Chained Routers, Part III

I finally got around to installing the second router (actually the third but I’m not counting
my wireless router).

As a review, I’ve been researching the possibility of hosting my own server. This is because
paying pair.com, the present host of my web site, costs me several
hundred dollars a year and, over time, system performance has degraded.

Partly, it could be that the server my site is on is also serving over 125 other sites. While, no
doubt, this keeps costs down, running my content management system,
MovableType (MT), in such an environment leads to compromises. One of those compromises is that, in
the opinion of pair.com, MT uses too many CPU resources. In an effort
to keep this from degrading other sites, pair.com automatically kills
some MT processes. One of those processes is the automatic
re-generation of web pages managed by the MT program.

Be clear that I’m not blaming pair.com. I’m sure they instituted this situation to protect their
services and hold costs down. If you aren’t running MT, or are but
don’t have a lot of pages, pair.com will work just fine.

In the end, I may stay with pair, move to
another host, or in fact host my own site. There are costs
involved in whichever way I choose to go.

That all said, the suggested configuration came from Gibson Research Corporation (GRC) – of
ShieldsUp! fame. They feel it best to use two properly configured
firewall/routers, if you are going to open a port or ports so that, for
example, you can host your own web or mail server at home. The theory
is that you open a port from your external firewall/router for
whichever services you need (e.g., 80 for web) but keep all ports on the
internal firewall/router stealthed and closed. Hence, should your
server be hacked, said server cannot act as a relay into the rest of
your home network since it is upstream of the second firewall/router.
This assumes, of course, the second firewall/router is correctly
configured. If it is not (for example, if you open any ports on the second router), then
you might as well just use a one-router configuration.

In any case, my internal router, a Linksys BEFSR11, is your standard firewall/router and will be
used to act as a firewall for the majority
of my home network. The external firewall/router is a Netgear FVS318 and has just port 80 open
and forwarded to my test web server (there’s no content on the server
so I’m not going to link to it yet). All other ports are closed. The
Linksys is cascaded from the Netgear.

There may be several ways to configure the routers to work together. I only know how to do it
with the two I have. Even then, there may be a better way. If there is,
feel free to let me know. YMMV. Insert disclaimer here. Use at your own
risk. There be dragons here.

The two routers must not have overlapping IP addresses nor, if you are using DHCP, overlapping IP
address ranges that they give out. Otherwise, your routers
will not work properly, if at all. GRC recommends the external router
use an IP address of 192.168.1.x and the internal use 192.168.2.x. For
me, that means my Netgear uses 192.168.1.1 and my Linksys
uses 192.168.2.1.
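
A check for the addressing rule above, as an added example that is not part of the original post. It assumes /24 LANs (read from the 192.168.1.x and 192.168.2.x notation); the DHCP ranges and the function names are constructed for illustration.

```python
import ipaddress

def lan(router_ip, prefix_len=24):
    """LAN a router serves; /24 is assumed from the 192.168.1.x notation."""
    return ipaddress.ip_interface(f"{router_ip}/{prefix_len}").network

def pool_problems(r):
    """Problems inside one router's own LAN/DHCP settings."""
    net = lan(r["ip"])
    me = ipaddress.ip_address(r["ip"])
    first = ipaddress.ip_address(r["dhcp_first"])
    last = ipaddress.ip_address(r["dhcp_last"])
    found = []
    if first > last:
        found.append(f"{r['name']}: DHCP range is reversed")
    if first not in net or last not in net:
        found.append(f"{r['name']}: DHCP range leaves {net}")
    if first <= me <= last:
        found.append(f"{r['name']}: router address is inside its DHCP range")
    return found

def cascade_problems(outer, inner):
    """Problems that would stop the chained pair from routing properly."""
    found = pool_problems(outer) + pool_problems(inner)
    outer_net, inner_net = lan(outer["ip"]), lan(inner["ip"])
    if outer_net.overlaps(inner_net):
        found.append(f"LAN subnets overlap: {outer_net} and {inner_net}")
    return found

# Constructed settings: router addresses follow the post, DHCP ranges are made up.
NETGEAR = {"name": "external", "ip": "192.168.1.1",
           "dhcp_first": "192.168.1.100", "dhcp_last": "192.168.1.150"}
LINKSYS = {"name": "internal", "ip": "192.168.2.1",
           "dhcp_first": "192.168.2.100", "dhcp_last": "192.168.2.150"}
# Constructed mistake: internal router renumbered, DHCP range left on the old subnet.
LINKSYS_STALE = dict(LINKSYS, dhcp_first="192.168.1.100", dhcp_last="192.168.1.150")
# Constructed mistake: both routers answering on the same LAN.
LINKSYS_CLASH = dict(LINKSYS, ip="192.168.1.1",
                     dhcp_first="192.168.1.100", dhcp_last="192.168.1.150")

if __name__ == "__main__":
    for inner in (LINKSYS, LINKSYS_STALE, LINKSYS_CLASH):
        print(cascade_problems(NETGEAR, inner) or "no addressing conflicts")
```
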

The first step is to ensure that the two routers are never on at the same time, or at least not on
and linked, until you have everything configured so as to avoid default
IP addresses that overlap. For me, this means having two PCs,
one plugged directly into each of the routers so I can access each
setup utility.

In my present network configuration, the Netgear is the only firewall/router in use. Hence, I
wanted to leave that alone until the last possible moment so I could
always get access, in case anything went wrong. So I configured the
internal Linksys first.

I won’t go into the specific details because it will vary by make and model of router. Suffice to
say I changed the IP address and DHCP ranges to reflect the 192.168.2.x
addresses. I then did a similar change to the Netgear but using the
192.168.1.x range (it was set to 192.168.0.x).

I then turned off both routers, ran an Ethernet line from the Netgear to the Linksys, left the line
from the Netgear to what will be my test web server, and removed all
other lines from the Netgear and plugged them into the Linksys and
an attached 16-port switch instead.

This physically and electronically isolates the test web server from the other PCs on my
home network. I then powered on the Netgear, waited until it was fully
powered up, and then turned on the Linksys.

I still have to do some testing but all seems to be working. I will let you know if any problems are
identified. If not, my next step is to get the web server itself
configured and running Apache/MySQL/MT followed by configuring a
dynamic naming service to make up for the fact that I don’t have a static IP address.

Aloha!
