Koozali.org: home of the SME Server

Multiple IP addresses on one physical interface routed internally to hosts

JoshuaR
Quote
Protocol  Source Port(s)  Destination Host IP Address  Destination Port(s)  Action
TCP       3389            192.168.110.22               3389                 Remove
TCP       12345           192.168.100.5                12345                Remove
Yes, you could do that, but just to be clear, the source and destination ports don't have to be the same (as Stefano wrote).

So you are not limited to forwarding the external 3389 port to one TS (in fact I wouldn't recommend it); you could in fact have your teacher TS as 192.168.1.5 and your student TS as 192.168.1.6.
With the diagram below, your teachers would RDP to yourexternalip:1234 and your students would RDP to yourexternalip:2345, and this will forward either one to the correct 3389 port on the appropriate terminal server.

You could forward like this:

Protocol  Source Port(s)  Destination Host IP Address  Destination Port(s)  Action
TCP       1234            192.168.1.5                  3389                 Remove
TCP       2345            192.168.1.6                  3389                 Remove

hope that helps,

--Josh   :grin:
« Last Edit: March 21, 2009, 01:40:18 AM by JoshuaR »
Life's tragedy is that we get old too soon, and wise too late...
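As an added example (not SME Server's own code and not from anyone in the thread), a small Python checker for a forwarding table like the one above: it parses the rows, flags the mistakes this thread is about (one external port pointing at two hosts, a destination outside the LAN, exposing 3389 itself), renders the equivalent DNAT rules for review, and gives the "try it from home" connect test suggested further down. It assumes a 192.168.1.0/24 LAN and an external interface named eth1.

```python
"""Sanity-check an SME Server style port-forwarding table (added example, not SME code)."""
import ipaddress
import socket
from collections import namedtuple

RDP_PORT = 3389
# Constructed input: the two rows from the forwarding table in the post above.
SAMPLE_TABLE = """\
TCP  1234  192.168.1.5  3389  Remove
TCP  2345  192.168.1.6  3389  Remove
"""
# proto, external (source) port, internal terminal server, port on that server
Forward = namedtuple("Forward", "proto src_port dst_host dst_port")

def parse_table(text):
    """Parse rows like 'TCP 1234 192.168.1.5 3389 Remove'; header and 'Remove' are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() in ("TCP", "UDP"):
            rules.append(Forward(parts[0].upper(), int(parts[1]), parts[2], int(parts[3])))
    return rules

def check_rules(rules, lan=ipaddress.ip_network("192.168.1.0/24")):  # LAN is an assumption
    """Flag duplicate external ports, hosts outside the LAN and the raw RDP port exposed externally."""
    problems, seen = [], {}
    for r in rules:
        key = (r.proto, r.src_port)
        if key in seen:
            problems.append(f"{r.proto}/{r.src_port} forwards to both {seen[key]} and {r.dst_host}")
        seen[key] = r.dst_host
        if ipaddress.ip_address(r.dst_host) not in lan:
            problems.append(f"{r.dst_host} is not in LAN {lan}")
        if r.src_port == RDP_PORT:
            problems.append(f"external {RDP_PORT} is exposed directly; use a non-default source port")
    return problems

def iptables_preview(rules, wan_if="eth1"):  # interface name is an assumption
    """Equivalent DNAT rules, for review only: SME Server generates its own firewall from the panel."""
    return [f"iptables -t nat -A PREROUTING -i {wan_if} -p {r.proto.lower()} --dport {r.src_port}"
            f" -j DNAT --to-destination {r.dst_host}:{r.dst_port}" for r in rules]

def tcp_reachable(host, port, timeout=3.0):
    """The 'try it from home' test: does yourexternalip:1234 accept a TCP connection at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run tcp_reachable from outside the LAN against the external IP and source port; a False there with a working internal RDP session points at the forward or the upstream firewall rather than the terminal server.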

f21970
Hi all,

You've all been such great assistance!  I've tried the recommendations as follows:
1. forwarded subdomain from ISP to external IP address of SME server
2. forwarded the relevant port on the SME server to internal address of terminal server
3. attempted to connect from home via RDP to subdomain

Alas, no joy - RDP reports that the domain is not reachable. I've run a tracert and can see the subdomain reaching the external IP address of the SME server, but it mustn't be getting through.

Anyone know what logs or such I can look in to determine what is happening to the traffic?  Or have I missed out a vital stage?

Again, I appeal, please speak in simple language to me!

JoshuaR
OK, well the theory in what you've done sounds correct, so the problem is most likely a small step along the way.
So from what you've written I gather you have:
Quote
1. forwarded subdomain from ISP to external IP address of SME server

So, sme.yourserver.com is now pointing to your SME external IP; I take it you've given the DNS entry time to propagate?
Quote
2. forwarded the relevant port on the SME server to internal address of terminal server
So, your incoming port is set up to forward to the internal IP of the terminal server with destination port 3389 (as in my example above)? Try forwarding both the TCP and UDP ports with the same source and destination if you haven't already.
Quote
3. attempted to connect from home via RDP to subdomain
That's right; I have a setup similar to this and it works. So pretty much you'll just have to work back and figure it out... can you RDP to your terminal server internally? If you try to RDP to your server from home, does it work if you RDP to the external IP instead of the DNS entry you made?
Check everything, and remember that to connect you will have to RDP using the format yourhostnameorip:1234, where 1234 is the source port you set up.
« Last Edit: April 02, 2009, 02:32:35 AM by JoshuaR »

f21970
Hi again Joshua,

I'll change the config so I forward the UDP ports as well. I'm just trying it currently on the standard RDP port, incoming and forwarded. I can connect via RDP internally to the terminal server, but due to restrictions on the Local Authority firewall I cannot test RDP externally to the server, therefore I have to try at home! I haven't tried to RDP to the external SME server IP address, as tracert indicated that traffic was passing fine from the domain name to the relevant IP address, but I guess it's worth a try!

I'll have another go tonight and let you know (keeping fingers crossed!)

Kind Regards,
Amanda

MSmith
OK, maybe I'm missing something here, but if the OP has multiple outward-facing IP addresses, why not put a switch in *front* of the SME server and assign another device (or several) the desired public IP(s)?

JoshuaR
Quote
OK, maybe I'm missing something here, but if the OP has multiple outward-facing IP addresses, why not put a switch in *front* of the SME server and assign another device (or several) the desired public IP(s)?
From what I understand the OP is using SME as a firewall for the TS.
The above port-forwarding method will keep SME in the 'front line' except for passing through the RDP traffic.

Stefano
If the OP has many IP addresses, I suggest he change SME to server-only mode and put on the edge something that can work with multiple IPs, like M0n0wall or IpCop.. in this way he could manage multiple IPs, traffic shaping and other things that you can't achieve (easily) with SME

my 2c
Stefano

f21970
That's an interesting thought Stefano - I'm kinda coming to the same conclusion. Passing through traffic to the terminal server is proving a tricky problem, and Exchange will likely be even worse - there doesn't seem to be any inbuilt support for these functions. Currently, the SME server is acting as server/gateway, running dansguardian to filter traffic.

It also currently runs email, which I will be changing in the next 12 months to Exchange (boo hiss), and users have access to their webmail remotely. 

How about the scenario where I leave the SME server in server/gateway mode, and additionally attach a box running IP cop with a separate IP address to the internet & LAN, through which I route the traffic to the internal servers?

If I change the SME server to be server only, and use IPcop (which I have had some scant experience with) as the external gateway do you see any potential implications? 

Stefano
Quote
That's an interesting thought Stefano - I'm kinda coming to the same conclusion. Passing through traffic to the terminal server is proving a tricky problem, and Exchange will likely be even worse

I agree

Quote
- there doesn't seem to be any inbuilt support for these functions. 

it's by design.. SME offers a limited firewall configuration because it's not a firewall

Quote
Currently, the SME server is acting as server/gateway, running dansguardian to filter traffic. 
How about the scenario where I leave the SME server in server/gateway mode, and additionally attach a box running IP cop with a separate IP address to the internet & LAN, through which I route the traffic to the internal servers?

it could be a good solution.. in this way you can use SME as a filter for internet navigation

Quote
If I change the SME server to be server only, and use IPcop (which I have had some scant experience with) as the external gateway do you see any potential implications? 

you should "move" dansguardian filtering to IpCop
then, as long as you don't expose SME services directly on the WAN, there's nothing to fear

Quote
It also currently runs email, which I will be changing in the next 12 months to Exchange (boo hiss), and users have access to their webmail remotely. 

exponge? :-) why?

Ciao
Stefano



janet
f21970

Quote
1. forwarded subdomain from ISP to external IP address of SME server
2. forwarded the relevant port on the SME server to internal address of terminal server.......

I'm not sure about this, but do you also need to add those subdomains to the Domains panel in SME server-manager?

By "forwarded subdomain", do you mean configured external DNS records to point that domain at sme servers external IP ?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

f21970
Hi Mary,
Yes, I do mean configured external DNS record to point at the SME server's external IP.

JoshuaR
Quote
I'm not sure about this, but do you also need to add those subdomains to the Domains panel in SME server-manager?
I recently set up a record with my ISP to point a subdomain to SME, and I didn't have to add anything to SME for me to be able to connect to it.

Quote
Exchange will likely be even worse
On a side note, SME has the functionality to delegate to a separate internal mail server (like Exchange) with the click of a button in the server-manager: http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Delivery
« Last Edit: April 02, 2009, 11:35:36 PM by JoshuaR »

f21970
Hi Joshua,

The issue with Exchange will not be internal access, but giving access to it from the big wide world.  I think my best route is to have a little dabble with IPCop and see where that leads!

Amanda

JoshuaR
No worries, IPcop may very well suit your needs. But to clarify, the link I posted shows that the option mentioned delegates the MX traffic to the internal server, giving access to it from the 'big wide world' ;) .

All the best,
Josh

f21970
I don't think I explained what I meant very well!  I meant external access for individuals to their Exchange email, not delivery of mail to/from the big wide world!