Redirect Website...

Hi,

I've got a domain name without any webhosting.

I have a NAS device capable of being a webserver.

What's the best was to make this available?

Do I - point my NS record to the static public IP of the device - or do I keep the 192.168.x.x address and then point the NS record to the firewall and have that redirect to the internal IP?

My firewall has a second WAN port where I can setup a DMZ I think.

So which way is best for security?

[Kymmy]

When you say NS record are you talking about the nameserver IP or the A record??

Either way is this going to be a public website or a private site? If private consider using a non-standard port.

The NAS won't have a public IP unless you have multiple IP's via your ISP. If this is the case then you can use the public IP no problem unless you use the NAS internally then best to use the LAN IP with a port forward..

A Record.

It's (hopefully) public site....

I have multiple IPs from my ISP. I want to use the NAS drive internaly as well as having a public site on it.

What do I port forward? UDP / 25? TCP 25?

[Kymmy]

You forward whichever port the NAS is set up for (remember the external port can be different from the internal port and also why are you wanting to forward the SMTP port???)

Port 25 is SMTP, what is it you want to forward ?

Sorry - I meant port 80 - web - not SMTP - 25! Durrr!

OK - so I've got my DNS pointing to my firewall IP and a firewall rule that forwards 80 to the interal 192.168.x.x address but I can't connect using either the www.whatever.com or the public IP.

Any ideas??

[Kymmy]

When did you change the DNS? just that it can take 12+ hours (upto 72 hours) to change..

Also remember that if you're internal to the network then you have to use the internal IP as the external IP will not work for you.

PM me the details if you wish and I can check from here

Changed last night - a good 12 hours have passed.

OK - I think I've discovered the problem - I added a firewall rule not a NAT port forwarding rule. Thing is - NAT is disabled on the router so whatever I do there I don't think it'll make any difference.

So what do I do from here?

[MovedGoalPosts]

Reading the above it seems there is a lot of confusion as to whether you are using LAN (local 192.168.x.x type) allocated perhaps by DHCP on the router) based IPs or WAN (internet) based IPs.

The DNS for your website, visible from the internet can only point to an internet visible public IP, i.e. one that has been allocated to you by your ISP.

You should be able to set your router's external IP to that fixed ISP addy and then use port forwarding and NAT to point the internet based requests for your website to the internal (LAN 192.168.x.x type) IP of your NAS.

If you are unable to use NAT then you will need to allocate fixed ISP based IPs to all kit on your network, including the route, computers and NAS. You'll still be able to use the firewall in your router for some protection, but would have to open up ports between router and NAS IPs to allow the website access. When you connect to the NAS, and point any web DNS records to is, you would use the ISP based IP that you have allocated direct to the NAS. Your router's DHCP function would probably be off as you've allocated the fixed WAN side IPs to everything.

In both cases your NAS will need to see the router as it's gateway to the internet.

OK - so here's my setup for confirmation:

ZyXel Router External Public IP: DCHP Allocated by ISP
Router LAN Trusted: static network address supplied by ISP
NAT Disabled
Firewall Disabled

WatchGuard Firewall External: One of the 5 static IP's from my allocation:
Firewall Trusted: 192.168.x.x.

You can read a bit more about this as I posted on the subject a while back.

So as NAT is disabled, should I then use one of my block of 5 IPs for the LAN interface on the NAS making it an external device? Obviously I'd need to change the A record to point to the new IP.

Would I still be able to access the device internaly without going out then back in?

[MovedGoalPosts]

If NAT is disabled you have to allocate an external (internet visible) ISP based IP to the NAS. Yes that means it will no longer be on your LAN and accessible only by your ISP allocated IP. You may have to check where your watchguard firewall thing is placed. If it's between the NAS and router that could create problems especially if that firewall is tryinig to use local not ISP addys.

[Kymmy]

If NAT is disabled then the router is simply being used as a modem/hub.. for internal IP's you should then have a 2nd cable style router (ethernet router) on one of the external IP's to provide you with a secure internal IP location.

Without the 2nd router you'll instead need to put the NAS directly on an external IP but as it's still behind the firewall it should be safe if you only open up the ports you need and do a default DENY to the IP for all other ports

[MovedGoalPosts]

I think you are trying to achieve something similar to my office's network. This is setup as follows:

Router WAN port - ISP allocated IP
<wired to>
Firewall / Spam Filter - ISP allocated IP (runs in transparent bridge mode)
<wired to>
Server - external facing network port - ISP allocated IP

Server - internal facing network port - Internal allocated IP from server's DHCP
<wired to>
switches
<wired to>
Workstations - internal allocated IPs from server

Note that the server therefore has an internet facing ISP provided IP address allocated in the same range as the firewall / spam filter and router. This allows the server to operate things like exchange and an external website for things like outlook's web access to which I can point the DNS records for website addresses. Certain ports had to be opened in the router's firewalls to allow traffic through to the webserver.
Our's office's server also acts as a firewall to the internal network, providing protection to that network from intruders and stuff. Thus only the website stuff can be seen externally. I suspect you could use another router instead of the server to fulfil a similar function, using this second router's WAN port with an ISP allocated IP addy, and then the router's DHCP to do the internal stuff.

So if I enable NAT on the router - SUA Full Feature mode - do I need to change anything on the firewall?

I want to try and keep it internal and have www 80 redirect to the host if possible...