How do we do it? Simple: we use two routers. The first router connects directly to the cable or DSL modem. This router can and should be a simple wired-only router, or a wireless router with wireless networking disabled. The web server computer - an old computer you found on the curb, NEVER your personal machine - connects directly to this "DMZ" router.
How does this protect your PCs? Most cable and DSL connections give you just one "IP address," allowing you to put just one computer on the Internet at a time. A home networking router solves this problem by forwarding traffic from many computers, making it appear to the rest of the Internet as if it were all coming from one PC. One consequence is that incoming connections can't talk directly to any of the PCs. Incoming connections can only talk to the router. And unless you're going out of your way to forward ports - which you do only on the "DMZ" router, to forward port 80 to the web server - those connections don't go anywhere and can't cause any harm.
With just one router, your web server would be on the same network with your personal computers. If it were hacked, it could talk directly to them and attempt to hack them as well. But with a second "Intranet" router, your personal computers appear to the web server as just one PC, a PC that doesn't accept any incoming connections. The hacking attempts are stopped "at the firewall."
In principle, there's no reason why you can't put together this system with two different routers from two different companies. Still, since home routers aren't always tested for this sort of operation, I suggest using two routers of the same make and model. That way, you may be able to obtain support from the manufacturer if this two-tiered arrangement doesn't work the way it should.
Routers With Built-In DMZs: Not What You Want
Some routers have a built-in DMZ feature. This is different from the kind of DMZ I am talking about and it does not make your network more secure. In fact, it does the opposite. Routers that offer a DMZ feature are offering to expose your server computer to traffic on all incoming ports, which is less secure than forwarding ports individually. And since your server would still be on the same physical network with your other computers, nothing would prevent hackers from communicating with those computers after they took over the server.
Accessing Your Website From Your Home Computers
With many routers, you'll have no trouble accessing your website from a home computer after following these steps. But with others, when you try to connect from your own computers, you'll find that you always get the DMZ router's web-based configuration logon prompt instead of your website. That's because some routers assume any traffic coming to the web server port from inside the router is meant for the web-based configuration utility and not for your web server. Folks on the outside have no trouble, but you're stuck!
What to do? The solution is to forward an additional port to the web server, and access the website at a special URL. Follow the steps in my article "How do I set up my router to forward ports from the Internet to my computer," with one change: set the "WAN" port to something other than 80, such as 8081. Keep the "LAN" port set to 80.
After doing this, you can access your website from your home computers at the URL http://myhostname.made-up.com:8081/ (substitute your own hostname, of course). Be sure to use relative links on your pages: an absolute link that omits the :8081 would send your home computers back to the router logon page every time you click on it.
Note: you only need this special URL for your home computers. The rest of the world will have no trouble accessing the website without the :8081. And you might not need this "extra port" trick at all, depending on your router. So try things out without it first.
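To make the reasoning in the sections above concrete, here is an added model of the two-router layout as a small Python program (this is not code from the original article). Each router forwards only its listed WAN ports and drops every other inbound connection, an ordinary host behind a router is reachable only from its own segment or from behind it, and the `hairpin_quirk` flag reproduces the "admin logon instead of website" behaviour; the host names and topology are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str                     # also the name used for its WAN address
    segment: str                  # the LAN segment it creates
    upstream: str                 # the segment its WAN port sits on
    forwards: dict = field(default_factory=dict)  # wan_port -> (host, lan_port)
    hairpin_quirk: bool = True    # LAN -> own WAN:80 answered by the admin UI

def build_network(extra_port=None):
    """Constructed topology: modem -> DMZ router -> intranet router -> PCs."""
    dmz = Router("dmz_router", "dmz", "internet", {80: ("webserver", 80)})
    if extra_port:                # the :8081 trick from the article
        dmz.forwards[extra_port] = ("webserver", 80)
    intranet = Router("intranet_router", "intranet", "dmz")
    hosts = {"attacker": "internet", "webserver": "dmz", "pc1": "intranet"}
    return {r.name: r for r in (dmz, intranet)}, hosts

def _segments_above(seg, routers):
    """seg plus every segment between it and the Internet."""
    chain = [seg]
    while (up := [r.upstream for r in routers.values() if r.segment == chain[-1]]):
        chain.append(up[0])
    return chain

def connect(routers, hosts, src, dst, port):
    """What a TCP connection from src to dst:port reaches in this model."""
    above = _segments_above(hosts[src], routers)
    if dst in routers:
        r = routers[dst]
        inside = r.segment in above   # src is on the router's LAN side
        if inside and port == 80 and r.hairpin_quirk:
            return f"{dst} admin UI"  # the trap the article describes
        if port in r.forwards:
            return "%s:%d" % r.forwards[port]
        if inside and port == 80:
            return f"{dst} admin UI"  # WAN-side admin access stays off
        return "dropped"              # unforwarded inbound port
    # Ordinary host: reachable only from its own segment or from behind it;
    # from in front of it the private address is simply not routable.
    return f"{dst}:{port}" if hosts[dst] in above else "dropped"

if __name__ == "__main__":
    routers, hosts = build_network(extra_port=8081)
    for flow in [("attacker", "dmz_router", 80), ("attacker", "dmz_router", 22),
                 ("webserver", "pc1", 445), ("webserver", "intranet_router", 80),
                 ("pc1", "dmz_router", 80), ("pc1", "dmz_router", 8081)]:
        print(*flow, "->", connect(routers, hosts, *flow))
```

Running it shows the compromised web server can reach neither the PCs nor the intranet router, while the home PCs hit the admin UI on port 80 and the website only through the extra forwarded port.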