Newbie Home Network/ADSL Router query.

That is impossible. The computers are connected to the router and they get a DHCP IP from the DHCP server on the router. They are called private LAN side IP(s). The router itself is obtaining a DHCP IP from the ISP so that your router can access the Internet and the machines connected to the router using private LAN IP(s) can access the Internet through the router. The IP from the ISP the router is using is called a public/WAN IP.

You really don't need the XP FW, since the machines are behind the protection of the NAT router.

You can put it there, because the router is there protecting the network.

Well, you either put the machines in the trusted zone of the PFW/packet filter so that the machines can share resources or you disable the PFW/packet filter, but since the machines are behind the protection of the NAT router, either way, the machines are protected.

One installs a PFW/packet filter on the machine to stop outbound traffic from the machine, since the NAT router for home usage doesn't have the ability.

You should leave it alone.

You should leave it alone.

You could use static IP(s) on the router.

(A)

The machines are protected by the NAT router until you start doing high risk things with the router like using port forwarding opening inbound ports on the router to a LAN/IP/machine.

All ports are closed on the router by default and the ports will only open if a program running on the computer initiates outbound traffic to a remote IP. If the solicitation is made to a remote IP, then the router will open the required inbound ports, otherwise, all unsolicited inbound traffic to the router is blocked, unless you open ports manually using port forwarding.

Duane :)

Duane Arnold

You need to be careful, some ISPs set up their NAT to forward ALL ports inbound, no blocking - so that if one IP is used on the LAN, all inbound traffic is redirected to that IP - not sure how they handle more than one LAN IP in that case.

Leythos
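The two router behaviours described in the posts above (inbound ports closed unless solicited or manually forwarded, versus a router set to send all inbound traffic to one LAN IP) can be compared in a small model. This is an added example, not part of the original thread; `NatRouter`, `default_host` and all addresses are constructed for illustration, and the model assumes replies must come from the same remote IP and port that was contacted.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    """Toy model of a home NAT router's inbound decision (not a real device's logic)."""
    wan_ip: str
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    default_host: Optional[str] = None  # hypothetical "forward everything to one LAN IP" setting
    mappings: dict = field(default_factory=dict)       # wan_port -> (lan_ip, lan_port, remote)
    next_port: int = 50000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN machine initiates traffic; the router records a mapping and picks a WAN port."""
        wan_port = self.next_port
        self.next_port += 1
        self.mappings[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the (lan_ip, lan_port) a WAN packet is delivered to, or None if dropped."""
        m = self.mappings.get(wan_port)
        if m and m[2] == (remote_ip, remote_port):
            return m[0], m[1]                      # reply to solicited traffic
        if wan_port in self.port_forwards:
            return self.port_forwards[wan_port]    # manually opened port forward
        if self.default_host:
            return self.default_host, wan_port     # everything else lands on one LAN machine
        return None                                # unsolicited inbound is dropped

def demo():
    """Run constructed traffic through a default router and a forward-all router."""
    router = NatRouter("203.0.113.10")
    wan_port = router.outbound("192.168.1.2", 1025, "198.51.100.7", 80)
    results = {
        "reply": router.inbound("198.51.100.7", 80, wan_port),
        "unsolicited": router.inbound("198.51.100.99", 4444, 139),
    }
    router.port_forwards[21] = ("192.168.1.3", 21)
    results["forwarded"] = router.inbound("198.51.100.99", 4444, 21)
    isp_setup = NatRouter("203.0.113.10", default_host="192.168.1.2")
    results["default_host"] = isp_setup.inbound("198.51.100.99", 4444, 139)
    return results

if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:13} -> {delivered_to}")
```

In the forward-all case the same unsolicited packet that the default router drops reaches the LAN machine, so the host firewall on that machine is the only filter left.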

Today I have finally joined the 21st century and switched from ISDN to broadband. All appears to be running fine, access wise.

I have a Windows XP SP2 machine and a Windows 98 machine (primarily used for backups), these are connected via a (ISP supplied and configured) Thomson SpeedTouch 510 Ethernet Switch/Router/Hub/whatever, this has an 'integrated firewall'. The machines connect to the router via DHCP using an IP address range supplied by my ISP.

The XP machine is running Windows Firewall (although since I stopped using dial-up it has, worryingly, stopped appearing in the system tray) which is 'On' and has ActiveSync Application (my PDA), Connection Manager, File and Printer Sharing and SmartFTP as exceptions. Also under 'Network Connections' my 'Local Area Connection' is marked as firewalled. I think this seems secure?!?

The Windows 98 machine has the freebie ZoneAlarm installed. However as there is only one connection - to the router - I don't seem to be able to win on whether to put this in the 'Trusted' or 'Internet' zone:

a. if in the trusted zone then my file sharing between the two computers works OK, but I am, presumably, less secure.

b. if in the internet zone then my file sharing doesn't work - I cannot connect to the 98 machine from the XP machine.

I'm sure this is a REALLY common problem, with an obvious answer, but I don't know what it is! As I see it I can either:

a. Trust that the Firewall on the router is doing its thing and leave the network connection in the trusted zone. The Router Firewall would *appear* to be working as ZoneAlarm has only reported 3 blocked intrusions - all of which were me on the other PC. But one of our network people at work said I should definitely also install a software firewall ...... unfortunately I'm on holiday all week, so can't ask him this one!

or b. Add my IP range to the exceptions, but I'm unsure of the implications of this.

or c. Turn off DHCP and hardwire the IP addresses of the 2 machines, albeit to numbers within the same range, and then put these into the exceptions instead.

or d. Something else!!

What is the correct solution? Many TIA.

Stephen P.

What, are you saying that the ISP will configure the NAT router and port forward the ports to one IP? For what purpose would that be done that the ISP would do that?

Duane :)

Duane Arnold

I don't have a clue why they do it - other than it means they can control things in the router remotely and it still provides full service to the client without having to give them a fixed PUBLIC IP.

I've seen this with SBC DSL in a couple areas.

Leythos

I certainly wouldn't have the ISP remotely controlling anything concerning any setup. But for some, it may be needed. There is nothing to say that some dubious person(s) cannot be at the ISP.

Duane :)

Duane Arnold

Well, in the case of many connections, ISDN, T1, etc... the ISP that installs the router can do many things you might not be aware of. As an example, most CABLE routers can show a total bytes uploaded and downloaded since last reset. They can also be set so that the ISP can monitor connections...

Leythos

OK, thanks very much that all seems to make sense.

Basically I'll just switch my network connection to 'Trusted' instead of 'Internet' in ZoneAlarm and I'll still be protected by the Firewall on the router. But I should leave the software firewalls in place a) 'cos they're not doing any harm and b) it validates/stops outgoing IP traffic.

My network friend at work said the router firewall would not prevent port scanning (and some other stuff I can't remember). At least I think that's what he said!

Re the DHCP; what I meant was my ISP told me what the IP range (for my internal network) would be, not that it was dynamically supplied by them over the connection. If that makes sense? So yes, it does come from the router, I guess I should have said "my ISP told me" rather than "supplied by". Also, if it is relevant, I can connect to the router (ping or browser) via a fixed IP address.

Regarding the other discussion - I'm 98% sure my (hands off, user self installs everything) ISP would not support remote config, at least not deliberately ..... !

Many thanks aga>

Stephen P.

And I should also have said - thanks for the web links, very useful, it's all a bit clearer now!

Cheers

Stephen P.

"Stephen P." wrote in news:db3jro$96i$1$ snipped-for-privacy@news.demon.co.uk:

If it were me, I'd change the password on the router if you haven't already done so. Not that I don't trust them, but like the old saying - "good fences make for good neighbors".

Chuck

Buy and set up a decent router - e.g. Netgear DG834... easy to set up and it will be completely under your control.

Set ZoneAlarm to trusted... the router will block filesharing to the Internet (unless you configure the router to allow it). The router has 4 network ports so you can use it as your network hub/switch.

jnitron
