Old 09-09-2002, 02:37 AM   #1 (permalink)
Member
 
Join Date: Jul 2002
Location: London
Posts: 25
OS: win98/2000


Multiple IP addresses

I have an ADSL router and a block of 4 IP addresses. Apart from the PCs on the network (which all come off a single hub), I run a web server and use NAT on the ADSL router to point http traffic at it. The ADSL router is assigned the first of my IP addresses.

For various reasons, I now want to use the other IP addresses and need a way of differentiating traffic on each one so that I can then use a number of inexpensive NATable routers to run multiple web servers etc.

It has been suggested that I either use a multi-NAT router or a firewall, but I am not sure of the technology and would appreciate anyone's help, bearing in mind the pros and cons of any approach.

Thanks.

Last edited by AfterDark : 09-09-2002 at 02:39 AM.
AfterDark is offline  
Old 09-09-2002, 09:56 PM   #2 (permalink)
Senior Member
 
gotissues68's Avatar
 
Join Date: Sep 2002
Location: Vancouver Washington, Mountain View CA and Atlanta GA you pick the week!
Posts: 716
OS: Linux/FreeBSD


Which type of ADSL router do you have?
gotissues68 is offline  
Old 09-10-2002, 08:31 AM   #3 (permalink)
Member
 
Join Date: Jul 2002
Location: London
Posts: 25
OS: win98/2000


Quote:
Originally posted by gotissues68
Which type of ADSL router do you have?
It is an Efficient 5861. I think it is this one:

http://www.efficient.com/products/routbus.html

Thanks.
AfterDark is offline  
Old 09-11-2002, 01:00 AM   #4 (permalink)
Senior Member
 
gotissues68's Avatar
 
Join Date: Sep 2002
Location: Vancouver Washington, Mountain View CA and Atlanta GA you pick the week!
Posts: 716
OS: Linux/FreeBSD


I hope I'm wrong and someone can double check my investigation. But it looks like your current router won't be able to do what you're asking it to do >:( I understand what it is you want to do.. the problem is ... doing it..

I see that your DSL router does support bridged though, and that could be to your advantage if your ISP supports it. If you're stuck in PPP then it might be tougher..

What you're asking to do is called multi-homing.. it's a process of one physical piece of equipment having multiple IPs and routes for each IP. If your ISP supported bridged (I'm familiar with RFC 1483) then you could set up a simple Linux or Windows server and have it be your multi-homed router which then could support what you're asking.

If your ISP is strictly PPP then.. I honestly couldn't be of assistance on this one.. :(
gotissues68 is offline  
Old 09-26-2002, 12:13 PM   #5 (permalink)
Manager, Networking Forums
 
johnwill's Avatar
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 28,754
OS: XP-Pro, Vista, Linux


Blog Entries: 1
One way of dealing with the one vs. many IP addresses is by external redirection. Check out sites like www.noip.com. You can change the port that web requests come into based on the URL redirection, so one web server could use 80, the next one 8080, the third use 8081, etc... This is also effective when you have an ISP that blocks certain incoming ports, say 80 for instance.
johnwill is offline  
Old 09-26-2002, 02:33 PM   #6 (permalink)
NetEngr/Geek
 
Pseudocyber's Avatar
 
Join Date: Sep 2002
Location: Earth\US\NC\Charlotte
Posts: 1,394
OS: Win2K


Why not put in a DMZ? See attached image:
Attached Images
File Type: gif tsf.gif (14 Bytes, 45 views)
Pseudocyber is offline  
Old 09-26-2002, 03:55 PM   #7 (permalink)
Manager, Networking Forums
 
johnwill's Avatar
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 28,754
OS: XP-Pro, Vista, Linux


Blog Entries: 1
How do Internet users individually address multiple web servers with only one IP address without translation of the port addresses at a minimum?
johnwill is offline  
Old 09-26-2002, 05:03 PM   #8 (permalink)
NetEngr/Geek
 
Pseudocyber's Avatar
 
Join Date: Sep 2002
Location: Earth\US\NC\Charlotte
Posts: 1,394
OS: Win2K


Quote:
I have an ADSL router and a block of 4 IP addresses. Apart from the PCs on the network (which all come off a single hub), I run a web server and use NAT on the ADSL router to point http traffic at it. The ADSL router is assigned the first of my IP addresses.

For various reasons, I now want to use the other IP addresses and need a way of differentiating traffic on each one so that I can then use a number of inexpensive NATable routers to run multiple web servers etc.
I thought you were going to use your other addresses? Why use NAT if you don't need to?

In addition - how are they going to address multiple servers? You have multiple domain names? You could have one web server which is your main web server and then it pushes off traffic or pulls files from your other servers.
Pseudocyber is offline  
Old 09-26-2002, 11:39 PM   #9 (permalink)
Member
 
Join Date: Jul 2002
Location: London
Posts: 25
OS: win98/2000


Hi everyone,

There are a few questions being asked here and I have the suspicion that I am missing something pretty basic which you guys all take for granted.

Can I assume that unless there is more than one PC listening on the same port, you don't need to use NAT? (i.e. there is no confusion as to which PC the incoming packet is aiming for.)

I use NAT at the moment for the simple reason that my ADSL router has it and because I develop internet software, I have another web server on another PC just for testing.

OK. Let's look at this scenario from scratch.

Here I am with an Apache web server and I have many web sites on it. Each domain is mapped to the same external IP address (the IP address of my ADSL router) and I use VirtualHosts to handle each web site.

I also have another Apache web server at a different location, all nicely set up with databases etc. and I want to bring it here, but it is to use my existing ADSL connection. I also want to keep it as a separate PC, rather than just copying it all over onto the existing web server.

So, the question is how to do it?

The answer can use any or none of the following facts.

1. Apart from the external IP address assigned by my ADSL ISP to my ADSL router (and to which are mapped all the existing web site domains), I also have a further 3 external IP addresses which could be used.

2. I like the idea of isolating the web servers from the rest of the network for security reasons and would use FTP to upload files.

3. I have an ADSL router and a hub, but will buy anything else if necessary.

4. I prefer a hardware solution to a software one.

Please do not use phrases like 'firewall' without explaining exactly what it will be doing. I know less than you think!

(It occurs to me that my situation is exactly the same, only smaller, as all the web hosting companies out there!)

Thanks guys. I appreciate your help.

Last edited by AfterDark : 09-26-2002 at 11:42 PM.
AfterDark is offline  
Old 09-27-2002, 12:19 AM   #10 (permalink)
Senior Member
 
gotissues68's Avatar
 
Join Date: Sep 2002
Location: Vancouver Washington, Mountain View CA and Atlanta GA you pick the week!
Posts: 716
OS: Linux/FreeBSD


I apologize for my idiocy, but I'm going to ask anyway.

Let me see if this is correct...

You currently have:
ADSL router that does NAT, one static IP which is the current home based web server, and the rest of your machines run NAT, correct?

Or do you have.. an ADSL router, one static IP, which is currently assigned to the ADSL router, which then forwards those packets destined for the webserver, workstations etc..

And what you're looking to do:

Assign multiple static IPs to the ADSL router, and then forward packets based on incoming IP address to the appropriate internal webserver?

I think I may have posted previously that the router model you do have doesn't support sub interfaces on the WAN link ... meaning you can't have 12.222.222.222 12.222.222.223 both assigned at the same time to your ADSL router.

A couple solutions...

Find a router that supports multiple sub interfaces..
Find out which encapsulation type your ISP supports (PPPoE, PPPoA, or bridged ethernet), and if you're bound by the type they currently offer, meaning if you're currently set up as PPPoE, can you use bridged.

In my opinion... if you are able to use a bridged connection, then make a purchasing decision based on that, find a bridging DSL router that works with your particular service. Of course that does cost a little bit of money of course.

At that point. Either set up one of the current machines.. or build a new one to use as a firewall.. I'm going to jump out on a limb here and assume you're using the Linux version of Apache.

With a Linux firewall you can do a couple of things.

Set up multiple interfaces.. for instance.

eth0 0.0.0.0
eth0:0 1.1.1.1

and so forth, then configure the firewall to route internally to the specific machine based on either interface or IP address.


I hope this makes sense and wasn't too long winded.
gotissues68 is offline  
Old 09-27-2002, 04:40 AM   #11 (permalink)
NetEngr/Geek
 
Pseudocyber's Avatar
 
Join Date: Sep 2002
Location: Earth\US\NC\Charlotte
Posts: 1,394
OS: Win2K


Here is the way I would do it - see attached net diagram. Your router to the I'net must have a public IP address.

If you have enough addresses - you could put a public on the inside interface of your interface, one on each server, and one on the outside (not inside your network) of your firewall. This would be 5 addresses.

You could use the same setup but have the I'net router perform NAT (Network Address Translation). I would still use two different networks - a DMZ and an Inside Network.

The DMZ - De Militarized Zone - this is the area where you maintain web servers that are accessible from the I'net. They must be "hardened" because they are not protected by a firewall or if they are, it's not as "tight" as the firewall protecting your inside network.

Firewall - a firewall is a smart Layer 4 switch/router. It has the ability to open up a packet and inspect the contents. If the contents aren't allowed, they're discarded. Think of it as the postal inspector or the mail processing people in a prison. They will open the envelopes (packets) and inspect their contents. Maybe Prisoner Jones is only allowed mail (SMTP) and Prisoner Smith is allowed mail and care packages. The mail processing people will look at what it is and who it's for and consult their rules and if it's allowed, will pass it through. If not, they might just drop it, or they might pass along an alert to the Warden!

An excellent short movie explaining all of this can be found at: http://www.warriorsofthe.net/clips.html

Inside your network, I would definitely have the Firewall be performing NAT - for added security and to give you the ability to add more machines whenever you wanted to.

Additionally, when you're setting up NAT - consider using "private" addresses internally. These are special address ranges which aren't routable on the internet. This will give you a little bit of "added" security.

HTH
Attached Images
File Type: gif smallnet.gif (14 Bytes, 57 views)
Pseudocyber is offline  
Old 09-27-2002, 05:07 AM   #12 (permalink)
Senior Member
 
gotissues68's Avatar
 
Join Date: Sep 2002
Location: Vancouver Washington, Mountain View CA and Atlanta GA you pick the week!
Posts: 716
OS: Linux/FreeBSD


Pseudo ... maybe even some ACL's on the router for additional security?
gotissues68 is offline  
Old 09-27-2002, 06:04 AM   #13 (permalink)
NetEngr/Geek
 
Pseudocyber's Avatar
 
Join Date: Sep 2002
Location: Earth\US\NC\Charlotte
Posts: 1,394
OS: Win2K


An ACL wouldn't hurt - assuming router is Cisco.

For the non-networking peeps ...

An ACL is an Access Control List. It is a rudimentary form of Security which routers can implement. I should qualify this statement - business routers that is. Home routers don't really have this feature - usually.

An ACL can compare IP addresses and protocols being used and allow or deny access. They can be put on an incoming direction or an outgoing - the difference is to allow the traffic "into" the router or not. They have different processing demands put on the router.

An ACL will slow down the throughput of the router, to a degree. If the ACL is extensive and not designed well, it can put a substantial choke point on your throughput or even drop traffic unnecessarily.

However, if the ACL is pretty small and you're only looking to allow a few protocols through then there shouldn't be a problem.

In layman's terms it would be something like this:

If destination is me and protocol is HTTP then allow.
If destination is me and protocol is SMTP then allow.
If destination is me and protocol is SSL then allow.
Deny all else.

Note, an ACL on a router DOES NOT take the place of a true Firewall. A firewall can do it better and faster and is more secure.

HTH!
Pseudocyber is offline  
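
Added example, not part of any post in this thread: the Linux gateway gotissues68 describes in #10 (extra public addresses as interface aliases, forwarding by destination IP) combined with the allow-then-deny-all-else logic Pseudocyber sketches in #13, written as a script that emits an iptables-restore ruleset. The 203.0.113.x addresses, the 192.168.10.0/24 DMZ subnet and the interface roles are constructed placeholders, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed values: 203.0.113.x stands
# in for the ISP block, 192.168.10.0/24 is a hypothetical DMZ, eth0 faces the
# DSL bridge, eth1 faces the web servers.
WAN_IF=eth0
DMZ_IF=eth1

# Extra public addresses are added to the WAN interface first, e.g.
#   ip addr add 203.0.113.3/32 dev eth0 label eth0:0

# One published service per line: public_ip proto port dmz_host
SERVICES='203.0.113.2 tcp 80 192.168.10.2
203.0.113.3 tcp 80 192.168.10.3
203.0.113.3 tcp 443 192.168.10.3'

# DNAT: pick the internal server from the public address the packet was sent to.
nat_rules() {
    echo "$SERVICES" | while read -r pub proto port host; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $pub/32 -p $proto --dport $port -j DNAT --to-destination $host:$port"
    done
}

# Filter: FORWARD sees the already-translated destination, so match the DMZ host.
filter_rules() {
    echo "$SERVICES" | while read -r _pub proto port host; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $host/32 -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Full ruleset in iptables-restore format. Only forwarded traffic is covered;
# rules for reaching the gateway itself (INPUT) are left out of this example.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
$(nat_rules)
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$(filter_rules)
COMMIT
EOF
}

build_ruleset
```

Run as root, piping the output into `iptables-restore --test` parses the ruleset without committing it. Anything not listed in `SERVICES` falls through to the `FORWARD DROP` policy, which is the "deny all else" line of the layman's ACL.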
Old 09-29-2002, 12:30 AM   #14 (permalink)
Member
 
Join Date: Jul 2002
Location: London
Posts: 25
OS: win98/2000


Hi, Pseudocyber.

I loved that HighWarriors mpeg. And that voice-over!

I have been playing around again and I have a confession to make. The idea of putting a public IP address on one of the web servers had not occurred to me! (I get there in the end, but my brain moves pretty slowly at times.)

Anyway, about firewalls.

Quote:
Note, an ACL on a router DOES NOT take the place of a true Firewall. A firewall can do it better and faster and is more secure.
As I understand it, a firewall is there to, among other things, stop outsiders finding open ports to gain access to your system. In this sense, a NATed router is acting as a firewall.

What is it that a firewall does that makes it "better, faster and more secure"?

Tim
AfterDark is offline  