Home Router- DMZ/Transparent Mode

Published: May 1, 2020

The first Intro to Security Analysis- HomeIDS article focuses on configuring a home router for DMZ or transparent mode. This lets us send all traffic destined for our public IP to an internal resource. That resource could be anything: a software-based firewall or, in my case, a Sophos Home hardware UTM. Owning that first hop gives us far better control over, and visibility into, our network traffic.

You may not have my AT&T home router or Sophos firewall, but these steps should allow you to ask the right questions and successfully google your setup.

The first thing we want to take note of is our public IP address. Your ISP's router will show this info as well:

[Screenshot: Google search for "what is my ip", showing "Your public IP address"]

Connect an ethernet cable from an open port on your ISP's router to your machine, or to the WAN port of your intended firewall.

Browse to your router's IP. My AT&T router's default IP is 192.168.1.254, so I browsed to http://192.168.1.254

[Screenshot: AT&T gateway home page with the Home, Services, Settings and Site Map tabs, and shortcuts for Smart Home Manager, Troubleshoot, Wi-Fi, Restart your System, Home Network, Customize Firewall and Gateway Status]

Then I browse to Settings -> Firewall

[Screenshot: Settings -> Firewall -> Status. "Firewall Active: The firewall actively blocks access of unwanted activity from the Internet." Current Applications, Pinholes and DMZ Settings: Custom]

And choose “Applications, Pinholes and DMZ”

[Screenshot: Settings -> Firewall -> Applications, Pinholes and DMZ. The page explains:]

"By default, the firewall blocks all unwanted access from the Internet. You can allow access from the Internet to applications running on computers inside your secure home network by enabling firewall pinholes. Opening firewall pinholes is also known as opening firewall ports or firewall port forwarding. To do this, associate the desired application with the computer below. If you cannot find a listing for your application, you can create a user-defined application with the protocol and port information."

The first step is to select a computer (the Sophos FW in my case)

[Screenshot: "1) Select a computer - Choose the computer that will host applications through the firewall", with a dropdown listing unknown485A8640FECC, DESKTOP-MOD610C and indi-ubuntu]

The Sophos FW showed up in this list, but since the name wasn't descriptive I had to confirm which entry it was on the router's DHCP page, based on the IP.

Step two is to edit the firewall settings

[Screenshot: "2) Edit firewall settings for this computer", with the options "Maximum protection - Disallow unsolicited inbound traffic" and "Allow individual application(s) - Choose the application(s) that will be enabled to pass through the firewall to this computer. Click ADD to add it to the Hosted Applications list."]

Continue scrolling down and select “Allow all applications (DMZplus mode)”

[Screenshot: the DMZplus option, selected:]

"Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers."

Click Save, enter your Access code/password, and the configuration is saved!

[Screenshot: Applications, Pinholes and DMZ page showing "Configuration Successful"]

All traffic destined for your router should now be forwarded to your destination resource (my Sophos FW).

Now we'll log in to the firewall and configure the WAN and LAN interfaces. This is my Sophos UTM welcome screen:

[Screenshot: Sophos UTM 9 dashboard for sophos.pfarrside.com (Model: ASG Software; subscriptions: Base Functionality, Email Protection, Network Protection, Web Protection, Webserver Protection, Wireless Protection, Endpoint AntiVirus; uptime 19d 14h 21m)]

Under Interfaces & Routing -> Interfaces, my ATT_WAN interface shows an IP address that matches my public IP, and the default gateway is pre-populated. This confirms the router is handing its public address and gateway through to the firewall.
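The check above is worth scripting, because the failure modes look alike in the UI. The snippet below is an added example, not code from the article or from Sophos: it classifies the address the firewall's WAN interface received and compares it with the public IP from the earlier "what is my ip" lookup. A leftover 192.168.1.x address means DMZplus did not hand off; a 100.64.0.0/10 address means the ISP is doing carrier-grade NAT upstream and unsolicited inbound traffic will never arrive. The sample addresses are constructed documentation-space values.

```python
import ipaddress

# Added example (not from the article or from Sophos): classify the address the
# firewall's WAN interface received after the ISP router was put in DMZplus mode.
# RFC 1918 and RFC 6598 (carrier-grade NAT) ranges are listed explicitly instead
# of relying on ipaddress.is_private, which does not cover 100.64.0.0/10.
NON_PUBLIC_RANGES = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
}
NON_PUBLIC_NETWORKS = {
    label: [ipaddress.ip_network(cidr) for cidr in cidrs]
    for label, cidrs in NON_PUBLIC_RANGES.items()
}


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'link-local' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC_NETWORKS.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def check_wan_handoff(wan_addr: str, public_ip: str) -> str:
    """Compare the firewall's WAN address with the public IP seen from the Internet.

    wan_addr:  the address shown on the UTM's WAN interface (ATT_WAN in the article)
    public_ip: the address a "what is my ip" lookup reported before the change
    """
    kind = classify(wan_addr)
    if kind == "rfc1918":
        return ("FAIL: WAN still holds a private address, so DMZplus did not hand off; "
                "confirm the firewall's WAN interface uses DHCP and reboot both devices")
    if kind == "cgnat":
        return ("FAIL: WAN holds a carrier-grade NAT address; the ISP is NATing upstream "
                "and unsolicited inbound traffic will not reach the firewall")
    if kind == "link-local":
        return "FAIL: WAN holds a link-local address, meaning no DHCP lease was obtained"
    if wan_addr != public_ip:
        return "WARN: WAN address is public but differs from the address seen from the Internet"
    return "OK: WAN interface holds the public IP"


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation
    # space, not real ISP addresses.
    seen_from_internet = "203.0.113.7"
    for wan in ("192.168.1.64", "100.72.10.5", "169.254.3.3", "198.51.100.9", "203.0.113.7"):
        print(f"{wan:>15}  {check_wan_handoff(wan, seen_from_internet)}")
```

Run it with the address from the UTM's interface page and the address from the search result; anything other than OK means the DMZplus handoff is not complete and nothing inbound will reach the firewall yet.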

[Screenshot: Interfaces list showing ATT_WAN (Up) on eth1, MTU 1500, marked DEFAULT GW]

Default settings for this interface in my FW:

[Screenshot: Edit Interface dialog for ATT_WAN: Type Ethernet, Hardware eth1 (Intel), Dynamic IPv4, IPv4 Default GW]

Now I’ll create a new internal interface with the following info:

New Interface:
Name: Internal
Type: Ethernet
Hardware: eth0 (Intel)
IPv4 address: 192.168.0.1 (static)
IPv4 Netmask: /24 (255.255.255.0)
Comment: Auto-created on installation

This internal interface (eth0) will be connected to a switch on my network. My home computers and all my VMs are connected to this switch, which I use to mirror and analyze traffic in Security Onion.

In the Sophos UTM, we have to enable some things before the network is operational. First I'll add the network to DNS:
Interfaces & Routing -> Network Services -> DNS
Add: Internal (Network)

[Screenshot: Network Services -> DNS, with Honeynet (Network), Internal (Network) and VPN Pool (SSL) listed]

Configure a DHCP Server (Internal)

[Screenshot: Network Services -> DHCP, listing two servers: Honeynet (range 172.16.0.1 through 172.16.0.254, DNS 1: 172.16.0.1, default gateway 172.16.0.1) and Internal (range starting at 192.168.0.1, comment "Added by installation wizard")]

The last thing required is to set up masquerading so that all outbound traffic is NATed to our public IP:

[Screenshot: NAT -> Masquerading, with one rule: Internal (Network) -> ATT_WAN]

Now we can set up our firewall rules and decide what our internal network is allowed to communicate with:

[Screenshot: firewall rule list with one rule: Internal (Network) -> Any, services DNS and HTTPS]
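With the ISP router in DMZplus mode, every unassigned port is open to the firewall, so the UTM's rule base is now the only thing between the Internet and the LAN. The snippet below is an added example, not the UTM's own engine: a minimal first-match packet-filter model holding just the rule in the screenshot (Internal -> Any, DNS and HTTPS), run over constructed sample flows to show what that rule allows and what the implicit default drop catches, including unsolicited inbound to tcp/1433 and RDP, which the Network Protection and IPS reports later in the article show being dropped and blocked.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Added example (not the UTM's own engine): a minimal first-match packet-filter
# model to show what the article's single rule, Internal (Network) -> Any with
# services DNS and HTTPS, allows and what the implicit default drop catches.

Service = Tuple[str, int]  # (protocol, destination port)

SERVICES = {
    "DNS": frozenset({("udp", 53), ("tcp", 53)}),
    "HTTPS": frozenset({("tcp", 443)}),
}


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "Internal" or "WAN"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str                 # "Any" matches every zone
    dst_zone: str
    services: FrozenSet[Service]  # empty frozenset = any service
    action: str                   # "allow" or "drop"


def zone_matches(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == "Any" or rule_zone == flow_zone


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic hits the implicit default drop."""
    for position, rule in enumerate(rules, start=1):
        if (zone_matches(rule.src_zone, flow.src_zone)
                and zone_matches(rule.dst_zone, flow.dst_zone)
                and (not rule.services or (flow.proto, flow.dport) in rule.services)):
            return rule.action, f"rule {position}"
    return "drop", "default"


# Constructed rule base mirroring the article's screenshot.
ARTICLE_RULES = [
    Rule("Internal", "Any", SERVICES["DNS"] | SERVICES["HTTPS"], "allow"),
]

# Constructed sample flows: two the rule allows, outbound SMB that is not on the
# allowed services list, and unsolicited inbound to ports the article's own
# reports show being dropped (tcp/1433) or blocked by IPS (the MS_T120 RDP rule).
SAMPLE_FLOWS = [
    Flow("Internal", "WAN", "udp", 53),
    Flow("Internal", "WAN", "tcp", 443),
    Flow("Internal", "WAN", "tcp", 445),
    Flow("WAN", "Internal", "tcp", 1433),
    Flow("WAN", "Internal", "tcp", 3389),
]


def audit(flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str, str]]:
    """Evaluate each flow and return (flow, action, matched_by) triples."""
    return [(f, *evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for flow, action, matched_by in audit(SAMPLE_FLOWS, ARTICLE_RULES):
        print(f"{flow.src_zone:>8} -> {flow.dst_zone:<8} {flow.proto}/{flow.dport:<5} "
              f"{action:<5} ({matched_by})")
```

The point of the model is the last return in evaluate: with no rule matching inbound WAN -> Internal traffic, the DMZplus exposure stops at the UTM. Adding a permissive "Any -> Any allow" rule at the top would silently re-open everything the ISP router is now forwarding, which is why rule order and a narrow service list matter more here than on a router that was blocking by default.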

So what are the benefits?

Commercial/Home edition firewalls have better UIs, controls and features than most ISP routers. Maybe you're familiar with a particular brand or looking to learn a new interface. For me, using the Sophos Home UTM adds IPS, web protection, WAF, email, ATP, wireless and VPN features, all of which I've tested for research and most of which I currently use. I also send all of my firewall traffic and logs to Splunk for further analysis. Here are some examples of UTM reports.

Web Filter:

[Screenshot: Web Protection Statistics - Today. Top Applications (total packets: 1,005,728): HTTP, Sophos UTM up2date, MS Office 365, Slack, DoubleClick, Google APIs, Sophos WebAdmin, Google. Top Application Categories: Web Services, Networking, Messaging, Streaming Media, Remote Access, Unclassified, Social Networking, File Transfer, Mail, Collaboration]

Network Protection and IPS:

[Screenshot: Network Protection Statistics - Today. Top Dropped Source Hosts and Top Dropped Destination Services/Hosts (total dropped packets: 9,679), with drops toward the ATT_WAN address on igmp, tcp/1433, tcp/4567 and tcp/80. IPS: Top Blocked Attacks (total attacks blocked: 1): rule 50137 "OS-WINDOWS Microsoft Windows RDP MS_T120 channel bind attempt", rule group OS / Windows]

ATP:

[Screenshot: ATP weekly chart, displaying data up to February 23, 2020, with series Analyzed Malicious, Cache Malicious, Analyzed Clean, Cache Clean and Excluded]

Firewalls will have different features out of the box, but I’ve found a lot of success with the Sophos UTM for home use. I recommend you give it a try as a VM or on a spare machine.
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

In the next article, we'll look at setting up our managed switch in preparation for mirroring traffic to a local IDS: Security Onion.