DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Thinking of buying DrayTek, will it do this, and this?

20 Mar 2009 00:24 #1 by drkirkby
I have a small network at home, and have been using an Intertex IX66 ADSL modem/router for some years. It has basically performed as I might want.

The Intertex IX66 recently died and as I needed a replacement in a hurry, I bought a Belkin wireless modem/router from PC World.


Well, the Belkin is so limited compared to my IX66, I am looking to replace it, despite it being only a day old! Intertex support used to be good, but is now bad, so I'm not buying another Intertex.

I wish to know if a DrayTek will solve some of the issues I now have, since changing from the Intertex to the Belkin.

My network consists of

* ADSL connection using Onetel as ISP and BT as telephone line. I have a static IP address.

* A Sun workstation which is my main computer, used for most things. I want to keep this private, away from prying eyes on the internet.

* Another Sun workstation which is just a web server, which I administer from inside my LAN by SSH. Obviously, I don't want this hacked, but the nature of web servers means this is always possible. I want to ensure any successful hack does not manage to compromise my private network.

* Laptop which connects wirelessly to a private network.

Here are a few things which worked well on the Intertex, but don't work on the Belkin. Will a Draytek allow me to do these things I once could?

1) Access web sites I host (e.g. http://www.g8wrb.org) and see the actual site whilst on my private network. With the Belkin, despite having routed port 80 to the web server, from inside the LAN I see a copy of the Belkin's setup wizard, not the site.

The same would happen on the Intertex, but there was a tick-box 'Access Servers from Inside' which stopped that. Once that was ticked, the web site could be seen inside the LAN too.

2) I want to have a private (secure) network, and have a second one where security is less important. On the Intertex, I had the private network as 192.168.0.x and the web server as 192.168.1.x. In the Intertex they called the latter the DMZ, although I don't think there is a universally agreed definition of what a DMZ is. Anyway, the point was, if someone managed to hack the web server, there was no way they could use that as a springboard to hack my private machines.

Can I do something like this on the Draytek's?

3) A friend in the US, who has a fixed IP, remotely uses a computer of mine running XP via the Windows Remote Desktop. In the Intertex, I forwarded port 3389 (used for remote desktop) to my PC, if the source address is his. I assume I can do the same in the DrayTek OK (it's not possible in the Belkin, so I have to use XP's firewall to implement that).

I was thinking of the Draytek Vigor 2820Vn, as that would appear to be a popular model. The WiFi is not essential, as I do have a wireless access point, but I'd rather pay the extra few pounds and have it all in one unit.

Any thoughts? In particular, I'm keen to know if I can host my own web site, and see it from inside my network. (The Apache server uses the Apache VirtualHosts).

Dave

Model: DrayTek Vigor 2820Vn
Firmware Version : 3.3.0
Build Date/Time : Oct 8 2008 16:05:16
ADSL Firmware Version : 211011_A Annex A
BT line, Onetel as an ISP
Fixed IP address
User of mainly Sun hardware and software (Solaris)

20 Mar 2009 07:32 #2 by louis-m
1. yes, you will be able to see the external ip or fqdn from within the lan
2. drayteks do have a true dmz feature and 2nd subnet. see here http://www.draytek.co.uk/support/kb_vigor_truedmz.html & here http://www.draytek.co.uk/suppor/kb_vigor_2ndsubnet.html#disablenat
3. yes, you can set the firewall up to only allow a certain ip to access lan servers

2820 = 3.3.2_RC5
2950 = 3.2.4

20 Mar 2009 17:02 #3 by drkirkby

louis-m wrote: 1. yes, you will be able to see the external ip or fqdn from within the lan
2. drayteks do have a true dmz feature and 2nd subnet. see here http://www.draytek.co.uk/support/kb_vigor_truedmz.html & here http://www.draytek.co.uk/suppor/kb_vigor_2ndsubnet.html#disablenat
3. yes, you can set the firewall up to only allow a certain ip to access lan servers



Thank you. Sounds like this will be a lot better than the Belkin (which is not hard!)

What devices support the True-DMZ? The link you gave me says some do, but not all of them. The comparison chart I could find has no reference to True-DMZ, so it's hard to know what is what. I was thinking of the 2820n, since it seems to be popular, has wireless and is not too cheap or too expensive. Not sure if that is my best bet though.

On the Intertex device I used, the DMZ was isolated from the LAN (which is good), but did allow almost all outgoing traffic - unlike the LAN, there was no restriction on outgoing traffic. That I felt was unwise, as a hacker who managed to hack a web server would have life much easier for them if they could ftp to somewhere where they could find all the tools they need to compromise a host even more. I'd much rather if they did manage to hack a web server, they had no DNS lookups, no ability to ssh out, using ftp or http to get other tools would fail. I mentioned that to the Intertex people, but I think they thought I was paranoid.

Dave

26 Mar 2009 23:37 #4 by macavity
2) The DMZ on Draytek routers doesn't separate the device in the DMZ from the rest of the network. What can be done instead is use the port based vlan to separate say port 4 from ports 1,2,3 and then connect the machine to be isolated onto port 4.

14 Jul 2009 00:18 #5 by jason404
If I have, say, an FTP/web server on this DMZ Host thing, and use a separate vLAN for it, will that server be able to access network shares on the internal LAN?

I suppose it cannot as that will defeat the whole purpose of having a DMZ?

Would the data on the internal LAN be inaccessible completely? Would I even be able to Remote Desktop into the DMZ FTP/web server, from the internal LAN (it would be headless)?
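
The zone policy discussed in this thread (private LAN on 192.168.0.x, web server on 192.168.1.x, port 80 published, port 3389 allowed from one source only, no outbound connections from the DMZ), written as a small first-match rule model that can be checked against sample flows. This is an added example, not part of any post and not DrayTek configuration or behaviour; the host addresses, the WAN and friend addresses and the rule table are constructed assumptions.

```python
import ipaddress

# Subnets are the ones named in the thread; every other address is a constructed placeholder.
ZONES = {"lan": ipaddress.ip_network("192.168.0.0/24"),
         "dmz": ipaddress.ip_network("192.168.1.0/24")}
FRIEND = ipaddress.ip_address("198.51.100.7")  # placeholder for the friend's fixed IP

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"

# First-match rules for NEW connections only (replies are assumed to be handled by
# stateful tracking). Destinations are post-NAT addresses.
# (src zone, dst zone, dst port or None = any, required src IP or None, verdict)
RULES = [
    ("wan", "dmz", 80,   None,   "accept"),  # public web server
    ("wan", "lan", 3389, FRIEND, "accept"),  # Remote Desktop, one source only
    ("lan", "dmz", 22,   None,   "accept"),  # administer the web server by SSH
    ("lan", "dmz", 80,   None,   "accept"),  # view the hosted site from inside
    ("lan", "wan", None, None,   "accept"),  # normal outbound use
    ("dmz", "lan", None, None,   "drop"),    # no springboard into the private LAN
    ("dmz", "wan", None, None,   "drop"),    # no DNS, ssh, ftp or http out of the DMZ
]

def decide(src, dst, dport):
    """Verdict for a new connection; anything unmatched is dropped."""
    sz, dz = zone_of(src), zone_of(dst)
    for r_src, r_dst, r_port, r_ip, verdict in RULES:
        if (r_src, r_dst) != (sz, dz):
            continue
        if r_port is not None and r_port != dport:
            continue
        if r_ip is not None and ipaddress.ip_address(src) != r_ip:
            continue
        return verdict
    return "drop"

def audit(flows):
    """Return (flow, actual verdict) for every flow that violates its expected verdict."""
    return [(f, decide(*f[:3])) for f in flows if decide(*f[:3]) != f[3]]

# Constructed sample flows: (src, dst, dport, expected verdict)
SAMPLE_FLOWS = [
    ("203.0.113.50", "192.168.1.10", 80,   "accept"),  # internet -> web server
    ("198.51.100.7", "192.168.0.20", 3389, "accept"),  # friend -> XP machine
    ("203.0.113.50", "192.168.0.20", 3389, "drop"),    # anyone else -> XP machine
    ("192.168.0.5",  "192.168.1.10", 22,   "accept"),  # LAN admin -> web server
    ("192.168.1.10", "192.168.0.5",  445,  "drop"),    # web server -> LAN file share
    ("192.168.1.10", "203.0.113.53", 53,   "drop"),    # web server -> outside DNS
]
```

An empty list from `audit(SAMPLE_FLOWS)` means the rule table matches the stated intent; under this model a LAN-to-DMZ Remote Desktop session would need its own rule, since only ports 22 and 80 are opened in that direction.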
