Redirect Website...
Hi,
I've got a domain name without any webhosting. I have a NAS device capable of being a webserver. What's the best way to make this available? Do I - point my NS record to the static public IP of the device - or do I keep the 192.168.x.x address and then point the NS record to the firewall and have that redirect to the internal IP? My firewall has a second WAN port where I can set up a DMZ I think. So which way is best for security? |
Re: Redirect Website...
When you say NS record are you talking about the nameserver IP or the A record??
Either way is this going to be a public website or a private site? If private consider using a non-standard port. The NAS won't have a public IP unless you have multiple IP's via your ISP. If this is the case then you can use the public IP no problem unless you use the NAS internally then best to use the LAN IP with a port forward.. |
Re: Redirect Website...
A Record.
It's (hopefully) public site.... I have multiple IPs from my ISP. I want to use the NAS drive internally as well as having a public site on it. What do I port forward? UDP / 25? TCP 25? |
Re: Redirect Website...
You forward whichever port the NAS is set up for (remember the external port can be different from the internal port and also why are you wanting to forward the SMTP port???)
|
Re: Redirect Website...
Port 25 is SMTP, what is it you want to forward ?
|
Re: Redirect Website...
Sorry - I meant port 80 - web - not SMTP - 25! Durrr!
|
Re: Redirect Website...
OK - so I've got my DNS pointing to my firewall IP and a firewall rule that forwards 80 to the internal 192.168.x.x address but I can't connect using either the www.whatever.com or the public IP.
Any ideas?? |
Re: Redirect Website...
When did you change the DNS? Just that it can take 12+ hours (up to 72 hours) to change..
Also remember that if you're internal to the network then you have to use the internal IP as the external IP will not work for you. PM me the details if you wish and I can check from here |
Re: Redirect Website...
Changed last night - a good 12 hours have passed.
OK - I think I've discovered the problem - I added a firewall rule not a NAT port forwarding rule. Thing is - NAT is disabled on the router so whatever I do there I don't think it'll make any difference. So what do I do from here? |
Re: Redirect Website...
Reading the above it seems there is a lot of confusion as to whether you are using LAN (local 192.168.x.x type, allocated perhaps by DHCP on the router) based IPs or WAN (internet) based IPs.
The DNS for your website, visible from the internet can only point to an internet visible public IP, i.e. one that has been allocated to you by your ISP. You should be able to set your router's external IP to that fixed ISP addy and then use port forwarding and NAT to point the internet based requests for your website to the internal (LAN 192.168.x.x type) IP of your NAS. If you are unable to use NAT then you will need to allocate fixed ISP based IPs to all kit on your network, including the router, computers and NAS. You'll still be able to use the firewall in your router for some protection, but would have to open up ports between router and NAS IPs to allow the website access. When you connect to the NAS, and point any web DNS records to it, you would use the ISP based IP that you have allocated direct to the NAS. Your router's DHCP function would probably be off as you've allocated the fixed WAN side IPs to everything. In both cases your NAS will need to see the router as its gateway to the internet. |
Re: Redirect Website...
OK - so here's my setup for confirmation:
ZyXel Router
External Public IP: DHCP Allocated by ISP
Router LAN Trusted: static network address supplied by ISP
NAT Disabled
Firewall Disabled
WatchGuard Firewall
External: One of the 5 static IP's from my allocation:
Firewall Trusted: 192.168.x.x.
You can read a bit more about this as I posted on the subject a while back. So as NAT is disabled, should I then use one of my block of 5 IPs for the LAN interface on the NAS making it an external device? Obviously I'd need to change the A record to point to the new IP. Would I still be able to access the device internally without going out then back in? :dunce: |
Re: Redirect Website...
If NAT is disabled you have to allocate an external (internet visible) ISP based IP to the NAS. Yes that means it will no longer be on your LAN and accessible only by your ISP allocated IP. You may have to check where your WatchGuard firewall thing is placed. If it's between the NAS and router that could create problems especially if that firewall is trying to use local not ISP addys.
|
Re: Redirect Website...
If NAT is disabled then the router is simply being used as a modem/hub.. for internal IP's you should then have a 2nd cable style router (ethernet router) on one of the external IP's to provide you with a secure internal IP location.
Without the 2nd router you'll instead need to put the NAS directly on an external IP but as it's still behind the firewall it should be safe if you only open up the ports you need and do a default DENY to the IP for all other ports |
Re: Redirect Website...
I think you are trying to achieve something similar to my office's network. This is set up as follows:
Router WAN port - ISP allocated IP
<wired to>
Firewall / Spam Filter - ISP allocated IP (runs in transparent bridge mode)
<wired to>
Server - external facing network port - ISP allocated IP
Server - internal facing network port - Internal allocated IP from server's DHCP
<wired to>
switches
<wired to>
Workstations - internal allocated IPs from server

Note that the server therefore has an internet facing ISP provided IP address allocated in the same range as the firewall / spam filter and router. This allows the server to operate things like exchange and an external website for things like outlook's web access to which I can point the DNS records for website addresses. Certain ports had to be opened in the router's firewalls to allow traffic through to the webserver. Our office's server also acts as a firewall to the internal network, providing protection to that network from intruders and stuff. Thus only the website stuff can be seen externally. I suspect you could use another router instead of the server to fulfil a similar function, using this second router's WAN port with an ISP allocated IP addy, and then the router's DHCP to do the internal stuff. |
Re: Redirect Website...
So if I enable NAT on the router - SUA Full Feature mode - do I need to change anything on the firewall?
I want to try and keep it internal and have www 80 redirect to the host if possible... |
Re: Redirect Website...
If you enable the NAT then you'll reduce the external throughput down to a single WAN IP..
Do you have a cable router? If yes then put it behind the Zyxel and allocate it one of the external IP's (set the domain A record to the same IP) then use this 2nd router as your internal LAN.. Otherwise just allocate the NAS to one of your external IP's and point the domain towards that IP
---------- Post added at 14:02 ---------- Previous post was at 13:51 ----------
The firewall will become semi-redundant as NAT itself is a form of firewall..(just between two subnets rather than a single IP) As I asked already do you have a 2nd router?? (cable router with a WAN ethernet and not an ADSL router) |
Re: Redirect Website...
OK - I think I'll have to put it on a public static.
@Kymmy: Sorry - I'm on ADSL. ADSL Zyxel Router and a separate WatchGuard Edge Firewall. |
Re: Redirect Website...
I know you're on ADSL, but the ADSL router you have can not be used as a NAT router at the same time as servicing multiple WAN IP's, so with NAT turned off your Zyxel is simply a modem<>firewall<>hub device.
What I'm asking is do you have a separate cable router as that will need to go behind the Zyxel, programmed on one of your external IP's and that will provide your local 192.168.*.* network.. So do you have a 2nd cable style router??? If not then you are NOT going to be able to do the 192.168.*.* address on the NAS and keep all of your external IP's and will have to put the NAS on one of your WAN IP's "Sorry not sure how many different ways there are to repeat the same information" |
Re: Redirect Website...
Kymmy: No - don't have any other devices I could use.
OK - So external IP it is! |
Re: Redirect Website...
Does this help?
http://static.highspeedbackbone.net/...e-e-Manual.pdf If that's the same model as yours, then on the back you should have a row of network ports. 2 WAN ports (external), 1 Opt port (DMZ) and 3 LAN ports (trusted) Seems to be that anything connected to the LAN ports can talk to each other, but access to it from the internet (WAN) can be restricted. The Opt port would be for connecting something which you want to access internally and externally, without giving external access to your internal network, such as a web server or your NAS. |
Re: Redirect Website...
Quote:
Problem with the Optional port is that after 15 connections are made you'll get a dead response. I just tried giving my NAS an external IP from my range but I could not connect to it. I had to change my NIC to an IP in the same range to get access to it. I've got it back on an internal 192.168.x.x static at the moment.... |
Re: Redirect Website...
So this isn't an ADSL router??
|
Re: Redirect Website...
Quote:
?? I've got 3 devices: Zyxel ADSL Router, WatchGuard Edge Firewall and a Synology NAS device |
Re: Redirect Website...
I take it the WatchGuard has 2 WAN ports and is NAT capable?? If yes then can that device do NAT on a single port only leaving the other port as purely firewalled??
If yes then you already have the 2nd "ethernet router" as it's built into the watchguard ;) |
Re: Redirect Website...
I have two WAN ports on the WatchGuard, yes.
Ahh fair enough - see what you mean now. Not sure where / how I configure the NAT settings on the WatchGuard though - I think that may be the key I'm missing that will unlock my mess!! |
Re: Redirect Website...
With 2 WAN ports each port can be set a separate IP.. If you can NAT just one of them then that will cover the internal address and allow the port forward..
You might though find that the NAT covers both and the two WAN ports is just for load balancing.. I don't know the piece of equipment myself but will be interested to know |
Re: Redirect Website...
Question for you, you have 8 IP's (5 usable) so what currently do you have connected on external addresses?
|
Re: Redirect Website...
Why not then use the firewall in NAT mode and put behind it all the internal stuff and use the open IP's (not behind the firewall) for a server or anything that needs a NO-NAT situation.
In my case I have the modem (cable modem 5 IP's) feeding a switch. From that switch is the servers and anything that needs a WAN IP (they're all software firewalled or too single ported to be a security risk). One port of the switch though feeds a netgear and it's behind that I have the workstations and internal equipment |
Re: Redirect Website...
Quote:
That's what I was trying to do originally but I'm not sure how to configure the NAT on the firewall! :dunce: |
Re: Redirect Website...
Rtfm :D
(page 97 onwards) |
Re: Redirect Website...
Quote:
Goes looking... |
Re: Redirect Website...
Nope it's the section about turning on NAT :D
|
Re: Redirect Website...
Quote:
Yeah - just seen - reading now... |
Re: Redirect Website...
1 Attachment(s)
So there is a problem....I don't have any NAT settings on mine...
|
Re: Redirect Website...
Bingo - running older firmware. Now this will be interesting - don't think I can get an updated firmware without having a subscription to livesecurity - but I may be able to get around this... ;-)
---------- Post added at 20:33 ---------- Previous post was at 20:08 ----------
Grrrr 7.5.2. was last firmware version for this model (discontinued). So I'll replace it if I want NAT to work at this level.... |
Re: Redirect Website...
I'd ditch the watchguard and just use the zyxel in nat mode with port forwarding.
The downside of that though would be if you wanted web access to the NAS and web access to a different server on your network, unless you could configure the NAS to use a port other than 80. |
Re: Redirect Website...
Fine if he only wants a single external IP.. ;)
|
Re: Redirect Website...
Or I just pay for hosting - but that takes the fun out of configuring something like this!
|
Re: Redirect Website...
Ok swap the watchguard for a Cisco ASA :)
|
Re: Redirect Website...
I'm struggling to see why this thread got 3 pages.
All you need to do is add a CNAME record and point it to your WAN IP at home. |
Re: Redirect Website...
That's because our Mr Sainsbury didn't have a clue as to multiple IP's and NATs :D
|
Re: Redirect Website...
Quote:
...and you'd expect that to work without a port forward from your router / firewall would you? ;) CNAME? Isn't it just an A record that's required?
---------- Post added at 07:21 ---------- Previous post was at 07:20 ----------
Quote:
..well I had an idea of how it all hangs together - the crunch bit is that my firewall won't allow me to change the NAT settings! |
Re: Redirect Website...
Quote:
If though all of the domain is being handled by a single IP then the A record is what to change |
Re: Redirect Website...
OK - so change of configuration...
I've pulled the WatchGuard Firewall out of the loop, the Zyxel is now running as the primary device, DHCP server, NAT enabled (SUA Mode). Port forward www (80) has been pointed to the device running the web server. DNS A www record pointed to my static public IP of the router. This should be all that's required - correct? Edit: I've also added a firewall rule for incoming <any> service www 80 >>> 192.168.x.x (IP address on the NAS device running web server) |
Re: Redirect Website...
Thanks to Kymmy this is now working - I need to move the device around in study to give it a permanent power socket so it's permanently live.
Big thanks to Kymmy and others for their assistance and advice. :tu: |
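
Added example, not part of the thread and not taken from any Zyxel or WatchGuard tooling: a small model of the final setup (A record, NAT port forward, firewall allow rule, default deny) that shows why a firewall rule with no port forward reached nothing, and lists what is actually exposed to the internet. The rule classes, the NAT-then-firewall ordering and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: not routable on the internet, so no use as a public A record.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Forward:   # NAT port forward: WAN port -> LAN host and port (ports may differ)
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int

@dataclass(frozen=True)
class Allow:     # inbound firewall allow rule, matched on the LAN destination
    proto: str
    lan_ip: str
    lan_port: int

def a_record_ok(addr):
    """True if the A record target is not a private LAN address."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

def inbound(proto, wan_port, forwards, allows):
    """Return the (lan_ip, lan_port) an unsolicited WAN packet reaches, or None.

    Assumed model: NAT translates first, then a default-deny firewall is
    checked against the translated destination.
    """
    for f in forwards:
        if (f.proto, f.wan_port) == (proto, wan_port):
            if Allow(proto, f.lan_ip, f.lan_port) in allows:
                return (f.lan_ip, f.lan_port)
            return None   # forwarded, but no allow rule: default deny
    return None           # no forward: NAT has nowhere to send the packet

def exposed(forwards, allows):
    """Map of (proto, wan_port) -> LAN service reachable from the internet."""
    hits = {(f.proto, f.wan_port): inbound(f.proto, f.wan_port, forwards, allows)
            for f in forwards}
    return {k: v for k, v in hits.items() if v}

# Constructed sample values (not from the thread).
NAS = "192.168.1.50"
ALLOW_WWW = [Allow("tcp", NAS, 80)]
FORWARD_WWW = [Forward("tcp", 80, NAS, 80)]

if __name__ == "__main__":
    print(a_record_ok(NAS), a_record_ok("203.0.113.10"))
    print(inbound("tcp", 80, [], ALLOW_WWW))            # firewall rule only
    print(inbound("tcp", 80, FORWARD_WWW, ALLOW_WWW))   # forward plus rule
    print(exposed(FORWARD_WWW + [Forward("tcp", 25, NAS, 25)], ALLOW_WWW))
```

Running `exposed()` over the real rule tables after each change is a quick way to confirm that only the intended port is open.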
All Posts and Content are © Cable Forum