Documentation :: DMZ
Demilitarized zone or DMZ is a network segment with white addressing, separated by a firewall from the Internet and the organization’s local network. In the DMZ, servers are usually placed that should be accessible from the Internet, for example, a mail server or a web server. Since the servers in the DMZ network are separated from the local network by a firewall, if they are hacked, the attacker will not be able to access the resources of the local network.
The demilitarized zone is created in the "providers and networks" module. When creating it, you need to specify the IP address of the Internet Control Server and the mask of the DMZ network, as well as select the network interface for the DMZ. For security reasons, a separate network interface is usually used for the DMZ.
By default, servers located in the DMZ do not have access to the Internet and local network, so access for them must be configured by firewall rules.
The “NAT from Local Area Networks” checkbox allows you to manage the translation of local addresses to a DMZ network. By default it is disabled, i.e. the NAT service for the DMZ network interface does not work, the addresses are translated without changes.
Important: Actually NAT for the DMZ network on the external interfaces of the VIC is disabled, therefore, white ip-addresses should be used for its addressing. Configuring a DMZ network makes sense if you need to control access from the outside to a server on the local network that has white ip addresses. In all other cases, the usual local area network is configured.