On a more sophisticated network, the DMZ (Demilitarized Zone) is a specific area of the network where services are provided in a secure way. However, in Tomato, DMZ has a more simple effect. When enabled, all unknown ports on Tomato's WAN are forwarded to the defined DMZ host IP, instead of each being dealt with individually. Consider DMZ a “lazy” and potentially dangerous approach to port forwarding, due to the large security hole it opens.
Enable DMZ: This turns the DMZ function on or off.
Destination Address: This is the LAN IP address of the device meant to receive all these forwarded ports.
Destination Interface: This is the VLAN/bridge where the above host resides.
Source Address Restriction: If specified, this will limit DMZ activity to the defined source IP address range. The Default is empty, which means ports from any IP or range will be forwarded.
Leave Remote Access: If enabled, will force SSH (TCP port 22) and HTTP (TCP port 443) traffic to always be answered by the Tomato router, regardless of DMZ settings.