Rodman Frowert wrote:
> Melvin wrote:
>
>> As you've already pointed out you could add another NIC, but from the
>> sounds of things your concept of the DMZ doesn't really match what I
>> would expect either. DMZ would normally indicate public servers with
>> some protection from the outside, but accessible to everyone. Why
>> would you have the portal enabled there? Perhaps I've just missed
>> the point, but I would expect to see it enabled on the LAN side, not
>> the DMZ. If you wanted multiple LAN segments, then it might make
>> sense, but then I wouldn't expect to see servers in that group.
>>
>> --
>
> The reason I have a captive portal enabled in the DMZ is because it is
> being used as a public hotspot for wi-fi internet access. My LAN is
> only used for my employees so I have no need for a portal in there.
> Obviously, I needed an area to put the hotspot so that it was off my
> LAN and the DMZ seemed to be like the best logical place. I am
> wanting to add a few servers into the DMZ now (i.e. web, dns, mail,
> etc...).
>
> It will probably make more sense now to add another NIC to the box
> setting up a second DMZ for the servers...

OK. I agree that this is an issue if the hotspot is there, but I would be
concerned about putting servers on that leg, essentially for the same
reason I wouldn't want the hotspot on the LAN. I think the new NIC is the
best solution.

I also see how not being able to ping things there would be an issue.
Perhaps rather than only blocking certain ports, a better choice would be
the ability to allow specific ports/protocols, which you would define as
whatever your choice for diagnostics would be.

--
Melvin Backus
Principal Wizard
Sleepy Dragon Enterprises

--
Do not meddle in the affairs of dragons, for you are crunchy, and taste
good with ketchup!
--
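The three-leg layout the reply settles on (employee LAN, hotspot leg with the captive portal, a second DMZ on the new NIC for the servers) together with the "allow exactly what you need for diagnostics" idea, written out as an added pf.conf sketch; this is not code from the thread or from the firewall product under discussion, and the interface names, subnets, admin workstation address and published ports are assumptions (NAT and the captive portal itself are left out).

```pf
# Interface names and subnets are assumptions, not from the thread
lan_if = "em0"       # employee LAN
hot_if = "em1"       # public wi-fi hotspot (captive portal leg)
srv_if = "em2"       # second DMZ on the new NIC for web/dns/mail
wan_if = "em3"

lan_net  = "192.168.1.0/24"
hot_net  = "192.168.50.0/24"
srv_net  = "192.168.100.0/24"
admin_ws = "192.168.1.10"      # workstation used for diagnostics (assumed)

set skip on lo0
block log all                  # default deny on every leg, log what is dropped

# LAN: the admin workstation gets exactly the diagnostics it needs into both
# DMZ legs (ping and ssh); nothing else from the LAN may enter them
pass in quick on $lan_if inet proto icmp from $admin_ws \
    to { $hot_net, $srv_net } icmp-type echoreq keep state
pass in quick on $lan_if proto tcp from $admin_ws \
    to { $hot_net, $srv_net } port 22 keep state
block in quick on $lan_if from $lan_net to { $hot_net, $srv_net }
pass in on $lan_if from $lan_net to any keep state

# Hotspot guests reach the Internet only: refuse the LAN and the server DMZ
# before the general pass rule, so a guest is treated like any outside host
block in quick on $hot_if from $hot_net to { $lan_net, $srv_net }
pass in on $hot_if from $hot_net to any keep state

# Server DMZ: only the published services are reachable from the WAN, and a
# server may not start connections toward the LAN (limits a compromised box)
pass in on $wan_if proto tcp to $srv_net port { 25, 80, 443 } keep state
pass in on $wan_if proto { tcp, udp } to $srv_net port 53 keep state
block in quick on $srv_if from $srv_net to $lan_net
pass in on $srv_if from $srv_net to any keep state
```

With pf's default floating state policy the `keep state` entries created on the inbound leg also pass the reply and the forwarded packet on the other interface, so no separate `pass out` rules are needed for these flows.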