One way traffic

Discussion in 'Networking Issues' started by techmanblues, Sep 21, 2005.

  1. techmanblues

    techmanblues Network Guru Member

    I have a 5-static-IP DSL account. I have a bunch of computers that NAT off 1 of the 5 IPs. I have one Windows XP Pro machine that I want to act as a webserver to host my company website. I decided to give this webserver 1 of the remaining 4 public IPs. My problem now is how do I connect to the webserver to upload files into it to serve? We are not talking about a few small modifications here, but megabytes of stuff. (It's a graphics firm). Because the webserver and the set of LAN PCs are each behind two Linksys routers that plug into the same modem, no PCs in the LAN can upload files directly to the webserver using a local transfer as opposed to using the Internet to transfer files.

    I have an idea and I want to see if any of you think it will work. Remember, I am looking for an easy and fast way to upload large files to another computer that is physically in the same LAN, but logically they are not.

    I can put a 2nd NIC on the webserver. The 1st NIC gets an IP of and is connected to a LAN port of its own router. This is the "front-end" NIC that interacts with the Internet indirectly through a router that forwards port 80 to the webserver.

    The second NIC gets and is connected to the WAN of another router (router #2) whose WAN IP is set as static as The LAN side of this 2nd router is which is in the same subnet as the LAN of the rest of the computers. The rationale here is I want any of the computers in the 192.168.0.x network to be able to access the webserver as an "out-bound" connection from LAN to WAN and therefore upload big files without the need to go out to the Internet, make a U-turn and deposit files on the webserver.

    Modem with 5 IPs <--> (public IP) router ( <--> [( NIC1 -- ( NIC2] <--> ( router LAN( <--> any computer in the LAN
  2. dethomas143

    dethomas143 Network Guru Member

    It sounds like you're making this a bit too complicated. Why do you have 2 routers? If it is to make use of the 2nd static address then the best solution would be a router that can handle more than one address on the WAN side. Then you forward whatever ports you need on the 2nd static address to the webserver.

    If that's not possible then you should be able to implement what you need with a single static for both the outgoing NAT stuff and the web server. Have incoming port 80 (or 443 if it's SSL) sent to the webserver. I've seen fairly large organizations run this way with no problem on a single IP. You'll only need the 2nd if you need two incoming port 80's (or whatever) each pointing at different machines.

    With either of these two solutions the workstations to webserver traffic exists entirely on the LAN.

    David E. Thomas
  3. techmanblues

    techmanblues Network Guru Member

    I think you have misunderstood me. Most of the time when a company runs a webserver in-house, the webserver is a stand-alone in its own subnet or in the DMZ so that if the server is taken over by hackers, the other machines in the LANs are not affected. This webserver is maintained by one person in the company who does data entry from previously copied data on an external harddrive or CD. Basically, the webserver administrator uses sneakernet to update the server.

    However, what I want to do is to have anyone in the LAN have the ability to upload files into the webserver directly from their computer over the network. But I do not want the server to have the ability to connect to any of these computers. Hence the one-way traffic.

    Since a NAT router is designed not to allow any unsolicited incoming data through its WAN port from the "Internet," but it has no problem letting out data from its LAN, I want to put this webserver in the "Internet" zone from the perspective of this router. This way, the people in the LAN can deposit files -- big files -- onto the webserver, but whoever controls the webserver cannot access any of the LAN machines behind that router.

    This situation brings up the idea of the DMZ. I still do not understand the need for it. Let's say a NAT router that supports DMZ. Physically all the computers in the LAN are connected to the LAN ports of this router. However, one of these computers, a webserver for example, is placed in the DMZ of the router. What does this mean? I mean the DMZ machine is still in the same subnet as the rest of the machines, right? What exactly separates this DMZised machine from the other non-DMZised ones? Are all the ports open to this DMZised machine? I can achieve the same by not enabling DMZ but rather using port forwarding, having all incoming data from the Internet on port 80 forwarded to this webserver while blocking all other ports. This works great. I have set up a few webservers that do this without the need to put the server in the DMZ zone. So far, I still do not understand what the heck DMZ does.
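    An added example, not from this thread or from Linksys firmware: a small Python model of a consumer NAT router's forwarding decision. It illustrates the two points discussed above, why a LAN host can open a connection to a host on the router's WAN side while the reverse is refused (the one-way traffic idea), and how a "DMZ host" differs from forwarding only port 80. Host labels (`pc1`, `web`, `internet`), ports and policies are constructed for the example; flow tracking is simplified to (initiator, responder) pairs.

```python
# Constructed model of a stateful NAT router's filter decision (example only,
# not code from the thread or from any router firmware).
from dataclasses import dataclass, field

@dataclass
class Router:
    mode: str                                     # "forward" or "dmz"
    forwards: dict = field(default_factory=dict)  # dport -> LAN host (forward mode)
    dmz_host: str = ""                            # receives ALL unsolicited WAN traffic
    flows: set = field(default_factory=set)       # (initiator, responder) pairs seen

    def decide(self, src, dst, dport, zone_in):
        """Verdict for one packet; zone_in is the arrival interface, "lan" or "wan".

        Simplification: a real router keys its connection table on ports and
        protocol too; here any inbound packet from the responder of a tracked
        flow back to its initiator counts as an ESTABLISHED reply.
        """
        if zone_in == "lan":
            self.flows.add((src, dst))            # NAT lets anything out, remembers it
            return "ALLOW"
        if (dst, src) in self.flows:
            return "ALLOW"                        # reply to a LAN-initiated flow
        # Unsolicited inbound from WAN: only what the policy explicitly exposes
        if self.mode == "dmz" and self.dmz_host:
            return f"ALLOW -> {self.dmz_host}"    # every port reaches the DMZ host
        target = self.forwards.get(dport)
        if target:
            return f"ALLOW -> {target}"           # only the forwarded port
        return "DROP"

def exposure(mode):
    """What the Internet can reach through the webserver's own router, per mode."""
    r = Router(mode=mode, forwards={80: "web"}, dmz_host="web")
    return {p: r.decide("internet", "public", p, "wan") for p in (80, 22, 3389)}

def one_way_check():
    """Router #2: workstations on its LAN side, the webserver on its WAN side."""
    r = Router(mode="forward")                    # nothing forwarded inbound
    up = r.decide("pc1", "web", 21, "lan")        # pc1 uploads to the webserver
    reply = r.decide("web", "pc1", 0, "wan")      # webserver answers pc1
    reverse = r.decide("web", "pc2", 445, "wan")  # webserver tries to reach pc2
    return up, reply, reverse

if __name__ == "__main__":
    print("port forward only:", exposure("forward"))
    print("DMZ host:         ", exposure("dmz"))
    print("upload / reply / reverse:", one_way_check())
```

    With port forwarding only, the webserver's router drops everything but port 80; as a DMZ host the same machine is reachable on every port, which is the practical difference the question asks about.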