
DMZ on the RV042?

wtsadmin1 (Level 1)

New Cisco owner here and old Sonicwall and Checkpoint hand. I thought I'd give the RV042 a try but I'm having issues with the DMZ configuration. What I'm used to and what I'm trying to set up is a separate internal (private) subnet hung off of the DMZ port. In the Sonicwall world a DMZ port is where you attach a stand-alone subnet where you park your web and email servers. The device then routes traffic to and from the DMZ from the LAN and WAN ports as the ruleset allows. On this RV this doesn't appear to be the case. From the pittance of documentation on using the DMZ function of this device, it appears that I associate static external IPs to the DMZ port and these are somehow routed to internal hosts? If so, how? One-to-one NAT or some other under-documented feature?

  • To date I've enabled the DMZ on the WAN2 port and defined it as a subnet with a port IP of 192.168.1.1. 
  • From a host on 192.168.1.10 (attached to the RV DMZ port via a switch) I'm able to ping hosts on my LAN segment (10.0.0.0) (with ping enabled from DMZ to ALL).
  • Using the RV diagnostic ping, I can ping hosts on the LAN port but not on the DMZ.
  • I cannot ping from hosts on the LAN segment to 192.168.1.10 (and ping is open in the ACL).
  • I have not yet tested WAN to DMZ function.

If I sound frustrated that's because I am. I've spent half a day on this (including a very unproductive hour with Cisco tech support). Before I return the device I thought I'd give the forum a go. I suspect that the RV does not really support a DMZ function as I'm used to.

Thoughts or pointers to real documentation on the RV DMZ setups?

9 Replies 9

Te-Kai Liu (Level 7)

The 2nd WAN port of RV042 can be configured with "DMZ Range", where the hosts in the DMZ are configured with static IP addresses in the same subnet as the first WAN port. Here is a screenshot as an example.

If you need two WAN ports for load balancing and still need a DMZ for hosting public facing servers, you can use 1-to-1 NAT, where the servers are configured with private IP addresses that are mapped to public IP addresses through 1-to-1 NAT.

"The 2nd WAN port of RV042 can be configured with "DMZ Range", where the hosts in the DMZ are configured with static IP addresses in the same subnet as the first WAN port. Here is a screenshot as an example."

So if I understand this correctly, I have servers directly plugged into the internet with their own static public IPs. The "DMZ Range" function allows connections to internal resources from those IPs, and all other IPs are not allowed access. Sounds like a simple whitelist to me and not a DMZ. This scheme leaves all ports on the public servers wide open. What is the "Subnet" option for under the DMZ setup? A nice feature where I can whitelist the Comcast top level domain if I wanted to?

"If you need two WAN ports for load balancing and still need a DMZ for hosting public facing servers, you can use 1-to-1 NAT, where the servers are configured with private IP addresses that are mapped to public IP addresses through 1-to-1 NAT."

This doesn't segregate the public servers from the LAN subnet, which is the intent of a DMZ, is it not? I've tried defining a second subnet with the intent of placing that on a VLAN, but the NAT function appears to only support NAT to the LAN subnet. Not much use there...

If my assumptions are correct here, then the RV042 is not a business class device. A true DMZ function with one-to-one NAT to all subnets would be so easy to include with this router. It's obvious it's dumbed down for its price point. It's basically a home firewall with "Business" slapped on the label.

The hosts in the DMZ Range of RV042 are protected by the stateful firewall of RV042, and access rules can be added to limit the TCP/UDP ports exposed to the internet.

Domain whitelist can be supported on RV042 with the optional ProtectLink Web service.

DMZ Subnet works similar to DMZ Range, except that the hosts are configured with public IP addresses in a different subnet than the WAN1 port. In this case, the ISP will route the traffic to the DMZ subnet through the WAN1 port.

The saga continues.

I've set up a DMZ Range of 66.x.x.188 to 66.x.x.189. I have a single server plugged into the DMZ port and it's set at static 66.x.x.189 with gateway set to 66.x.x.161.

The other ports are:

  • LAN: 10.x.x.254
  • WAN: 66.x.x.190
  • Gateway: 66.x.x.161

From the DMZ host on 66.x.x.189 I can ping the RV LAN port and public IPs. I cannot ping to my LAN subnet nor can I ping from the LAN subnet to 66.x.x.189. I cannot ping from the WAN to 66.x.x.189. Ping and DNS are open from DMZ to ALL in the ACL. As my DMZ host DNS is pointing to my internal name servers on the LAN subnet, I'm not getting name resolution since this is being blocked also. I can browse the internet from the DMZ host but only by IP address.

The ACL (listed top to bottom in priority order; the Day column was empty for every rule):

Action | Service         | Source Interface | Source | Destination             | Time
-------+-----------------+------------------+--------+-------------------------+-------
Allow  | Ping [255]      | DMZ              | Any    | Any                     | Always
Allow  | DNS [53]        | DMZ              | Any    | Any                     | Always
Allow  | All Traffic [1] | LAN              | Any    | Any                     | Always
Allow  | All Traffic [1] | WAN              | Any    | 66.x.x.188 ~ 66.x.x.189 | Always
Deny   | All Traffic [1] | WAN              | Any    | Any                     | Always
Deny   | All Traffic [1] | DMZ              | Any    | 10.x.x.0 ~ 10.x.x.255   | Always
Allow  | All Traffic [1] | DMZ              | Any    | Any                     | Always

What am I missing? 
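As an added illustration (not code from the thread or from Cisco), here is a small first-match evaluator for the access rule list in the post above: it walks the rules in their listed order and reports which one decides a given packet. The addresses are constructed stand-ins (203.0.113.0/24 for the masked 66.x.x.0 public block, 10.0.0.0/24 for the 10.x.x.0 LAN) because the real octets are not on the page, and the first-match semantics are an assumption about how the rule list is meant to be read.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "Allow" or "Deny"
    service: str                 # "Ping", "DNS" or "All Traffic", as named in the RV042 UI
    src_if: str                  # "LAN", "WAN" or "DMZ"
    src: Optional[IPv4Network]   # None means "Any"
    dst: Optional[IPv4Network]   # None means "Any"


def net(cidr: Optional[str]) -> Optional[IPv4Network]:
    return IPv4Network(cidr) if cidr else None


# The posted ACL in its listed order, with constructed stand-in addresses.
ACL = [
    Rule("Allow", "Ping", "DMZ", None, None),
    Rule("Allow", "DNS", "DMZ", None, None),
    Rule("Allow", "All Traffic", "LAN", None, None),
    Rule("Allow", "All Traffic", "WAN", None, net("203.0.113.188/31")),  # .188 ~ .189
    Rule("Deny", "All Traffic", "WAN", None, None),
    Rule("Deny", "All Traffic", "DMZ", None, net("10.0.0.0/24")),
    Rule("Allow", "All Traffic", "DMZ", None, None),
]


def matches(rule: Rule, src_if: str, src_ip: str, dst_ip: str, service: str) -> bool:
    """True if the packet fits every field of the rule ("All Traffic" covers any service)."""
    return (rule.src_if == src_if
            and rule.service in ("All Traffic", service)
            and (rule.src is None or IPv4Address(src_ip) in rule.src)
            and (rule.dst is None or IPv4Address(dst_ip) in rule.dst))


def evaluate(acl, src_if, src_ip, dst_ip, service, default="Deny"):
    """First-match walk: returns (action, index of the deciding rule); -1 means nothing matched."""
    for i, rule in enumerate(acl):
        if matches(rule, src_if, src_ip, dst_ip, service):
            return rule.action, i
    return default, -1


if __name__ == "__main__":
    # DMZ host pinging a LAN name server: the Allow Ping rule on top wins over the later Deny.
    print(evaluate(ACL, "DMZ", "203.0.113.189", "10.0.0.10", "Ping"))   # ('Allow', 0)
    # Any other DMZ-to-LAN service is stopped by the Deny at position 5.
    print(evaluate(ACL, "DMZ", "203.0.113.189", "10.0.0.10", "SMTP"))   # ('Deny', 5)
```

Read this way, the Ping and DNS rules should match DMZ-to-LAN traffic before the Deny toward the LAN block does, which is the behaviour the poster expected but did not observe.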

Can anybody at Cisco comment on my post from Friday?  Why is the RV042 blocking ping and dns between DMZ and LAN even though I clearly have these opened in the ACL?

This router is going back to the vendor. If anybody is researching the RV042 for use as a firewall with a DMZ function, I'd recommend you pass on this device. Issues are insufficient documentation, no routing between LAN and DMZ, and lack of knowledgeable support from Cisco.

If the hosts in the DMZ need to access the resources in the LAN, you could use the 1-to-1 NAT feature and place the hosts in the LAN.

Hmm I have also been struggling with this DMZ function.

I have an Exchange Edge Transport server (static 10.0.10.106) plugged into the DMZ(/Internet) port.

This server needs to relay SMTP over port 25/TCP (two-way) with the Hub Transport server (static 10.0.10.15) in the LAN segment.

In the firewall settings, I have opened port 25/TCP from my Edge Transport server, to my Hub Transport server.

This seems to be working.

Additionally, the Hub Transport server should be able to push Active Directory information to the Edge Transport server over port 50636/TCP.

According to the default Access Rules in the firewall settings, all traffic from LAN to DMZ is allowed, so this shouldn't be a problem.

Still I am not able to sync between the two servers.

The weird thing is, when I switch the DMZ setting from "Range" to "Subnet" (and press Save), and I switch it back to "Range" (and press Save), the synchronisation between the servers works for like 1 or 2 minutes. After that it fails again.

Can anyone tell me what DMZ settings I should use?

Please note that I have only 1 public IP address.

SETUP:

ADSL MODEM (10.0.10.1)----------->  Internet port (static 10.0.10.250)

Edge Transport server (10.0.10.106) ----------->  DMZ/Internet port (Range DMZ & WAN within same subnet 10.0.10.100 to 10.0.10.110)

Hub Transport server (10.0.10.15) -------> LAN1

durreavi (Level 1)