We've only got 3 interfaces in our firewall, so there will only be OPT1.
Is there a way to do this so I'm not required to address the OPT1 servers with internal IP addresses? I would have to worry about split DNS/etc. to make sure that LAN people could access it via FQDN and I'd rather not worry. Is it possible to have it like...

WAN - 1.1.1.1
LAN - 192.168.0.1-255
OPT1 - (1.1.1.2-1.1.1.5)

... so the servers are configured with their actual external IP addresses? If we are required to use one of the IP addresses for the actual OPT1 interface I can live with that.

Any ideas?

Thanks,
Geoff.

On 8/15/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> Greetings, all.
>
> We've got 5 static IP addresses (e.g. 1.1.1.1 - 1.1.1.5) from our ISP
> and we'd like to configure one for our WAN and the other 4 for our OPT
> (for public servers).
>
> WAN (1.1.1.1)
> LAN (192.168.0.1-255)
> OPT (1.1.1.2 - 1.1.1.5)
>
> I've tried this with bridging the WAN and OPT interfaces, but it
> doesn't seem to work.
>
> Is this possible? If so, how would I go about it?

Alternatively (1)

WAN (1.1.1.1 - 1.1.1.5) virtual interfaces for 1.1.1.2 - 1.1.1.5
LAN (192.168.0.1-255)
OPT (192.168.2.1 - 192.168.2.5)

OPT address is 192.168.2.1
Put the servers on OPT as 192.168.2.2-192.168.2.5
Port forward port 80 (and SSL if required) from virtual interfaces 1.1.1.2 - 1.1.1.5 to the respective addresses on OPT
Put in more relaxed rules from LAN to OPT so you can upload files for webservers in OPT

This is a classic DMZ setup that isolates the servers from your LAN, i.e. all of your webservers are NOT in the LAN. It makes no difference if the firewall is compromised but it may make all the difference if the webservers are.

Alternatively (2)

If you are not using the firewall for load balancing just put a hub in front of the router and stick the web servers onto the internet. Be sure to configure the local firewall on each webserver before plugging it in. If you allow SSH (use SCP not FTP for upload) from your firewall and port 80/SSL from ALL then block/drop the rest it should be pretty secure.

Any use of FTP sends a logon password as clear text and rather undermines your good work (the same applies to telnet [Soooo 20th century!]). (This can apply even if FTP is confined to your LAN.)

These are just a couple more suggestions; if you want you can isolate the web servers from each other and so it goes on. Decide what your risk is and act appropriately - always have a backup handy.

---Rob

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
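The DMZ layout in Rob's alternative (1), written out as an added example pf.conf ruleset. This is not from the thread, and the thread never names the firewall product or its rule language, so pf syntax, the interface names fxp0/fxp1/fxp2, and the DNS-only outbound rule for OPT are all assumptions; the addresses are the thread's own.

```pf
# Constructed example pf.conf for the WAN / LAN / OPT (DMZ) layout above.
# Interface names are assumptions; adjust to your hardware.
ext_if  = "fxp0"                # WAN, 1.1.1.1 with 1.1.1.2-1.1.1.5 as virtual IPs
lan_if  = "fxp1"                # LAN, 192.168.0.0/24
dmz_if  = "fxp2"                # OPT, 192.168.2.0/24 (firewall is 192.168.2.1)
lan_net = "192.168.0.0/24"
dmz_net = "192.168.2.0/24"
web_ports = "{ 80, 443 }"       # port 80 "and SSL if required"

# Outbound NAT: LAN and OPT leave via the WAN address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> 1.1.1.1

# Port forwards: each public virtual IP to its own server on OPT.
rdr on $ext_if proto tcp from any to 1.1.1.2 port $web_ports -> 192.168.2.2
rdr on $ext_if proto tcp from any to 1.1.1.3 port $web_ports -> 192.168.2.3
rdr on $ext_if proto tcp from any to 1.1.1.4 port $web_ports -> 192.168.2.4
rdr on $ext_if proto tcp from any to 1.1.1.5 port $web_ports -> 192.168.2.5

# Default deny on ingress; drop packets with spoofed source addresses.
block in log all
antispoof for { $lan_if, $dmz_if }
pass out all keep state

# Internet -> OPT: only the forwarded web ports (rdr has already
# rewritten the destination to the 192.168.2.x server).
pass in on $ext_if proto tcp from any to $dmz_net port $web_ports \
    flags S/SA keep state

# LAN -> OPT: the "more relaxed" rule, limited to SSH/SCP for uploads
# (no FTP, per Rob's clear-text password warning).
pass in on $lan_if proto tcp from $lan_net to $dmz_net port 22 \
    flags S/SA keep state

# LAN -> Internet: anything except the DMZ, which is covered above.
pass in on $lan_if from $lan_net to ! $dmz_net keep state

# OPT -> anywhere except LAN: DNS only (assumption). Nothing else
# from OPT is passed, so a compromised web server cannot reach the LAN.
pass in on $dmz_if proto { tcp, udp } from $dmz_net to ! $lan_net \
    port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n`; the `log` keyword on the block rule is what lets you watch dropped OPT-to-LAN attempts on pflog0.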
