Different segment to separate application server from being accessed from the Internet

Joseph Ong

Mar 16, 2013
Hi,

I am new to networking and hence need some advice.

I am using a static IP broadband connection for my internet connection in a home-office environment. I am setting up a server which I want to hide from the internet.

What I need is:

1. 2-3 PCs in one segment that will be able to access the internet. This segment includes an IP camera and a printer which I need to access from outside the office.

2. A web server that serves my accounting application and sales application, which I do not want to expose to the internet but use more for internal access.

Appreciate any help I can get here.

Thanks.


john-b691

Sep 29, 2012
You could of course get a real router and run 2 actual LAN segments and put in firewall rules to accomplish what you need, or you could try the simple way, which is slightly less secure.

First thing:
Do nothing. By default, unless you port forward things, none of your internal machines can be seen via the internet. The NAT in the router does most of the key feature of a firewall, mostly because it is too stupid to know where to send traffic from someone trying to attack you.

For some additional protection:
Remove the default gateway from your internal-only devices. Without a default gateway these devices can now only communicate with things on their LAN. This prevents even a virus-infected machine from opening a connection back to someone on the internet.

Joseph Ong

Mar 16, 2013
Hi john-b691,

Thanks. Sorry, I am not that network savvy; can you advise how I configure the additional protection if I am using a Cisco EA2700 as the 2nd router that connects up the webserver? Or is there any site that is able to advise?

Thanks in advance!!!!!!


john-b691

Sep 29, 2012
You don't really want to run a second router; it just makes things even more complex. I think the only firewall options you even have on that router are parental controls, but I have not read the manual lately.

You need a single router that can run 2 networks. There are a couple of low-end Cisco ones...but not Cisco-Linksys...that can do this, but they are not my first choice. I suspect there are consumer-grade routers on the market that can do this, but I generally just load DD-WRT onto a router that supports it when I need these features. DD-WRT firmware lets you assign different ports to different VLANs and has the firewall features you would need. Still, this is just a tool; you need to understand how subnets work and how you need your traffic to flow to properly configure the firewall rules. You need to be very careful: setting it up wrong could be worse than if you chose the do-nothing option.

I guess you could also just buy a true firewall and place that between your 2 groups of machines. Something like a low-end SonicWall would work, but it tends to be overkill for what you need. You generally buy a firewall when you WANT to expose your server to the internet but need to protect it.
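As an added example (not from either poster), here is a DD-WRT-style iptables rule set that implements the two-segment split john-b691 describes in both replies: the office segment keeps Internet access, the server segment can neither reach nor be reached from the WAN, and only the office side may open connections to the server. The interface names vlan2/br0/br1 are assumptions and must be checked against the router's real configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed DD-WRT interface names:
#   vlan2 = WAN port, br0 = office segment (PCs, camera, printer),
#   br1   = internal-only segment holding the accounting/sales web server.
# Confirm them with "ifconfig" on the actual router before applying.
WAN=${WAN:-vlan2}
OFFICE=${OFFICE:-br0}
INTERNAL=${INTERNAL:-br1}
IPT=${IPT:-iptables}

segment_rules() {
  # 1. The server segment never talks to the Internet in either direction.
  #    The WAN->INTERNAL drop also defeats any port forward pointing at the
  #    server, so a stray NAT rule cannot expose it.
  $IPT -I FORWARD -i "$INTERNAL" -o "$WAN" -j DROP
  $IPT -I FORWARD -i "$WAN" -o "$INTERNAL" -j DROP
  # 2. The server segment may not open new connections into the office
  #    segment. Replies to office-initiated traffic still pass because the
  #    DD-WRT FORWARD chain accepts ESTABLISHED,RELATED packets further down.
  $IPT -I FORWARD -i "$INTERNAL" -o "$OFFICE" -m state --state NEW -j DROP
  # 3. Office PCs may reach the web server. Narrow this to
  #    "-p tcp --dport 80" (or 443) if the server runs other services too.
  $IPT -I FORWARD -i "$OFFICE" -o "$INTERNAL" -j ACCEPT
}

# "show" (the default) only prints the rules; "apply" installs them.
case "${1:-show}" in
  apply) segment_rules ;;
  *)     IPT="echo iptables"; segment_rules ;;
esac
```

On DD-WRT the body of `segment_rules` is normally pasted into Administration > Commands and stored with "Save Firewall" so it is re-applied at every boot. Removing the default gateway from the server, as suggested in the first reply, still adds a second layer if a rule is ever mistyped.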

Joseph Ong

Mar 16, 2013
Hi john-b691,

Can I check with you whether the DD-WRT firmware supports running 2 networks with a single router?

Thanks