MiniPortal: Setup: Firewall* and Router** Issues

General

Firewalls and routers make it safer to use the internet, but they can also block access to a user's web server. To understand why, it helps to look at the figures below. Figure 1 shows a computer connected directly to the internet (no firewall or router present). Figure 2 shows the same computer connected directly to the internet (but with firewall software). Figure 3 shows a computer indirectly connected to the internet (through a router). Read the explanations of Figures 2 & 3 to understand why configuration changes to the firewall or the router (network configuration) are required to run a web server.

Note on firewall / router combination: it is also possible to use firewall software together with a router. In this case both the router and the firewall software must be configured to enable web server access.

Note on multiple IPs: the figures below assume the user has only 1 internet IP address. If more than 1 IP address is available, it is possible to configure a router using options other than those described below (e.g. to use one external IP address for the router and another external IP address for the server machine). See your router documentation for details on such additional configurations.


Direct Connection to the Internet (no firewall software):

    Local Computer 1 (web server)
           [IP: 1.2.3.4]
                 |
              Internet
                 |
         Remote Computer 1

Figure 1. Direct connection to the Internet (no router)

Figure 1 shows a single computer (Local Computer 1) connected directly to the internet without any firewall software. The web server's domain name points directly to the IP address of Local Computer 1 (in this example, '1.2.3.4'), and no changes in network configuration are required to enable Remote Computer 1 to access the web server on Local Computer 1.


Direct Connection to the Internet (with firewall software):

    Local Computer 1 (firewall + web server)
                 [IP: 1.2.3.4]
                       |
                    Internet
                       |
               Remote Computer 1

Figure 2. Direct connection to the Internet (no router)

Figure 2 shows a single computer (Local Computer 1) connected directly to the internet with firewall software. The web server's domain name points directly to the IP address of Local Computer 1 (in this example, '1.2.3.4'), and no changes in network configuration are required to enable Remote Computer 1 to access the web server on Local Computer 1. However, the firewall software must be configured to enable Remote Computer 1 to access this web server.

See the documentation for the particular brand and version of firewall software for instructions on how to configure the firewall to enable a local web server. Popular firewall software:


Indirect Connection to the Internet (router):

    Local Computer 1 (web server)              Local Computer 2
         [IP: 192.168.0.1]                    [IP: 192.168.0.2]
                 |                                    |
    ---------------------- Local Area Network ----------------------
                                   |
                      [Internal IP: 192.168.0.255]
                                Router
                        [External IP: 5.6.7.8]
                                   |
                                Internet
                                   |
                           Remote Computer 1
    (Note: sees only 5.6.7.8, the External IP of the Firewall / Router)

Figure 3. Indirect connection to the internet (through a router)

Figure 3 shows multiple computers (Local Computers 1 & 2) connected to the internet through a router box. The web server's domain name points to the external IP address of the router box (in this example, '5.6.7.8'), and changes in the router configuration (network configuration) are required to enable Remote Computer 1 to access the web server on Local Computer 1. These changes will cause the router to pass web server requests from its external IP to the web server on Local Computer 1.

See the documentation for the particular brand and model of router for instructions on how to configure it to use a local web server. Popular routers include:

A more detailed explanation of Figure 3:

Local Computer 1 and Local Computer 2 are connected together (and to the router box) over a local area network (LAN). The router enables them to access the internet using a single IP, and also protects them from being accessed directly from the internet. The router may have a built-in modem (assumed in this diagram), or the modem may be a separate box between the router and the internet (not shown here).

The router has two network addresses: the internal IP address is used to communicate with Local Computer 1 and Local Computer 2 across the LAN. The external IP address is used to communicate with Remote Computer 1 across the internet.

If Remote Computer 1 wishes to access a web server running on Local Computer 1, it will use a domain name that points to the external IP of the router protecting Local Computer 1. The domain name must point to the external IP because all computers on the internet use the external IP -- the internet does not know any of the internal IPs. Each request to the web server on Local Computer 1 must go through the router, which must be configured to pass the request along to Local Computer 1 (HTTP requests are on port 80). When the web server on Local Computer 1 responds to a request from Remote Computer 1, it will do so through the router, which will pass along the response.
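
The forwarding behaviour described above, as an added example (not MiniPortal code or any router's firmware): a small Python model of the Figure 3 router, showing that a request to 5.6.7.8 on port 80 reaches Local Computer 1 only after a port-80 forward is configured, while every other unsolicited port stays blocked. The Router class, the remote addresses 203.0.113.10 and 198.51.100.7, and all port numbers other than 80 are constructed for illustration.

```python
from dataclasses import dataclass, field

EXTERNAL_IP = "5.6.7.8"            # router's external IP (Figure 3)
WEB_SERVER = ("192.168.0.1", 80)   # Local Computer 1, HTTP on port 80
REMOTE = ("203.0.113.10", 51000)   # Remote Computer 1 (constructed address)

@dataclass
class Router:
    """Hypothetical NAT router: static port forwards plus tracked outbound sessions."""
    external_ip: str
    forwards: dict = field(default_factory=dict)  # ext port -> (LAN ip, port)
    sessions: dict = field(default_factory=dict)  # ext port -> (LAN ip, port, remote)
    next_port: int = 40000                        # constructed ephemeral port range

    def add_forward(self, ext_port, lan_ip, lan_port):
        # The router configuration change the page says a web server needs.
        self.forwards[ext_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        # A LAN host connects out; the router substitutes its own external address.
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[ext_port] = (lan_ip, lan_port, remote)
        return (self.external_ip, ext_port)

    def inbound(self, remote, dst_ip, dst_port):
        # Returns the LAN destination, or None when the packet is dropped.
        if dst_ip != self.external_ip:
            return None                     # internal IPs are unknown to the internet
        sess = self.sessions.get(dst_port)
        if sess and sess[2] == remote:
            return sess[:2]                 # reply to a connection started from the LAN
        return self.forwards.get(dst_port)  # unsolicited: needs an explicit rule

def demo():
    router, out = Router(EXTERNAL_IP), {}
    out["direct_to_internal_ip"] = router.inbound(REMOTE, *WEB_SERVER)
    out["before_rule"] = router.inbound(REMOTE, EXTERNAL_IP, 80)
    router.add_forward(80, *WEB_SERVER)
    out["after_rule"] = router.inbound(REMOTE, EXTERNAL_IP, 80)
    out["other_port"] = router.inbound(REMOTE, EXTERNAL_IP, 22)
    # Local Computer 2 browses to a remote site; only that site's reply gets back in.
    site = ("203.0.113.10", 80)
    nat_src = router.outbound("192.168.0.2", 50000, site)
    out["nat_source"] = nat_src
    out["reply"] = router.inbound(site, *nat_src)
    out["stranger"] = router.inbound(("198.51.100.7", 80), *nat_src)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

Forwarding only the web server's port keeps the rest of Local Computer 1, and all of Local Computer 2, unreachable from the internet.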


*Firewall: here we use the term 'firewall' to mean firewall software which is running on the server machine. We use 'firewall' and 'firewall software' interchangeably. Firewall can also mean an external system (hardware, software, or both). We do not use the term in this way; refer to the definition of 'router' below for this kind of function.
**Router: here we use the term 'router' to mean an external system (hardware, or a hardware / software combination) which connects a 'local' server machine to the internet. A router may or may not include 'firewall' capabilities; that is, the router may merely connect the server machine directly to the internet, it may connect the server machine to the internet in such a way as to hide its IP address (NAT), or it may perform functions beyond the connection itself (data inspection and processing).