Koozali.org: home of the SME Server

Server Only Mode

Paul

Re: Server Only Mode
« Reply #15 on: April 21, 2003, 01:51:32 AM »
Just a question,  can you actually assign 2 different IP addresses to the same NIC?  Remember, Howard only has 1 NIC to work with.

Paul

Howard

Re: Server Only Mode
« Reply #16 on: April 21, 2003, 10:47:41 AM »
Wow such a lot of help... Thanks Guys..

Stuart, your suggestion sounds like the one I will go for... If I set up SME as a public server (ie server only mode), I was under the impression that the firewall / security would not be active...Is this incorrect?

Also, if I didn't put the server in a DMZ and used NAT / port forwarding on the router, I guess this would work as well? Although I would need a dynamic DNS updater that gets my external IP address rather than the internal network one... Maybe the DMZ is the way to go - (you may have noticed I'm security paranoid)..

Again, thanks for all the help guys..

Bill Talcott

Re: Server Only Mode
« Reply #17 on: April 21, 2003, 07:29:52 PM »
Howard wrote:
>
> Stuart, your suggestion sounds like the one I will go for...
> If I set up SME as a public server (ie server only mode), I
> was under the impression that the firewall / security would
> not be active...Is this incorrect?

His suggestion actually was for a Server-Gateway, with two separate interfaces. The Server-Only mode assumes it's already on a secure LAN, so yes, the firewall is disabled.

> Also, if I didn't put the server in a DMZ and used NAT / port
> forwarding on the router, I guess this would work as well?
> Although I would need a dynamic DNS updater that gets my
> external IP address rather than the internal network one...
> Maybe the DMZ is the way to go - (you may have noticed I'm
> security paranoid)..

Yes, with PAT (Port Address Translation, aka NAT with port forwarding) you will be using the router as a firewall and the SME will be open. The router will decide which stuff gets through and which stuff is blocked. The DMZ idea may work, but you'd need to assign a second IP to your SME. I have a HowTo on contribs.org about assigning multiple IPs to one interface. To actually make it useful though, you need to also duplicate all the firewall rules (basically copying the templates and changing one line in each), but I don't have that HowTo done yet.

Boris

Re: Server Only Mode
« Reply #18 on: April 22, 2003, 01:09:35 AM »
Setting a second IP for the interface via eth0:1 is not hard, but I don't think it will work in this case as both IPs are in the SAME network. You need two DIFFERENT networks for routing to work.
You shouldn't do it by using your public/private IP either. I have a number of installations where SME is set up as a server-gateway with a single NIC using eth0-private, eth0:1-public, with public pages served via the public address and samba and other private services listening on the private IP of the same NIC, but I do it only if I have full control over the physical LAN; otherwise, your neighbours (in the case of cable Internet) or ISP can spoof your private IP and attempt to connect to the trusted private IP. They still need to log in to the server for some services, but not to, let's say, spam via SMTP.

I run my home server behind a small router/firewall and only forward a few ports to it. For a small home net it works well, and that (if I understand it right) was the intended purpose of this anyway. Some routers nowadays have a dyndns client built in and it works. Another solution is to play with dyndns addons or install a client on a Windows computer behind the same router. They share the same public IP.
Good luck.
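
Added example, not part of Boris's post: a small Python model of the spoofing concern he describes, where the private and public addresses share one NIC (eth0 / eth0:1), so a source-address check cannot tell a real LAN client from a forged source. The 192.168.10.0/24 network, the sample packets and the function names are constructed for illustration, and eth1 as the internal interface of a two-NIC gateway is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed private LAN range for illustration (not taken from the thread).
PRIVATE_NET = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # physical interface the packet arrived on
    src: str         # source address claimed in the IP header
    note: str        # what the packet really is (constructed label)


def trusted_by_source_only(pkt: Packet) -> bool:
    """Single NIC with eth0 + eth0:1: every packet arrives on eth0,
    so the claimed source address is the only thing left to test."""
    return ipaddress.ip_address(pkt.src) in PRIVATE_NET


def trusted_with_ingress_check(pkt: Packet, internal_if: str = "eth1") -> bool:
    """Two-NIC server-gateway: a private source address is only
    believed when it arrives on the internal interface."""
    return pkt.ingress_if == internal_if and trusted_by_source_only(pkt)


def classify(packets, two_nics: bool):
    """Return the trust decision for each packet under the chosen layout."""
    check = trusted_with_ingress_check if two_nics else trusted_by_source_only
    return [check(p) for p in packets]


# Constructed traffic: same three senders seen under each layout.
SINGLE_NIC_TRAFFIC = [
    Packet("eth0", "192.168.10.20", "real LAN workstation"),
    Packet("eth0", "192.168.10.20", "forged source from shared cable segment"),
    Packet("eth0", "203.0.113.7", "ordinary Internet host"),
]
TWO_NIC_TRAFFIC = [
    Packet("eth1", "192.168.10.20", "real LAN workstation"),
    Packet("eth0", "192.168.10.20", "forged source from shared cable segment"),
    Packet("eth0", "203.0.113.7", "ordinary Internet host"),
]

if __name__ == "__main__":
    for name, pkts, two in (("single NIC", SINGLE_NIC_TRAFFIC, False),
                            ("two NICs", TWO_NIC_TRAFFIC, True)):
        for pkt, ok in zip(pkts, classify(pkts, two)):
            print(f"{name:10} {pkt.ingress_if} {pkt.src:15} "
                  f"{'TRUSTED' if ok else 'untrusted':9} ({pkt.note})")
```

With one NIC the forged packet is indistinguishable from the workstation; with separate internal and external interfaces it is rejected because of where it arrived.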

stewart

Re: Server Only Mode
« Reply #19 on: April 22, 2003, 07:29:29 AM »
My idea WAS to use a router for the other PCs, and put the SME server behind this router. If you put it in server-only mode, as Bill says, it won't protect itself, so you are relying on the router's firewall rules.  So instead, I put it in server-gateway mode (since it has two NIC cards already), but just didn't hook anything up to eth1.  

My scheme worked well for web server, but for some reason I've had problems with mail. I can send mail out from the rest of the network (traffic goes out through the router, then down into the SME server to the mail server before turning around and going back out into the net), but I could not receive any mail.  Looks like SME server isn't set up to operate behind a router, and modifying the templates looks to be byzantine in its complexity - at least from my perspective.  

I've actually given up and gone back to my previous configuration: SME server working as server - gateway, connected to cable modem. On the internal side, it connects to a 5-port hub to which my workstations are connected.  

I tried using a Linksys router instead of a hub, but I cannot get my workstations to see the outside world.  Probably has to do with the fact that my SME server is on 192.168.224.x, while my router (and connected workstations) are on 192.168.1.x - some routing is required (I think) to get from that network to the SME server network, and isn't obvious to me how to accomplish it.  If anyone has any tips, please let me know.

cheers
Stewart in Calgary

Bill Talcott

Re: Server Only Mode
« Reply #20 on: April 22, 2003, 05:47:34 PM »
stewart wrote:
>
> My scheme worked well for web server, but for some reason
> I've had problems with mail. I can send mail out from the
> rest of the network (traffic goes out through the router,
> then down into the SME server to the mail server before
> turning around and going back out into the net), but I could
> not receive any mail.  Looks like SME server isn't set up to
> operate behind a router, and modifying the templates looks to
> be byzantine in its complexity - at least from my perspective.

The SME shouldn't require any changes. Do you have the router forwarding the incoming mail on port 25 to the SME? If you're giving the LAN PCs IPs that aren't in the SME's local network, you'll need to use the authenticated SMTP contrib at pagefault.org so that valid users can log on from outside the SME's LAN. In your case, defining a local network should work also.

> I've actually given up and gone back to my previous
> configuration: SME server working as server - gateway,
> connected to cable modem. On the internal side, it connects
> to a 5-port hub to which my workstations are connected.
>
> I tried using a Linksys router instead of a hub, but I cannot
> get my workstations to see the outside world.  Probably has
> to do with the fact that my SME server is on 192.168.224.x,
> while my router (and connected workstations) are on
> 192.168.1.x - some routing is required (I think) to get from
> that network to the SME server network, and isn't obvious to
> me how to accomplish it.  If anyone has any tips, please let
> me know.

I'm guessing you don't have it set up properly for this. In this setup, the SME is assigning a NAT IP to the router's WAN interface, and the router is then NAT-ing that to other private IPs for the PCs. If the SME is already providing NAT, there's no reason to do this, and you're just adding one more step of processing into the mix. The SME+hub is doing the same thing as your router's ports...