questions? said:
yes, I want one of the machines to still be entitled to my static IP, one I can
easily ssh to.
Thank you for the reply!
There are a couple of concepts for routers. DMZ (Demilitarized Zone)
is useful if a server on your local network does not use a
convenient-to-specify set of ports. This is really an ugly hack,
because it is the equivalent of connecting one PC directly
to the Internet (to be port scanned by weenies). For example,
if your public address is 123.124.125.126 and the two computers
are 192.168.0.1 and 192.168.0.2, you can have all incoming
requests forwarded to 192.168.0.2, so in effect that PC has
an address of 123.124.125.126. The other computer continues to
be able to surf.
http://support.dlink.com/faq/view.asp?prod_id=1212
"Port Forwarding" allows port numbers to be forwarded
to one of your two computers (but not both). For example
you could forward an FTP request on the well-known FTP port
to computer #1, and an HTTP request to a web server on
computer #2. But both computers could not get HTTP
requests at the same time (unless using non-standard ports
for a service, like :80 for one web server and :8080 for
a second web server on the second PC, to be configured on
the web server itself). So you could get 123.124.125.126 port 23
to 192.168.0.1 port 23 and 123.124.125.126 port 80
to 192.168.0.2 port 80. The benefit of port forwarding
is it only opens your "shields" to attack on those services.
Opening any ports on your router, or via connection sharing
with PCs, still has risks, but port forwarding only
exposes the ports you specify.
"Port Forwarding" is only as good as the protocol design.
Some of the game servers have clumsy port usage that
makes setup a pain. There are possibly other services
like that as well. My puny router doesn't have enough
port forwarding resources to set up just any arbitrary
service - more modern designs will be better in that
regard. You will become a protocol expert, in the
process of setting up port forwarding. An example of a
nasty thing would be VOIP, which has call setup and
transport, and for that, there are dedicated routing
devices that do the VOIP first, then pass the rest of
the network traffic to your normal router.
http://support.dlink.com/faq/view.asp?prod_id=1005&question=port+forwarding
(A comment on VOIP's hunger for port numbers...)
http://www.ussg.iu.edu/hypermail/linux/net/0105.1/0010.html
An alternative to a router is equipping one PC with
two network cards. One card has the public address
123.124.125.126, the other card points to a subnetwork
of private addresses. Between the two computers, they
look like 192.168.0.1 and 192.168.0.2 to one another.
I suppose there is still the possibility of
NAT/firewall/port_forwarding in that first computer, for
deciding what ports are open to the outside world, what
ports are terminated locally on the first computer, or
port forwarded to the second computer. It just might
be a little harder to configure the ICS (internet connection
sharing) or the level of functionality might be limited
in some way. So a computer with two network cards can
be used, but you might have more research to do, to achieve
the ends you want. (Using a Linux box for routing might
be easier to do than using Windows, if the config is
at all complicated. I tried ICS and it wasn't too hard
to get the two computers to surf, but I never tried to
do anything more complicated than that.)
The router box has the advantage that both computers don't
have to be running, when using networking. Each computer
connects point to point to the router. Using ICS means
the first computer must be running ICS, in order for the
packets to make it to the second computer. So the router
can save on electricity in the long run (and if you do the
calculation, it doesn't take that many years to pay off).
The router way:

123.124.125.126---router---comp #1 192.168.0.45
                     |
                     +------comp #2 192.168.0.87

The ICS way (comp #1 has two network cards...)

123.124.125.126---comp #1 ------------------------ comp #2
              192.168.0.1                 192.168.0.2
One potential advantage of the second configuration, if you
are a cheapskate like me, is comp #1 and comp #2 can have
gigabit ethernet interfaces, allowing fast transfer of files
between computers. At one time, finding a gigabit router
would have cost a lot of money. I think there are now
small gigabit routers, so you can still have the advantage
of 10/100bt connection to your cable modem/ADSL modem, while
using gigabit connectivity between local computers.
Good luck,
Paul
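A small model of the inbound NAT decision Paul describes, added here as an illustration and not code from the post: explicit port-forwarding rules (one internal host per public port, which is why two PCs cannot both take port 80), a DMZ host that catches everything no rule claims, and a report of what an outside scanner can reach in each setup. Addresses are the ones the post uses; the `Router` class and its method names are constructed for this example.

```python
"""Model of a home router's inbound NAT decision: port forwarding vs. DMZ.
Constructed example; addresses are those used in the post above."""
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "123.124.125.126"
Rule = Tuple[str, int]  # (internal host, internal port)


class Router:
    def __init__(self, dmz_host: Optional[str] = None) -> None:
        # (protocol, public port) -> (internal host, internal port)
        self.forwards: Dict[Tuple[str, int], Rule] = {}
        # DMZ: one PC receives every inbound packet no rule claims
        self.dmz_host = dmz_host

    def forward(self, proto: str, public_port: int, host: str) -> None:
        """Add a rule. A public port maps to exactly one internal host."""
        key = (proto, public_port)
        if key in self.forwards:
            raise ValueError(f"{proto}/{public_port} already forwarded "
                             f"to {self.forwards[key][0]}")
        self.forwards[key] = (host, public_port)

    def route_inbound(self, proto: str, dst_port: int) -> Optional[Rule]:
        """Where an unsolicited packet to PUBLIC_IP:dst_port ends up.
        None means no rule and no DMZ: the router drops it."""
        rule = self.forwards.get((proto, dst_port))
        if rule is not None:
            return rule
        if self.dmz_host is not None:
            return (self.dmz_host, dst_port)  # DMZ host gets the rest
        return None

    def exposed(self) -> Dict[str, Set[Tuple[str, object]]]:
        """Per host, the (proto, port) pairs reachable from outside;
        ('*', '*') marks a DMZ host, which is reachable on every port."""
        surface: Dict[str, Set[Tuple[str, object]]] = {}
        for (proto, port), (host, _) in self.forwards.items():
            surface.setdefault(host, set()).add((proto, port))
        if self.dmz_host is not None:
            surface.setdefault(self.dmz_host, set()).add(("*", "*"))
        return surface


def post_example() -> Router:
    """The post's setup: telnet to PC #1, web to PC #2, and a second
    web server on PC #2 listening on the non-standard port 8080."""
    r = Router()
    r.forward("tcp", 23, "192.168.0.1")
    r.forward("tcp", 80, "192.168.0.2")
    r.forward("tcp", 8080, "192.168.0.2")
    return r
```

Swap `Router()` for `Router(dmz_host="192.168.0.2")` in `post_example` and `exposed()` shows why the DMZ is the "ugly hack": that PC answers on every port, not just the three listed.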