PC Review


DMZ / Firewall question

Mike Lloyd-Jones
      2nd Mar 2006
Hi
Not strictly related to XP, but maybe someone can help?

Have a Netgear DSL modem/router with a DMZ port.
LAN side of the router has a number of XP PCs.
We want to connect a PC to the router so it is publicly accessible to the
Internet for customers to download files.

Guess we have 2 options:

1) Port forwarding to allow FTP or whatever through, directed to that PC.
Problem here is that since the PC is still connected to the LAN this opens
up a potential security risk to the rest of the network

2) Connect the PC to the DMZ port on the router. This keeps it secure, but
we still need to be able to copy files to this from the LAN side (for
customers to download). Can a route generally be configured from the LAN to
the DMZ which is "one-way" so that we can copy files up to DMZ computer but
no access the other way?

Probably a really dumb question, but I'd be grateful for any input!

Thanks



Robert L [MS-MVP]
      2nd Mar 2006
In most cases, a router is one-way, so that you should be able to access the DMZ pc from the LAN.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Chuck
      2nd Mar 2006
On Thu, 2 Mar 2006 09:00:28 -0000, "Mike Lloyd-Jones" <(E-Mail Removed)> wrote:

>Hi
>Not strictly related to XP, but maybe someone can help ?
>
>Have a Netgear DSL modem/router with a DMZ port.
>LAN side of the router has a number of XP PCs.
>We want to connect a PC to the router so it is publicly accessible to the
>Internet for customers to download files.
>
>Guess we have 2 options:
>
>1) Port forwarding to allow FTP or whatever through, directed to that PC.
>Problem here is that since the PC is still connected to the LAN this opens
>up a potential security risk to the rest of the network


You are correct. NAT routers are great security when all that you do is surf
the Internet. When you need to run an Internet server from a NAT router LAN,
you have to open a hole in the router, and this will indeed expose your LAN.

>2) Connect the PC to the DMZ port on the router. This keeps it secure, but
>we still need to be able to copy files to this from the LAN side (for
>customers to download). Can a route generally be configured from the LAN to
>the DMZ which is "one-way" so that we can copy files up to DMZ computer but
>no access the other way?


On most NAT routers (and here the model of the Netgear might be useful) the
"DMZ" is really just a virtual server port, protected by the firewall components
(if your router has any such), and connected openly to the rest of the LAN. No
routing or firewall rules are necessary, or are possible.

In most domestic DSL LANs, you will find it best to host any server offsite.
# Security, as noted above, is not easily done with a typical DSL modem /
router.
# Asynchronous DSL, which is what most DSL is, provides for most bandwidth to
support surfing of the Internet (downward bandwidth). What little bandwidth in
the other direction (upward) is generally taken up by surfing, and if any
surfing is going on the upward bandwidth (which is what your customers will
depend upon for their downloads) is unlikely to be available in any reliable
amount.
# Some DSL services explicitly prohibit servers for this reason.

In short, you can connect a server to your modem / router. Depending upon the
model, you may or may not be able to do this without exposing your LAN.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
Mike Lloyd-Jones
      2nd Mar 2006
Thanks for the reply
It's a Netgear FVX318. We want a PC connected to its DMZ port so we can
upload files to it from the LAN PCs and so that external customers can
access those files.
Mike
Chuck
      2nd Mar 2006
On Thu, 2 Mar 2006 18:53:02 -0000, "Mike Lloyd-Jones" <(E-Mail Removed)> wrote:
>Thanks for the reply
>It's a Netgear FVX318. We want a PC connected to it's DMZ port so we can
>upload files to it from the LAN PCs and so that external customers can
>access those files..
>Mike


OK, Mike,

Do you maybe have a FVS318? I can't find anything about an FVX318.

From what I'm reading about the FVS318, it is not a simple NAT router;
it's more of a firewall with NAT built in. That should make your DMZ an actual
separate VLAN, potentially, and you should indeed be able to put an Internet
server on one port, and have that server isolated from the others.

I'll stand firm with my advice about using DSL (do you have ADSL or SDSL?) for
serving data across the Internet. Co-located servers are similar in concept to
edge hosting: they move the traffic closer to the clients. Many ISPs provide
co-location, in various autonomy and service levels, for reasonable prices.

But, if you do go with your personally hosted server, you can make your LAN
secure while doing the hosting.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
Mike Lloyd-Jones
      3rd Mar 2006
Hi
Apologies, it is an FVX538
(http://www.netgear.co.uk/vpn_firewall_router_fvx538.php)
We are using ADSL, and the reason we want this PC/server to be "local" is so
that we don't have to upload what are very large files across a 256k
upstream link.
I guess the question is if we attach the PC to the DMZ port (192.168.10.x)
can we still access it from the LAN (192.168.0.x)?
Thanks

Chuck
      3rd Mar 2006
On Fri, 3 Mar 2006 08:19:46 -0000, "Mike Lloyd-Jones" <(E-Mail Removed)> wrote:
>Hi
>Apologies, it is an FVX538
>(http://www.netgear.co.uk/vpn_firewall_router_fvx538.php)
>We are using ADSL, and the reason we want this PC/server to be "local" is so
>that we don't have to upload what are very large files across a 256k
>upstream link.
>I guess the question is if we attach the PC to the DMZ port (192.168.10.x)
>can we still access it from the LAN (192.168.0.x) ?
>Thanks


OK, Mike,

I haven't examined the instruction manual for the FVX538. It's a regular
firewall, though, so as a firewall, you have to be able to set up rules that
allow connection between the LAN port and the DMZ port.

This isn't really a Windows XP networking issue though. If you have specific
questions, you might get them better answered in microsoft.public.security, or
you might try the DSLR Netgear forum (web based, registration is free):
<http://www.dslreports.com/forum/netgear>

I gotta say though, I'm still curious about the server hosting issue. What
files would you prefer that your customers (plural, I hope) should spend
multiple times downloading (thru your 256K upload link), rather than you once
(again thru the 256K upload link)? Or do you have a huge ratio of files to
customers?

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
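Chuck's replies draw the distinction that decides Mike's question: on a consumer NAT router the "DMZ" port is just another LAN port, while on a real firewall the DMZ is its own segment and the LAN-to-DMZ path is governed by stateful rules, so a LAN PC can open a connection to the DMZ host and receive its replies, but the DMZ host cannot open anything towards the LAN. The Python model below is an added example written for this thread; it is not code from the thread, from either poster, or from Netgear. It uses the subnets Mike quotes (LAN 192.168.0.x, DMZ 192.168.10.x) and assumes, as constructed values, that the DMZ host publishes FTP control (port 21) and HTTP (port 80), with 203.0.113.7 standing in for a customer, 192.168.0.5 for a LAN workstation and 192.168.10.2 for the DMZ file server. The `flat_dmz` switch reproduces the simple NAT-router case beside the zoned-firewall case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not from the thread or from Netgear. Zone layout uses the
# subnets quoted in the thread; anything outside them is treated as the
# Internet (WAN). The published ports are an assumption (FTP control, HTTP).
ZONES = {
    "lan": ip_network("192.168.0.0/24"),
    "dmz": ip_network("192.168.10.0/24"),
}
PUBLISHED_DMZ_PORTS = {21, 80}


def zone_of(addr: str) -> str:
    """Map an address to lan / dmz / wan by subnet membership."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The reply direction of this flow (what connection tracking matches on)
        return Flow(self.dst, self.dport, self.src, self.sport)


class ZoneFirewall:
    """Stateful inter-zone policy of the kind a real firewall with a DMZ port
    enforces. With flat_dmz=True it behaves like the simple NAT router Chuck
    warns about, where the 'DMZ' port sits on the same segment as the LAN."""

    def __init__(self, flat_dmz: bool = False):
        self.flat_dmz = flat_dmz
        self.conntrack: set[Flow] = set()   # flows accepted as NEW so far

    def allows_new(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        if src_zone == dst_zone:
            return True                           # same segment, firewall not in the path
        if self.flat_dmz and {src_zone, dst_zone} == {"lan", "dmz"}:
            return True                           # flat router: DMZ host can reach the LAN
        if (src_zone, dst_zone) == ("lan", "dmz"):
            return True                           # staff push files up to the DMZ host
        if (src_zone, dst_zone) == ("lan", "wan"):
            return True                           # ordinary outbound browsing
        if (src_zone, dst_zone) == ("wan", "dmz"):
            return dport in PUBLISHED_DMZ_PORTS   # customers reach only published services
        return False                              # dmz->lan, wan->lan, dmz->wan are denied

    def packet(self, flow: Flow) -> tuple[bool, str]:
        """Decide one packet: accept as a reply to a tracked flow, as a new
        flow the policy permits, or drop it."""
        if flow.reverse() in self.conntrack:
            return True, "established"            # reply to a flow accepted earlier
        src, dst = zone_of(flow.src), zone_of(flow.dst)
        if self.allows_new(src, dst, flow.dport):
            self.conntrack.add(flow)
            return True, f"new {src}->{dst}"
        return False, f"policy {src}->{dst}"


# Constructed traffic, in the order it arrives at the firewall.
SCENARIO = [
    ("LAN uploads to DMZ FTP",      Flow("192.168.0.5", 40000, "192.168.10.2", 21)),
    ("DMZ replies to that upload",  Flow("192.168.10.2", 21, "192.168.0.5", 40000)),
    ("DMZ host opens SMB to LAN",   Flow("192.168.10.2", 50000, "192.168.0.5", 445)),
    ("customer downloads over FTP", Flow("203.0.113.7", 51000, "192.168.10.2", 21)),
    ("customer probes DMZ RDP",     Flow("203.0.113.7", 51001, "192.168.10.2", 3389)),
    ("Internet reaches a LAN PC",   Flow("203.0.113.7", 51002, "192.168.0.5", 21)),
]


def run_scenario(flat_dmz: bool = False) -> dict[str, bool]:
    """Replay the scenario through a fresh firewall; label -> accepted?"""
    fw = ZoneFirewall(flat_dmz=flat_dmz)
    return {label: fw.packet(flow)[0] for label, flow in SCENARIO}


if __name__ == "__main__":
    for flat in (False, True):
        print("flat NAT-router 'DMZ' port" if flat else "zoned firewall DMZ")
        for label, ok in run_scenario(flat).items():
            print(f"  {'ACCEPT' if ok else 'DROP  '}  {label}")
```

Running it prints both policies side by side; the one row that differs is the DMZ host opening SMB towards the LAN, which the flat "DMZ port" accepts and the zoned firewall drops. The reply from the DMZ host is accepted only because the LAN-originated flow was tracked first; sent on its own, the same packet is dropped, which is the "one-way" behaviour Mike asks for. The model tracks only the FTP control connection; a real firewall also needs FTP-aware connection tracking for the data channel, or passive mode with a fixed port range published, and on the LAN side the copy should go over a protocol that does not send credentials in the clear.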