
How to have multiple web servers and IPs on the same physical network

By Sarah Scott

I do web development out of a small office and need to have multiple physical and virtual servers that can be accessed from the internet. I also have a number of devices (computers, laptops, tablets, printers, etc.) that need connections as well. I have gotten a subnet of 8 IPs from my ISP, and while that is adequate for the web servers, it's far too small for everything that needs access to the network.

My router is an ASUS RT-N16 running DD-WRT. I'm just smart enough about this routing topic to be dangerous; think 2-year-old with a magic marker. I would like to keep my internal network NAT'ed on the 192.168.x.x network and route the 68.69.x.x 255.255.255.248 traffic directly to the servers. The physical network consists of the 4-port DD-WRT router and an unmanaged gigabit switch. I have a fiber connection to the office that works as an Ethernet port. In other words, I can plug my laptop directly into it and have access to the internet. There is no login or password; the router is set up to get DHCP from the ISP and to provide DHCP addresses for the internal network.

What I've done so far is google and try different configurations with little success. In the end I decided I didn't even know how to ask the questions needed.

My questions are:

  1. Is this the best way to configure the network?

  2. How do you do it? VLANs? Multiple routers?

I've never had to configure a router using anything more than the GUI so if this is command line stuff be gentle.


4 Answers

Chief, first up, this question would have a better response on Serverfault.com as it is geared towards business environments and not single-user service-desk type questions. Although that is to be debated by some. Alternatively, you will need either to find a Network Engineer consultant to design this for you or do a whole bunch of reading on IP NATting and VLAN routing.

You can do it a few different ways depending on your budget, but I would look into a Cisco solution for having routable VLANs and IP NAT (Network Address Translation). In this scenario you would have several VLANs running on a Cisco switch (you can use a layer 2 switch and have your router route the VLANs, or a layer 3 switch to do it all for you) and a Cisco router taking care of NAT for all your external IPs to your internal addresses and VLANs. When setting up IP NATting on Cisco routers you restrict access by setting up ACLs and route to VLANs using dot1q tagging.

Here is a sample design:

  • 1-2 public IP addresses NATted to VLAN 2 private IPs (laptops, tablets, etc.)
  • 1-2 public IP addresses NATted to VLAN 3 (stage/test environment)
  • 2-6 public IP addresses NATted to VLAN 4 (web servers)

Good Luck..


Assign one static address to your gateway, NAT everything else and run each web server on a different port. Configure your router to forward the appropriate ports (80) to each server's local IP address.


I think this problem represents an issue at a much higher level, perhaps at the application layer rather than the routing. In order to have multiple servers running internally on the same external address and port, there needs to be a device in between that understands higher-level HTTP requests. This device would also have the ability to parse the domain from the URL structure and simultaneously query internal DNS servers for appropriate resolution, a.k.a. a reverse proxy.

Essentially, external DNS requests are sent to your internal DNS servers on your network. Once this happens, browsers will send HTTP requests through the NAT'd gateway only to be intercepted by a reverse proxy server, which then parses the domain from the headers, resolves the associated names internally and forwards the request to the correct server.


Given what I'm seeing here, there are a few things:

  • Port-forward the static IPs' port 80 to those servers that are un_messed_up enough to warrant it.
  • For random internal device access, any of your static IPs can be used as the NAT egress IP. It's best to reserve one IP for just that for IP reputation reasons, but with only 6 usable IPs to work with, that may not be reasonable.
  • For the special-snowflakes, you can get fairly creative with HAProxy configs. You can set up rules based on server-name (this assumes no SSL is involved) that then route to configured back-end servers based on that name. Kinda like vhosts, but handled at the Proxy level rather than the web-server itself.

Side-note: this is why IPv6 is the future, this kind of problem kinda goes away. But that doesn't help you now (unless, of course, your clients have v6 support).

Your config looks pretty normal for a small office setup.
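The name-based routing that the last two answers describe (a reverse proxy choosing the internal server from the HTTP Host header), written out as an added HAProxy configuration; this is not from any answer on this page, and the hostnames, the 192.168.10.x server addresses and the /healthz check path are constructed placeholders.

```haproxy
# Added example, not from the question or any answer: HAProxy sits behind
# the one forwarded public port and picks a backend by Host header.
# Hostnames, 192.168.10.x addresses and /healthz are constructed placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor           # keep the real client IP in X-Forwarded-For for server logs
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    # The router forwards one public IP's port 80 to this listener.
    bind *:80
    # Match on the Host header (plain HTTP only: with TLS the name is in the
    # SNI field instead, which is why the answer above excludes SSL).
    acl host_www   hdr(host) -i www.example.com
    acl host_stage hdr(host) -i stage.example.com
    use_backend web_prod  if host_www
    use_backend web_stage if host_stage
    # Requests for an unknown name are refused instead of being handed to
    # whichever internal server happens to be listed first.
    default_backend no_match

backend web_prod
    option httpchk GET /healthz
    server web1 192.168.10.11:80 check
    server web2 192.168.10.12:80 check

backend web_stage
    server stage1 192.168.10.21:8080 check

backend no_match
    http-request deny
```

Check the result with `haproxy -c -f haproxy.cfg` before reloading, and confirm that a request with an unlisted Host header returns 403 rather than reaching a backend.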
