2 domains -> 1 IP -> 2 servers?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
9 posts • Page 1 of 1
eivinn
Apprentice
Posts: 219
Joined: Wed Jul 10, 2002 10:49 am
Location: Norway


Post by eivinn » Tue Oct 07, 2003 9:50 am

Hi,

A friend next door and I plan to migrate our networks to one over WIFI and cut costs by freeing us from the need for two ISPs. The line will be 2Mbit/648Kbit.
The problem is that we both want to be able to access all ports on our own local server from the Internet.
Is this possible to do with only 1 WAN IP address and 2 local IPs / servers?

I plan on 1 router/firewall with the following rules:
1. forward the request to the named server (server1 or server2) if the port is defined as open for the specified server.
2. forward responses to a workstation (NAT), if the session originated from inside.
3. block all requests/responses

If this migration is possible, I could also use some pointers on how to set up QoS so that both networks get half the speed when both need it, but one server could use it all if the other one is idle and serves nothing.
I read a little of the Advanced Networking How-To a while ago, but don't quite get how to implement it at this time.

Hoping for some good pointers.
fleed
l33t
Posts: 756
Joined: Wed Aug 28, 2002 8:32 am
Location: London


Post by fleed » Tue Oct 07, 2003 10:02 am

That's a tough one. There's nothing you can do to get the two servers to be accessed through all ports from the WAN side. Maybe you two could also share a common server with domain-based HTTP, for example? Maybe Apache could be set up to forward connections to port 80 to your respective servers based on the domain used, but you'd still be stuck for the other ports.
eivinn
Apprentice
Posts: 219
Joined: Wed Jul 10, 2002 10:49 am
Location: Norway


Post by eivinn » Wed Oct 08, 2003 9:54 am

Does this mean that only HTTP packets have the requested domain name in them? I was surely hoping that this was the case for all IP packets :-(
That way an advanced firewall script could easily check all IP headers for the requested domain, like Apache does with virtual domains.
fleed
l33t
Posts: 756
Joined: Wed Aug 28, 2002 8:32 am
Location: London


Post by fleed » Wed Oct 08, 2003 11:25 am

I've never seen iptables doing something like that. Besides, it would be highly dependent on the protocol you're using. HTTP passes the domain name of the request (and then only if you're not using an ancient browser). Other protocols may or may not.

Most of the time the packets only have the destination IP address, and since that's only one IP there's no way to distinguish which server they should be sent to.

Could you get a second ip address from your ISP? Maybe they'll charge you something extra but would allow you to use that. If so it's a much simpler situation.
UncleTom
Apprentice
Posts: 194
Joined: Wed Aug 20, 2003 12:51 pm
Location: Bern, Switzerland


Post by UncleTom » Wed Oct 08, 2003 11:40 am

eivinn wrote: Does this mean that only HTTP packets have the requested domain name in them? I was surely hoping that this was the case for all IP packets :-(
HTTP is a higher level protocol based on IP (actually TCP). The domain name is sent in the HTTP protocol, not in the IP protocol. To IP, the HTTP request is just data that is being sent around.

IP basically just knows about source address/port and destination address/port. So there is no way to know on this level whether an IP packet with destination port 80 should be sent to one server or the other.

The only way to do such a thing is to use dedicated software that is aware of the higher level protocol for each port you want to use. For HTTP, this is easy to do using a reverse proxy, for other protocols it will be impossible if they do not include the name of the target host.

Do you really need to access all ports from the internet?
bug, n: A son of a glitch.
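To make UncleTom's point concrete, here is an added example (not code from this thread) that first pulls the only identity an IPv4/TCP header carries, then does what a reverse proxy does with HTTP: reads the Host header and maps it to one of two hypothetical internal servers, refusing to guess when the header is missing or names an unknown host. The domain names and 192.168.x addresses are constructed.

```python
import socket
import struct

def build_syn(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Constructed IPv4 + TCP SYN header pair (no payload), checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr

def l3l4_identity(packet: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port) from an IPv4+TCP header.
    Nothing else in these headers names a host, so a NAT box with a single
    WAN address cannot tell which internal server a port-80 SYN was meant for."""
    ihl = (packet[0] & 0x0F) * 4
    src_ip, dst_ip = struct.unpack("!4s4s", packet[12:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return socket.inet_ntoa(src_ip), src_port, socket.inet_ntoa(dst_ip), dst_port

# Hypothetical domain -> internal server map for the two friends' servers.
BACKENDS = {"server1.example": "192.168.1.10",
            "server2.example": "192.168.1.20"}

def pick_backend(request: bytes):
    """Route an HTTP request by its Host header, as a reverse proxy would.
    Returns the backend address, or None when there is no usable Host header
    (HTTP/1.0 clients) or the name is not one we serve; refusing to guess
    keeps an unknown virtual host from being handed to the wrong server."""
    head, _, _ = request.partition(b"\r\n\r\n")
    host = None
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            break
    if not host:
        return None
    host = host.split(":")[0]                   # drop an explicit :port
    return BACKENDS.get(host)
```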
eivinn
Apprentice
Posts: 219
Joined: Wed Jul 10, 2002 10:49 am
Location: Norway


Post by eivinn » Thu Oct 09, 2003 7:02 am

Well, I don't need "all" ports from the internet, but it would be great having most of the common ones (ftp, ssh, http) and probably bittorrent possibilities.
I can see two solutions:
1. We use one server, and map the filesystems for ftp etc. from the other one over NFS (or alike) over WIFI.
2. We get a second IP from our ISP.

Could I perhaps have Apache set up to use two different servers for a kind of load balancing (but for the two domains)? E.g. one gets all incoming traffic, but forwards it to a specific domain. And what about mail? Do I need to use only one mail server or is forwarding possible here?

Will the second choice be "easy" to set up using only one router/firewall? I think I must have two WAN NICs, or could I do with one? And what about QoS?
fleed
l33t
Posts: 756
Joined: Wed Aug 28, 2002 8:32 am
Location: London


Post by fleed » Thu Oct 09, 2003 8:23 am

The second option (having two WAN IPs) is definitely the best way of doing it. On your Linux router you simply forward all packets coming in to IP a to server A and all packets coming in through IP b to server B. That's it, no need to install a server on your router, only iptables.

If you want to go with the first option you'll have to set up daemons on the Linux router for every application you both want to use. For example, http (as you mentioned). The idea you gave of using ftp is a good one; you'd need usernames to be unique across both internal servers so that the home directories map to the different servers. If you wanted anonymous ftp you could set up directories pointing to the respective servers.

I don't think there's anything you can do for SSH other than logging into the server and from there into your respective machines. If you use unique usernames you could even make it so that once the user signed on to the router an ssh connection would automatically be made to the appropriate internal server.

Cheers
eivinn
Apprentice
Posts: 219
Joined: Wed Jul 10, 2002 10:49 am
Location: Norway


Post by eivinn » Fri Oct 10, 2003 7:55 am

Thanks for your answers!

I feel more confident that my friend and I can find a solution that fits us both.

First we're waiting for the ISP to answer our request for two IPs; second, we'll plan our setup. Hopefully with two IPs :wink:
fleed
l33t
Posts: 756
Joined: Wed Aug 28, 2002 8:32 am
Location: London


Post by fleed » Fri Oct 10, 2003 2:37 pm

Good luck!
© 2001–2026 Gentoo Foundation, Inc.