
Another $%^&$#"* router question...



ChrisA
19th-October-2005, 11:23 PM
Ok, here's another router question.

Or at least it would be, if I knew enough to be able to articulate it properly.

I want to put Exchange Server on a box with one of the two public IP addresses I get with my PlusNet account. This box is also going to be a domain controller (Windows 2K3 Server) for a domain I own, and so I want that IP to be propagated through the DNS system. It's probably also going to host a web site, maybe several.

I'm quite happy for my other public IP to be the address of the gateway that's also exposed to the internet.

So although I want the server behind a hardware firewall, I want the relevant ports open so that the public IP isn't hidden from the rest of the internet.

Currently I have a Linksys ADSL gateway, with a reasonable firewall, some ethernet ports, wireless that doesn't work very well, VPN termination that works well enough with other Linksys devices of the same type, and DHCP that serves up local IPs in the 192.168.x.x range quite nicely - though obviously that's no good for internet-wide DNS.

I still want VPN, I wouldn't mind having the ADSL gateway in the same box either. But beyond this, my feel for requirements starts to get a bit hazy.

My question is, what devices should I be looking at that will meet these requirements. And if there's a web site that helps with decisions like this it would be cool.

Thanks in advance...

El Salsero Gringo
19th-October-2005, 11:38 PM
I'm quite happy for my other public IP to be the address of the gateway that's also exposed to the internet.

So although I want the server behind a hardware firewall, I want the relevant ports open so that the public IP isn't hidden from the rest of the internet.

Currently I have a Linksys ADSL gateway, with a reasonable firewall, some ethernet ports, wireless that doesn't work very well, VPN termination that works well enough with other Linksys devices of the same type, and DHCP that serves up local IPs in the 192.168.x.x range quite nicely - though obviously that's no good for internet-wide DNS.

Forgive me if I'm teaching someone's grandmother to suck eggs, but the feature you need to use is NAT - Network Address Translation. Most home routers now do this to some extent, probably enough for your purposes, at least to get things started. I'm not entirely sure how you get two public IP addresses, unless you're being assigned a /30 subnet, in which case it would be up to the ISP to provide a router at your premises. Grab me for a chat tomorrow if you like. I used to be a Cisco specialist in exactly that field, so I might be able to be some use.

WittyBird
19th-October-2005, 11:42 PM
Hope this is what you are looking for :grin:
My best friend is an MVP; he is also in the top 10 on Experts Exchange, specialising in Exchange (http://www.experts-exchange.com/). His user name is sembee :waycool:

First off.
You are confused with internet domains and Windows domains.

You do not want to expose any internal active directory domain controller to the Internet for DNS. Very bad idea as it exposes more information than the world needs to know.

Leave your internet domain name where it is and simply adjust the DNS settings at the registrar/web host.

Putting Exchange on to a domain controller isn't really a clever idea, but if you only have one server or SBS then you don't have much choice. The Windows server part needs to run the show from an internal networking point of view, so if the router has built-in DNS and DHCP this needs to be disabled. All clients need to look to the domain controller for DNS information. If you have problems with DNS lookups, use forwarders.

If you are prepared to ditch whatever router you currently have, get some decent kit. Linksys do a very nice standalone ADSL modem. This can then feed something like a Cisco PIX 501/505 which is a small hardware firewall which can cope with the multiple IP addresses. The 501 has 4 network ports making it a good starting point. It isn't really critical to have a dedicated IP address for the firewall device on the outside - just NAT everything through and use both addresses internally. You could do something like have a dedicated IP address for your server and all the clients NAT on the other IP.

For IP addresses, use 192.168.x.x but avoid 192.168.0.x and 192.168.1.x - this will cause problems with other people. I usually use a double digit - 11, 22 etc. Easy to remember.

If you want wireless, pick up a cheap WAP. The Linksys WAG54G does the job quite nicely. Connect to the network and the server will deal with IP address assignment.

Hosting web sites... this isn't really worth the hassle. There is so much cheap web hosting around that you can leave someone else to worry about it, with more bandwidth than you will ever get at home. If you want to host multiple web sites, get a "reseller" account. Single fee, as many web sites as you like.
If you do decide to host web sites internally then you will need to set up split DNS so that it works inside and out. You may want to do this anyway so that you can get to OWA inside and outside on the same address.

http://www.amset.info/netadmin/split-dns.asp

LMC
19th-October-2005, 11:45 PM
<<<< streaks through thread >>>>

Andreas
19th-October-2005, 11:48 PM
Quite frankly, if you secure your server well enough, any ADSL router will do the job. Otherwise you'll be looking at very expensive solutions.

When I say any router then this will exclude very simple ones. You will need to have one that allows you to create zones, as your server MUST NOT be part of the intranet zone. It has to sit in a DMZ (DeMilitarised Zone). That way, if the server should be compromised the rest of your network will still be safe.

Then you have to configure port forwarding in your router. Naturally you will only forward ports for services you offer to the outside world, i.e. SMTP, POP3 or IMAP, HTTP, perhaps HTTPS, possibly FTP if needed. The same applies to your VPN.

Pretty much all routers have a built-in "firewall". This is not really a firewall, it is simple NAT (Network Address Translation). What that means for you is that requests from the outside world will be bounced off, unless you forward the respective port. Like most hardware firewalls, NAT will only filter incoming requests. So if you have a virus on your server NAT is of no help. (I will save you the speech why I would not ever choose Windows as a server OS :D ).

One of the most important rules is: switch each and every service on your server OFF and then start enabling the ones that you really need in order to do what you intend to.

:flower:

El Salsero Gringo
19th-October-2005, 11:52 PM
First off.
You are confused with internet domains and Windows domains.

You do not want to expose any internal active directory domain controller to the Internet for DNS. Very bad idea as it exposes more information than the world needs to know.

I presume that Chris wants to use Exchange Server to receive SMTP mail with the MX record set to point to that box via its public address. Similarly he wants to host a public web server. The fact that the box also runs as a Windows domain controller to the internal network is pretty irrelevant. Let's also credit him with having decided there are good reasons for doing it this way rather than using an external web and mail hosting service; there's no overriding technical reason why it should be done that way.

WittyBird
19th-October-2005, 11:54 PM
Quite frankly, if you secure your server well enough, any ADSL router will do the job. Otherwise you'll be looking at very expensive solutions.

When I say any router then this will exclude very simple ones. You will need to have one that allows you to create zones, as your server MUST NOT be part of the intranet zone. It has to sit in a DMZ (DeMilitarised Zone). That way, if the server should be compromised the rest of your network will still be safe.



This sounds like a basic home network, it doesn't need the complication of putting a domain controller in to a DMZ.

ChrisA
20th-October-2005, 12:53 AM
This sounds like a basic home network, it doesn't need the complication of putting a domain controller in to a DMZ.

This may well turn out to be true... ESG has made some useful suggestions (one of which made it fairly obvious why using the port forwarding facilities of my existing router that I'd already tried, didn't work as I'd hoped, and led me to think that I needed a more sophisticated solution).

I'll keep you posted if and when I get the whole thing working.

Thanks for the suggestions so far :flower:

ducasi
20th-October-2005, 01:16 AM
Hmm... What I'd like to know is how the ISP provide him with the two IP numbers... Is it by a routable subnet or a pair of entries in a DHCP table?

I'm not familiar with how ADSL does this type of thing – my cable modem acts like a bridge and so if I were to get multiple IP addresses from my ISP it would be via multiple DHCP entries allocated to me.

I guess ADSL, being point-to-point, will be different, and you'll likely get a /30 subnet...

If it is a routable subnet, you'll need a router (don't see why it'd have to be provided by the ISP though, ESG?)

Behind this router, which will be doing all your main firewalling, you have your server with one IP address, and then you'll want a second router doing NAT for the rest of the network.

For simplicity's sake, you might consider putting the server on both networks.

(If it was done the cable-modem way, you'd just plug both the server and the NAT router into a switch connected to the cable modem... if you insist on a separate hardware firewall for the server, you'd buy one and run it in bridging mode.)

VPN can be done by any of the boxes involved... DNS is a totally separate issue.

El Salsero Gringo
20th-October-2005, 01:57 AM
Hmm... What I'd like to know is how the ISP provide him with the two IP numbers... Is it by a routable subnet or a pair of entries in a DHCP table?

I'm not familiar with how ADSL does this type of thing – my cable modem acts like a bridge and so if I were to get multiple IP addresses from my ISP it would be via multiple DHCP entries allocated to me.

I guess ADSL, being point-to-point, will be different, and you'll likely get a /30 subnet...

If it is a routable subnet, you'll need a router (don't see why it'd have to be provided by the ISP though, ESG?)

Having talked to ChrisA, and seen what his ISP have sent him - they are providing a full routed subnet with a /30 mask, leaving a whole two (yes, count them, two) usable host addresses. I guess you're expected to use a 'real' router with an ADSL WAN interface, although since the ethernet interface of that router would have to adopt one of the two available addresses I'm not sure what the use of this would be. Perhaps there's a cunning ADSL-router-thing that does the job more efficiently (in terms of IP addresses) - anyone seen one? Why would I expect the ISP to provide the kit? I thought it was fairly standard for instance for leased line terminations which have a routed subnet at the customer end - but I don't suppose it's obligatory.

Going back to solving the original problem, it sounds like a single fixed public IP address and a home router with some common or garden NAT and fixed port maps for DNS, SMTP and HTTP should do the trick.
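The advice in this thread comes down to two rules for the router's port-forward table: forward only the ports of services you actually offer, and point every forward at the exposed server rather than at a LAN client. The following Python audit is an added example, not code from any poster; the rule-table format, the ALLOWED set and the DMZ address are assumptions, and the sample table is constructed.

```python
from dataclasses import dataclass

# Constructed sample of a home router's port-forward table. The line format
# ("proto external_port -> internal_host:internal_port") is hypothetical.
SAMPLE_RULES = """
tcp 25 -> 192.168.22.10:25
tcp 80 -> 192.168.22.10:80
tcp 443 -> 192.168.22.10:443
udp 53 -> 192.168.22.10:53
tcp 3389 -> 192.168.22.10:3389
tcp 80 -> 192.168.22.57:8080
"""

# Services the thread treats as reasonable to expose (SMTP, HTTP, HTTPS, DNS).
# Anything outside this set is reported as a finding. Assumed, adjust as needed.
ALLOWED = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

@dataclass(frozen=True)
class Rule:
    proto: str
    ext_port: int
    host: str
    int_port: int

def parse_rules(text):
    """Parse the hypothetical rule-table format into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        proto, ext, _, target = line.split()
        host, int_port = target.rsplit(":", 1)
        rules.append(Rule(proto.lower(), int(ext), host, int(int_port)))
    return rules

def audit(rules, dmz_host, allowed=ALLOWED):
    """Return (rule, reason) findings; an empty list means the table follows both rules."""
    findings = []
    for r in rules:
        if (r.proto, r.ext_port) not in allowed:
            findings.append((r, "exposed port is not an offered service"))
        if r.host != dmz_host:
            findings.append((r, "forward points at a LAN host, not the DMZ server"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(parse_rules(SAMPLE_RULES), "192.168.22.10"):
        print(f"{rule.proto}/{rule.ext_port} -> {rule.host}:{rule.int_port}: {reason}")
```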

Andreas
20th-October-2005, 12:43 PM
This sounds like a basic home network, it doesn't need the complication of putting a domain controller in to a DMZ.

I personally don't think there is need for a domain controller unless Chris intends to serve a larger number of people or wants to tinker with it. In neither case should this be - as you already mentioned - on the same machine and accessible from the Internet. Hence the simple setup should be sufficient, with the use of a second computer as domain controller on the safe side of the fence, if it is needed.

Robin
20th-October-2005, 02:16 PM
Ok, here's another router question.

I want to put Exchange Server on a box with one of the two public IP addresses I get with my PlusNet account. This box is also going to be a domain controller (Windows 2K3 Server) for a domain I own, and so I want that IP to be propagated through the DNS system. It's probably also going to host a web site, maybe several.


Just to throw some more wood on the fire ....

On the basis that you are using a Win 2K3 server to run the DNS for a domain, you need to ensure that your own server is listed as the primary name server - technically you should have a backup server listed as well. I should say that in my experience you need to make sure that you are definitely listed as the primary nameserver, otherwise you will run into all sorts of error messages due to ADS updates not being allowed by the real primary nameserver.

Make sure that you keep thoroughly up to date with the MS updates and run the various MS security tools - such as IIS Lockdown etc.

Also, you might want to set up SSL on this box and enable FBA - this is not enabled by default in Exchange 2003 (unless it's SBS2003). You might also want to consider a front-end/back-end server scenario - it's probably the most secure if you plan to use OWA on this server.


Currently I have a Linksys ADSL gateway, with a reasonable firewall, some ethernet ports, wireless that doesn't work very well, VPN termination that works well enough with other Linksys devices of the same type, and DHCP that serves up local IPs in the 192.168.x.x range quite nicely

I use 2 very different routers/firewalls. One, if you've little money, is the DrayTek range - extremely competent, wireless options and superb VPN capabilities. The other is something called a NetPilot - very heavy duty security device - includes web scanning, anti-spam, anti-virus etc etc etc - but expensive - but very secure.

Robin
20th-October-2005, 02:54 PM
god - my typing is awful !!!!