Configuring NAT, DMZ or Virtual Servers on ASMAX AR1004g

This is a very short brief on how to properly set up NAT functions on the ASMAX AR1004g router, i.e. how to route all (or part of) incoming traffic to a specific machine in your local network. In this text, I assume that your router is available under the static IP address 192.168.1.1 in your local network, and that you want to route all FTP traffic to your video player, available under 192.168.1.3, and all HTTP traffic to another computer, accessible under the static IP address 192.168.1.4 in your local network. Adjust this assumption to your actual situation.

Note: To test your changes, you have to truly access your router (network) from "outside", i.e. use a machine or device NOT connected to the local network your router serves. For example, test everything using GPRS access. Keep in mind that if you call your external IP address from a computer attached to the same local network, the router will always respond itself, no matter what routing rules or settings you have set. Understanding this took me a lot of time.

Virtual Servers

Log into your router and go to Advanced Setup > NAT > Virtual Servers. Check whether the entries already defined (if any) suit your needs. There is no edit option here (the whole ASMAX AR1004g web control panel looks as if it had been designed twenty years ago or more!), so if you want to change an entry, you have to select it (last column), delete it and define it again with different settings, using the Add button:

  1. Click on Add.
  2. Select FTP Server in the Select a Service list.
  3. Add 192.168.1.3 into Server IP Address.
  4. Click on Save/Apply.
  5. Repeat these steps, selecting Web Server (HTTP) and putting 192.168.1.4 next time.

Note that the Select a Service list contains an extremely large number of old games, so you'll have to dig deep to find the "real" services.

Now go to Management > Access Control > Services and make sure that all protocols you're planning to use (i.e. HTTP, FTP, maybe SSH) are "opened" (checked) in the WAN column. If not, check the proper options and click Save/Apply.

That's actually all. It should start working immediately, but sometimes the router may need a restart.

Now, if you enter your external IP address (remember the opening note: connect from a device NOT connected to the same local network as your router), or a dynamic name defined in Advanced Setup > DNS > Dynamic DNS, in a browser (HTTP protocol), you should get a response from your computer behind the 192.168.1.4 address (you need an actual web server running there). If you initiate an FTP connection from an FTP client (for example the one built into Total Commander), using the very same external IP address (or dynamic name), you should be redirected to your video player (behind 192.168.1.3).

Though you're using the very same address (but different protocols), you're being routed by the router to a different device (IP address). This is one of the coolest things in Virtual Servers. Of course, you're not limited to only one type of service or protocol. You can have, for example, five different web servers behind five different local IP addresses (physical machines), and you can create a virtual server for each of them. The only catch is that only one of them will be accessible on the default port (80); for the rest you have to define a port (other than 80) and use it in the address when connecting.

Demilitarized Zone

If, instead of the above solution, you want to route all traffic coming from the "outer" (WAN) side to the very same IP address, use DMZ. Instead of adding an entry in Virtual Servers for each protocol and port, simply enter the destination IP address in the field at Advanced Setup > NAT > Host and click Save/Apply. Don't forget to enable the required protocols on the WAN side in Management > Access Control > Services.

Note that using DMZ is considered a security flaw by many administrators, mainly because you actually route all traffic from the WAN side to a particular computer in your local network, thus giving a potential attacker the ability to cross the boundary of your router (local network) and access an inner machine from the "outside". So, considering this, I would suggest (if you don't have many protocols and ports that you'll be using) that adding them in Virtual Servers is far more secure than using DMZ.

Once again, remember: use a machine or device NOT connected to the same local network as your router. Use GPRS or another way to access your router from "outside". If you omit that, your router will always respond itself, no matter what routing rules or settings you have set.
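
An added example (not part of the original article): a small Python check to run from a machine outside your local network, confirming that the forwarded services answer on your external address and that nothing else does. The function names, the extra ports probed and the script name in the usage message are assumptions made for illustration; the expected ports (21 and 80) follow the setup described above.

```python
import socket
import sys

# Assumption taken from the article's setup: only FTP (21) and HTTP (80)
# are forwarded by Virtual Servers; everything else should stay closed.
EXPECTED_OPEN = {21, 80}
# Constructed sample of additional ports to probe; adjust to your needs.
PORTS_TO_CHECK = [21, 22, 23, 80, 443, 8080]


def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, ...
        return False


def audit(host, ports, expected_open, timeout=2.0):
    """Probe ports and compare with the intended exposure.

    Returns (missing, unexpected): forwarded services that do not answer,
    and ports that answer although no rule should expose them.
    """
    expected = set(expected_open)
    observed = {p for p in set(ports) | expected if is_open(host, p, timeout)}
    return sorted(expected - observed), sorted(observed - expected)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_forwards.py <external-ip-or-dynamic-name>")
    missing, unexpected = audit(sys.argv[1], PORTS_TO_CHECK, EXPECTED_OPEN)
    for port in missing:
        print(f"port {port}: forwarded in Virtual Servers but not reachable")
    for port in unexpected:
        print(f"port {port}: reachable from WAN but not meant to be exposed")
    if not missing and not unexpected:
        print("exposure matches the Virtual Servers configuration")
    sys.exit(1 if missing or unexpected else 0)
```

With DMZ enabled instead of Virtual Servers, any probed port the target machine listens on is expected to show up in the second list.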
