internal ip changes

  • Thread starter Thread starter Linea Recta
  • Start date Start date
L

Linea Recta

Few days ago I have been portforwarding ports 20-21 in my router for using
my FTP server.
Thought I had done the job for once and for all and everything worked fine.
Today people again couldn't get into my server.
After looking in the router setup again, it seemed that all by itself the
inernal ip of the PC had changed, so I had to portforward to another ip
again!

Is this normal? How can I prevent this from happening?
Of course I don't want to mess around with the router setup every single
day!



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
Hi
Some Routers have IP Reservation (aka Static DHCP). If your Router has it,
set the IP of the computer that runs the ftp to a reserved IP status.
Otherwise, assign to the computer's TCP/IP an static IP that is out of the
DHCP Range.
Jack (MS, MVP-Networking).
 
Jack said:
Hi
Some Routers have IP Reservation (aka Static DHCP). If your Router has it,
set the IP of the computer that runs the ftp to a reserved IP status.
Otherwise, assign to the computer's TCP/IP an static IP that is out of the
DHCP Range.
Jack (MS, MVP-Networking).
Click to expand...


Afraid this is very confusing stuff. :-(
Using a Sitecom WL-174, have a "manual" but it seems to be for experts...
I found DMZ... do I use that??
http://www.sitecom.com/support-product/productid/538#manuals

Also, in Windows XP I have been following this
http://www.portforward.com/networking/static-xp.htm but it disabled my
connection altogether. So I undid the changes.



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
Linea said:
Afraid this is very confusing stuff. :-(
Using a Sitecom WL-174, have a "manual" but it seems to be for experts...
I found DMZ... do I use that??
http://www.sitecom.com/support-product/productid/538#manuals

Also, in Windows XP I have been following this
http://www.portforward.com/networking/static-xp.htm but it disabled my
connection altogether. So I undid the changes.
Click to expand...

Let me try.

You want the computer that runs your FTP server to keep its local (LAN)
IP address.

There are two ways you can do this:
1. You can configure the router's DHCP server to always assign the same
IP address to that computer -- but not all routers can be so configured.
2. You can configure the computer with a static IP address (which has
the effect of ignoring the router's DHCP server).

If you pick option 2, you have to ensure that the IP address that you
choose will not conflict with an IP address that might be assigned by
the router's DHCP server to some other device on the LAN.

With only a very quick glance at your manual, it does not appear that
your router has the capability for option 1.

Look at section 4.2.2 of the manual. In the example shown, the router's
DHCP server is enabled (good) and configured to assign IP addresses in
the range 192.168.0.100 through 192.168.0.201 (that is, it starts with
192.168.0.100 and will assign up to 101 addresses). Thus, configure the
the computer on which your FTP server is hosted to have a static IP
address between 192.168.0.2 and 192.168.0.99. Remember that when you
configure a static IP address, you also must supply the subnet mask (in
this case, 255.255.255.0) and the Default Gateway address (the
*router's* local IP address; in the manual's example, that would be
192.168.0.1).

Enter "configure TCP/IP for static addressing" in Help and Support for
directions on setting a static IP address.

You do not want "DMZ."
 
Linea said:
Few days ago I have been portforwarding ports 20-21 in my router for using
my FTP server.
Thought I had done the job for once and for all and everything worked fine.
Today people again couldn't get into my server.
After looking in the router setup again, it seemed that all by itself the
inernal ip of the PC had changed, so I had to portforward to another ip
again!

Is this normal? How can I prevent this from happening?
Of course I don't want to mess around with the router setup every single
day!
Click to expand...

Don't use the dynamic IP address provided by the DHCP server in your router.
Instead configure your host's TCP/IP setup to use a static IP address (and
one that is outside the IP range handled by the DHCP server in your router).
If your router's DHCP server manages IP addresses from 192.168.1.100-200
then use something like 192.168.1.50 for your host. Since you are now using
a static IP address that remains the same and doesn't rely on any
assignments by the DHCP server in your router, your host always uses that
constant IP address.

Then use port forwarding in your router to redirect any external connection
requests on port 20-21 to the static IP or MAC address for your FTP server's
host (some routers can forward based on MAC address, some only let you port
forward on an IP address).

So just how are you hardening the FTP server host against external attack?
Did you even put it in its own subnet in a DMZ managed by the router and
which doesn't let that host connect to any other subnets for your
intranetwork hosts?
 
Lem said:
Let me try.

You want the computer that runs your FTP server to keep its local (LAN) IP
address.

There are two ways you can do this:
1. You can configure the router's DHCP server to always assign the same
IP address to that computer -- but not all routers can be so configured.
2. You can configure the computer with a static IP address (which has the
effect of ignoring the router's DHCP server).

If you pick option 2, you have to ensure that the IP address that you
choose will not conflict with an IP address that might be assigned by the
router's DHCP server to some other device on the LAN.

With only a very quick glance at your manual, it does not appear that your
router has the capability for option 1.

Look at section 4.2.2 of the manual. In the example shown, the router's
DHCP server is enabled (good) and configured to assign IP addresses in the
range 192.168.0.100 through 192.168.0.201 (that is, it starts with
192.168.0.100 and will assign up to 101 addresses). Thus, configure the
the computer on which your FTP server is hosted to have a static IP
address between 192.168.0.2 and 192.168.0.99. Remember that when you
configure a static IP address, you also must supply the subnet mask (in
this case, 255.255.255.0) and the Default Gateway address (the *router's*
local IP address; in the manual's example, that would be 192.168.0.1).

Enter "configure TCP/IP for static addressing" in Help and Support for
directions on setting a static IP address.
Click to expand...


Thanks very much. Finally it looks that I succeeded in setting a static IP
address today. I used 192.168.0.10 and everything works OK now. I hope
things stay this way!



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
VanguardLH said:
Don't use the dynamic IP address provided by the DHCP server in your
router.
Instead configure your host's TCP/IP setup to use a static IP address (and
one that is outside the IP range handled by the DHCP server in your
router).
If your router's DHCP server manages IP addresses from 192.168.1.100-200
then use something like 192.168.1.50 for your host. Since you are now
using
a static IP address that remains the same and doesn't rely on any
assignments by the DHCP server in your router, your host always uses that
constant IP address.

Then use port forwarding in your router to redirect any external
connection
requests on port 20-21 to the static IP or MAC address for your FTP
server's
host (some routers can forward based on MAC address, some only let you
port
forward on an IP address).
Click to expand...


I think I have achieved that today.
So just how are you hardening the FTP server host against external attack?
Click to expand...


That's a good question. For the time being I only have the FTP server on
line incidently.

Did you even put it in its own subnet in a DMZ managed by the router and
which doesn't let that host connect to any other subnets for your
intranetwork hosts?
Click to expand...


From other users I understood not to use DMZ as it is a security hazard.
Of course I'd like more advice on how to do that. I'm novice with subnets
and other mysterious router options...



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
Linea said:
From other users I understood not to use DMZ as it is a security hazard.
Of course I'd like more advice on how to do that. I'm novice with subnets
and other mysterious router options...
Click to expand...

DMZ might mean different things to different users. It depends on the
features available in your router. I used to have one where any host that
was connected to the router but allocated to the DMZ meant that host (which
is my host) could not connect to any of my other hosts (outside the DMZ).
That meant any attack at that DMZ host couldn't result in a compromised host
getting connected to my other hosts.

Below is the description of the DMZ feature in my Linksys router:

DMZ Host
The DMZ Host setting can allow one local PC to be exposed to the Internet.
If a local user wishes to use some special-purpose service such as an
Internet game or video-conferencing, Enable DMZ, fill in the IP address,
and click the Save Settings button. Select Disable for DMZ, deactivates
this feature. When enabling this setting, the Router firewall protection
of the local DMZ host will be disabled.

Because you are opening the host to Internet access, the router's firewall
is not applied. The host is open to external connections so you don't need
to use port forwarding. Obviously this needs to be a hardened host.

What I have not tested with this router's implementation of DMZ is if it
will block all communications between a DMZ host and all other hosts, hubs,
or switches connected to that router. For any DMZ host, I don't want it to
connect to or from any other host connected to that same router. If a host
in the router's DMZ wasn't isolated from all other hosts connected to that
same router, I wouldn't use that router's DMZ feature. Basically you would
have a local untrusted network that you don't want to let connect to any
hosts in your trusted network. If the router isn't capable of effective DMZ
management then I'd not bother using it (and instead use a router appliance,
or gateway host with a better firewall, to manage the DMZ and non-DMZ
hosts).

http://en.wikipedia.org/wiki/DMZ_(computing)
 
Hi
The DMZ configuration save one step in the setting of a server by bypassing
the need to open ports through the Router's Firewall. It take a little time
to learn how to open ports.
People who can Not learn, or are too lazy to, solve the need for port
opening by using the DMZ.
DMZ puts the computer in front of the Router's NAT Firewall. As a result the
computer is connected directly to the Internet and have No protection.
About port opening through a router, http://www.ezlan.net/routers1.html
Jack (MS, MVP-Networking).
 
Jack said:
Hi
The DMZ configuration save one step in the setting of a server by
bypassing the need to open ports through the Router's Firewall. It take a
little time to learn how to open ports.
People who can Not learn, or are too lazy to, solve the need for port
opening by using the DMZ.
DMZ puts the computer in front of the Router's NAT Firewall. As a result
the computer is connected directly to the Internet and have No protection.
About port opening through a router, http://www.ezlan.net/routers1.html
Jack (MS, MVP-Networking).
Click to expand...


Thanks very much for the link Jack. I'll have a look at it asap.



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
VanguardLH said:
DMZ might mean different things to different users. It depends on the
features available in your router. I used to have one where any host that
was connected to the router but allocated to the DMZ meant that host
(which
is my host) could not connect to any of my other hosts (outside the DMZ).
That meant any attack at that DMZ host couldn't result in a compromised
host
getting connected to my other hosts.
Click to expand...


Hi,
I'm using a Sitecom WL-174, which came with a brief manual, describing (some
of) the settings:
http://www.sitecom.com/support-product/productid/538#manuals


By now I've been able to solve the changing internal IP issue with
information from this web site:
http://www.portforward.com/networking/static-xp.htm


Below is the description of the DMZ feature in my Linksys router:

DMZ Host
The DMZ Host setting can allow one local PC to be exposed to the
Internet.
If a local user wishes to use some special-purpose service such as an
Internet game or video-conferencing, Enable DMZ, fill in the IP address,
and click the Save Settings button. Select Disable for DMZ, deactivates
this feature. When enabling this setting, the Router firewall protection
of the local DMZ host will be disabled.

Because you are opening the host to Internet access, the router's firewall
is not applied. The host is open to external connections so you don't
need
to use port forwarding. Obviously this needs to be a hardened host.

What I have not tested with this router's implementation of DMZ is if it
will block all communications between a DMZ host and all other hosts,
hubs,
or switches connected to that router. For any DMZ host, I don't want it
to
connect to or from any other host connected to that same router. If a
host
in the router's DMZ wasn't isolated from all other hosts connected to that
same router, I wouldn't use that router's DMZ feature. Basically you
would
have a local untrusted network that you don't want to let connect to any
hosts in your trusted network. If the router isn't capable of effective
DMZ
management then I'd not bother using it (and instead use a router
appliance,
or gateway host with a better firewall, to manage the DMZ and non-DMZ
hosts).

http://en.wikipedia.org/wiki/DMZ_(computing)
Click to expand...



Thanks for the info. I'll do my homework asap.



--
regards,

|\ /|
| \/ |@rk
\../
\/os
 
Back
Top