Topic: Public and private server, but not a gateway?

[judgej]

I've been scratching my head on this one for a few days, and not found a simple solution yet. Here is the scenario:

- ADSL service provides 5 IP addresses
- ADSL modem is a Vigor 2600 Plus
- A group of PCs on the internal network use DHCP for their addressing
- SME Server 6.5

Basically, these are my requirements:

- I would like the network to function whether the SME server is on or off. This means the Vigor router provides DHCP, and is directly connected to the internal network.
- I would like the SME server to be available to the internal network, as alocal server.
- I would also like the SME server to be available to the external network, through one of the public IPs.

Two solutions I can see:

1. Put the SME server into a DMZ. This, however, would be exposing the SME interface that is really only designed for internal network use. Is there any

way the SME server could be made to recognise whether it is getting a connection request from either an internal address, or an external address (via the DMZ) and act accordingly? At the moment I can see it distinguishes only between which network card a request comes in on.

2. Expose the public and private network cards of the SME to the same internal LAN, and pass through the public IP direct through the LAN to the server.

That would mean both the internal and external LAN cards of the SME being plugged into the same LAN. I can't see that being any less secure than two separate physical LANs, since a hacker could not 'jump out of' the public IP route going directly to the server, because only that one IP will be routed.

Which would be the best approach, or are there any other options I should choose? The VPN facilities of the Vigor router are very handy (and a lot less fiddly than the VPN on the SME) so it would be nice to keep all the PCs directly connected to the router, and not hidden on the other side of the SME server.

I guess, what I am trying to do, is to run the SME server in public and private mode, with a public and private IP, but *not* as a gateway.

I will be doing similar things with other servers later, such as an Asterisk server, and other web servers.

-- Jason

[duncan]

Port forward the relevent ports via the Vigor.

[judgej]

Port forward the relevent ports via the Vigor.

Would that not have the same problem as running the DMZ, namely, that if the SME is running in server-only mode, then I am exposing an interface (albeit just  afew ports) that is only meant for internal use?

If I set up an e-bay with the "use password for Internet access" then would the SME know that the forwarded ports to the *local* IP are from the Internet, and so present a password prompt?

-- JJ

[duncan]

What services do you want to expose.

Web-Https, Mail, VPN. Not a problem - just port forward and you will be fine.

This is fairly routine.

[judgej]

What services do you want to expose.

Web-Https, Mail, VPN. Not a problem - just port forward and you will be fine.

This is fairly routine.

Do you happen to know definately how the SME server will treat the port-forwarded connections? Will it know they are not from the local network, and therefore block all the HTTP i-bays that have been selected for local network access only? I don't want the full range of private i-bays (the HTTP part) exposed to the Internet. Some are public and some are private.

-- JJ

[judgej]

Okay, this is how I have set it up, and it seems to be working fine for now.

I have confiugured the Vigor with two VLANs - one for the local network and one for the public address network. The SME server straddles the two VLANs, with one network card plugged into each.

The router is configured to both pass through the routed public addresses, and offer DHCP. This gets applied to both VLANs, as I don't think it is possible with this router to offer just public address on one VLAN and just private DHCP on the other.

Somehow the router directs requests for the public address to the correct VLAN (the one with the server public network card on). I was a bit worried that would not work, but it seems to.

That is just about it. I know have the network split into two logical and physical networks through the one router: pubic and private, with servers and PCs that can be plugged into whichever is appropriate, with DHCP or public IPs configured as needed.

I hope that is useful to someone (and if there is some glaring security risk I've overlooked, apart from the fact that the SME server holds both local files and public websites, which we mostly accept as a small risk, then please let me know).

-- Jason

[duncan]

Do you happen to know definately how the SME server will treat the port-forwarded connections? Will it know they are not from the local network, and therefore block all the HTTP i-bays that have been selected for local network access only? I don't want the full range of private i-bays (the HTTP part) exposed to the Internet. Some are public and some are private.

-- JJ

Local ibays (http) remain local regardless of whether the server is server only or server-gateway. It makes no diffence. The httpd.conf file filters out any network not in the local networks tab.

[judgej]

Local ibays (http) remain local regardless of whether the server is server only or server-gateway. It makes no diffence. The httpd.conf file filters out any network not in the local networks tab.

If my current setup proves not to work as I expect, I'll give the port forwarding a try.

Thanks,

-- JJ