[nmglug] networking question -- how would you do it?

Gary Sandine gars at laclinux.com
Sat Apr 29 12:19:20 PDT 2006


Hi,

I would like to hear from some of you how you would solve this problem.
I have a stable and pretty fast DSL line coming into my house and I want
to run three servers on Internet IP addresses, the addresses are a, b,
and c, say.  Server one answering at address a is in my house plugged
into the modem (it's a quiet P4 system), and servers two and three
answering to addresses b and c are in my garage (no wires going to the
garage) -- dual Opteron and dual Athlon (dual Athlon currently hosts
nmglug.org).

The first thing I did was to put one primary IP address (address a) and
two secondary IP addresses (addresses b and c) on the server.  Neither
of the servers in my garage had wireless cards so there was a third
computer in the garage with wireless and wired NICs to be a router.  I
put three IP addresses (call them b', c', d) on the wireless card in the
garage router.  I used iptables to push traffic hitting address b (in
the house machine) to b' in the garage router then to the appropriate
server in the garage.  Similarly, packets hitting address c (in the
house machine) forward to c' in the garage router then to the other
server in the garage.  This worked fine, but I was SNAT-mangling packets
along the way and all traffic to either garage server came from an IP
address associated with the garage router, which made it impossible to
filter traffic by source IP.  Perhaps if I used iptables differently and
did not have to SNAT-mangle in order to get packets to route properly,
this could have worked fine (I wanted to see the real source IP).  This
now seems like a dopey solution to me, but it was something I understood
and knew how to do in a short time the day I moved the servers to my
house.

The second thing I did was put wireless cards in the garage servers
(eliminating the extra garage router machine), and the house machine now
has a bridge interface with address a connected to the DSL modem with a
VPN tunnel device and the real external NIC as slaves (tinc for vpn:
http://www.tinc-vpn.org/ ).  The garage servers are now vpn clients, and
the vpn tunnel devices in the garage servers have external addresses b
and c, and tinc acts like a switch so incoming traffic bound for IP
addresses b and c goes directly to the appropriate garage server.  I now
see the real source IP and can work with this solution.  tinc is really
neat by the way if you need a stable, easily expandable vpn solution.  I
used tinc before and knew that it would do what I needed, so that's why
I went here.

I expect there are at least a few other ways to do this (simply, now
that I have functioning wireless cards in the garage servers).  I have
never done this, but I expect someone has put a bridging firewall at the
front of their network (with Internet-exposed services in computers
behind the firewall) -- maybe that would be an easy solution?  Others?

I'm curious to hear any ideas about this.

Thanks,
-- 
Gary Sandine <gars at laclinux.com>
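The first approach in the message (iptables on the house machine pushing traffic for address b to b' on the garage router) written out as an added example, not Gary's own rules: one ruleset with the SNAT that hid the real source address, and one with DNAT only, which keeps the client address visible to the garage server. Interface names and addresses are placeholders assumed for the example (eth0 facing the DSL modem, wlan0 as the wireless link to the garage router).

```sh
#!/bin/sh
# Added example, not from the original post. Generates iptables-restore
# nat tables for the two variants. All addresses are placeholders.
WAN_IF=eth0               # house machine's NIC on the DSL modem, holds a and b
WLAN_IF=wlan0             # house machine's wireless link to the garage router
ADDR_B=203.0.113.11       # public address b (TEST-NET-3 placeholder)
ADDR_B_PRIME=192.168.50.2 # garage router's b' (private placeholder)
HOUSE_WLAN=192.168.50.1   # house machine's own address on the wireless link

# Variant 1: what the post describes. DNAT to b', then SNAT on the way out.
# Every packet reaching the garage now carries source HOUSE_WLAN, so the
# garage server cannot filter or log by the real client address.
rules_with_snat() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $ADDR_B -j DNAT --to-destination $ADDR_B_PRIME
-A POSTROUTING -o $WLAN_IF -d $ADDR_B_PRIME -j SNAT --to-source $HOUSE_WLAN
COMMIT
EOF
}

# Variant 2: DNAT only. The real source address survives. The catch that
# makes people reach for SNAT: replies from the garage must return through
# the house machine so conntrack can undo the DNAT, which means the garage
# router's default route has to point at HOUSE_WLAN (no SNAT needed then).
rules_dnat_only() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $ADDR_B -j DNAT --to-destination $ADDR_B_PRIME
COMMIT
EOF
}

# Number of SNAT rules in a ruleset read from stdin (0 for variant 2).
count_snat() { grep -c -- '-j SNAT' || true; }

# Usage on the house machine, as root, with IPv4 forwarding enabled
# (echo 1 > /proc/sys/net/ipv4/ip_forward):
#   rules_dnat_only | iptables-restore
```

The same pair of rules, with c and c' substituted, covers the second garage server.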
