VLANs". Note that in the web interface the port numbering is different once more: the WAN port is marked "W", and the LAN ports are marked 1 to 4, which correspond to physical ports 0 to 3 and to LEDs 4 to 1 (the LEDs are exactly reversed from the port numbers in the DD-WRT configuration). Because we put physical port 3 on VLAN 2, we need to change the VLAN port configuration in the web interface by unchecking the port "4"/VLAN 0 checkbox and checking the port "4"/VLAN 2 checkbox. Then hit "Save Settings".
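Before typing the new port lists into nvram it is worth checking them for the two mistakes that lock you out: a port listed in two VLANs, or a VLAN that does not include the CPU port 5 (the router itself could then never reach it). The following shell function is an added example, not part of the original article or of DD-WRT; it only inspects the strings you are about to store, and assumes the WRT54GL layout described above (external ports 0 to 4, CPU port 5, and port 1 kept on vlan0 for TFTP recovery). It can be run on any machine with a POSIX shell before you touch the router.

```shell
#!/bin/sh
# Sanity-check proposed vlanNports values before 'nvram commit'.
# Added example; assumes the WRT54GL switch layout from the article:
# external ports 0-4, CPU port 5, and port 1 kept on vlan0 for TFTP recovery.
set -f   # disable globbing so that the "5*" CPU-port token is never expanded

# vlan_check <vlan0ports> <vlan1ports> [<vlan2ports> ...]
# Prints "ok" and returns 0 if the layout is consistent; otherwise prints the
# reason and returns 1.
vlan_check() {
    seen=''
    idx=0
    for list in "$@"; do
        has_cpu=0
        for p in $list; do
            p=${p%\*}                 # strip the '*' default-VLAN marker
            if [ "$p" = 5 ]; then
                has_cpu=1
                continue
            fi
            case "$p" in
                [0-4]) ;;
                *) echo "vlan$idx: '$p' is not a switch port (0-4) or CPU port 5"; return 1 ;;
            esac
            case " $seen " in
                *" $p "*) echo "port $p is listed in more than one VLAN"; return 1 ;;
            esac
            seen="$seen $p"
        done
        if [ "$has_cpu" -ne 1 ]; then
            echo "vlan$idx does not include CPU port 5, so the router could not use it"
            return 1
        fi
        idx=$((idx + 1))
    done
    # every external port must be on exactly one VLAN
    for p in 0 1 2 3 4; do
        case " $seen " in
            *" $p "*) ;;
            *) echo "port $p is not assigned to any VLAN"; return 1 ;;
        esac
    done
    # the article's recovery rule: port 1 stays on vlan0
    case " $1 " in
        *" 1 "*) ;;
        *) echo "port 1 must remain on vlan0 (TFTP recovery)"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# Example of use: the article's DMZ layout (vlan0, vlan1, vlan2)
vlan_check "0 1 2 5*" "4 5" "3 5"
```

Run it with the exact strings you intend to pass to `nvram set`; only when it prints "ok" go on to `nvram commit`.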

On to the new DMZ network
It is not strictly necessary to have a static IP on the DSL connection for additional IPs to be assigned, but it's probably what you are going to get, and in any case I don't think the configuration differs for a dynamic IP, as we don't touch the DSL connection itself. The additional static block your ISP assigned to you should already be routed to your DSL dial-up connection, so no extra setup should be necessary on their side. We will simply give the router's DMZ leg (the vlan2 network interface) one address from the block (usually the first one), give the other devices on the DMZ the remaining addresses, and let the Linux TCP/IP stack in the WRT do the rest, with a little help from us.

The first step is to setup the IP address for the router – from the router web interface choose “Administration” and then “Commands”. Now in the “Command Shell” box, type this:

ifconfig vlan2 netmask up

The above example sets up the first host IP (the one after the network address) of an 8 IP block, and its netmask. As a reminder, the IP block assigned to us is to, with as the network address and as the broadcast address, and the valid host addresses between them; this results in a netmask of (29 network bits). If you get a different number of IP addresses, you'll have to compute your netmask yourself. The command line utility ipcalc is very useful, but if you don't have a Linux computer handy there are lots of web based tools that do the same.

Now hit "Save Startup". The script above will then be run at the end of the router's startup sequence, and it will set the IP address on the vlan2 network interface, the one assigned to the DMZ VLAN.
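Getting the netmask wrong here is the classic mistake: too wide and the router will believe part of the internet is on its DMZ leg, too narrow and hosts at the top of the block become unreachable. The following script is an added example (not from the original article, and not DD-WRT's own tooling) that does the arithmetic ipcalc would do, in plain POSIX shell so it also runs on the router's BusyBox. The block 192.0.2.0/29 used in it is a constructed documentation-range example, not the author's real allocation; substitute your own block and prefix length.

```shell
#!/bin/sh
# Work out the addresses of a static block from CIDR notation, so the
# ifconfig line and the hosts' settings can be filled in without guessing.
# Added example; 192.0.2.0/29 below is a constructed documentation-range
# block, not the article author's real allocation.

# dotted quad -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask <bits> -> dotted-quad netmask, e.g. 29 -> 255.255.255.248
prefix_to_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        int_to_ip 0
    else
        int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# usable_hosts <bits> -> host addresses excluding network and broadcast
usable_hosts() {
    if [ "$1" -ge 31 ]; then echo 0; else echo $(( (1 << (32 - $1)) - 2 )); fi
}

# block_field <a.b.c.d/bits> <network|netmask|first|last|broadcast|hosts>
# Only blocks of /1 to /30 make sense here: anything smaller cannot hold the
# router's gateway address plus at least one DMZ host.
block_field() {
    addr=${1%/*}; bits=${1#*/}
    [ "$bits" -ge 1 ] && [ "$bits" -le 30 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$addr") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    case $2 in
        network)   int_to_ip "$net" ;;
        netmask)   int_to_ip "$mask" ;;
        first)     int_to_ip $(( net + 1 )) ;;      # the router's DMZ leg in the article
        last)      int_to_ip $(( bcast - 1 )) ;;
        broadcast) int_to_ip "$bcast" ;;
        hosts)     usable_hosts "$bits" ;;
        *)         return 1 ;;
    esac
}

# Print the whole picture for a block, in the order the article walks through
block_summary() {
    for f in network netmask first last broadcast hosts; do
        printf '%-10s %s\n' "$f" "$(block_field "$1" "$f")"
    done
}

block_summary 192.0.2.0/29
```

Note that `block_field` masks whatever address you give it, so feeding it any address from the block (not only the network address) still yields the right network, first host and broadcast; that makes it a handy check of what the ISP actually sent you.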

This should be enough for basic routing to work, but the standard DD-WRT firewall is very restrictive and won't let you do much of anything with the new interface, so we need to fix the firewall. Type the following commands into the "Command Shell" box:

# add input rules to mimic br0 behavior
iptables -I INPUT 4 -j DROP -p udp -i vlan2 --dport 520
iptables -I INPUT 7 -j logaccept -i vlan2 -m state --state NEW
# allow packets from the network, destined to the DMZ
iptables -I INPUT 8 -j ACCEPT -d -m state --state NEW

# allow access from LAN to DMZ
iptables -I FORWARD 4 -j ACCEPT -i br0 -o vlan2 -m state --state NEW
# allow access from DMZ to WAN
iptables -I FORWARD 3 -j ACCEPT -i vlan2 -o ppp0
# allow access from WAN to DMZ
iptables -I FORWARD 4 -j ACCEPT -i ppp0 -o vlan2

# disable masquerading on real IPs in DMZ (iptables rule positions start at 1;
# inserting at 1 puts this ahead of DD-WRT's MASQUERADE rule)
iptables -t nat -I POSTROUTING 1 -j ACCEPT -o ppp0 -s

Then click on "Save Firewall". The first section lets our new vlan2 interface receive IP packets in much the same way DD-WRT does by default for the LAN interface (including the dropping of UDP port 520, which I'm not sure what it does). The second section sets up which interactions between the 3 networks we allow: we want to reach the DMZ from the LAN but not the other way around, and we want the DMZ and the WAN to reach each other. Since iptables takes the first matching rule, the positions given in the -I arguments matter; after saving, check the result with `iptables -nvL FORWARD` and make sure no ACCEPT rule matches traffic from vlan2 to br0 ahead of the chain's final DROP. The last section disables masquerading for the DMZ: by default the router assigns private (non-routable) addresses to the LAN and then uses "masquerading", a technique to translate private to real IP addresses and back, to hide the private IPs when you access the internet. Because the DMZ uses real IP addresses assigned to you by your ISP, we don't want masquerading applied to them, so the ACCEPT must sit ahead of the MASQUERADE rule in the nat POSTROUTING chain.
Theoretically, I don’t need to specify the IP address range for the POSTROUTING rule, and I probably don’t want to – I can use a “mangle” rule to mark incoming packets from VLAN2 and have the POSTROUTING rule match on the mark – but I couldn’t get it to work: it didn’t want to mark packets from my DMZ, so I gave up on it.
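Because everything above depends on rule order, it is useful to be able to check what the FORWARD chain will actually do with a given packet before trusting it with a public block. The script below is an added example (not from the original article and not a DD-WRT tool) that walks a listing in the format printed by `iptables -S FORWARD` the way the kernel does, first match wins and the chain policy otherwise, and checks the three directions the article wants. It is deliberately simplified: it only looks at `-i`, `-o` and `-j` and ignores other matches such as `-m state`, and the two listings embedded in it are constructed, reduced to the rules that matter (DD-WRT's real chain has more entries). The second listing shows the mistake it is meant to catch: an extra ACCEPT for vlan2 to br0 placed ahead of the final DROP.

```shell
#!/bin/sh
# Walk a FORWARD chain listing the way iptables does (first match wins,
# chain policy otherwise) and check the article's DMZ policy.
# Added example, not part of DD-WRT or the original article. The listings are
# constructed in 'iptables -S FORWARD' format; this simplified walker only
# honours -i, -o and -j and ignores other matches such as -m state.

# forward_verdict <rules> <in-iface> <out-iface> -> prints the target that
# applies (ACCEPT, DROP, ...) to a packet entering on in-iface and leaving on
# out-iface.
forward_verdict() {
    rules=$1; in_if=$2; out_if=$3
    policy=ACCEPT
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        r_in=''; r_out=''; target=''
        case $1 in
            -P) policy=$3; continue ;;   # "-P FORWARD <policy>"
            -A) shift 2 ;;               # "-A FORWARD <matches> -j <target>"
            *)  continue ;;
        esac
        while [ $# -gt 0 ]; do
            case $1 in
                -i) r_in=$2;   shift 2 ;;
                -o) r_out=$2;  shift 2 ;;
                -j) target=$2; shift 2 ;;
                *)  shift ;;             # other matches are ignored in this model
            esac
        done
        # a rule with no -i/-o matches every interface
        [ -z "$r_in" ]  || [ "$r_in"  = "$in_if" ]  || continue
        [ -z "$r_out" ] || [ "$r_out" = "$out_if" ] || continue
        [ -n "$target" ] || continue
        echo "$target"
        return 0
    done <<EOF
$rules
EOF
    echo "$policy"
}

# check_dmz_policy <rules>: returns 0 if LAN->DMZ, DMZ->WAN and WAN->DMZ are
# accepted and DMZ->LAN is not; prints the first violation and returns 1 otherwise.
check_dmz_policy() {
    [ "$(forward_verdict "$1" br0   vlan2)" = ACCEPT ]  || { echo "LAN->DMZ is blocked"; return 1; }
    [ "$(forward_verdict "$1" vlan2 ppp0)"  = ACCEPT ]  || { echo "DMZ->WAN is blocked"; return 1; }
    [ "$(forward_verdict "$1" ppp0  vlan2)" = ACCEPT ]  || { echo "WAN->DMZ is blocked"; return 1; }
    [ "$(forward_verdict "$1" vlan2 br0)"   != ACCEPT ] || { echo "DMZ->LAN is allowed"; return 1; }
    echo "policy ok"
}

# Constructed listing after the article's three FORWARD inserts, reduced to
# the rules that matter.
GOOD_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i vlan2 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o vlan2 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j DROP'

# Constructed listing with a mistaken extra rule ahead of the final DROP that
# opens the LAN to the DMZ.
LEAKY_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i vlan2 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o vlan2 -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP'

for listing in "$GOOD_FORWARD" "$LEAKY_FORWARD"; do
    check_dmz_policy "$listing" || true
done
```

On the router itself you can feed the live chain in with `check_dmz_policy "$(iptables -S FORWARD)"`, assuming your iptables build supports `-S`; otherwise compare the positions by eye in `iptables -nvL FORWARD`.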

Additional Services
The last step is to set up DNS service for your DMZ network. For devices on the DMZ you want the simplest possible network setup, and unless you're going to equip every server on the DMZ with a resolving DNS server, you probably want the router to do DNS caching for you. Once that is in place, network setup on DMZ devices is very easy: just set the IP address to 5.5.5.x, netmask, DNS and that's it.

For this to work, we need to tell the WRT's internal DNS server to listen on vlan2. Under "Administration" in the web interface, find "Services" and then the "DNSMasq" section. In "Additional DNS options", on a line of its own, add:


And click “Save Settings”.

That's it, configuration is complete. Once the router has saved the last settings change, it's a good time to reboot the router: just click on the "Reboot Router" button and wait. Due to the more complex setup, it takes the router about a minute more after the web interface comes back for the new network configuration to take effect.

To test it, you can now point your web browser at the router's DMZ address, (while still using the computer connected to the LAN port). You should get the router's web interface again; if so, everything is working and you just need to connect some sort of switch to your DMZ port and start setting up your server. If it doesn't come up, go back and make sure you have completed all the steps correctly.

Possible Problems
There are a few issues with this setup, which I don't think are major, but they have security implications:

Because the DMZ is completely exposed to the public internet, the router's DMZ leg is exposed to all three networks: the LAN, the DMZ and the WAN. The first two are unavoidable, but people will probably be less comfortable having an interface of the router, with its web interface and all, exposed to the public internet. To close that, go back to the "Commands" panel and click "Edit" in the "Firewall" box. The web interface now shows the firewall script in the "Command Shell" box. Add the following lines at the bottom of the box:

# make the router's DMZ leg inaccessible to the world
iptables -I INPUT 5 -j DROP -i ppp0 -d -p tcp --dport 80

The above is enough if you only want to block access to the web interface. If you want to stop all access from the internet to the router's DMZ IP address (including SSH, which as noted above listens on all interfaces), use this instead:

# make the router's DMZ leg inaccessible to the world
iptables -I INPUT 5 -j DROP -i ppp0 -d

After saving the firewall script, wait a couple of minutes for the firewall to refresh; there's no need to reboot. Then verify from outside (or from a host on the DMZ, using the ppp0 interface as the source) that the DMZ address no longer answers.

Another issue is that devices on the DMZ can reach the router's leg on the LAN, the private internal IP address of the router, which is by default. DMZ devices can't reach anything else on the LAN, but the default DD-WRT firewall explicitly allows anything to get to (presumably so you won't lock yourself out of the router's configuration interface), and I didn't want to mess with it.

That’s it, we’re done here. I’d appreciate any comments on this article – especially if you’d like to try this at home and tell me how it went. Good luck!

14 Responses to “Setting up DMZ with multiple static IPs on an office LAN using DD-WRT”

  1. Joksi:

    Nice tutorial

    However, this could be done in an easier way.

    Just move one of the LAN ports from vlan0 to vlan1, and that's it.
    This port will be a direct second WAN port, without any firewall problems.

  2. Guss:

    Indeed, and that is what the first section of the article is about (moving the LAN port; recent DD-WRT versions offer a GUI for this but I found it to be not working as advertised). After you have dedicated the DMZ port, you need to map the ISP's static IP range to that port, and for that you need the iptables hookup as discussed above.

  3. Joksi:


    iptables -I INPUT -s -p tcp --dport 80 -j DROP

    Will indeed block all access to the router interface on both and for all vlan2 clients, while still being open for vlan0 clients. 🙂

    Also, to best apply this guide to the latest DD-WRT v24 sp2 everything can be followed, except the nvram commands for moving a LAN port and creating a vlan, this nowadays works flawlessly from the web UI.

  4. Oded:

    Thanks for the update!

  5. Miker:

    Excellent article. I’ve been looking for a week for some info on how to do this. Where is the documentation on the vlan 0 1 2 3 …. stuff so I can understand what’s going on inside the kernel rather than blindly following the instructions?

  6. miker:

    Ok, I'm working on this right now. I will go through your recipe and comment/edit the article as I find stuff.

    My setup is WRT54G-TM
    Dynamic WAN ip address (fake)
    locked to the MAC address of whatever is on the
    end of the wire.
    WAN is a /24 with x.1 gateway
    routed (fake)

    email me and I’ll send you an edited word doc of your article
    so it’s a little closer to publications in the WIKI

    BTW, port 520 is RIP, it is blocked so that internal
    routing info is not available to snoopers.

    Best regards,

  7. miker:

    Setting up DMZ with static public Sub-Net using DD-WRT

    This article borrows heavily from the procedure written by Oded Arbel at:

    The assumption for this follow-up is that you already know how to flash your WRT54G* with DD-WRT. I began the procedure with the WRT54G loaded with dd-wrt.v24_mega_generic.bin .

    The starting pieces: WAN – dynamic or static IP, tested both ways routed over WAN to bridge

    WRT54G-TM Linksys/T-mobile router

    Desired configuration on completion
    +---------------------------+
    |      WRT54G  DD-WRT       |
    |   DMZ               LAN   |
    +----|-----------------|----+
         v                 v

    This particular configuration has a static or dynamic IP address on the WAN side that is not in the same range as the routed subnet. This is a common provision in the US for AT&T (and probably others as well). Other providers may use similar methods of delivering service using PPPoE.

    Hardware Description before we begin

    The labeling of ports on various flavors of WRT54G is different, however the physical position of the ports remains the same. In this document I will refer to the PHYSICAL ports as seen by the operating system.


    and note that the case labeling is different on the two variants; however, the internal structure and labeling of the ports remains the same. Likewise, the LEDs may be numbered the reverse of what you expect.
    Some clarification: ports are numbered internally 0 to 5, with port 0 being the one next to the power connection. This is the port that is used by default for connection using TFTP. This port MUST remain on vlan0.
    Make sure to get the port numbering scheme straight, ideally labeling the ports so you don't screw up. If port 0 somehow gets disconnected from vlan0 and you BRICK YOUR ROUTER, you will be unable to re-flash it.

    Setting up VLAN for DMZ

    Start by checking out your current VLAN configuration – telnet to the router, which should have the IP address of (if you haven’t changed it) – type ‘root’ as the username and whatever you put in the web interface as the password. Then type at the command prompt:

    nvram show | grep vlan.ports

    You should get a response something like this:

    vlan0ports=0 1 2 3 5*     (or, on some units: vlan0ports=3 2 1 0 5*)
    vlan1ports=4 5

    Before attempting to change the VLAN setup I recommend that you disable port 2 as follows and use that information to confirm where each port is physically on your device and which LED corresponds to each port. Then LABEL everything.

    nvram set vlan0ports="0 1 2 5*"
    nvram commit

    Use a single cable and ping the LAN side interface to determine which of the ports is no longer operational. This will be physical device number 2 and will also allow you to identify which LED’s correspond to each physical port.

    Now to create our new vlan. We will split the output ports and take physical ports 2 and 3 (the rightmost 2 ports, looking at the front of the router, the ones closest to the WAN port on the back of the router) and make them into our DMZ VLAN. Execute the following commands:

    nvram set vlan0ports="1 0 5*"
    nvram set vlan2ports="3 2 5"
    nvram set vlan2hwname=et0
    nvram commit

    With this complete, we must tell the DD-WRT software about the change. Open the web interface to the router.

    Sigh….. note that the numbering of this section is again out of whack.

    • Physical port 5 = WAN (W)
    • Physical port 4 = not used
    • Physical port 3 = 4 on menu
    • Physical port 2 = 3 on menu
    • Physical port 1 = 2 on menu
    • Physical port 0 = 1 on menu

    • Click SETUP — on the sub-menu
    • Click VLANs
    • VLAN 0 – assign labeled ports 1, 2 to LAN
    • VLAN 1 – assign labeled port (W) to None
    • VLAN 2 – assign labeled ports 3, 4 to LAN
    • Auto-Negotiate – all checked
    • Enabled – all checked
    • Wireless LAN
    • Link Aggregation on Ports 3 & 4 – No

    Save this configuration.

    Notes on IPTABLES

    The default operating mode for DD-WRT is for the router to act as a GATEWAY. In this mode, the OS inserts a number of default rules into IPTABLES. The difference between GATEWAY and ROUTER modes really boil down only to the NAT rules applied to the LAN ports. Telnet to the router and execute the following command to view the IPTABLES rule-set.

    iptables -nvL | less
    and for the NAT rules
    iptables -t nat -nvL

    Go to the SETUP web page and click Advanced Routing. Select Router mode and then save the selection. This will eliminate most of the unneeded rules in iptables. You can add back in those that are needed for your specific installation.

    Setting up the DMZ and NAT for LAN

    The first step is to set up an INIT script to apply an IP address for the DMZ vlan. Go to the web interface and:

    • Click – Administration
    • On the sub-menu Click – Commands

    Paste this script (altered for your static sub-net address) into the Command Shell box.

    ifconfig br0:1 netmask up

    • Click – Save Startup

    The above example sets up the first host IP (after the network address) of a 16 IP block, and its netmask. As a reminder, the IP block assigned to us is to, with as the network address and as the broadcast address, with the valid host addresses between them; this results in a netmask of (or 28 network bits). If you get a different number of IP addresses, you'd have to compute your netmask yourself. The GNU command line utility ipcalc is very useful, but if you don't have a Linux computer handy then there are lots of web based tools to address the problem.

    Now we must fix the firewall. Paste this script (altered for your static sub-net address) into the Command Shell box.


    # allow established traffic
    iptables -A INPUT -s -m state --state ESTABLISHED,RELATED -j ACCEPT

    # drop DMZ access to LAN
    iptables -A INPUT -s -d -j DROP

    # allow bridge access from bastion host (OPTIONAL)
    # iptables -A INPUT -s -j ACCEPT

    # allow ping and icmp
    iptables -A INPUT -p icmp -j ACCEPT
    # drop all other access to bridge from everywhere
    iptables -A INPUT -d -j DROP
    # allow packets from the network, destined to the DMZ
    iptables -A INPUT -d -m state --state NEW -j ACCEPT

    # allow access from everywhere else to DMZ
    iptables -I FORWARD 4 -d -j ACCEPT

    # nat for LAN (to DMZ interface address)
    # first rule NAT's to DMZ interface, if the rule is commented out,
    # then third rule NAT's to WAN interface
    iptables -t nat -A POSTROUTING -o vlan1 -s -j MASQUERADE
    iptables -t nat -A POSTROUTING -o br0 -m pkttype --pkt-type broadcast -j RETURN
    iptables -t nat -A POSTROUTING -o br0 -s -j MASQUERADE

    • Click – Save Firewall

    The first section allows established traffic to the DMZ from anywhere. The second section drops attempts by DMZ to reach the LAN side of the router. The third section allows OPTIONAL access to the bridge (web interface, etc…) from the bastion host in the DMZ. This is not recommended but can be useful (note that it is commented out). The fourth section allows only ICMP traffic from anywhere to the router’s DMZ interface and passes NEW connections to the DMZ sub-net. The fifth section forwards traffic from anywhere to the DMZ. The sixth and last section NAT’s the LAN range to the router DMZ interface.

  8. Oded:

    Miker – thanks for the article.

    The formatting is broken a bit though. Where is this posted? Maybe I would just link there instead of having the article in the comment box – or maybe you’d rather I post this as an article page on my site?

  9. miker:

    It’s only posted here at the moment. Please feel free to use it any way you like. I had a lot of trouble when I first tried your method, then noticed that you’d configured vlan2 with ifconfig rather than assigning it to the bridge and letting vlan2 float like the private net. Once I made that change it was pretty easy.

    Since the policies in DD-WRT and most other similar packages are all ACCEPT, it is difficult to do this with the router in gateway mode. Changing that takes most of the rules out of the table and makes it pretty easy to just append rules. It also removes most of the nat rules which aren’t just the way they should be.

    My rules above are pretty skimpy. I’ve added more in my real installation, right where the PING rule is…. that one obviously is not really needed but does make debugging easier. A lot of rules can be stuck in to firewall the DMZ and control packets that are not correct ! -syn NEW, etc… but for clarity I left all that stuff out.

    I’m going to post this it in the DD-WRT forum but having a clean article would be nice for people as well.

    Best regards,


    • Adam:

      Hello, Michael
      Could you help me with my small problem? Let me explain. The ISP gave me the address with (for this discussion) as a gateway; after connecting these addresses and configuring the WAN with a static IP everything works fine. But in one location I have 3 different clients, each of whom wants their own public IP, so I wrote to the ISP and asked them for a few more IPs. They created an additional block of addresses. I tried to run these addresses by connecting the link to the switch and configuring the switch (I had the same situation in another location and did it using a Cisco business-series switch), but this switch could not do it (or I didn't know how to do it). So I took my old WRT, flashed it with DD-WRT v24 and tried to make a proper configuration. The first time I tried to configure it as a router (to disable NAT) and I configured the LAN for and the WAN for. The WAN port of a second router I connected to LAN 4, physical 3 (closest to the WAN port), and configured it as with gateway 104 (then I changed the addressing to for dd-wrt and for the ASUS router). Of course things are not that simple and it doesn't work. So I looked for a solution and came here. I did everything the same as you (except the addresses) but it doesn't work. The situation now is that I can ping from a PC behind the ASUS router to the address on dd-wrt regardless of whether I plug the ASUS WAN into LAN 4 or LAN 1 (labels from the case) on dd-wrt, but I have no connection to the Internet, and when I connect a PC to the WiFi on dd-wrt I cannot ping the ASUS router's WAN port. Of course I tried connecting the WAN port to every LAN port on dd-wrt. Where did I make a mistake?

      • Oded:

        Adam, it was very hard to follow what you did, but it looks like you set the addresses wrong – both your DMZ networks are supposed to be on the router VLANed ports, otherwise the router won’t know how to route them.

        A few other things:
        1) your address lists don't sound correct: is not a correct CIDR specification, it's either or; does sound fine.
        2) you have to allocate one IP address from each DMZ block for the DMZ port on the router, as the gateway for the other DMZ hosts. Due to this, a 30 bit network doesn't make much sense, because of the 2 host bits, which give 4 addresses, 1 is taken by the network base address, 1 is the broadcast address, 1 is the gateway and you are left with room for only one DMZ host, hardly a network that can grow.

        If we assume that you were allocated the valid network block, and you’d use the last host address in each DMZ block for your router’s DMZ port (the one immediately before the broadcast address, it is also common to choose the first host address), and following my article but with 2 DMZ vlans (ports 3 and 2), your router IP address configuration should look something like this:

        Router Port   IP Address   Usage
        4                          PPPoE local peer address
        3                          DMZ 1 gateway (vlan2)
        2                          DMZ 2 gateway (vlan3)
        1                          LAN switch port
        0                          LAN switch port
  10. Oded:

    Ok, many many thanks for your work on this 🙂

    I’ll do some formatting clean up later this week and post it on a page somewhere around here, for reference.

  11. Matthias Krells:

    Really nice, I will come back. Greetings from Berlin, Matthias
