LAN Gateway: one client, multiple machines on your internal network

By default, every SuperDMZ client exposes services running on 127.0.0.1 — that is, on the machine where the client itself is installed. That covers most cases.

But many scenarios want to expose things sitting on other machines in the same network:

• Windows Server with SQL Server at 192.168.0.10
• Synology NAS at 192.168.0.50
• IP camera at 192.168.0.21
• Printer at 192.168.0.100

Installing the SuperDMZ client on all 4 is complicated (most don't run Windows/Linux). LAN Gateway solves it: you install the client on a single always-on machine (any PC or server) and it routes to the others.

How it works

When you create a tunnel, instead of "127.0.0.1" you pick "Another machine on the internal network" and enter the destination IP. The local client, on receiving a tunnel connection, does net.Dial straight to the LAN IP — the routing is handled by the OS, not SuperDMZ.

Defense in depth

Before any non-loopback dial, the client requires an explicit opt-in from the owner of the machine:

• Windows: "Gateway" switch in the local panel (http://127.0.0.1:16500)
• Linux/macOS: sudo superdmz -allow-gateway

Without that local opt-in, any non-loopback dial attempt is refused and logged as "BLOCKED Gateway dial". This protects you even if an attacker compromises your SuperDMZ account — they can't turn your client into a proxy for the rest of your LAN.

What's accepted and what isn't

The panel only accepts RFC 1918 private IPs:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16

Any public IP is rejected both by the panel and by the client — SuperDMZ cannot become an open proxy.

Availability per plan

• Free, Starter — Gateway not available
• Pro — up to 20 gateway tunnels, /32 scope (1 IP per tunnel)
• Business — up to 100 gateway tunnels, scope up to /16 (entire subnet)