
Chained Routers, Part III

I finally got around to installing the second router (actually the third but I'm not counting my wireless router).

As a review, I've been researching the possibility of hosting my own server. This is because paying pair.com, the present host of my web site, costs me several hundred dollars a year and, over time, system performance has degraded.

Part of the problem may be that the server my site is on also serves over 125 other sites. No doubt this keeps costs down, but running my content management system, MovableType (MT), in such an environment leads to compromises. One of them is that, in the opinion of pair.com, MT uses too much CPU. To keep this from degrading other sites, pair.com automatically kills some MT processes, among them the automatic re-generation of the web pages MT manages.

To be clear, I'm not blaming pair.com. I'm sure they instituted this to protect their services and hold costs down. If you aren't running MT, or are but don't have a lot of pages, pair.com will work just fine.

In the end, I may stay with pair, move to another host, or in fact host my own site. There are costs involved in whichever way I choose to go.

That all said, the suggested configuration came from Gibson Research Corporation (GRC), of ShieldsUp! fame. Their advice is to use two properly configured firewall/routers if you are going to open a port or ports so that, for example, you can host your own web or mail server at home. You open only the ports you need on the external firewall/router (e.g., 80 for web) and forward them to the server, which sits on the external router's LAN; every port on the internal firewall/router stays closed and stealthed, with no forwarding at all. Should the server be hacked, it cannot act as a relay into the rest of your home network: from where it sits it sees only the WAN side of the internal router, which accepts no unsolicited inbound connections, and the PCs behind that router are not addressable from the server's segment. This assumes, of course, that the internal firewall/router is correctly configured, which includes leaving remote (WAN-side) administration disabled, since the server now sits on that WAN side. If you open any ports on the internal router, you might as well use a single-router configuration. Note too that this guards against connections the server initiates, not against what your own PCs fetch from it; a PC on the inner network that talks to a compromised server is still exposed to whatever it gets back.

In any case, my internal router, a Linksys BEFSR11, is your standard firewall/router and will be used to act as a firewall for the majority of my home network. The external firewall/router is a Netgear FVS318 and has just port 80 open and forwarded to my test web server (there's no content on the server so I'm not going to link to it yet). All other ports are closed. The Linksys is cascaded from the Netgear.
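One way to check the promise above from each side, as an added example (my own script, not code from the post or from GRC): it classifies TCP ports the way ShieldsUp describes them (open, closed, stealth) and lists the ports whose state contradicts the intended policy. The server address 192.168.1.50, the Linksys WAN address 192.168.1.2 and the port list are assumptions, not taken from the post.

```python
"""Reachability check for the chained-router layout (added example).

Run it from each vantage point and compare with what the layout
promises: from the inner LAN the server's web port is reachable; from
the server, every port on the inner router's WAN address is stealthed;
from the Internet only port 80 on the public address answers.
"""
import socket

SERVER = "192.168.1.50"           # assumed address of the test web server
INNER_ROUTER_WAN = "192.168.1.2"  # assumed WAN-side address of the Linksys
PROBE_PORTS = (21, 22, 23, 25, 80, 135, 139, 443, 445, 3306, 8080)  # assumed list


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way ShieldsUp reports it.

    open     - handshake completed: something is listening and reachable
    closed   - a RST came back: nothing listening, but the host answered
    filtered - no answer within the timeout, or ICMP unreachable ('stealth')
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # socket.timeout and unreachable errors both land here
            return "filtered"


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports` on `host`; returns {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def violations(results, allowed_open=(), require_stealth=False):
    """Ports whose observed state contradicts the intended policy.

    allowed_open    - ports that are supposed to be open
    require_stealth - if True, everything else must be filtered, not merely
                      closed (the 'all ports stealthed' requirement)
    """
    bad = {}
    for port, state in results.items():
        if port in allowed_open:
            if state != "open":
                bad[port] = state
        elif state == "open" or (require_stealth and state == "closed"):
            bad[port] = state
    return bad


def loopback_self_test():
    """Sanity-check probe() against a listener on 127.0.0.1; needs no network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    listener.close()                     # now nothing listens: expect a RST
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # From a PC on the inner LAN: the server's web port must answer; add any
    # admin ports you intend to reach from inside to allowed_open.
    print("inner LAN -> server:",
          violations(scan(SERVER, PROBE_PORTS), allowed_open=(80,)))
    # From the server itself: the inner router's WAN side must show nothing,
    # not even 'closed', or the second router is not doing its job.
    print("server -> inner router WAN:",
          violations(scan(INNER_ROUTER_WAN, PROBE_PORTS), require_stealth=True))
```

An outside check against the public address with `allowed_open=(80,)` and `require_stealth=True` completes the picture; ShieldsUp itself, or a friend running this script from their own connection, serves for that. The distinction between closed and filtered matters: a closed port still tells a scanner that a host is there, which is exactly what the stealth requirement on the inner router is meant to avoid.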

There may be several ways to configure the routers to work together. I only know of how to do it with the two I have. Even then, there may be a better way. If there is, feel free to let me know. YMMV. Insert disclaimer here. Use at your own risk. There be dragons here.

The two routers' LAN subnets must not overlap, and if you are using DHCP, neither may the address ranges they hand out. The internal router's WAN port takes an address on the external router's LAN, so its own LAN must be a different subnet; otherwise the internal router cannot tell its two sides apart and the routers will not work properly, if at all. GRC recommends the external router use 192.168.1.x and the internal router use 192.168.2.x. For me, that means my Netgear uses 192.168.1.1 and my Linksys uses 192.168.2.1.

The first step is to make sure the two routers are never on and linked at the same time until everything is configured, so that their overlapping default IP addresses never collide. For me, this means having two PCs, one plugged directly into each router, so I can reach each setup utility.

In my present network configuration, the Netgear is the only firewall/router in use. Hence, I wanted to leave that alone until the last possible moment so I could always get access, in case anything went wrong. So I configured the internal Linksys first.

I won't go into the specific details because they will vary by make and model of router. Suffice it to say I changed the IP address and DHCP ranges to reflect the 192.168.2.x addresses. I then made a similar change to the Netgear but using the 192.168.1.x range (it was set to 192.168.0.x).
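The addressing rule and the 192.168.1.x / 192.168.2.x reconfiguration above, as an added example (my own code, not from the post): it checks an addressing plan for two chained routers with Python's ipaddress module, catching subnet overlap (including the case where the third octets differ but a wrong netmask makes the subnets overlap anyway), a DHCP pool that lies outside its subnet or includes the router's own address, and a static inner WAN address that collides with the outer router or its pool. The DHCP pool boundaries and the Linksys WAN address are assumptions; only the two router addresses come from the post.

```python
"""Addressing-plan check for two chained NAT routers (added example).

Rule encoded: the two LAN subnets must be disjoint, each DHCP pool must lie
inside its own subnet without handing out the router's address, and a
statically set inner WAN address must sit on the outer LAN without
colliding with the outer router or the outer DHCP pool.
"""
from ipaddress import ip_address, ip_interface


def router(name, lan, dhcp_first, dhcp_last, wan=None):
    """One router: LAN address in CIDR form, its DHCP pool, and the WAN
    address if it is set statically (None = it takes DHCP from upstream)."""
    iface = ip_interface(lan)
    return {
        "name": name,
        "ip": iface.ip,
        "net": iface.network,
        "dhcp": (ip_address(dhcp_first), ip_address(dhcp_last)),
        "wan": ip_address(wan) if wan is not None else None,
    }


def check_router(r):
    """Problems confined to one router's own LAN configuration."""
    problems = []
    lo, hi = r["dhcp"]
    if lo > hi:
        problems.append(f"{r['name']}: DHCP pool {lo}-{hi} is reversed")
    elif lo not in r["net"] or hi not in r["net"]:
        problems.append(f"{r['name']}: DHCP pool {lo}-{hi} is outside {r['net']}")
    elif lo <= r["ip"] <= hi:
        problems.append(f"{r['name']}: DHCP pool would hand out the router's own address {r['ip']}")
    return problems


def check_plan(outer, inner):
    """Problems with chaining `inner` behind `outer`; an empty list means consistent."""
    problems = check_router(outer) + check_router(inner)
    # The inner router's WAN port sits on the outer LAN, so the two LAN subnets
    # must be disjoint or the inner router cannot tell its sides apart.
    if outer["net"].overlaps(inner["net"]):
        problems.append(f"LAN subnets overlap: {outer['net']} and {inner['net']}")
    wan = inner["wan"]
    if wan is not None:
        if wan not in outer["net"]:
            problems.append(f"{inner['name']}: static WAN {wan} is not on {outer['net']}")
        elif wan == outer["ip"]:
            problems.append(f"{inner['name']}: static WAN {wan} collides with {outer['name']}")
        elif outer["dhcp"][0] <= wan <= outer["dhcp"][1]:
            problems.append(f"{inner['name']}: static WAN {wan} is inside {outer['name']}'s DHCP pool")
    return problems


# The post's layout: Netgear FVS318 outside, Linksys BEFSR11 inside.
# Pool boundaries and the Linksys WAN address are assumed, not from the post.
NETGEAR = router("Netgear", "192.168.1.1/24", "192.168.1.100", "192.168.1.150")
LINKSYS = router("Linksys", "192.168.2.1/24", "192.168.2.100", "192.168.2.150",
                 wan="192.168.1.2")

if __name__ == "__main__":
    for p in check_plan(NETGEAR, LINKSYS) or ["plan is consistent"]:
        print(p)
    # Two routers still on a 192.168.1.x default, the collision the post warns about.
    defaults = check_plan(router("Netgear", "192.168.1.1/24", "192.168.1.2", "192.168.1.50"),
                          router("Linksys", "192.168.1.1/24", "192.168.1.100", "192.168.1.150"))
    for p in defaults:
        print(p)
```

Run it before cabling the routers together; the overlap test uses the netmask rather than the third octet, so a Linksys left at a 255.255.0.0 mask is flagged even though 192.168.2.1 looks different from 192.168.1.1.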

I then turned off both routers, ran an Ethernet line from the Netgear to the Linksys, left the line from the Netgear to what will be my test web server, and removed all other lines from the Netgear and plugged them into the Linksys and attached 16-port switch instead.

This physically and electronically isolates the test web server from the other PCs on my home network. I then powered on the Netgear, waited until it was fully up, and then turned on the Linksys.

I still have to do some testing but all seems to be working. I will let you know if any problems are identified. If not, my next step is to get the web server itself configured and running Apache/MySQL/MT, followed by configuring a dynamic DNS service to make up for the fact that I don't have a static IP address.

Aloha!

About

This page contains a single entry from the blog posted on July 10, 2006 11:50 AM.


This weblog is licensed under a Creative Commons License.