Most consumer routers have a feature they call a DMZ, or demilitarized zone. You may hear networking types talk about the DMZ at work. So what is a router DMZ, exactly?
What is a router DMZ?
Both at home and at work, the DMZ refers to the part of a computer network directly exposed to the Internet. Your home PC doesn’t talk directly to the Internet. It talks to the router, which talks on the computer’s behalf. The idea is that data shouldn’t come from the Internet that your computer didn’t ask for. One of your router’s jobs is to block that kind of incoming data.
Think about what’s happening right now. You’re sitting at your computer, on your home or corporate Internet connection, interacting with a server on my home network, sitting in my basement. Your computer can talk to my server all it wants, but your computer can’t interact with the old Dell laptop I used to write this post.
Is it safe to use?
There is a danger with the way most routers implement their DMZs, however. Many routers forward all 65,535 ports from the Internet to the computer in the DMZ. That’s generally not good. I’m fine with your computer talking to my server on ports 80 and 443, which is where web traffic lives. I don’t want your computer talking to my server on port 25, which is where e-mail lives.
So if you use the DMZ feature on your router and you use it, make sure your server has its own firewall running on it to ensure the server doesn’t talk on ports you don’t intend.
I don’t actually use the DMZ feature, myself. Instead, I forward ports 80 and 443 from my router to my server. And if I wanted to run an e-mail server for some reason, I could forward port 25 to a different server. That’s actually a better approach most of the time.
One exception to this is when your ISP provides a residential gateway that doesn’t provide all the features you want. AT&T’s DMZ feature is the key to using your own router with AT&T Fiber.