> Greetings, all.
>
> We've got 5 static IP addresses (e.g. 1.1.1.1 - 1.1.1.5) from our ISP
> and we'd like to configure one for our WAN and the other 4 for our OPT
> (for public servers).
>
> WAN (1.1.1.1)
> LAN (192.168.0.1-255)
> OPT (1.1.1.2 - 1.1.1.5)
>
> I've tried this with bridging the WAN and OPT interfaces, but it
> doesn't seem to work.
>
> Is this possible? If so, how would I go about it?

Alternatively (1)

WAN (1.1.1.1 - 1.1.1.5) virtual interfaces for 1.1.1.2 - 1.1.1.5
LAN (192.168.0.1-255)
OPT (192.168.2.1 - 192.168.2.5)

OPT address is 192.168.2.1
Put the servers on OPT as 192.168.2.2-192.168.2.5
Port forward port 80 (and ssl if required) from virtual interfaces 1.1.1.2 - 1.1.1.5 to the respective addresses on OPT
Put in more relaxed rules from LAN to OPT so you can upload files for webservers in OPT

This is a classic DMZ setup that isolates the servers from your LAN, i.e. all of your webservers are NOT in the LAN.
It makes no difference if the firewall is compromised but it may make all the difference if the webservers are.

Alternatively (2)

If you are not using the firewall for load balancing, just put a hub in front of the router and stick the web servers onto the internet. Be sure to configure the local firewall on each webserver before plugging it in. If you allow SSH (use SCP not FTP for upload) from your firewall and port 80/SSL from ALL, then block/drop the rest, it should be pretty secure.

Any use of FTP sends a logon password as clear text and rather undermines your good work (the same applies to telnet [Soooo 20th century!]). (This can apply even if FTP is confined to your LAN.)

These are just a couple more suggestions; if you want, you can isolate the web servers from each other, and so it goes on. Decide what your risk is and act appropriately - always have a backup handy.

---Rob
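
An added example, not part of Rob's message and not configuration for any particular firewall: a small Python model of the Alternative 1 policy that decides whether a new TCP connection passes, so the DMZ isolation property can be checked. The LAN-to-OPT port set, the LAN outbound rule and the sample source address 203.0.113.7 are assumptions constructed for illustration.

```python
import ipaddress

# Layout from Alternative 1; 1.1.1.x are the thread's example addresses.
LAN = ipaddress.ip_network("192.168.0.0/24")
OPT = ipaddress.ip_network("192.168.2.0/24")
# Virtual WAN address -> server on OPT (1.1.1.2 -> 192.168.2.2, and so on).
FORWARDS = {
    ipaddress.ip_address(f"1.1.1.{n}"): ipaddress.ip_address(f"192.168.2.{n}")
    for n in range(2, 6)
}
WEB_PORTS = {80, 443}             # "port 80 (and ssl if required)"
LAN_TO_OPT_PORTS = {22, 80, 443}  # assumption: "more relaxed" = SSH/SCP plus web


def zone(addr):
    """Name the interface an address sits behind."""
    if addr in LAN:
        return "LAN"
    if addr in OPT:
        return "OPT"
    return "WAN"


def decide(src, dst, dport):
    """Return (verdict, translated destination) for a new TCP connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone(src), zone(dst)
    if src_zone == "WAN":
        # Inbound: only the forwarded web ports on the virtual addresses.
        if dst in FORWARDS and dport in WEB_PORTS:
            return "pass", str(FORWARDS[dst])
        return "block", None
    if src_zone == "LAN" and dst_zone == "OPT" and dport in LAN_TO_OPT_PORTS:
        return "pass", str(dst)
    if src_zone == "LAN" and dst_zone == "WAN":
        return "pass", str(dst)  # assumption: LAN clients may browse out
    # Default deny. This is the rule that contains a compromised web server:
    # nothing on OPT may open a connection into the LAN.
    return "block", None


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port).
    for flow in [("203.0.113.7", "1.1.1.3", 80), ("203.0.113.7", "1.1.1.3", 22),
                 ("192.168.0.10", "192.168.2.3", 22),
                 ("192.168.2.3", "192.168.0.10", 445)]:
        print(flow, "->", decide(*flow))
```

The model covers new connections only; reply traffic for a passed connection is assumed to be handled by the firewall's state tracking.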
