supafly1975
Warning: Private LAN subnets (networks) that contain Private Client computers and/or systems and hold (possibly sensitive) data
shall not include servers or equipment that require External Port Access (External Port Forwards).
Private Client based LAN networks shall not allow/permit External Port Forwards to the Private LAN Network (no exceptions).
Providing External Port Forwards to a Private Client LAN creates an Extreme Network Security Vulnerability.
By default all Firewalls block external port access (0-65,535) to the LAN Zone & DMZ Zone.
Creating External Port Forwards to a Private LAN Zone defeats the default firewall block on ALL external port requests.
An attacker only needs access via a single port to compromise a Private Network.
Therefore Private LAN Networks are restricted from External Port Forward usage.
Should a scenario arise whereby an External Port Forward is needed to provide access to a Private Network,
the administrator should consider other network configurations to preserve the External Port Forward restriction, thus preserving Network Security.
All systems requiring External Port Forwards (access to serve external port requests) can and should be configured within a DMZ Network Zone.
What that means is this: if you are going to provide www access to SME on your LAN you will
have to create an External Port Forward to SME, which effectively creates an Extreme Network Security Vulnerability.
See >> http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
Once you read the above, then read page 85 of your user manual.
The Belkin you have does provide DMZ configuration.
However, a true firewall DMZ does two basic things:
1. Enables 1-to-1 NAT (Network Address Translation)
2. Provides subnet IP isolation.
Since your Belkin manual doesn't explicitly state 1-to-1 NAT for the DMZ Zone, we can assume that it is
configured that way, as most are.
We can safely assume that requirement #1 above has been met.
Side Note:
The LAN Zone, unlike the DMZ Zone, enables 1-to-many NAT (Network Address Translation).
That is the reason why you can't use SME in either of the gateway modes on the LAN Zone.
SME in gateway mode enables its internal 1-to-many NAT, thus it would create IP translation issues
with the firewall's 1-to-many NAT.
#2 is a different story though.
A good firewall allows the LAN Zone to be configured on a separate subnet from the DMZ Zone, i.e.
LAN Zone 192.168.1.1
DMZ Zone 192.168.2.1
or
LAN Zone 192.168.1.1
DMZ Zone 172.16.1.1
The Belkin doesn't allow that configuration, thus it doesn't provide the required subnet isolation.
It only allows you to change the rightmost IP octet: 192.168.1.xxx
In order to provide subnet isolation you need to be able to change at least the 3rd octet, i.e. 192.168.xxx.1
Since the DMZ and LAN Zones are on the same subnet, if you Port Forward to the DMZ you are in effect creating the same
Network Security Vulnerability stated above.
So the Belkin was not designed with the intent of the user providing www access to a server.
There are some types of equipment you could install on the Belkin, however it appears that it
doesn't support servers like SME without creating a Network Security Vulnerability.
Most low end (brick) Routers will suffer from the same issue, so it's important to select the correct, capable Firewall/Router for your needs.
I know that most all of the Linksys and Dlink work and are capable, I have both.
Also, a FOSS (free open source software) firewall will suit your needs extremely well; however, they will take a little more effort to set up.
IPCop, Smoothwall, PFSense, monowall are just a few.
Each has their own set of features.
Starting with IPCop would probably be your best bet: easy to set up and feature rich.
Also if you decide on a better firewall, all is not lost with the Belkin, you can still use it as an Access Point.
So the basic network rule of thumb is....
Servers that require external access to provide their services should never be included in a Private Secure LAN.
SME server-only... can be included on a Private LAN, providing only local area access to the server, no www access.
I don't think the documentation is quite clear on that point.
hth
edit: minor edits to improve clarity
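Added example, not part of the post above: a small Python audit that encodes the two rules the post lays out (LAN and DMZ zones must be on separate subnets, and no external port forward may land in the private client LAN), run over two constructed configurations: a brick-router style "DMZ" that is one host on the LAN subnet, and a properly isolated DMZ. Zone names, addresses and the `Zone`/`PortForward` types are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Zone:
    name: str
    network: ipaddress.IPv4Network
    private_clients: bool  # True for a LAN zone holding private client machines


@dataclass
class PortForward:
    external_port: int
    target: ipaddress.IPv4Address


def zone_of(target: ipaddress.IPv4Address, zones: List[Zone]) -> Optional[Zone]:
    """Return the most specific (longest-prefix) zone containing target."""
    matches = [z for z in zones if target in z.network]
    return max(matches, key=lambda z: z.network.prefixlen) if matches else None


def audit(zones: List[Zone], forwards: List[PortForward]) -> List[str]:
    findings = []
    # Rule 1: zones must be subnet isolated (no overlapping address ranges).
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if a.network.overlaps(b.network):
                findings.append(f"{a.name} {a.network} and {b.name} {b.network} are not subnet isolated")
    # Rule 2: no external port forward may land in a private client LAN.
    for f in forwards:
        z = zone_of(f.target, zones)
        if z is None:
            findings.append(f"port {f.external_port} forwards to {f.target}, which is in no defined zone")
        elif z.private_clients:
            findings.append(f"port {f.external_port} forwards into private LAN host {f.target}")
    return findings


def brick_router() -> List[str]:
    """Constructed config: the 'DMZ' is a single host inside the LAN subnet."""
    zones = [Zone("LAN", ipaddress.ip_network("192.168.1.0/24"), private_clients=True),
             Zone("DMZ", ipaddress.ip_network("192.168.1.50/32"), private_clients=False)]
    return audit(zones, [PortForward(80, ipaddress.ip_address("192.168.1.50"))])


def isolated_dmz() -> List[str]:
    """Constructed config: LAN and DMZ on separate subnets, forward lands in the DMZ."""
    zones = [Zone("LAN", ipaddress.ip_network("192.168.1.0/24"), private_clients=True),
             Zone("DMZ", ipaddress.ip_network("192.168.2.0/24"), private_clients=False)]
    return audit(zones, [PortForward(80, ipaddress.ip_address("192.168.2.10"))])
```

Running `brick_router()` reports the missing subnet isolation; `isolated_dmz()` returns no findings.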