General Question regarding DMZ and QoS

tbrock47

Occasional Visitor
So I have a basic question that I was unable to answer via my Google sleuthing.
How do the DMZ and QoS work together when both are enabled on the router? I have a device in my DMZ that I also want to have a fairly high priority in the QoS hierarchy. I have a feeling that DMZ devices are either ignored by QoS or are given the highest priority by default. Can someone correct and/or clarify this for me?

Quoting the DMZ description in my ASUS router below, inbound doesn't appear to matter to QoS since it gets all inbound packets anyway, but how are DMZ outbound packets treated? Will DMZ outbound packets still benefit from a QoS priority?
Virtual DMZ allows you to expose one computer to the Internet, so that all the inbound packets will be redirected to the computer you set. It is useful when you run some applications that use uncertain incoming ports. Please use it carefully.

Thanks in advance.
 
Hopefully this link might help you a little bit.

Purpose of a DMZ

The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts usually involve services that extend to users outside of the local area network, the most common examples being email, web servers, and DNS servers. Because of the increased potential for attack, they are placed into the monitored subnetwork to help protect the rest of the network if they become compromised.


Hosts in the DMZ have tightly controlled access permissions to other services within the internal network, because the data passed through the DMZ is not as secure. On top of that, communications between hosts in the DMZ and the external network are also restricted to help increase the protected border zone. This allows hosts in the protected network to interact with the internal and external network, while the firewall separates and manages all traffic shared between the DMZ and the internal network. Typically, an additional firewall will be responsible for protecting the DMZ from exposure to everything on the external network.
 
@tbrock47 Sorry, I can't answer your question regarding QoS.

However, I did want to clarify @SomeWhereOverTheRainBow's post regarding DMZ. The description of DMZ by Barracuda is what I would regard as a "real DMZ". The DMZ feature implemented on Asus and other home routers is nothing like this; they are not even remotely similar. What these home routers call DMZ is nothing more than port forwarding of all ports to a specific client. There is no additional isolation, firewalls, access restrictions, etc. that a real DMZ provides.
 
So basically there is no essential protection from the exposed client to the rest of the internal network (unless configured on the client itself)? So that sounds to me like the client still uses QoS.
 
So basically there is no essential protection from the exposed client to the rest of the Internal Network (unless configured on the client itself)?
Correct.

so that sounds to me like the client still uses QoS.
I would expect that to be the case. Ignoring any unsolicited inbound traffic via the DMZ (port forwarding) for the moment, the DMZ client is no different than any other client on the network.

The only exception to the above that I can think of is if Asus have some "special" code inside their closed source components that treats a DMZ client differently than a regular client. But I think that's highly unlikely, as it would be rather pointless.
 
I can see where you are coming from. If there were any special differences, you would be able to observe them inside the firewall (iptables) and in how the traffic is routed by observing the routes. With that being said, if I was going to use this for a client, I would definitely turn on trendmicro specifically for

I would also make sure the Client has a well configured firewall as well as Fail2ban configured.
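As an added example (not from any poster in this thread), here is a small shell helper that checks the point made above by looking at the router's nat table: on a Linux-based home router, the "DMZ" described in this thread shows up as a DNAT rule with no port match, next to ordinary port forwards that do carry --dport. It runs over a constructed iptables-save-style dump with made-up addresses; on a real router you would pipe `iptables -t nat -S PREROUTING` into the same functions instead.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread): report which LAN host a
# home-router "DMZ" exposes, by finding DNAT rules that carry no --dport match.
# Assumption: input is in the -A/-j DNAT form that `iptables -t nat -S` prints.

# Constructed sample standing in for `iptables -t nat -S PREROUTING` output;
# the WAN and LAN addresses are made up for this example.
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.1.21:51820
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 192.168.1.50'

# Read a dump on stdin; print the LAN address of every catch-all DNAT rule
# (DNAT with no --dport), i.e. the host the router's DMZ setting exposes.
find_dmz_hosts() {
    grep -- '-j DNAT' | grep -v -- '--dport' |
        sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p'
}

# Read a dump on stdin; print targeted forwards as "proto/port -> host:port"
# so they can be compared against the all-ports DMZ entry.
find_port_forwards() {
    grep -- '-j DNAT' | grep -- '--dport' |
        sed -n 's/.*-p \([a-z]*\) .*--dport \([0-9]*\) .*--to-destination \([0-9.:]*\).*/\1\/\2 -> \3/p'
}

echo "DMZ (all ports forwarded) hosts:"
printf '%s\n' "$SAMPLE_NAT_DUMP" | find_dmz_hosts
echo "Targeted port forwards:"
printf '%s\n' "$SAMPLE_NAT_DUMP" | find_port_forwards
```

Any host listed under the first heading receives every unsolicited inbound packet the router gets, which is why the thread recommends hardening that client itself.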
 