Re: DMZ / Firewall question

Apologies, it is an FXV538
We are using ADSL, and the reason we want this PC/server to be "local" is so
that we don't have to upload what are very large files across a 256k
upstream link.
I guess the question is if we attach the PC to the DMZ port (192.168.10.x)
can we still access it from the LAN (192.168.0.x)?

"Chuck" <none@xxxxxxxxxxx> wrote in message
On Thu, 2 Mar 2006 18:53:02 -0000, "Mike Lloyd-Jones" <mike@xxxxxxxxxxx>

"Chuck" <none@xxxxxxxxxxx> wrote in message
On Thu, 2 Mar 2006 09:00:28 -0000, "Mike Lloyd-Jones" <mike@xxxxxxxxxxx>

Not strictly related to XP, but maybe someone can help ?

Have a Netgear DSL modem/router with a DMZ port.
LAN side of the router has a number of XP PCs.
We want to connect a PC to the router so it is publicly accessible to
Internet for customers to download files.

Guess we have 2 options:

1) Port forwarding to allow FTP or whatever through, directed to that
Problem here is that since the PC is still connected to the LAN this
up a potential security risk to the rest of the network

You are correct. NAT routers are great security when all that you do is
the Internet. When you need to run an Internet server from a NAT router
you have to open a hole in the router, and this will indeed expose your

2) Connect the PC to the DMZ port on the router. This keeps it secure,
we still need to be able to copy files to this from the LAN side (for
customers to download). Can a route generally be configured from the LAN
the DMZ which is "one-way" so that we can copy files up to DMZ computer
no access the other way?

On most NAT routers (and here the model of the Netgear might be useful)
"DMZ" is really just a virtual server port, protected by the firewall
(if your router has any such), and connected openly to the rest of the
routing or firewall rules are necessary, or are possible.

In most domestic DSL LANs, you will find it best to host any server
# Security, as noted above, is not easily done with a typical DSL modem
# Asynchronous DSL, which is what most DSL is, provides for most
support surfing of the Internet (downward bandwidth). What little bandwidth in
the other direction (upward) is generally taken up by surfing, and if
surfing is going on the upward bandwidth (which is what your customers
depend upon for their downloads) is unlikely to be available in any
# Some DSL services explicitly prohibit servers for this reason.

In short, you can connect a server to your modem / router. Depending
model, you may or may not be able to do this without exposing your LAN.

Thanks for the reply
It's a Netgear FVX318. We want a PC connected to its DMZ port so we can
upload files to it from the LAN PCs and so that external customers can
access those files.

OK, Mike,

Do you maybe have a FVS318? I can't find anything about an FVX318.

From what I'm reading about the FVS318, is that it is not a simple NAT
it's more of a firewall with NAT built in. That should make your DMZ an
separate VLAN, potentially, and you should indeed be able to put an
server on one port, and have that server isolated from the others.

I'll stand firm with my advice about using DSL (do you have ADSL or SDSL?)
serving data across the Internet. Co located servers are similar in concept to
edge hosting, they move the traffic closer to the clients. Many ISPs provide co
location, in various autonomy and service levels, for reasonable prices.

But, if you do go with your personally hosted server, you can make your
secure while doing the hosting.

Chuck, MS-MVP [Windows - Networking]
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
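
Added example, not part of the original thread and not Netgear configuration: the "one-way" LAN-to-DMZ policy asked about above, written as a stateful nftables ruleset for a generic three-interface Linux firewall. The interface names (wan0, lan0, dmz0), the DMZ host address 192.168.10.2 and the choice of FTP control port 21 as the published service are assumptions; the two subnets are the ones given in the thread.

```nftables
# Added example. Assumed: interfaces wan0/lan0/dmz0, DMZ server at 192.168.10.2 (constructed).
table inet fw {
    chain forward {
        # Default deny: anything not explicitly allowed between zones is dropped.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were permitted by a rule below.
        # This is what makes LAN -> DMZ "one-way": the DMZ host can answer,
        # but it cannot open a new connection into the LAN.
        ct state established,related accept
        ct state invalid drop

        # LAN PCs may open connections to the DMZ (copying files up to the server).
        iifname "lan0" oifname "dmz0" ip saddr 192.168.0.0/24 ip daddr 192.168.10.0/24 accept

        # Internet clients may reach only the published service on the DMZ host.
        # FTP data connections additionally need the conntrack FTP helper (not shown).
        iifname "wan0" oifname "dmz0" ip daddr 192.168.10.2 tcp dport 21 accept

        # Ordinary outbound traffic from the LAN.
        iifname "lan0" oifname "wan0" accept

        # New connections from the DMZ into the LAN: log, then drop. The default
        # policy would drop them anyway; the log line shows a compromised
        # server probing the LAN.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish the DMZ server on the router's public address.
        iifname "wan0" tcp dport 21 dnat to 192.168.10.2
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

The contrast with option 1 in the thread is the destination of the forwarded port: here the exposed host sits on its own interface, so a compromise of that host still has to get past the forward chain to reach 192.168.0.x.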

