Back to Portfolio
Home Lab Windows Server Networking DMZ RRAS

🔐 My "Secure" Network Wasn't Actually Secure

I built a DMZ lab to prove I understood network isolation. The website loaded without NAT, without port forwarding, without any rules. That moment of confusion taught me more than six months of reading ever did.

Shibu A
Shibu A · 9 min read · May 2025 · views
The Confidence Problem

🧠 I Thought I Already Knew This

There's a specific kind of overconfidence that comes from reading too many diagrams. You look at the boxes, follow the arrows, nod along — "yes, DMZ, isolated zone, NAT, port forwarding, got it" — and somewhere along the way your brain files it under "understood."

I had that problem with network segmentation. I'd read about DMZs. I'd drawn the architecture on paper. I could explain it to someone else. So one weekend I thought: let me actually build it, just to confirm what I already know.

⚠️
Spoiler: I did not confirm what I already knew. I found out what I didn't know — which was considerably more interesting.
The Plan

🏗️ What I Was Building

The objective was textbook DMZ stuff. Expose a web server to the outside world without letting the outside world anywhere near the internal network. Classic. Clean. Shouldn't be complicated.

One Windows Server to rule them all — acting as the backbone with RRAS, Active Directory, DNS, and DHCP all on one machine. Three network cards. Three completely separate worlds.

🖥️
Master Server — The Brain of the Lab
RRAS — Routing & Remote Access Active Directory DNS Server DHCP Server
NIC 1 — Internal  192.168.10.10 NIC 2 — DMZ     192.168.20.10 NIC 3 — External  192.168.230.10
📐 Lab Architecture — Three Isolated Zones
🖥️
Internal Network
192.168.10.0/24
Windows Client 192.168.10.100 (DHCP)
Private — no external access
RRAS
routes
🌐
DMZ Network
192.168.20.0/24
Web Server (IIS) 192.168.20.20
Exposed — controlled access only
NAT &
Port Fwd
☁️
External Network
192.168.230.0/24
NAT IP: 192.168.230.10 "The Internet"
Simulated external user

The web server sits in the DMZ at 192.168.20.20, running IIS. External users hit 192.168.230.10 — RRAS picks it up, port-forwards TCP 80 into the DMZ, DMZ server responds. The internal network at 192.168.10.0/24 never enters the picture. Clean isolation.

That was the plan, anyway.

Something's Wrong

😐 The Website Loaded. That Was the Problem.

I set up RRAS. Configured the three NICs. Installed IIS on the DMZ server. Set up routing. Felt pretty good about the whole thing.

Then I opened a browser on the external machine and navigated to 192.168.230.10.

💀
The website loaded.

No port forwarding configured. No NAT rules. No explicit routing to the DMZ.

Still worked.

Most people at this point would think "great, it works!" and move on. I almost did. But something felt wrong. If the DMZ is supposed to be isolated, and I hadn't actually built the isolation yet — why was the traffic getting through?

Either my DMZ was magic, or I was testing something completely different from what I thought I was testing.

The Real Problem

🔍 Traffic Was Never Reaching the DMZ

I started tracing the actual packet path. Where was this traffic actually going when it hit 192.168.230.10?

💡
The answer: Nowhere near the DMZ. The request was hitting RRAS — which had IIS installed on it — and RRAS was serving the page locally. The DMZ server was completely bypassed. The whole time I thought I was testing a DMZ architecture, I was just talking to the router.

IIS was installed on the master server — the same machine running RRAS. So when external traffic arrived at 192.168.230.10, the OS went: "Oh, port 80? I have IIS running right here, I'll handle that myself." Never forwarded. Never routed. Just… answered locally.

📦 What I thought vs what was actually happening

Expected flow:

💻
External
User
192.168.230.x
1
HTTP :80
🔀
RRAS
(NAT/FWD)
192.168.230.10
2
Fwd to DMZ
🌐
DMZ Web
Server
192.168.20.20
3
Response
💻
External
User

What was actually happening:

💻
External
User
192.168.230.x
1
HTTP :80
🖥️
RRAS serves
IIS locally
192.168.230.10
2
Local response
💻
External
User

⚠️ The DMZ server was never involved. At all.

Once I understood what was happening, the fix was obvious: uninstall IIS from RRAS completely, keep it strictly on the DMZ server, then build the actual port forwarding rules. After that, direct access to 192.168.20.20 was blocked — and access through 192.168.230.10 via NAT actually worked properly for the first time.

Real isolation. Finally.

DMZ Lab Architecture — Windows Server RRAS NAT DMZ
📐 Full lab architecture diagram — three isolated network zones with RRAS handling NAT and port forwarding
More Problems

⚠️ Of Course, That Wasn't the Only Issue

Fixing the IIS problem was just the beginning. Because the moment I had real isolation working, three more things broke. Which, honestly, is how you know a lab is actually teaching you something.

01
IIS on the wrong server — the one that started it all
❌ What happened

Website loaded without any NAT or forwarding rules. Traffic appeared to work perfectly. The DMZ seemed operational. It wasn't.

✅ Root cause & fix

IIS was running on the RRAS server itself — 192.168.230.10. OS served the request locally, DMZ was never contacted. Fixed by moving IIS exclusively to 192.168.20.20 and configuring actual port forwarding rules.

02
DHCP gateway misconfiguration — clients couldn't route anywhere
❌ What happened

Internal clients got IP addresses from DHCP fine, but couldn't reach external networks. Routing felt broken even though RRAS was configured correctly.

✅ Root cause & fix

The DHCP scope was handing out the wrong gateway. Clients had no idea how to reach RRAS. Fixed by setting the default gateway in the DHCP scope to point to the RRAS internal interface: 192.168.10.10.

03
Duplicate IP — APIPA appeared out of nowhere
❌ What happened

A machine suddenly showed 169.x.x.x — APIPA. Couldn't communicate with anything. Looked like a DHCP failure but DHCP was running fine.

✅ Root cause & fix

IP conflict. Two devices had the same IP. Windows detected the conflict, released the address, and fell back to APIPA since DHCP didn't respond in time. Fixed by assigning a unique static IP to the conflicting device.

04
RRAS ≠ firewall — the assumption that changed everything
❌ The assumption

I expected RRAS to enforce security between the networks. Block unwanted traffic between zones. Act as a gatekeeper at the segmentation boundary.

✅ The reality

RRAS routes traffic — it doesn't filter it. Transit traffic between zones passes through without inspection. Security controls must live at the endpoints (Windows Firewall on each machine) or on a dedicated firewall appliance sitting between zones.

What Changed

🔄 Before and After This Lab

The difference between reading about something and building it — then watching it break — is the difference between recognising a word and knowing its weight.

😶 Before the lab
I "understood" DMZ from diagrams
Assumed NAT = security
Thought RRAS filtered traffic
Never questioned "it works"
Theory lived in my head, untested
💡 After the lab
I know exactly what isolation actually means
NAT controls access, not security
RRAS routes — firewall is a separate concern
"It works" is a question, not an answer
Broken things teach more than working ones

🧠 The Four Things That Actually Stuck

🗺️
Network segmentation is deliberate
Subnets don't automatically isolate anything. You define what can reach what — explicitly. If you don't, RRAS will happily route everything everywhere.
🎭
NAT hides, it doesn't protect
NAT makes services reachable through a single IP. Port forwarding controls what's exposed. Neither of these is a firewall. Don't confuse exposure with security.
📦
Services go exactly where you put them
If IIS is on the router, the router serves pages. The architecture you draw only works if the services actually live where you put them in the diagram.
🛡️
RRAS is a road, not a bouncer
Routing moves packets. Filtering requires explicit rules at the endpoints. If you want a zone boundary to mean something, you need endpoint firewalls or a dedicated appliance.
What's Next

🚀 Where This Lab Goes From Here

This setup works — properly now. But it's a foundation, not a finish line. There's a lot more to add before it resembles anything close to a real production environment.

🔥
Zone firewall rulesExplicit allow/deny between Internal ↔ DMZ ↔ External zones at the endpoint level
📊
Traffic monitoringLog inter-zone traffic so I can actually see what's moving where instead of just assuming
⚔️
Attack simulationsTry lateral movement from DMZ into Internal — then see if the controls actually stop it
☁️
Hybrid cloud extensionExtend this architecture into a cloud VPC — same principles, different tools

Reading about networking gives you vocabulary. Building a broken network gives you understanding. They feel like the same thing until you try the second one.

Still exploring. Still breaking things. Still learning — just now with a much healthier distrust of "it works."

Shibu A
Shibu A
Support Engineer & Infrastructure Admin. I break things in my lab so they don't break in production. Based in Doha, Qatar.
LinkedIn Twitter

💬 Discussion

Built a similar lab? Hit the same RRAS wall? Drop it below.

👤
0 / 1200