
Currently we have a few servers behind a router/gateway, which is in bridge mode, so the servers have directly assigned WAN IPs with no NATting performed. This works as expected.

There is, however, a separate office computer network behind a separate gateway, which is connected to the internet via the same router as all the servers.

Here's the simplified scheme (network diagram image, not reproduced in this extract).

Basically, this means that since the office gateway is connected to the same switch as the servers, they can connect to the servers via their WAN IP without going through the main internet firewall. This is desired and it makes many things easier, however I'm wondering if I should be connecting the servers to the office network separately anyway? It "feels awkward" a little to use the WAN IPs for "internal" communication, but I cannot really think of any big reasons why this would actually be bad...

Thanks

Carko

3 Answers


I'd suggest you just stick with the WAN IPs. It's going to needlessly complicate things if you want to try using LAN IPs for them. The only real advantage to private IP addresses would be simpler firewall configuration. In my opinion, that's not worth the extra overhead (it would mean all your servers need another IP assigned, plus you need to configure split-brain DNS).

devicenull

Things appear to be working in the standard manner for servers in this configuration. It appears that the router is properly configured to have different VLANs (Virtual LANs) for your servers in the DMZ (De-Militarized Zone).

Even if the servers in the DMZ had private IP addresses, the routing should remain as it is. They would need their own IP address range separate from the range used by hosts behind the office gateway. Using private addresses would require double the work in configuring the DNS entries and risk errors in the configuration. A split DNS configuration would be required and care would be needed to ensure the private addresses don't leak.

There would also be an issue of whether you would permit hosts behind the office gateway to access the hosts in the DMZ using their Public IP addresses.

BillThor

If you do not want to use WAN IPs on the LAN, the FW/gateway shouldn't be bridged, or at least should have NAT enabled. If not, as long as these publicly accessible servers are in a DMZ and separate from the non-routable IP addresses (in a separate subnet), with an according FW on your office gateway, you should be fine.

s1los
  • Well it's not that I don't want to use WAN IPs on the LAN, I'm just wondering if there's anything bad in actually using them... – Carko Dec 18 '11 at 03:30
  • For security reasons you should isolate your LAN from publicly accessible servers, or at least set up a firewall rule for your DMZ to accept but not initiate outbound connections, as this provides a security risk as well, but otherwise, no – s1los Dec 18 '11 at 03:36
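The policy s1los describes in the last comment (office hosts may open connections to the DMZ servers on their public addresses, the DMZ side may never open a connection into the office LAN), written out as an nftables forward policy for the office gateway in the diagram. This is an added example, not taken from the thread; the interface names lan0/wan0, the 192.168.10.0/24 office range, the 203.0.113.0/28 server range and the port list are assumptions.

```nft
# Added example, not from the original thread. Assumptions: "lan0" faces the
# office LAN, "wan0" faces the shared switch where the DMZ servers sit, the
# office LAN is 192.168.10.0/24 (constructed) and the servers' public block is
# 203.0.113.0/28 (documentation prefix standing in for the real WAN range).
define OFFICE_LAN = 192.168.10.0/24
define DMZ_PUBLIC = 203.0.113.0/28

table inet office_gw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the office opened are allowed back in;
        # nothing on the switch side gets to open a connection on its own.
        ct state established,related accept
        ct state invalid drop

        # Office hosts may reach the servers on their public addresses,
        # restricted to the services they actually use (constructed list).
        iifname "lan0" oifname "wan0" ip saddr $OFFICE_LAN ip daddr $DMZ_PUBLIC \
            tcp dport { 22, 443 } ct state new accept

        # Other new connections from the office (general internet) are allowed.
        iifname "lan0" oifname "wan0" ip saddr $OFFICE_LAN ct state new accept

        # New connections arriving from the switch side (a DMZ server or the
        # internet) toward the office LAN are logged, then dropped, so a
        # compromised server trying to pivot inward shows up in the logs.
        iifname "wan0" oifname "lan0" ct state new \
            log prefix "dmz-to-office: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the log prefix gives a simple detection hook for any DMZ host that starts initiating traffic toward the office.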