Can the Internet interface on a BR200 be configured for DMZ?

  • 1
  • Question
  • Updated 5 years ago
  • Answered

I'd like to configure a DMZ network on my BR200 which terminates my Internet connection on my network. The configuration I'd like to utilize is to have all Internet traffic on all ports go to a specific IP address on my network.

If this isn't a capability, is there a way I can use a eth port as a DMZ?

I'm on HiveManager Enterprise 6.1r1 and my BR200-WP is at 6.1r1.1247

Thank you in advance.
Photo of Shawn Collier

Shawn Collier

  • 2 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Shawn Collier

Shawn Collier

  • 2 Posts
  • 0 Reply Likes
I'll add one more question to that.. is there a way I can turn on UPNP on the BR?
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
I haven't tried this myself, but I believe that you CAN use eth2, 3, or 4 as a DMZ interface. I would have to steer you to our support organization if no one else here jumps in with step-by-step instructions.

Sorry, I don't believe there is a Universal Plug-N-Play agent within our devices. That's typically a SOHO feature, not an enterprise feature (very few network administrators want arbitrary holes opened in their firewalls without their knowledge).
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
I don't understand what you are trying to do in your initial case. Can you clarify further?

As for your backup scenario, you can define one of the ETH ports to act as a DMZ of sorts, which you can isolate via firewall policy and create port forwarding rules for any servers/services you want accessible from the Internet

I'm pasting the help file on port forwarding below, taken from this link

Enable port forwarding through the WAN interfaces: (select)
Port forwarding on the WAN interface of a BR100, BR200, AP330, or AP350 in branch router mode allows remote computers on the public network to connect to a specific host, such as an HTTP server, on the private network behind the router.
The Aerohive branch router has a single public IP address on its WAN interface and performs NAT on all outbound traffic to the Internet. If you require access to your LAN behind the router, you can use port forwarding to map inbound traffic to the internal IP address and port number of servers on the private LAN.
A router accomplishes this by mapping incoming traffic to a specific destination port on its WAN/ETH0 interface to a host on the private LAN connected to one of its LAN interfaces.
To set up port forwarding, configure the IP addresses to which hosts send traffic the destination port number, the local host IP address, internal host port number, and traffic protocol.
For example, Site 2 operates an HTTP server on port 8080. By default, the router denies all incoming connections to avoid exposure to potential security risks. In this example, you can configure a port forwarding rule that maps all incoming TCP connections to port 8080 on the WAN/ETH0 interface to port 80 of the host at If a client at initializes an HTTP connection request to, which is the IP address of the WAN/ETH0 interface on the router and the destination port number in the port forwarding rule, the router translates the destination to For the HTTP response, the router reverses the translation from to

For each WAN interface, the current port forwarding feature allows you to map up to 16 ports to the first 50 reserved static IP addresses that you excluded from the larger DHCP address pool for access to certain branch devices.
Click View Aerohive Ports to display the ports on the WAN interface.
Click the New and enter the following parameters to map inbound traffic to an internal host, and then click Apply:
Destination Port Number: Select and enter the destination port number of the inbound traffic. Map WAN interfaces inbound traffic to an internal host based on the destination port number.
Local Host IP Address: Enter the private IP address of the internal host, such as that of an HTTP server. The IP address of the host must be among the excluded addresses at the start of the DHCP pool. If DHCP is not enabled for the subnetwork, all IP addresses are considered excluded.
Internal Host Port Number: Enter the port number on which the host receives traffic. This can be the same as the destination port number or a different one.
Traffic Protocol: Use the drop-down list to choose the protocol of the inbound traffic: Any, TCP, or UDP.