Network topology suggestions sought...

BoB-O TiVo (Limp Gawd, joined Mar 25, 2004, 147 messages)
Hey all,

Currently I co-locate a 1U box that hosts my DNS, mail, web, etc. I'm bringing up a dev server to develop apps. These boxes run Windows Server 2003 and I can't change that. That said, the hoster provides me a CAT5 cable that gets me on the internet and 8 IP addresses that conveniently lie in a range that can be masked. Both servers have 2 GbE ports. I'd like to firewall the boxes to the outside world ('cept for STD_PORTS), but allow them to talk to each other wide-open (this helps NT domain stuff, SQL replication, etc.).

I've got two ideas how to accomplish this. The first involves a hardware firewall, and just plugging NIC1 from both boxes into the firewall. The second involves using two switches, connecting NIC1 from both to the first switch and connecting NIC2 to the second switch. The first switch would be uplinked to the internet and I'd use the software firewall on each NIC1. This would leave internal traffic going over NIC2.

My problem with each of these solutions is that I've never done either before.

The first one just confuses me WRT setting up the TCP/IP settings on each box. Do they all point to the firewall as the gateway? My private DNS server for DNS? How is the firewall configured? Does it use one of my 8 IPs, or do I get another IP on "their" network?

The second one is a bit confusing because you have two subnets containing both machines. I'm not sure how to set up the DNS to make sure that there's no ambiguity.

Any help would be appreciated. Pointers to good books would be even more appreciated.

Thanks,
BoB
 
Do they all point to the firewall as the gateway

If it's your gateway, then yep.

my private DNS server for DNS

If your DNS is set up to forward internet (public) addresses, then yep. If not, then you'd need at least one (Primary DNS) to be your DC (or non-DC Windows DNS server) and the second to be your ISP's, or any other public DNS server. You could also turn on root hints, or even set up a stub zone or conditional forwarder, but that is a bit over the top and you'd need permission from your provider's DNS admin.

How is the firewall configured?

You're asking how YOUR firewall is configured????

does it use one of my 8 IPs?

See above, but most likely. Depends on where your firewall is in your network and what its role is.

or do I get another IP on "their" network.?

You get what you get. They gave you 8 IPs, you have 8 IPs. Since that is a pretty easy block I wouldn't imagine they would just "give" you an extra IP.

The second one is a bit confusing because you have two subnets containing both machines

You have your internet network and your private network. You would unbind any file and printer sharing and use it only for Internet connectivity. Your private network would be local file transfers, backups, etc.
 
We have a similar setup to that at my office... our Exchange Server has 2x NICs, one on the WAN, one on the LAN side for our DC, Term Box, and workstations to connect to on the internal IP scheme.

The WAN NIC, you'll usually want to unbind all networking services from... but we have that there for SMTP on Exchange, and OWA for Exchange. The data center next door has some strong security on its entire network, else... I'd be taking my other preferred approach,

...which is to hide the computer behind a firewall (usually NAT with SPI), and only forward the ports necessary to run services you need public. Computers would naturally just use a single NIC. VPN to the "inside" for additional work, RDC, etc. Something like a Sonicwall, PIX, or Linky/Cisco RV0 series would work well.
 
Using the firewall, can we open port 80 to multiple machines? That's another concern I have with any "consumer" grade solutions. We need both our main web server and our dev server open to the world at large.

Got any prosumer firewall suggestions?

BoB
 
Since you have 8 public IPs, simply speaking, you should be able to do a static NAT or something. Not sure what your firewall's like.

A Cisco PIX 501 oughta be nice for ya.
 
Blitzrommel said:
Since you have 8 public IPs, simply speaking, you should be able to do a static NAT or something. Not sure what your firewall's like.

A Cisco PIX 501 oughta be nice for ya.

I've never heard of "Static NAT". A search doesn't produce a ton of relevant results. Do you have any more info on this?

Thanks,
BoB
 
There are usually 2 types of NAT:

one to many - i.e. a router (one IP shared by many hosts)
one to one - i.e. 1 webserver with a private IP to 1 public IP.

Static NAT refers to one-to-one NAT.
 
Static NAT is also referred to as "one-to-one" NAT -- one public address mapped to an internal private address. The most common form of NAT is "one-to-many", where one public IP is "shared" by several hosts, but in this situation each host with a private address would have its own public address associated to it by the firewall.
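The following is an added illustration, not code from anyone in this thread, of the distinction the last two replies draw and of why it answers BoB's earlier question about opening port 80 to both the web server and the dev server. It models the topology described in the first post: the hoster's 8-address block (taken here to be a /29 from the RFC 5737 documentation range), a private NIC2-to-NIC2 subnet, a firewall that is "closed except for STD_PORTS" on the public side and wide open between the two servers. The addresses, the port list and the class names are all assumptions made for the example.

```python
import ipaddress

# Constructed values: an 8-address block is a /29; network and broadcast are
# unusable, so 6 addresses remain (one of them for the firewall itself).
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.8/29")
# Assumed private subnet joining NIC2 of both servers (no route to the internet).
PRIVATE_LINK = ipaddress.ip_network("192.168.100.0/24")
# Assumed contents of the thread's STD_PORTS: SMTP, HTTP, HTTPS.
STD_PORTS = {25, 80, 443}


def usable_public_addresses(block):
    """All host addresses in the block; .hosts() already drops network/broadcast."""
    return [str(h) for h in block.hosts()]


class StaticNat:
    """One-to-one (static) NAT: every internal host owns a distinct public IP,
    so two hosts can each expose port 80 on their own public address."""

    def __init__(self, mappings):
        self.inside_to_outside = dict(mappings)           # private -> public
        self.outside_to_inside = {v: k for k, v in mappings.items()}
        if len(self.outside_to_inside) != len(self.inside_to_outside):
            raise ValueError("static NAT mappings must be one-to-one")

    def translate_inbound(self, dst_public):
        return self.outside_to_inside.get(dst_public)

    def translate_outbound(self, src_private):
        return self.inside_to_outside.get(src_private)


class OneToManyNat:
    """Consumer-style NAT: one public IP, inbound reachability only via port
    forwards, and a given public port can point at exactly one internal host."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.forwards = {}                                # dst_port -> private host

    def add_forward(self, port, host):
        if port in self.forwards and self.forwards[port] != host:
            raise ValueError(f"port {port} is already forwarded to {self.forwards[port]}")
        self.forwards[port] = host

    def translate_inbound(self, dst_public, dst_port):
        if dst_public != self.public_ip:
            return None
        return self.forwards.get(dst_port)


def firewall_decision(src, dst, dst_port, nat):
    """Policy from the thread: public side only on STD_PORTS, translated by
    static NAT; anything between the two servers on the private link passes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in PRIVATE_LINK and d in PRIVATE_LINK:
        return ("allow", str(d))                          # SQL replication, NT domain, etc.
    if d in PUBLIC_BLOCK:
        inside = nat.translate_inbound(str(d))
        if inside is None or dst_port not in STD_PORTS:
            return ("drop", None)                         # unmapped IP or non-standard port
        return ("allow", inside)
    return ("drop", None)


if __name__ == "__main__":
    nat = StaticNat({"192.168.100.1": "203.0.113.10",    # web/mail/DNS box
                     "192.168.100.2": "203.0.113.11"})   # dev box
    print(usable_public_addresses(PUBLIC_BLOCK))
    print(firewall_decision("198.51.100.5", "203.0.113.10", 80, nat))
    print(firewall_decision("198.51.100.5", "203.0.113.11", 80, nat))
    print(firewall_decision("198.51.100.5", "203.0.113.10", 1433, nat))
    print(firewall_decision("192.168.100.1", "192.168.100.2", 1433, nat))
```

With static NAT both servers answer on port 80 because each has its own public address; with `OneToManyNat` a second `add_forward(80, ...)` to a different host raises, which is exactly the limitation BoB was worried about in consumer gear. The private-link rule is what keeps SQL replication and domain traffic off the public side entirely.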
 
Cool! FWIW (I assume 1:1 and static NAT are the same), Linksys has a box called the RV0041 that's $350 and does 1:1 as well as having GigE ports on the inside. For replication between the two machines, this is handy. Since I haven't a spare machine, is there any hardware that will run m0n0wall that has GigE ports on the inside? I remember a m0n0wall dev kit, but I think it was all 10/100.

Thanks,
BoB
 