Setting up an http server that is isloated from the LAN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by hossfeathers, Oct 25, 2006.

  1. hossfeathers

    hossfeathers LI Guru Member

    I have the wrt54gs v1, with the current firmware from linksys. I would like to have an http server on port 80, a separate box from all other workstations. I have a pretty thin understanding of networking issues but here are my impressions. I'd config the wrt54gs to use port fowarding for port 80 to the ip address of the http server box. In fact I've been able to do that.

    However I had thought that it was better to have the http server on in a dmz, which is often implemented by giving the http server an ip address that was off the lan range. So if my LAN is, the http server might be given a static ip of something like (not sure but is that called a different subnet?). I don't seem to be able to port forward ip addresses that are off the regular LAN range in the linksys config...all I'm able to do is change the last part of the range.

    It's not so much important to me that I be able to set this up like I was trying to, but I would very much appreciate any advice re how to configure the http server port forwarding so that it's reasonably secure, however that's best accomplished.

  2. ifican

    ifican Network Guru Member

    Well you are correct on many fronts, and yes that would be a different subnet. Now to get straight to the point your current software on that router will not give you the capability to do what you are asking. Some third parties will but i have not used them personally (the ones that will that is). However there are only a couple reason to segment the server the way you are asking, the two that come to mind are 1) to keep local users from access the server and 2) to help protect your internal lan if your server gets compromised. Now since you dont have the ability to really seperate it out (the server) to a true dmz then just make sure you have the sever pathced to date and have antivirus current. That in itself should workout just fine, stay on top of updates and vulnerabilities and you really shouldnt run inta any significant issues.

    As far as keeping portforwarding secure, lots of ways to do this but none that i can think of without rewritting code or using other equipment to limit access to just specific host. If its going to be a true web server (for any and everyone) then just stay on top of the forementioned vulnerabilities.
  3. hossfeathers

    hossfeathers LI Guru Member

    OK, thanks for that clear reply. Since one tends to hear the drumbeat in favor of DMZs, it's a little hard for me to just trust in keeping windows patched. Hmmm...I've played with smoothwall but found it took more of my time than I was willing to part with. Do you have a recommondation for a low cost device that would provide me with 'real' dmz protection? Or, do you really think it's not needed? I'm sure that's a personal call...but no-dmz just seems to run counter to most network savvy advice I've heard before.
  4. ifican

    ifican Network Guru Member

    Hopefully someone that has a good idea will pop in here, for me i take care of my needs via other devices, but low cost is all a perception. Low cost for what i needed was a couple hundred for you that may not be so. There is nothing that i know of other then getting a machine and running an app such as smoothwall that would run any where near the cost of a linksys router. Well there are several linksys buisness class routers that will run several vlans at once and server your needs. But again i believe they run around 150 or so.
  5. hossfeathers

    hossfeathers LI Guru Member

    150-200 or so is not a problem; vpn would be nice too, if there is one that has that. I'd keep the wrt54gs for the wireless aspect, run it downstream from the new router. Any specific models you might recommend? Thanks for the info you've shared.

    Smoothwall was great but I found it taking a lot of my time as a newbie and ended up feeling that I'd be better off buying something...also wan't fond of leaving an extra pc on all day, power consumption vs the linksys router I had (and reverted to).
  6. hossfeathers

    hossfeathers LI Guru Member

    One reason I'm looking for guidance re which unit is that it's very hard to tell from the marketing stuff what a router really does. For instance, my wrt54gs *has* a dmz capability, but even linksys recommends using the port forwarding instead, and I'd never know that neither is capable of using a separate subnet. If I didn't know better I'd think from the listed capabilities that my existing router was just the ticket.

    But a guess...the LINKSYS RV042, is the the sort of unit? Any comparable unit I should consider? Reviews for that unit are pretty mixed. The D-Link DFL-200 might be another option?
  7. ccbadd

    ccbadd Network Guru Member

    You could look at the WRV200 also. It was a real dud when it was released, but with the release of 1.0.23 (actually 1.0.21) firmware you get an awful lot for ~$70US. IPSEC Vpn, QuickVPN clients, wireless and wired vlans, MIMO wireless and great throughput.
  8. hossfeathers

    hossfeathers LI Guru Member

    OK...but I don't see a dedicated dmz port on that unit, which is what I'm after (unless this unit has a more substantial DMZ arrangment in some other manner). My current wrt54gs has dmz also but it's not a very serious implementation, as far as my understanding goes.
  9. ccbadd

    ccbadd Network Guru Member

    You should be able to put your server on a different vlan from the rest of your network and dmz it. I think this will accomplish what you want, but I really don't know why you would want to expose all ports rather then just port 80? The DMZ for the WRV200 is a software DMZ, not a hardware DMZ port like some have but it should work fine.
  10. mervincm

    mervincm Network Guru Member

  11. hossfeathers

    hossfeathers LI Guru Member

    Yes IPCop is very good, but it's a fork of smoothwall which I've used before, and I found it was taking a lot of my time to configure sw. Also wasn't eager to have to run an addtl pc all day (power consumption).

    I was after a dmz on a distict subnet for security reasons, or I'd be ok with using my current wrt54gs port forwarding (that's what I am doing at this time in fact). At least ifican was of the opinion that what I was hunting for would be somewhat more secure, so the question becomes, what device?

  12. ifican

    ifican Network Guru Member

    You know i forgot about the wrv200, it is a great little device i actually own one and took a quick peek. You wont have a port that is dmz specific, however you do have the ability to vlan off ports thereby creating a dmz withing your same ip space in your lan. You can even set it up to that one port that you are going to use for a dmz will not be allowed to communicate with any other port on the network (segmenting your server from you lan even though its the same ip space). If you have any other direct questions about it feel free to contact me offline and ill be happy to answer then specifically, that way we keep this thread for what it was truely about. Also you asked about other devices, no very easy to learn but once you do they are awesome, is i love the cisco pix and the juniper netscreen.
  13. Maitoga

    Maitoga LI Guru Member

    Looking for info about rv042

    hi guys,

    i'm newbie and i am looking for some info about this rv042, because i have to share a computer with cctv circuit, but the software nedds a lot of ports to be opened, then i am considering to use a DMZ, but i dont want to risk my network only for this machine

    my question is can i use the dedicated port dmz on rv042 to demilitarize this computer and keep my network safe?
    or do i need to make another kind of configurations over this router?

    i need all help that i can because i have to make a choice and buy it soon

    any help will be welcome thanks
  14. hossfeathers

    hossfeathers LI Guru Member

    I think I might go for the D-Link DFL-200, somehow I like the dedicated dmz port and the more traditional setup. Question, the D-Link DFL-200 is not listed as a DHCP server, so there is some mention of that capability...if it's not good for that, am I right in thinking that I'll be able to use my wrt54gs for DHCP and wireless after the DFL-200?

    I've been thinking about pix 501 for a while but it looks a little complicated form me at this point and I probably should opt for something that is simpler (or simplified).
  15. hossfeathers

    hossfeathers LI Guru Member

    I'm going to create a separate post here re how to config the two units to work together (D-Link DFL-200 and WRT54GS)
  16. ifican

    ifican Network Guru Member

    Dhcp server or not, as long as the DFL-200 has a lan ip you can use as a default gateway for the wrt then yes you can use the wrt for whatever you like behind it. And for the record i love the pix overall depending on what you what to do, they really are not that bad to configure once you understand what is going on. The command line can be a little disturbing until you get the hang of it, but the gui is fairly straighforward.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice