Multiple IPs/Routes Through Router?
Not sure what this idea would be called.
I have a LAN connection coming in to my router, which has an outside IP of (we'll use these for examples) A.A.A.A1. My router's internal IP is 192.168.0.1. I have one box connected to the router, with IP 192.168.0.100. Now, the box can have multiple IPs assigned to that NIC. Is there any way for me to 'route' another IP through the router, basically bypassing it entirely? I want 1 IP that's currently assigned to the router, which puts the box in the DMZ, and another IP to basically pass straight through to the box. Basically, the box needs 2 external IPs somehow. I only have 1 LAN port to use, and the router is a requirement for other things, so I can't get rid of it. Does any of this make any sense?
I would guess that this is going to depend entirely on the router. Let's say, for a second, that you didn't have any hardware restrictions: multiple NICs, plus no restriction about what the router is connected to upstream. You would have a set-up that looks like this:
Code:
NIC A [NIC A WAN IP] -----------------------------.
[remainder of the ASCII diagram not preserved]

Your router is a Network layer device; as such, it will determine where packets are sent via IP address rather than by Ethernet address. Your question, then, is whether it's possible to emulate this setup on your router. My Linksys WRT54G has a feature called 'static routing', allowing specific routes from the router to a given LAN IP address... I think that this will do what you want it to, assuming that the router doesn't try to get too smart about what's happening at the link layer. On my router this is available under [setup]->[advanced routing], and allows IP address, subnet mask and default gateway to be set up for up to 20 static routes. Your Mileage May Vary.
I've got a D-Link DIR-628, and it has the same options basically.
Problem I've run into: I ran the other cat5 up to the router from the box, and gave that NIC an IP that would be on the network. I put that IP in on the router, and the gateway IP in as well. I can't find the box from elsewhere on the network, it's simply not there (no ping replies), and if I unplug the other cat5 and set up Lenny to use the new NIC, no internet, period. Am I missing something somewhere?
This is one of those cases where a picture is worth a thousand words... that's why I put together the ASCII art diagram of the network as I saw it.
If you can put together a sketch of how your network is set up, either as ASCII art, or an attached picture (svg is a good option), that would help. Make sure that you show the IP address of each connection on both sides, e.g.:
Code:
____192.168.1.100 192.168.1.1 ____
Code:
____192.168.0.100 192.168.0.1 ____ Pub. IP
[remainder of the ASCII diagram not preserved]

Basically, I need some sort of way to make a "virtual connection" between the @'s, so that 192.168.0.101 becomes another public IP.
Edit: One more important thing I forgot to mention. IPs are assigned via DHCP based on MAC address as far as I can tell. IPs change if MACs change, otherwise they stay the same.
You have a very interesting problem there. What you're trying to do is called SNAT (Static Network Address Translation). Unfortunately, your SOHO router almost certainly doesn't support SNAT (or multiple WAN IPs in any way). What you need to do is use a static route to get it to route packets for the public IP to your server's LAN IP. You then need to get your server to realize that those packets are for it.
The static route to set on the router is easy: network <public IP> netmask 255.255.255.255 gateway <LAN IP>. This will make it think that the LAN IP of the server is the next hop for packets destined for the public IP. In point of fact, that's exactly correct. The second part (making the server realize that the packets addressed to the public IP are for it) is rather more complicated. I'm guessing that it'll involve creating a virtual Ethernet device. I'll fire up some VMs when I get home and play around with it. |
You can subnet your network. Assign the regular IP and the virtual IP on different subnets. Then use the router to route between them.
You could also use a 10.xxx.xxx.xxx address for the virtual IP address. However, as the router's output port is also a port, you don't have the isolation you should with one device. A computer in the DMZ should not have any interface in the LAN. In the DMZ it is exposed to hostile traffic. If it is successfully compromised, the attacker has full access to your LAN. Even without being compromised, you are allowing internet traffic on the wire you use for the LAN, which will eat up bandwidth. If there is a DoS attack, for example, the attacker can deny LAN access as well as access to the internet. There is a type of scanning where a 3rd device is used (such as a printer), which could reveal to an attacker that the device is actually on the LAN, making you a more attractive target.
As jschiwal says, it's rather insecure to have a publicly visible host connected to your LAN. If that host is breached, it effectively makes the rest of your LAN public too. Most computers on LANs aren't secure enough for public visibility, so that can be a Very Bad Thing. You have been warned.
As it turns out, it's simpler than I thought. All you need to do in order to get your server to listen on the public IP is register it as a virtual interface on eth0. The command to do that is below. Replace '<public IP>' with the public IP you want it to listen on. I'm not a Debian user so I have no idea how to make its init scripts set that up for you. Someone else (you?) will have to figure it out. Code:
ifconfig eth0:1 <public IP> netmask 255.255.255.255
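A persistent form of that alias for Debian's ifupdown, plus the lockdown the surrounding posts argue for (the public address shares the wire with the LAN, so expose only the intended service on it and never let the box forward between the two), as an added example that is not from the thread. Assumed placeholders: the LAN NIC is eth0, the alias is eth0:1, the extra public IP is 203.0.113.10 (an RFC 5737 documentation address standing in for <public IP>), and TCP/80 is the only service meant to be reachable on it. The functions only print the stanza and the rules; nothing is changed on the box unless the script is run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (change to taste):
IFACE=eth0             # NIC on the LAN side
ALIAS_N=1              # alias index -> eth0:1
PUB_IP=203.0.113.10    # stands in for <public IP> (RFC 5737 documentation range)
PUB_PORTS="80"         # TCP ports that may be reached on the public address

# /etc/network/interfaces stanza that brings the alias up at boot; this is the
# persistent equivalent of "ifconfig eth0:1 <public IP> netmask 255.255.255.255".
interfaces_stanza() {
    printf 'auto %s:%s\n' "$IFACE" "$ALIAS_N"
    printf 'iface %s:%s inet static\n' "$IFACE" "$ALIAS_N"
    printf '    address %s\n' "$PUB_IP"
    printf '    netmask 255.255.255.255\n'
}

# Rules that scope what the public address exposes. Traffic to the LAN address
# (192.168.0.100 in the thread) is untouched; only packets addressed to the
# public IP are filtered, and forwarding is switched off so a compromise of the
# public-facing service cannot be turned into a route into the LAN.
lockdown_rules() {
    for p in $PUB_PORTS; do
        printf 'iptables -A INPUT -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$PUB_IP" "$p"
    done
    printf 'iptables -A INPUT -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$PUB_IP"
    printf 'iptables -A INPUT -d %s -j DROP\n' "$PUB_IP"
    printf 'iptables -P FORWARD DROP\n'
    printf 'sysctl -w net.ipv4.ip_forward=0\n'
}

# Apply immediately (root required) and show the two checks worth doing after:
# the alias must appear on the NIC, and "ip route get" must report the public
# IP as "local", which is what makes the kernel accept packets sent to it.
apply_config() {
    ip addr add "$PUB_IP/32" dev "$IFACE" label "$IFACE:$ALIAS_N"
    lockdown_rules | sh -e
    ip addr show dev "$IFACE" | grep -F "$PUB_IP"
    ip route get "$PUB_IP"
}

if [ "${1:-}" = apply ]; then
    apply_config
fi
```

Usage: `sh alias.sh` prints nothing (the generator functions are meant to be called or sourced); `interfaces_stanza >> /etc/network/interfaces` records the alias, and `sudo sh alias.sh apply` brings it up now and installs the rules. The router's static route for `<public IP>/32` via the box's LAN address still has to be set on the router itself, as described above; without both halves the public address is either never delivered to the box or delivered and silently dropped.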
We haven't discussed the issue that you run into of getting a second public IP address from your ISP. Another issue that would bother me somewhat is the issue of security. As mentioned by others on this thread, having a publicly routable address in your LAN is a bad idea from a security standpoint... but even if you fix that, you still have to deal with the fact that both your virtual, publicly routable address and the other IP address running through the same jack are both on the same box. Unless you set up some sort of chroot environment or a virtual box connected to the outside world, you risk having that box get compromised, which will leave the rest of your LAN vulnerable.
I'll look into the idea of getting a switch if I can find a cheap one. I've already got 2 NICs in the box right now, both going to the router.
Edit: I'll get another public IP as long as another MAC address is seen on their end. Worst case I can do what I've done before and just assign a static one and pray not to have a conflict...