
We have 4 servers running in a data center, with internal IPs 192.168.3.* assigned. A hardware (FORTIGATE) firewall is configured with NAT, and it directs the traffic as follows (external IP -> internal IP):

111.222.333.10 -> 192.168.3.10  www.server1.com
111.222.333.11 -> 192.168.3.11  www.server2.com
111.222.333.12 -> 192.168.3.12  www.server3.com

In DNS, we have www.server1.com A 111.222.333.10

Now if I send a lot of data to www.server1.com from www.server2.com, the data will be sent through 111.222.333.10 (the external IP), and this causes our bandwidth usage to be huge (expensive!).

The workaround I have is to add a local hosts mapping on server2:

192.168.3.10  www.server1.com

That way, when sending files from server2 to www.server1.com, the transfer will be internal.

However, we are getting more and more servers, and it would be hard to manually add the mapping to every server.

Just wondering, do we have another solution for this? Can we do something in the FORTIGATE firewall?

PS: The DNS servers being used are public, such as OpenDNS, Google DNS, etc.

sysadmin1138
starchx

3 Answers


What are you using for DNS servers? Are you relying on something that you can control?

If you can control the DNS servers for all the machines, you can set up split-brain DNS. This is actually even easier if you are running a DNS server for your LAN only. You would just configure it to return 192.168.3.10 for server1.com instead of the public IP.

devicenull
  • Good idea - but we are using the DNS server the data center ISP provided, and also the Google one: 8.8.8.8. We have no control. We are trying to avoid building a DNS server. – starchx Feb 16 '11 at 03:15

No, your external bandwidth shouldn't be affected by 192.168.3.10 communicating with www.server2.com.

The traffic would be routed from server1, to the fortigate, then the fortigate will send it to server2. It will never traverse the external network on the fortigate.

A static hosts file on each server is the best way. Write it once, then use a simple script to push it to each host. Your alternative is to run your own DNS server and create a split DNS where internal hosts get the local IP, but others don't.

Steven
  • The traffic is routed to the fortigate and back to internal. Our data center bandwidth meter still includes this traffic in our bill. Once I added it to the local hosts file, bandwidth was much, much less. I am interested in your script. Does it work on both Linux and Windows hosts files? – starchx Feb 16 '11 at 03:22
  • Ah, so they bill you for server to gateway traffic, but not server to server traffic. Then a script is the best way; I don't have one but I'd write one. It depends on whether your hosts are Linux or Windows and the OS of your host computer. – Steven Feb 16 '11 at 18:12
  • Thanks Steven. Since all are Linux, I would probably use the SCP command to copy the hosts file to all the other servers. Thanks. – starchx Feb 27 '11 at 02:11

You may be able to get the internal addresses from an /etc/hosts file. You will need to copy this to all servers. If you can't configure the file to have priority over the DNS servers, you could set up dnsmasq on a server and feed it the hosts file. Then configure the servers to refer to it.

BillThor
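The hosts-file approach from Steven's answer and BillThor's answer, together with the scp push starchx mentions in the comments, as an added example (this is not code from any of the answerers): a POSIX shell script that builds the internal mapping from the question's NAT table, validates it, and merges it into a hosts file between marker comments so it can be re-run on every server without duplicating or corrupting entries. The mapping table, the marker strings, the file paths and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answers): maintain a managed block of
# internal NAT addresses in a hosts file, idempotently, so the same script can
# be copied to every server with scp and re-run whenever the mapping changes.
set -eu

# Internal IP -> public hostname mapping, taken from the question (constructed table).
NAT_MAP='192.168.3.10 www.server1.com
192.168.3.11 www.server2.com
192.168.3.12 www.server3.com'

# Markers delimiting the block this script owns; everything outside is left alone.
BEGIN_MARK='# BEGIN internal-nat-hosts (managed)'
END_MARK='# END internal-nat-hosts (managed)'

# Accept only "dotted-quad<space>hostname" lines, so a malformed or tampered
# mapping cannot write arbitrary entries into /etc/hosts. Returns 1 on any bad line.
validate_map() {
    if printf '%s\n' "$1" | grep -Ev '^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]+[A-Za-z0-9.-]+$' >/dev/null; then
        return 1
    fi
    return 0
}

# merge_hosts <hosts-file> <mapping>: replace the managed block (or append it).
merge_hosts() {
    hosts_file=$1
    map=$2
    validate_map "$map" || { echo "refusing to write malformed mapping" >&2; return 1; }
    tmp=$(mktemp)
    # Strip any previous managed block so re-running does not duplicate entries.
    if [ -f "$hosts_file" ]; then
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip   { print }
        ' "$hosts_file" > "$tmp"
    fi
    {
        printf '%s\n' "$BEGIN_MARK"
        printf '%s\n' "$map"
        printf '%s\n' "$END_MARK"
    } >> "$tmp"
    # Overwrite in place (rather than mv) so the file's owner and mode are preserved.
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# lookup_host <hosts-file> <name>: the address the resolver's "files" source
# would answer for <name>; prints nothing if the name is absent.
lookup_host() {
    awk -v n="$2" '$1 !~ /^#/ && $2 == n { print $1; exit }' "$1"
}

# Usage on a server (as root): sh this_script.sh /etc/hosts
if [ "$#" -eq 1 ]; then
    merge_hosts "$1" "$NAT_MAP"
fi
```

Copy the script to each server (scp, as in the comments) and run it against /etc/hosts; each run rewrites only the marked block, so a hosts file with its own local entries is not disturbed. On Linux the hosts file takes priority over DNS only if /etc/nsswitch.conf lists files before dns in its hosts: line, which is the priority question BillThor raises. If a central resolver is preferred instead, the same generated block can be written to a separate file and handed to dnsmasq with its addn-hosts= option, with the servers then pointed at that resolver.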