AR15.COM
11/25/2009 11:24:02 AM EDT
Ok. First let me give you my network setup.

Cable Internet connection with static IP comes into the modem.
Goes to the router and is split off to 1 hub, and 1 additional router.
Connected to the second router are two XBOX 360s. (DHCP is only enabled on the first router).

Also, both routers have UPnP enabled.

So both consoles are usually on MW2. The NAT type is moderate on one, and strict on the other.

I've read that the fix for the strict one is to give it a static IP and set the IP for that console in the DMZ.

Now for a couple questions.

1. Which router do I put the DMZ setting in, or do I put it in both?
2. We are hosting some websites and SQL DBs on one machine on the network, so we have some port forwarding set up in the first router. My understanding of DMZ is that it forwards everything coming in to a specific port, so if I enable DMZ for a certain console, would it interfere with our web hosting?

Thanks
11/25/2009 11:29:14 AM EDT
[#1]



Quoted:


Ok. First let me give you my network setup.



Cable Internet connection with static IP comes into the modem.

Goes to the router and is split off to 1 hub, and 1 additional router.

Connected to the second router are two XBOX 360s. (DHCP is only enabled on the first router).



Also, both routers have UPnP enabled.



So both consoles are usually on MW2. The NAT type is moderate on one, and strict on the other.



I've read that the fix for the strict one is to give it a static IP and set the IP for that console in the DMZ.



Now for a couple questions.



1. Which router do I put the DMZ setting in, or do I put it in both?

2. We are hosting some websites and SQL DBs on one machine on the network, so we have some port forwarding set up in the first router. My understanding of DMZ is that it forwards everything coming in to a specific port, so if I enable DMZ for a certain console, would it interfere with our web hosting?



Thanks
Your modem is doing NAT? Why are you using two routers? What's the hub for? What is MW2? "Moderate" and "strict" NAT sound like manufacturer-specific nomenclature, and I'm not sure what they mean.



What device are you trying to put in a DMZ?



Basically...forget what you currently have and how it's hooked up. What specific task are you trying to accomplish, exactly?





 
11/25/2009 11:34:10 AM EDT
[#2]
What you're doing is a mess. You need to stick with 1 router to make your setup easier to deal with. Let the router connected to the cable modem handle everything. The port forwards and the "DMZ" for the gaming console. Unfortunately I don't think you can DMZ more than 1 host in your network with a single static.


-Foxxz
11/25/2009 11:42:17 AM EDT
[#3]
Quoted:
Unfortunately I don't think you can DMZ more than 1 host in your network with a single static.


-Foxxz


Yup.. need more than one static, for multi DMZ's and a router that can handle it.. most customer level routers will not let you do more than one..

11/25/2009 11:56:19 AM EDT
[#4]
Quoted:

Quoted:
Ok. First let me give you my network setup.

Cable Internet connection with static IP comes into the modem.
Goes to the router and is split off to 1 hub, and 1 additional router.
Connected to the second router are two XBOX 360s. (DHCP is only enabled on the first router).

Also, both routers have UPnP enabled.

So both consoles are usually on MW2. The NAT type is moderate on one, and strict on the other.

I've read that the fix for the strict one is to give it a static IP and set the IP for that console in the DMZ.

Now for a couple questions.

1. Which router do I put the DMZ setting in, or do I put it in both?
2. We are hosting some websites and SQL DBs on one machine on the network, so we have some port forwarding set up in the first router. My understanding of DMZ is that it forwards everything coming in to a specific port, so if I enable DMZ for a certain console, would it interfere with our web hosting?

Thanks
Your modem is doing NAT? Why are you using two routers? What's the hub for? What is MW2? "Moderate" and "strict" NAT sound like manufacturer-specific nomenclature, and I'm not sure what they mean.

What device are you trying to put in a DMZ?

Basically...forget what you currently have and how it's hooked up. What specific task are you trying to accomplish, exactly?

 


That's my main question.
11/25/2009 11:58:33 AM EDT
[#5]
Quoted:
Quoted:

Quoted:
Ok. First let me give you my network setup.

Cable Internet connection with static IP comes into the modem.
Goes to the router and is split off to 1 hub, and 1 additional router.
Connected to the second router are two XBOX 360s. (DHCP is only enabled on the first router).

Also, both routers have UPnP enabled.

So both consoles are usually on MW2. The NAT type is moderate on one, and strict on the other.

I've read that the fix for the strict one is to give it a static IP and set the IP for that console in the DMZ.

Now for a couple questions.

1. Which router do I put the DMZ setting in, or do I put it in both?
2. We are hosting some websites and SQL DBs on one machine on the network, so we have some port forwarding set up in the first router. My understanding of DMZ is that it forwards everything coming in to a specific port, so if I enable DMZ for a certain console, would it interfere with our web hosting?

Thanks
Your modem is doing NAT? Why are you using two routers? What's the hub for? What is MW2? "Moderate" and "strict" NAT sound like manufacturer-specific nomenclature, and I'm not sure what they mean.

What device are you trying to put in a DMZ?

Basically...forget what you currently have and how it's hooked up. What specific task are you trying to accomplish, exactly?

 


That's my main question.


so you want to port forward and dmz... yes you can.. as long as the forwarded ports are not needed on the DMZ..
11/25/2009 12:11:26 PM EDT
[#6]
I don't see the need for a DMZ in your situation. Maybe somebody else can chime in (I don't own an XBOX), but why would you put a gaming console in a DMZ?



Port forwarding alone should suffice. I also don't understand why you have two devices doing IP routing. I have a very complex network at home, and even I only have one physical router.



If you have a web server, forward port 80 on the WAN/public address to port 80 on your web server's private address (and 443, if your site requires secure http). Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.
11/25/2009 12:16:49 PM EDT
[#7]
Quoted:
Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.



^this.

I never do it b/c it's a security nightmare just waiting to happen.  There are some cases where you need it, but if you have physical access to the box...why do it?
11/25/2009 12:23:03 PM EDT
[#8]



Quoted:



Quoted:

Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.






^this.



I never do it b/c it's a security nightmare just waiting to happen.  There are some cases where you need it, but if you have physical access to the box...why do it?


Yep. At best, I'd open up RDP to it, and just do what I needed to do off the console. Better still, I'd come in through a VPN tunnel (this option being more than I'd bet he's willing to set up at home).



 
11/25/2009 12:26:43 PM EDT
[#9]
Quoted:

Quoted:
Quoted:
Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.



^this.

I never do it b/c it's a security nightmare just waiting to happen.  There are some cases where you need it, but if you have physical access to the box...why do it?

Yep. At best, I'd open up RDP to it, and just do what I needed to do off the console. Better still, I'd come in through a VPN tunnel (this option being more than I'd bet he's willing to set up at home).
 



And Vlans you got to have Vlans!!
11/25/2009 12:28:01 PM EDT
[#10]



Quoted:

And Vlans you got to have Vlans!!


Shit, even I'm not quite that geeky. I have a voice VLAN at home, but if I wasn't carrying voice traffic, I'd see little reason to.




 
11/25/2009 1:09:14 PM EDT
[#11]
Quoted:
1. I don't see the need for a DMZ in your situation. Maybe somebody else can chime in (I don't own an XBOX), but why would you put a gaming console in a DMZ?

2. Port forwarding alone should suffice. I also don't understand why you have two devices doing IP routing. I have a very complex network at home, and even I only have one physical router.

3. If you have a web server, forward port 80 on the WAN/public address to port 80 on your web server's private address (and 443, if your site requires secure http).

4. Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.


I'll go in order.

1. I've read that this is the best solution for opening up both XBOXes to the internet
2. The second router doesn't really do anything in way of IP routing. It essentially serves as a hub.

3. Done - I guess my question was, if I have 80 forwarded to the private IP of our web server, and I put the private IP of the xbox in the DMZ, is it going to screw up access to the site? I thought DMZ just forwarded all ports to a specific machine?? Maybe it ignores the ones you have set explicitly elsewhere?? I guess I'll just try it and see what happens?

4. Yes - we really do.
11/25/2009 1:14:06 PM EDT
[#12]
Quoted:

Quoted:
And Vlans you got to have Vlans!!

Shit, even I'm not quite that geeky. I have a voice VLAN at home, but if I wasn't carrying voice traffic, I'd see little reason to.
 


game server area and home area, and wireless area..

ya major geeky..
11/25/2009 1:14:19 PM EDT
[#13]
I don't have my 360 on a DMZ, and it works just fine.
11/25/2009 1:15:13 PM EDT
[#14]
Quoted:
Quoted:

Quoted:
And Vlans you got to have Vlans!!

Shit, even I'm not quite that geeky. I have a voice VLAN at home, but if I wasn't carrying voice traffic, I'd see little reason to.
 


game server area and home area, and wireless area..

ya major geeky..

I was thinking more of bathrooms, garage, bedroom.

11/25/2009 1:18:41 PM EDT
[#15]


Your current network setup, which I shall refer to as "The Articles of Confederation", is a bewildering mess.  No wonder you need to ask for help.

Time to go back to the drawing board and don't come out until you've drafted a Constitution.

_MaH
11/25/2009 1:19:15 PM EDT
[#16]
Using a router as a switch is a terrible idea. I use DD-WRT on a Linksys WRT-54GL, the XBox automatically maps its ports using UPnP. I'm not sure how that'd work using two Xboxes as I've never tried it.

11/25/2009 1:26:10 PM EDT
[#17]
Quoted:


Your current network setup, which I shall refer to as "The Articles of Confederation", is a bewildering mess.  No wonder you need to ask for help.

Time to go back to the drawing board and don't come out until you've drafted a Constitution.

_MaH




Great analogy!
11/25/2009 1:32:35 PM EDT
[#18]



Quoted:



Quoted:

1. I don't see the need for a DMZ in your situation. Maybe somebody else can chime in (I don't own an XBOX), but why would you put a gaming console in a DMZ?

2. Port forwarding alone should suffice. I also don't understand why you have two devices doing IP routing. I have a very complex network at home, and even I only have one physical router.

3. If you have a web server, forward port 80 on the WAN/public address to port 80 on your web server's private address (and 443, if your site requires secure http).

4. Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.




I'll go in order.




1. I've read that this is the best solution for opening up both XBOXes to the internet

2. The second router doesn't really do anything in way of IP routing. It essentially serves as a hub.



3. Done - I guess my question was, if I have 80 forwarded to the private IP of our web server, and I put the private IP of the xbox in the DMZ, is it going to screw up access to the site? I thought DMZ just forwarded all ports to a specific machine?? Maybe it ignores the ones you have set explicitly elsewhere??
I guess I'll just try it and see what happens?



4. Yes - we really do.
I'll take your word for it on #4 (it's not really pertinent to the question you're asking, anyway) but I still doubt this - and it's only because whatever it is you're accomplishing by doing this, can almost certainly be done more securely another way.



For #1, I don't know where you read that or what the author's rationale was for it, but I'd love to hear it. Until the author tells me something very convincing to the contrary, I'm saying he's wrong. Port forwarding alone should suffice, and if I was doing this on my own network, that's precisely how I'd do it.








 
11/25/2009 1:35:40 PM EDT
[#19]



Quoted:







Your current network setup, which I shall refer to as "The Articles of Confederation", is a bewildering mess.  No wonder you need to ask for help.



Time to go back to the drawing board and don't come out until you've drafted a Constitution.



_MaH


I don't want to ridicule the OP in any way (I'm here to help!), and I hope he doesn't think less of me for it, but I'm laughing so hard right now, it's hard to type.



I'm actually saving this, and I can't wait to use it somewhere else. As a matter of fact, I'm going to use this on our CIO to describe a network we inherited.



You've made my day.



 
11/25/2009 2:03:39 PM EDT
[#20]
Quoted:

Quoted:


Your current network setup, which I shall refer to as "The Articles of Confederation", is a bewildering mess.  No wonder you need to ask for help.

Time to go back to the drawing board and don't come out until you've drafted a Constitution.

_MaH

I don't want to ridicule the OP in any way (I'm here to help!), and I hope he doesn't think less of me for it, but I'm laughing so hard right now, it's hard to type.

I'm actually saving this, and I can't wait to use it somewhere else. As a matter of fact, I'm going to use this on our CIO to describe a network we inherited.

You've made my day.
 


Haha yes. I know. Maybe I should replace the second router with a hub or switch?

Good analogy. I plan on stealing it and using it in the future.

Quoted:

Quoted:
Quoted:
1. I don't see the need for a DMZ in your situation. Maybe somebody else can chime in (I don't own an XBOX), but why would you put a gaming console in a DMZ?

2. Port forwarding alone should suffice. I also don't understand why you have two devices doing IP routing. I have a very complex network at home, and even I only have one physical router.

3. If you have a web server, forward port 80 on the WAN/public address to port 80 on your web server's private address (and 443, if your site requires secure http).

4. Also, do you REALLY need to directly access SQL server from the internet? You'd only do this, if you had the need to issue queries directly or otherwise manage it using the SQL Server Management Studio (for example). If the DB is being used to drive a web application, then access is indirectly obtained through the web server.


I'll go in order.

1. I've read that this is the best solution for opening up both XBOXes to the internet
2. The second router doesn't really do anything in way of IP routing. It essentially serves as a hub.

3. Done - I guess my question was, if I have 80 forwarded to the private IP of our web server, and I put the private IP of the xbox in the DMZ, is it going to screw up access to the site? I thought DMZ just forwarded all ports to a specific machine?? Maybe it ignores the ones you have set explicitly elsewhere?? I guess I'll just try it and see what happens?

4. Yes - we really do.
I'll take your word for it on #4 (it's not really pertinent to the question you're asking, anyway) but I still doubt this - and it's only because whatever it is you're accomplishing by doing this, can almost certainly be done more securely another way.

For #1, I don't know where you read that or what the author's rationale was for it, but I'd love to hear it. Until the author tells me something very convincing to the contrary, I'm saying he's wrong. Port forwarding alone should suffice, and if I was doing this on my own network, that's precisely how I'd do it.


 


In regards to #4... we have some offsite desktop applications that need to hit the DB. That's why.

Back to the real issue though....

Since I have multiple consoles, both of which will obviously use the same ports to get online, if I set up port forwarding for one of them, and leave the other one alone (because I can't forward the same port to multiple addresses, right???), then will it kill the console that doesn't have the ports explicitly forwarded to it in the router?
11/25/2009 2:24:21 PM EDT
[#21]







Quoted:



In regards to #4... we have some offsite desktop applications that need to hit the DB. That's why.
Back to the real issue though....
Since I have multiple consoles, both of which will obviously use the same ports to get online, if I set up port forwarding for one of them, and leave the other one alone (because I can't forward the same port to multiple addresses, right???), then will it kill the console that doesn't have the ports explicitly forwarded to it in the router?




They should connect over a VPN *or* should use a web application service. Any stored procedures would be executed by the web application service, with results returned to the desktop application as XML. You've got bigger balls than I do opening up SQL Server to the public internet, but that's on you.



Anyway...
You can't forward the same port (assuming you only own one publicly routable IP address) to multiple IP addresses, that's correct. But the bigger question is - do you really need to do port forwarding at all? Somebody that owns an XBOX can help me out here, but technically speaking - there is only ONE reason why you'd need to do this:
* A machine on the public internet needs to initiate a connection to your XBOX, rather than respond to a reply originating from your XBOX.
Examples of that (just guessing) might be your XBOX hosting a game (acting as a server), or maybe with voice chat (if voice is decentralized). I don't know without a sniffer.
Are you positive that you even need to do port forwarding? I'd only do it, if it was absolutely required for specific functionality I desired.
If you have two consoles right now and only one public ip address, then one of them has no ports forwarded to it at all (it'd be impossible in your arrangement). It's just NAT. This means, if they both work satisfactorily, then we've answered the question already. No DMZ is required, no port forwarding is required.
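
Added example, not part of any post in this thread: a toy Python model of how a single-public-IP NAT router decides where an inbound packet goes, covering the questions raised above (forward vs. DMZ, one port to one private address, two consoles using the same source port). The decision order, the private addresses, Xbox Live port 3074 and SQL Server's default port 1433 are assumptions for illustration; a real router's firmware may differ.

```python
"""Toy model of inbound handling on a single-public-IP NAT router.

Assumed decision order (common on consumer routers, not taken from the thread):
reply to a tracked outbound flow -> explicit port forward -> DMZ host -> drop.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses and ports, for illustration only.
WEB_SQL_BOX = "192.168.1.10"   # machine hosting the websites and SQL DBs
XBOX_A = "192.168.1.50"
XBOX_B = "192.168.1.51"
GAME_PEER = "198.51.100.7"     # a remote host the consoles talk to
STRANGER = "203.0.113.99"      # any unsolicited internet host


@dataclass
class NatRouter:
    forwards: dict = field(default_factory=dict)    # (proto, ext_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)   # (proto, ext_port) -> (lan_ip, lan_port, remote_ip)
    dmz_host: Optional[str] = None
    next_free_port: int = 40000

    def add_forward(self, proto, ext_port, lan_ip):
        key = (proto, ext_port)
        if key in self.forwards:
            # One public address: a port can map to only one private address.
            raise ValueError(f"{proto}/{ext_port} is already forwarded to {self.forwards[key][0]}")
        self.forwards[key] = (lan_ip, ext_port)

    def outbound(self, proto, lan_ip, lan_port, remote_ip):
        """A LAN host opens a flow; return the external source port the router uses."""
        ext_port = lan_port
        while (proto, ext_port) in self.conntrack or (proto, ext_port) in self.forwards:
            ext_port = self.next_free_port      # source port taken: translate it
            self.next_free_port += 1
        self.conntrack[(proto, ext_port)] = (lan_ip, lan_port, remote_ip)
        return ext_port

    def inbound(self, proto, ext_port, remote_ip):
        """Return (decision, lan_ip, lan_port) for a packet arriving on the WAN side."""
        key = (proto, ext_port)
        flow = self.conntrack.get(key)
        if flow and flow[2] == remote_ip:       # simplification: match on remote IP only
            return ("reply", flow[0], flow[1])
        if key in self.forwards:
            return ("forward", *self.forwards[key])
        if self.dmz_host:
            return ("dmz", self.dmz_host, ext_port)
        return ("drop", None, None)


def build_thread_router(dmz_host=None):
    """Router with the web and SQL forwards described in the first post."""
    r = NatRouter(dmz_host=dmz_host)
    r.add_forward("tcp", 80, WEB_SQL_BOX)
    r.add_forward("tcp", 1433, WEB_SQL_BOX)   # assumed: SQL Server's default port
    return r


def exposure(router, probes):
    """Which LAN host, if any, receives each unsolicited (proto, port) probe."""
    return {p: router.inbound(p[0], p[1], STRANGER)[:2] for p in probes}


if __name__ == "__main__":
    r = build_thread_router(dmz_host=XBOX_A)
    a = r.outbound("udp", XBOX_A, 3074, GAME_PEER)
    b = r.outbound("udp", XBOX_B, 3074, GAME_PEER)
    print("external ports:", a, b)
    print("reply to B:", r.inbound("udp", b, GAME_PEER))
    probes = [("tcp", 80), ("tcp", 1433), ("tcp", 3389), ("udp", 3074)]
    for probe, result in exposure(r, probes).items():
        print(probe, "->", result)
```

In this model the port 80 forward still reaches the web server with a DMZ host set, while every port that is not forwarded lands on the DMZ console, and the SQL forward answers any internet host that connects to it.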
 
11/25/2009 2:35:15 PM EDT
[#22]
Quoted:

Quoted:
In regards to #4... we have some offsite desktop applications that need to hit the DB. That's why.

Back to the real issue though....

Since I have multiple consoles, both of which will obviously use the same ports to get online, if I set up port forwarding for one of them, and leave the other one alone (because I can't forward the same port to multiple addresses, right???), then will it kill the console that doesn't have the ports explicitly forwarded to it in the router?

They should connect over a VPN *or* should use a web application service. Any stored procedures would be executed by the web application service, with results returned to the desktop application as XML. You've got bigger balls than I do opening up SQL Server to the public internet, but that's on you.

Anyway...


You can't forward the same port (assuming you only own one publicly routable IP address) to multiple IP addresses, that's correct. But the bigger question is - do you really need to do port forwarding at all? Somebody that owns an XBOX can help me out here, but technically speaking - there is only ONE reason why you'd need to do this:

* A machine on the public internet needs to initiate a connection to your XBOX, rather than respond to a reply originating from your XBOX.

Examples of that (just guessing) might be your XBOX hosting a game (acting as a server), or maybe with voice chat (if voice is decentralized). I don't know without a sniffer.

Are you positive that you even need to do port forwarding? I'd only do it, if it was absolutely required for specific functionality I desired.

If you have two consoles right now and only one public ip address, then one of them has no ports forwarded to it at all (it'd be impossible in your arrangement). It's just NAT. This means, if they both work satisfactorily, then we've answered the question already. No DMZ is required, no port forwarding is required.
 


So. It sounds like, since I do only have 1 public IP address, and they both, kinda work, then there's nothing I can do short of getting another internet connection...
11/25/2009 2:42:54 PM EDT
[#23]
Quoted:

Quoted:


Your current network setup, which I shall refer to as "The Articles of Confederation", is a bewildering mess.  No wonder you need to ask for help.

Time to go back to the drawing board and don't come out until you've drafted a Constitution.

_MaH

I don't want to ridicule the OP in any way (I'm here to help!), and I hope he doesn't think less of me for it, but I'm laughing so hard right now, it's hard to type.

I'm actually saving this, and I can't wait to use it somewhere else. As a matter of fact, I'm going to use this on our CIO to describe a network we inherited.

You've made my day.
 


Well then.  You're welcome.

_MaH
11/25/2009 2:43:50 PM EDT
[#24]







Quoted:



So. It sounds like, since I do only have 1 public IP address, and they both, kinda work, then there's nothing I can do short of getting another internet connection...




What does "kinda" work mean? Is there something you can't do?
But yes - it's only technically possible to forward a port on a single public address, to a given port on a single private address.
There's no need to get another internet connection, though - at least, not technically. If your ISP will give you a second static IP address, that would work. Your router will have to support binding more than one IP address to its physical WAN interface (most consumer-grade routers don't allow this), or you'd just pick up a second cheap router, and connect the WAN interface on both to a switch along with your cable modem. This last configuration will work, as long as your cable ISP is cool with allowing more than one MAC address out its HFC interface.
Clear as mud?








EDIT: That last option (multiple consumer-grade routers) is kind of a mess, because you'll have two different routes inside, for the same internet connection. Using DHCP will be out (effectively - making it work for all devices will get stupid complicated for a home network). The best solution is to get your ISP to provide you with two public addresses, and use a single router that can bind them both to the same physical interface.
 
11/25/2009 3:31:38 PM EDT
[#25]
Quoted:

Quoted:
So. It sounds like, since I do only have 1 public IP address, and they both, kinda work, then there's nothing I can do short of getting another internet connection...

What does "kinda" work mean? Is there something you can't do?

But yes - it's only technically possible to forward a port on a single public address, to a given port on a single private address.

There's no need to get another internet connection, though - at least, not technically. If your ISP will give you a second static IP address, that would work. Your router will have to support binding more than one IP address to its physical WAN interface (most consumer-grade routers don't allow this), or you'd just pick up a second cheap router, and connect the WAN interface on both to a switch along with your cable modem. This last configuration will work, as long as your cable ISP is cool with allowing more than one MAC address out its HFC interface.

Clear as mud?

EDIT: That last option (multiple consumer-grade routers) is kind of a mess, because you'll have two different routes inside, for the same internet connection. Using DHCP will be out (effectively - making it work for all devices will get stupid complicated for a home network). The best solution is to get your ISP to provide you with two public addresses, and use a single router that can bind them both to the same physical interface.
 


"Kinda work" means that one XBOX can always connect with friends and other games, and the other has a difficult time (not really sure how to explain "difficult time"... takes 5-10 minutes to find a game instead of 20 seconds like the other).

And, on another note, this is only an issue when both XBOXes are connected to the internet simultaneously...

Thanks for all the advice though.
11/25/2009 4:14:50 PM EDT
[#26]
I don't know why you couldn't just hook up both of your X-boxes to the same switch, behind the same router, and not have them work equally well... your setup there sounds painful.

Look... your router tracks which X-box sent a given packet (based on the IP address), and should route any return packets back to the appropriate network client.  I can't think of any reason why, other than network topology or QoS, why one X-box would work so much better than the other.

And Subnet is right... exposing any server directly to the internet without it being ABSOLUTELY NECESSARY, is howling madness.  Remember the famous SQL Slammer worm a few years ago?  That one slowed down a significant chunk of the internet... I was working nights then, and watched it unfold live on Slashdot.  The entire worm was written in assembly, and could fit in a single packet... it wreaked literal havoc before people started blocking ports.

I have a stoopid heterogeneous network at home... complete with a server rack, PoE, multiple subnets, NAS, managed gigabit backbone, caching proxy, and several extension switches in other locations... so I'm not necessarily slagging on you for having more than a basic router/switch... I'm just questioning why you have done it the way you have.  Maybe simplifying it a bit would help.

11/25/2009 4:25:12 PM EDT
[#27]
Quoted:
I don't know why you couldn't just hook up both of your X-boxes to the same switch, behind the same router, and not have them work equally well... your setup there sounds painful.

Look... your router tracks which X-box sent a given packet (based on the IP address), and should route any return packets back to the appropriate network client.  I can't think of any reason why, other than network topology or QoS, why one X-box would work so much better than the other.

And Subnet is right... exposing any server directly to the internet without it being ABSOLUTELY NECESSARY, is howling madness.  Remember the famous SQL Slammer worm a few years ago?  That one slowed down a significant chunk of the internet... I was working nights then, and watched it unfold live on Slashdot.  The entire worm was written in assembly, and could fit in a single packet... it wreaked literal havoc before people started blocking ports.

I have a stoopid heterogeneous network at home... complete with a server rack, PoE, multiple subnets, NAS, managed gigabit backbone, caching proxy, and several extension switches in other locations... so I'm not necessarily slagging on you for having more than a basic router/switch... I'm just questioning why you have done it the way you have.  Maybe simplifying it a bit would help.



So you think if I toss the second router in favor of a switch it should fix some problems?? I only used a second router because I got it free and needed more ports in that part of the house.
11/25/2009 4:42:21 PM EDT
[#28]
Quoted:
Quoted:
I don't know why you couldn't just hook up both of your X-boxes to the same switch, behind the same router, and not have them work equally well... your setup there sounds painful.

Look... your router tracks which X-box sent a given packet (based on the IP address), and should route any return packets back to the appropriate network client.  I can't think of any reason why, other than network topology or QoS, why one X-box would work so much better than the other.

And Subnet is right... exposing any server directly to the internet without it being ABSOLUTELY NECESSARY, is howling madness.  Remember the famous SQL Slammer worm a few years ago?  That one slowed down a significant chunk of the internet... I was working nights then, and watched it unfold live on Slashdot.  The entire worm was written in assembly, and could fit in a single packet... it wreaked literal havoc before people started blocking ports.

I have a stoopid heterogeneous network at home... complete with a server rack, PoE, multiple subnets, NAS, managed gigabit backbone, caching proxy, and several extension switches in other locations... so I'm not necessarily slagging on you for having more than a basic router/switch... I'm just questioning why you have done it the way you have.  Maybe simplifying it a bit would help.



So you think if I toss the second router in favor of a switch it should fix some problems?? I only used a second router because I got it free and needed more ports in that part of the house.


Simple switching is quicker than routing... and unmanaged network switches are cheap as dirt.