General Question regarding DMZ and QoS

[tbrock47]

So I have a basic question that I was unable to answer via my Google sleuthing.
How do the DMZ and QoS work together when both are enabled on the router? I have a device in my DMZ that I also want to have a fairly high priority in the QoS hierarchy. I have a feeling that DMZ devices are either ignored by QoS or are given the highest priority by default. Can someone correct and/or clarify this for me?

Quoting the DMZ description in my ASUS router below, inbound doesn't appear to matter to QoS since it gets all inbound packets anyway, but how are DMZ outbound packets treated? Will DMZ outbound packets still benefit from a QoS priority?

Virtual DMZ allows you to expose one computer to the Internet, so that all the inbounds packets will be redirected to the computer you set. It is useful while you run some applications that use uncertained incoming ports. Please use it carefully.

Thanks in advance.

 

[SomeWhereOverTheRainBow]

So I have a basic question that I was unable to answer via my Google sleuthing.
How do the DMZ and QoS work together when both are enabled on the router? I have a device in my DMZ that I also want to have a fairly high priority in the QoS hierarchy. I have a feeling that DMZ devices are either ignored by QoS or are given the highest priority by default. Can someone correct and/or clarify this for me?

Quoting the DMZ description in my ASUS router below, inbound doesn't appear to matter to QoS since it gets all inbound packets anyway, but how are DMZ outbound packets treated? Will DMZ outbound packets still benefit from a QoS priority?


Thanks in advance.

hopefully this link might help you a little bit.

DMZ Network

Discover the role of a DMZ network in adding an extra layer of security to your organization's local-area network. Learn how it works and why it's essential.

www.barracuda.com

Purpose of a DMZ

The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts usually involve services that extend to users outside of the local area network, the most common examples being email, web servers, and DNS servers. Because of the increased potential for attack, they are placed into the monitored subnetwork to help protect the rest of the network if they become compromised.


Hosts in the DMZ have tightly controlled access permissions to other services within the internal network, because the data passed through the DMZ is not as secure. On top of that, communications between hosts in the DMZ and the external network are also restricted to help increase the protected border zone. This allows hosts in the protected network to interact with the internal and external network, while the firewall separates and manages all traffic shared between the DMZ and the internal network. Typically, an additional firewall will be responsible for protecting the DMZ from exposure to everything on the external network.

 

[ColinTaylor]

@tbrock47 Sorry, I can't answer your question regarding QoS.

However I did want to clarify @SomeWhereOverTheRainBow's post regarding DMZ. The description of DMZ by Barracuda is what I would regard as a "real DMZ". The DMZ feature implemented on Asus and other home routers is nothing like this, they are not even remotely similar. What these home routers call DMZ is nothing more than port forwarding of all ports to a specific client. There is no additional isolation, firewalls, access restrictions, etc. that a real DMZ provides.

 

[SomeWhereOverTheRainBow]

@tbrock47 Sorry, I can't answer your question regarding QoS.

However I did want to clarify @SomeWhereOverTheRainBow's post regarding DMZ. The description of DMZ by Barracuda is what I would regard as a "real DMZ". The DMZ feature implemented on Asus and other home routers is nothing like this, they are not even remotely similar. What these home routers call DMZ is nothing more than port forwarding of all ports to a specific client. There is no additional isolation, firewalls, access restrictions, etc. that a real DMZ provides.

So basically there is no essential protection from the exposed client to the rest of the Internal Network (unless configured on the client itself)? so that sounds to me like the client still uses QoS.

 

[ColinTaylor]

So basically there is no essential protection from the exposed client to the rest of the Internal Network (unless configured on the client itself)?

Correct.

so that sounds to me like the client still uses QoS.

I would expect that to be the case. Ignoring any unsolicited inbound traffic via the DMZ (port forwarding) for the moment, the DMZ client is no different than any other client on network.

The only exception to the above that I can think of is if Asus have some "special" code inside their closed source components the treats a DMZ client differently than a regular client. But I think that's highly unlikely, as it would be rather pointless.

 

[SomeWhereOverTheRainBow]

Correct.

I would expect that to be the case. Ignoring any unsolicited inbound traffic via the DMZ (port forwarding) for the moment, the DMZ client is no different than any other client on network.

The only exception to the above that I can think of is if Asus have some "special" code inside their closed source components the treats a DMZ client differently than a regular client. But I think that's highly unlikely, as it would be rather pointless.

I can see where you are coming from. If there was any special differences, you would be able to observe it inside the firewall(iptables) and how the traffic is routed by observing the routes. With that being said, IF i was going to use this for a client, I would definitely turn on trendmicro specifically for

I would also make sure the Client has a well configured firewall as well as Fail2ban configured.