Gateway DMZ <---> WAN isolation?

Bugsy123 · ‎12-13-2019

I was hoping to setup a guest wifi network that is completely isolated from the LAN. I presumed, wrongfully it seems now, that the DMZ feature, offered by the Gateway, would prevent traffic from the DMZ host ever reaching the internal LAN. My tests proove otherwise as I was able to ping computers on my LAN from the DMZ host. I did confirm that DMZ was working as external traffic aimed at the gateway's WAN address reached the DMZ host.

QUESTION: Is this expected?

If it is, then it seems like a dangerous and irresponsible setting for Comcast to offer as others might make the same assumption about network isolation.

darkangelic · ‎12-15-2019

The setting is enabled mostly for troubleshooting purposes, e.g. isolating a problematic connection issue.

Plus you're explicitly warned that this is a security risk. For example:

Enabling DMZ (a demilitarized zone) may resolve a device communication issue, but it's a security risk. If a device needs to be accessible to outside sources, we recommend using port forwarding instead.

I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!

Gateway DMZ <---> WAN isolation?

Re: Gateway DMZ <---> WAN isolation?