
In my office we have two separate internet lines. One is for the general office internet, and the other is a dedicated line for the webserver. I've tried to connect the dedicated line into our switch using a VLAN so that I can access the webserver through our local network instead of going out to the internet and back in, but I haven't been able to get it to work.

I thought if I had the dedicated line and the webserver ports on a VLAN and tagged the webserver port on both VLANs it should work. I tried giving the webserver a second IP on a different subnet, 192.168.2.x, than the local network (is that more secure?) and gave the corporate server an IP there too, and that didn't work (does that still require a static route??), so I put it on the same subnet (1.x) and then I could access it locally, but it was no longer using its first static IP and was therefore not online anymore. I tried moving the webserver port back into the first VLAN (local) and keeping it tagged in both VLANs, and that didn't work either.

Am I trying to do this the right way? Should I have any security concerns about having them connected like that?

Thanks for any help. Mark

HopelessN00b
Mark
  • Do both lines go into the same router? Different routers? Does the webserver line go directly into the webserver? – Ben Jencks Nov 24 '10 at 03:09
  • Ben - the webserver line goes directly into the webserver. The office internet line goes into a firewall and then a switch. – Mark Nov 26 '10 at 20:24

2 Answers


If your webserver has two ethernet ports (most servers do, these days), then I'd make a new "DMZ" VLAN on your switch, put the second webserver port into it, configure it on the router (your router-switch connection should be a VLAN trunk) and, on the office router, configure a static route to the public web IP via the DMZ web IP, and on the webserver a static route to the office network via the router's DMZ IP.

Ben Jencks
  • I second this. You should definitely look into ways of obtaining a DMZ-like configuration, where all the traffic to the webserver from the local network is not automagically accepted. Creating a separate "dmz" VLAN, on a separate subnet with the webserver's secondary interface (and any future servers) in it, and then routing _while filtering traffic_ to it, as described above, would work. I shall detail a similar config that involves new equipment, just for completeness. – mr_daemon Nov 24 '10 at 05:24
  • It's an old server with only one ethernet port, but I will be upgrading it eventually so I may look into that later. Thanks. – Mark Nov 26 '10 at 19:43

You have not specified how/if NAT is being done, or if you just MIP/Full-Translate the static IP onto the dedicated or...

Well, roughly, this is how I would do it (Scroll down for ASCII diagram love <3)

                                   .-,(  ),-.
                                .-(          )-.
                               (  teh internets )
                                '-(          ).-'
                              .-----'-.( ).-'----.
                              |                  |
                              |                  |
                            __v___             __v___
                  LAN Line |_ooo_x|           |_ooo_x| Dedicated Server Line
                              |                  |
                              |                  |
                        [69.70.2xx.21]     [75.120.1xx.37]
                              |                  |
                              |                  |
                              |                  |
                              '-->eth0    eth1<--'
     ............................. _*______*_  ...........................
     .              .-------eth2*.[_...__...o]*eth3 -------.             .
     .              |            . ROUTER/SW   .           |             .
     .              |            .             .           |             .
     .      [192.168.1.0/24]     .             .   [172.16.32.0/24]      .
     .              |            .             .           |             .
     .              |            .             .           |             .
     .              v            .             .           |             .
     .          ____   __        .             .           |             .
     .         |    | |==|       .             .           |             .
     .         |____| |  |       .             .           |             .
     .         /::::/ |__|       .             .           |   ____      .
     .   ____   __    ____   __  .             .           v  |====|     .
     .  |    | |==|  |    | |==| .             .         eth0*|    |     .
     .  |____| |  |  |____| |  | .             .              |    |     .
     .  /::::/ |__|  /::::/ |__| .             .              |____|     .
     .                           .             .                         .
     .       Local Network       .             .            Web Server   .
     .............................             ...........................
            [vlan1 - LAN]                            [vlan2 - DMZ]

                           .----------------------------------------------.
                           | Abstract Routing/Vlan device Config          |
                           |                                              |
                           | 192.168.1.0/24 => NAT on 69.70.2xx.21        |
                           |                                              |
                           | Full NAT/Mapping:                            |
                           | 75.120.1xx.37 => MAP to 172.16.32.X [Server] |
                           | 172.16.32.X => NAT on 75.120.1xx.37          |
                           |                                              |
                           | Route LAN => DMZ traffic                     |
                           | 192.168.1.0/24 => 172.16.32.0/24             |
                           | (filtered, ex: TCP DST 22/80/443)            |
                           |                                              |
                           | Deny outbound DMZ => LAN traffic:            |
                           | 172.16.32.0/24 =>X 192.168.1.0/24 [DENY]     |
                           | (except related)                             |
                           '----------------------------------------------'

Do note that you may substitute ports for VLANs, and replace the mythical router-like device in that schema with a combination of multiple routers/NAT devices and switches/VLANs. But this is the generic idea. I would probably go for mapping/full NAT instead of adding an extra NIC to the web server to route back into the LAN.

Filtering the traffic is also nice -- it allows /some/ access to the DMZ from your local network, which is the entire point, and prevents the web server from directly accessing your LAN. Useful in case of a break-in.

Possible alternatives for mythical router-like device:

.---------------------------.
|   Multiple NAT Devices    |
| (Requires Router Switch,  |
|   or extra Router)        |
'---------------------------'                .-,(  ),-.
                .-----------------------> .-(          )-.
                |                   .--->(    interwebs   )
          69.70.2xx.21              |     '-(          ).-'
                |             75.120.1xx.37   '-.( ).-'
                |                   |
           __________          __________
       .->|____oooo_x|        |____oooo_x|<---.
       |    LAN Line           Server Line    |
       |      (NAT)              (NAT)        |
       |                                      |
     **|****************    ******************|
192.168.1.0/24   __Managed Switch____  172.16.32.0/24
     * '--------[_::::::::::::::::::x]--------'
     *            ^    *    *     ^          *
     *            |    *    *     |          *
     *LAN VLAN****|*****    ******|**DMZ VLAN*
                  |               |
                  |  __________   |
                  '-[_...__...x]--'

                   route/filtering
          192.168.1.0/24 <=> 172.16.32.0/24

That scenario implies the machines in each VLAN have a route for each other's subnet, and each VLAN's NAT device is that VLAN's default gateway.

Or if you actually have a "real" edge device (which would be very nice):

.---------------------------.
| Simple NAT Device         |
|    + ASA/Edge Firewall    |
'---------------------------'
                                             .-,(  ),-.
                .-----------------------> .-(          )-.
                |                        (    interwebs   )
          69.70.2xx.21                    '-(          ).-'
                |                             '-.( ).-'
             ______                               ^
       .--->|_ooo_x|                     .--------'
       |    LAN Line                     |
       |  (Office NAT)             75.120.1xx.37
       |                                 |
192.168.1.0/24                           |
       |                           _[Out Int.]_____
 ******|*************             [_...________...x][DMZ Int.]
 *  ___|__________  *             ^ [In Int.]            |
 * [_::::::::::::x] *            /       |   ************|*******
 *     Switch  ^    *           /        |   *     172.16.32.0/24
 *             '-------192.168.1.0/24----'   *      _    |      *
 *                  *         /              *     |=|   |      *
 *LAN VLAN***********        /               *     |_|   v      *
                            /                * Web Server       *
   .--------------------------------------.  *                  *
   .          route/filtering             .  ***********DMZ VLAN*
   .   on Edge FW, between In and DMZ     .
   .  192.168.1.0/24 <=> 172.16.32.0/24   .
   . (Previous pseudo-rules/routes apply) .
   '--------------------------------------'

Or if your server really is directly connected with no NAT whatsoever (better have that filtering up and running on it):

.------------------------------------------------------.
| Single Office NAT +                                  |
|   Server w/ Direct, Routable IP                      |
| (Requires second NIC, and a lot of manual,           |
|  separate, OS-specific filtering done on the server) |
'------------------------------------------------------'
                                              .-,(  ),-.
                 .-----------------------> .-(          )-.
                 |                        (    interwebs   )
           69.70.2xx.21                    '-(          ).-'
                 |                             '-.( ).-'
              ______                               |
      .----->|_ooo_x|                              |
      |      LAN Line                              |
      |    (Office NAT)                      75.120.1xx.37
      |                                            |
 192.168.1.0/24                                    |
      |                                            |
******|*************                               v
*  ___|__________  *                             eth0
* [_::::::::::::x] *                              __
*     Switch  ^    *              _______        |==|
*             '--192.168.1.0/24--|___|___|---eth1|  |
*                  *             |_|___|_|       |__|
*LAN VLAN***********             Firewall     Web Server
                                (On server)

   .--------------------------------------------------------------------.
   .            "pseudo DMZ" enforced by fw rules on Server.            .
   .         No routing required. Defeats the entire point, too.        .
   .  Attacker on Server can potentially alter ruleset and poke at LAN. .
   '--------------------------------------------------------------------'

However that's not very nice, security-wise. Feel free to combine scenarios. If you require more details, feel free to ask, too :)

Hope this somewhat helps. Also, had been a while since I had done ASCII graphs. Much fun was had here :D

mr_daemon
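To make the two answers concrete, here is a small Python model of the router behaviour they describe. It is an added illustration, not code from either answer or from any product: the subnets are the ones in mr_daemon's diagram, the masked public addresses (69.70.2xx.21, 75.120.1xx.37) are replaced by RFC 5737 documentation addresses, and 172.16.32.10 is an assumed address for the web server's DMZ interface ("172.16.32.X"). `route_lookup` shows why Ben Jencks' /32 static route for the public web IP wins over the default route on the office router, and `Router.forward` applies the rule box: 1:1 mapping of the dedicated public IP onto the DMZ address, LAN => DMZ allowed only for TCP 22/80/443, DMZ => LAN denied except replies to flows the LAN opened, and separate NAT for each line.

```python
"""Forwarding-policy model of the LAN / DMZ router sketched in the answers.

Added illustration, not code from the answers.  Subnets follow mr_daemon's
diagram (192.168.1.0/24 LAN, 172.16.32.0/24 DMZ).  The public addresses are
masked in the answer, so RFC 5737 documentation addresses stand in for them,
and 172.16.32.10 is an assumed DMZ address for the web server ("172.16.32.X").
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("172.16.32.0/24")
OFFICE_PUBLIC = ip_address("198.51.100.21")  # placeholder for 69.70.2xx.21
SERVER_PUBLIC = ip_address("203.0.113.37")   # placeholder for 75.120.1xx.37
WEB_DMZ = ip_address("172.16.32.10")         # assumed web server address in the DMZ
ALLOWED_LAN_TO_DMZ = {22, 80, 443}           # "filtered, ex: TCP DST 22/80/443"

# Office router routes, as in Ben Jencks' answer: a /32 route for the dedicated
# public IP points into the DMZ, so a LAN client that resolves the public name
# is routed inside instead of out to the internet and back in.
ROUTES = [
    (ip_network("0.0.0.0/0"), "isp-office"),      # default via the office line
    (LAN, "eth2"),
    (DMZ, "eth3"),
    (ip_network(f"{SERVER_PUBLIC}/32"), str(WEB_DMZ)),
]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the next hop or interface."""
    dst = ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def zone(addr):
    """Classify an address into the diagram's zones."""
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Router:
    """Stateful forwarding decision for one packet, mirroring the rule box."""
    # Flows already accepted, so replies can pass under "except related".
    # Simplified: keyed on (src, dst, proto, dport) only, not the full 5-tuple.
    conntrack: set = field(default_factory=set)

    def forward(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Full NAT / mapping: traffic to the dedicated public IP is rewritten to
        # the web server's DMZ address before the policy below is evaluated.
        if dst == SERVER_PUBLIC:
            dst = WEB_DMZ
        sz, dz = zone(src), zone(dst)
        flow = (str(src), str(dst), pkt.proto, pkt.dport)
        reverse = (str(dst), str(src), pkt.proto, pkt.sport)

        if sz == "lan" and dz == "dmz":
            # Route LAN => DMZ, but only the listed TCP services.
            if pkt.proto == "tcp" and pkt.dport in ALLOWED_LAN_TO_DMZ:
                self.conntrack.add(flow)
                return ("accept", str(dst))
            return ("drop", None)
        if sz == "dmz" and dz == "lan":
            # Deny DMZ => LAN, except replies to flows the LAN side opened.
            return ("accept", str(dst)) if reverse in self.conntrack else ("drop", None)
        if sz == "lan" and dz == "internet":
            return ("accept", f"snat {OFFICE_PUBLIC}")   # LAN => NAT on office line
        if sz == "dmz" and dz == "internet":
            return ("accept", f"snat {SERVER_PUBLIC}")   # DMZ => NAT on server line
        if sz == "internet" and dst == WEB_DMZ:
            # Inbound traffic that arrived through the mapping above.
            self.conntrack.add(flow)
            return ("accept", str(dst))
        return ("drop", None)


if __name__ == "__main__":
    router = Router()
    # Constructed sample flows; 192.0.2.50 stands in for an arbitrary internet host.
    samples = [
        ("LAN client -> public web IP :443", Packet("192.168.1.20", str(SERVER_PUBLIC), "tcp", 51000, 443)),
        ("web server reply -> LAN client", Packet(str(WEB_DMZ), "192.168.1.20", "tcp", 443, 51000)),
        ("web server -> LAN host :445", Packet(str(WEB_DMZ), "192.168.1.20", "tcp", 40000, 445)),
        ("LAN client -> web server :3389", Packet("192.168.1.20", str(WEB_DMZ), "tcp", 51001, 3389)),
        ("internet -> public web IP :80", Packet("192.0.2.50", str(SERVER_PUBLIC), "tcp", 40000, 80)),
    ]
    for label, pkt in samples:
        print(f"{label:34} {router.forward(pkt)}")
    print("office router next hop for the public web IP:", route_lookup(SERVER_PUBLIC))
```

The model accepts the LAN client's connection to the public web address and the server's reply, but drops a fresh connection from the web server toward a LAN host and a LAN connection to an unlisted port on the server. On a real Linux router the same policy would be expressed as a DNAT rule for the dedicated public IP, a forward rule matching the listed ports from LAN to DMZ, and an established/related rule ahead of a DMZ-to-LAN drop; the ordering matters, since the reply rule has to be evaluated before the deny.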
  • I forgot to mention that, of course, with the DMZ-on-a-different-subnet, you will need to implement split horizon DNS, if you want your LAN clients to resolve the website(s) address as the one in the DMZ, and not the publicly routable one. Just a little something to keep in mind, too... – mr_daemon Nov 24 '10 at 10:17
  • Thoroughly comprehensive response. (and nice charts. What did you use for them?) – SmallClanger Nov 24 '10 at 10:40
  • @SmallClanger: I used this old-as-sin piece of Perl code from CPAN called Asciio: http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm -- GTK interface, a massive pain to get working at all in the first place, has some bugs -- yet, I honestly use it more than Visio :) – mr_daemon Nov 24 '10 at 11:06
  • Thanks for the pointer. I've been looking for something like this. (Visio is great an' all, but sometimes I just want to get something done...) – SmallClanger Nov 25 '10 at 12:27
  • Wow, thanks for the detailed response. I should note that my network is very basic at the moment, and most closely resembles your last diagram. I don't have a fancy ASCII diagram maker like you, but here's a quick rundown of my layout. Dedicated line -> Ubuntu Server with a software firewall – Mark Nov 26 '10 at 19:45
  • The webserver is directly using the static IP. Office Line -> Hardware Firewall -> Main Switch -> Corporate Server and everything else. For those routing rules you gave, would those go into the firewall, the server, or the switch, if that's even possible? I'll be upgrading the webserver soon and getting a hardware firewall for it, so maybe that will help me get this working better. – Mark Nov 26 '10 at 20:16