WWW FAQs: How do I set up a DMZ for safer home web hosting?

2006-04-10: Hosting at home is never 100% safe. There's always a chance that hackers will take advantage of a newly-discovered security hole in your web server. However, you can reduce the risks by placing your home web server in a "demilitarized zone," and placing your other home computers in a separate "intranet" zone. If you do this correctly, the home computers can still fetch pages from the web server. But the web server can't "see" the home computers. So even if it does become compromised, it can't be used to hack into the rest of your PCs.

How do we do it? Simple: we use two routers. The first router connects directly to the cable or DSL modem. This router can and should be a simple wired-only router, or a wireless router with wireless networking disabled. The web server computer - an old computer you found on the curb, NEVER your personal machine - connects directly to this "DMZ" router.

This article assumes you have already read how do I host my own website at home? See that article for complete step-by-step information to set up basic web hosting at home.
Now, here's the trick: the second, Intranet router also connects to the "DMZ" router, just like a PC would. And your personal computers connect to the second router, wirelessly if you wish.

How does this protect your PCs? Most cable and DSL connections give you just one "IP address," allowing you to put just one computer on the Internet at a time. A home networking router solves this problem by forwarding traffic from many computers, making it appear to the rest of the Internet as if it were all coming from one PC. One consequence is that incoming connections can't talk directly to any of the PCs. Incoming connections can only talk to the router. And unless you're going out of your way to forward ports - which you do only on the "DMZ" router, to forward port 80 to the web server - those connections don't go anywhere and can't cause any harm.

With just one router, your web server would be on the same network with your personal computers. If it were hacked, it could talk directly to them and attempt to hack them as well. But with a second "Intranet" router, your personal computers appear to the web server as just one PC, a PC that doesn't accept any incoming connections. The hacking attempts are stopped "at the firewall."

Important: you will need to set up your two routers to use different "subnets." By default most routers use the addresses through You'll need to configure one of the two routers to use a different block of addresses. I suggest through Every router is different, so I can't give you exact instructions for configuring this through your router's web-based interface, but look on the "LAN" tab or read the manual that came with your router.

In principle, there's no reason why you can't put together this system with two different routers from two different companies. Still, since home routers aren't always tested for this sort of operation, I suggest using two routers of the same make and model. That way, you may be able to obtain support from the manufacturer if this two-tiered arrangement doesn't work the way it should.

Routers With Built-In DMZs: Not What You Want

Some routers have a built-in DMZ feature. This is different from the kind of DMZ I am talking about and it does not make your network more secure. In fact, it does the opposite. Routers that offer a DMZ feature are offering to expose your server computer to traffic on all incoming ports, which is less secure than forwarding ports individually. And since your server would still be on the same physical network with other computers, nothing would prevent hackers from communicating with your other computers after they took over the server.

Accessing Your Website From Your Home Computers

With many routers, you'll have no trouble accessing your website from a home computer after following these steps. But with others, when you try to log on from your own computers, you'll find that you always get the DMZ router's web-based configuration logon prompt instead of your website. That's because some routers assume any traffic coming to the web server port from inside the router is meant for the web-based configuration utility and not for your web server. Folks on the outside have no trouble, but you're stuck!

What to do? The solution is to forward an additional port to the web server, and access the website at a special URL. Follow the steps in my article how do I set up my router to forward ports from the Internet to my computer, with one change: set the "WAN" port to something other than 80, such as 8081. Keep the "LAN" port set to 80.

After doing this, you can access your website from your home computers at the URL http://myhostname.made-up.com:8081/ (substitute your own hostname, of course). Be sure to use relative links on your pages, so that you are not forced back to the router logon page every time you click on a link.

Note: you only need this special URL for your home computers. The rest of the world will have no trouble accessing the website without the :8081. And you might not need this "extra port" trick at all, depending on your router. So try things out without it first.

Legal Note: yes, you may use sample HTML, Javascript, PHP and other code presented above in your own projects. You may not reproduce large portions of the text of the article without our express permission.

Got a LiveJournal account? Keep up with the latest articles in this FAQ by adding our syndicated feed to your friends list!