Home network DMZ host


I need to open up a port to the internet on a raspberry pi. For that Pi to be isolated I see the following options:

  • Buy a second router and create a first subnet (DMZ) and then plug the current router (internal LAN) into that. I guess the WAN port on the internal LAN router goes to the new DMZ router / switch. Any tips for cheap routers for this purpose ? I just need Gigabit and literally 1 port for the DMZ subnet
  • Connect the Pi directly to the internet and keep my router and internal lan as is. For this option, how would I access the Pi ? (I guess it would need DynDNS or something so I can log in to it / copy files etc.)


You want the pi to be isolated from your LAN?

Yes, it will have to open itself up to the internet for incoming connections. However it won’t have anything I worry about on it.

And what router do you have? You may be able to put openwrt on there, and have the control over multiple subnets and proper firewall rules.

A DMZ seems excessive, I would only open the bare minimum ports to the internet.

Yea it’s hard to find a safe solution without overkill. My current router is: netgear WNR3500v2

Ideally I wouldn’t put it in the DMZ, because that means it’s completely exposed to the internet on all ports. That’s probably OK if you don’t have anything of interest on the RPi and turn on security auto-updates, but I wouldn’t feel totally comfortable leaving it wide-open like that.

The best solution would be to put the RPi on a separate VLAN, which is isolated from your primary intranet, and then port-forward whatever ports you need to its IP in your router. That’s what @SudoSaibot was referring to. Your router can probably do it with an alternate firmware.

Nope, take it off. All Pi’s have a known vuln with a default password backdoor (IIRC), but they are also easily compromised. If you put that on the DMZ it will for sure get pwned. Then say good bye to your upload bandwidth as you’ll then contribute to a botnet.

Only way to secure a pi is to have is dark or behind a NAT + firewall.

Just being on the network can make it a target. Even if there is nothing else of value to you on the device, the fact that it’s connected to the Internet is of value to an attacker. An unsecured device is open to automated harvesting by worms. It may become part of a botnet, or it could be used as an anonymous relay to attack other sites. This makes the attacker more difficult to trace, until an investigation comes demanding information from you. You probably don’t want to deal with that. So don’t leave your devices open to it.

As proof, here is a step-by-step guide on how to easyly pwn a rpi connected to a network via metasploit.

So please, don’t stick that thing on DMZ.

SOHO routers DMZ just does a 1:1 NAT. meaning your Public IP --> Device Private IP.

Doesn’t isolate it from your internal network at all.

Become handy with iptables.

I have my RPI behind my modem then I have a multi port centos machine as my router/firewall.

Regarding RPi security, you secure them like any other linux box. Whatever python POS is running on port 4321, block access via iptables or turn it off.

Jesus :slight_smile:

OK I get it, better get that second router so … the last thing I want to do is open ports to my internal LAN.

Yes, well I was going to only keep SSH (with key) and also a transmission-daemon port open. So with all other ports closed that exploit doesn’t work ?

The exploit would still technically work, if unpatched and running, but for someone on the internet to access it they would first have to penetrate your perimeter elsewhere.

Regarding transmission, if you mean the port that Bittorrent uses for incoming connections, it’s fine to open that to the internet, but I would not expose any web UI.

Interesting. The perimiter would (should) only be those 2 ports, as the RPi would be connecting directly to the fiberbox (internet). Unless there are exploits that don’t even need ports open…

Then my normal LAN router would be connected to the same Fiberbox (internet), hiding the LAN with no ports need to come in to that.

If it’s connected directly to the internet, there is no perimeter, it’s fully exposed. You would have to firewall off connections locally through iptables.