Forums | MacLife

hucker · 2009-02-19 1:45 pm

Alright, so I'm looking to add an FTP server to my network to host client files (video, image, music) so I don't have to FTP it myself to california for them to download off our web server [yes, its very time consuming]. The hope is, by having the FTP server directly on my network I could move files directly to the server (via LAN) and have then ready in minutes for clients to download as opposed to hours. Here is my dilemma, My ISP will provide me with a Reserved IP address for the FTP server (which happens to be a PC, i know, yuk) Via a standard cable modem, my ISP will reserve port one on the router directly connected to the modem as the Reserved (or static) IP port (for the server) and will give me 2 dynamic IP's on ports 2 and 3, which will plug in to 2 different switches [i wont get into those in detail]

What I would like is that clients can freely access their route folder (via username and password) on the PC FTP server, but in no way shape or form could anyone including clients gain access to the computers attached through the switches on ports 2 and 3 of the router.

Is this possible? I'd like the router to share ports 1-3 internally, but limit only port 1 to be visible via the internet. while still allowing 2+3 to surf the net and share files throughout 1-3

its a d-linke wireless router btw.

THANKS IN ADVANCE for any help / tips / suggestions.

dv · 2009-02-19 3:03 pm

It will probably work the way you have in mind already - your router is a firewall, and is blocking, by default, any incoming traffic. When the cable company finished messing with it, it should just be allowing incoming connections on TCP port 21 (FTP connections) and forwarding them to the "correct" computer on your network.

Unless your system is somehow completely different that the FTP server I was running on my Comcast connection way back when.

sturner · 2009-02-19 3:11 pm

Why are you asking this question here? Your ISP should be providing you with the necessary hardware/instructions to complete your setup.In general, of course what you intend is possible. You shouldn't have any problem since the other two ports are dynamic IPs. Those are going to be internal to the ISP and not broadcast to the world.

The question is, is the ISP providing you with domain name? Otherwise your ftp will be by ftp://xxx.xxx.xxx.xxx.

That's not a real problem but it is important since there will be no WWW name available to your clients. I would think that you could get the same done by going to a hosting site. I have one with Go Daddy and I can have client specific sites with passwords.

dv · 2009-02-19 3:22 pm

sturner wrote:
The question is, is the ISP providing you with domain name? Otherwise your ftp will be by ftp://xxx.xxx.xxx.xxx.

That's not a real problem but it is important since there will be no WWW name available to your clients. I would think that you could get the same done by going to a hosting site. I have one with Go Daddy and I can have client specific sites with passwords.

www.no-ip.org

hucker.no-ip.org, maybe?

hucker · 2009-02-19 3:32 pm

sturner wrote:
Why are you asking this question here? ...

The question is, is the ISP providing you with domain name? Otherwise your ftp will be by ftp://xxx.xxx.xxx.xxx.

That's not a real problem but it is important since there will be no WWW name available to your clients. I would think that you could get the same done by going to a hosting site. I have one with Go Daddy and I can have client specific sites with passwords.

I am asking the question here because I am looking for help, with 'Networking & Servers' and this seemed to be an appropriate place. Not all ISP tech support people are the ones to talk to, its usually easier to ask people who've actually done it as opposed to someone with a software guide to proper setup sitting in India.

The ISP is not providing me with a domain name. I was planning on using my website and creating a client login page that will forward them to the proper ftp://xxx.xxx.xxx.xxx/client_x for them to use so i don't have to rely on them typing in a series of numbers.

I am aware that the router acts as a firewall, what I was unsure of (especially since the server will be a PC) is will I be creating an unsecured network in any way shape or form, while maintaining a LAN connection between ALL computers? Is it possible that because the server will be essentially open to the public (due to the static IP) that someone could access my other computers connected to different ports on the router.

Nefarious · 2009-02-19 4:05 pm

What kind of computers are #2 and 3 ? If Macs, the FTP is not enabled normally, so I doubt there's an issue there.

sturner · 2009-02-19 4:50 pm

The clients won't have a route to the other two computers either, so that should be sufficient proof against invasion from that route. The LAN connection isn't necessarily open between all the computers on all ports (see Nefarious' post above). Your router (you didn't specify the model so I can't check its capabilities) should be able to route calls along the FTP ports to the specific PC you are using for the FTP server. That would ensure that stray poking around didn't go other places.

And if your FTP is ID specific and password protected, you should have a reasonable amount of security.

hucker · 2009-02-19 6:00 pm

#2 is a gigabit switch with all macs attached and a Final Cut server (also a mac)
#3 is a 100/T swtich with mostly macs and a pc attached.

Im not worried about them spicifically being accessible via FTP, i was concerned that i would be opening some kind of access port by having a static IP port on my router that would allow access to computers that normally just hide behind a standard router.

sturner, i'll get the model number when i go to work in the morning.

Nefarious · 2009-02-19 7:07 pm

Could a 2nd router be placed between 1st router and 2 computers ? just a thought in case one was feeling paranoid.

sturner · 2009-02-19 8:13 pm

Nefarious' suggestion would give you an internal firewall if you feel a little paranoid. The switches won't do anything for protection. I take it the FTP server won't be on a DMZ address. You really are protected by the firewall that your router will establish. If you don't open the ports for the others, the NAT will effectively stop all but the most sophisticated hacking to get into your system. Or a socially engineered attempt.

For all intents and purposes you have enough protection.

Forums | MacLife

#1 2009-02-19 1:45 pm

Router Config Help. Static (reserved) IP and safety.

#2 2009-02-19 3:03 pm

Re: Router Config Help. Static (reserved) IP and safety.

#3 2009-02-19 3:11 pm

Re: Router Config Help. Static (reserved) IP and safety.

#4 2009-02-19 3:22 pm

Re: Router Config Help. Static (reserved) IP and safety.

sturner wrote:

#5 2009-02-19 3:32 pm

Re: Router Config Help. Static (reserved) IP and safety.

sturner wrote:

#6 2009-02-19 4:05 pm

Re: Router Config Help. Static (reserved) IP and safety.

#7 2009-02-19 4:50 pm

Re: Router Config Help. Static (reserved) IP and safety.

#8 2009-02-19 6:00 pm

Re: Router Config Help. Static (reserved) IP and safety.

#9 2009-02-19 7:07 pm

Re: Router Config Help. Static (reserved) IP and safety.

#10 2009-02-19 8:13 pm

Re: Router Config Help. Static (reserved) IP and safety.

Board footer