 From:  Shaun Sutterfield <shaun at prointegrations dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Using 1:1 NAT on a server farm with exceptions for specific ports
 Date:  Sat, 03 Sep 2005 14:19:34 -0700
Using 1.2b9

I recently set up M0n0Wall, and I have to say it's pretty slick.  It's 
being used as a firewall & traffic shaper for a small server farm (web, 
ftp, and email hosting), with a full class C on the public side.  We're 
not using NAT at the moment, but now I've got an idea that I was 
wondering if it is doable with M0n0wall's NAT features:

Right now, the email server listens on a single IP.  For the most part, 
each of the websites is on a dedicated IP.  Now there are a couple of 
clients who need their email to be on dedicated IPs for certificate 
reasons (web-mail, etc., can't have multiple certificates on a single IP 
address).  This idea may very quickly spread to all of the hosting clients.

What I don't want is to have to dedicate two IPs for every client--seems 
rather wasteful.  So, I have the idea of using 1:1 NAT, mapping every 
public IP to the internal website IP address, and then setting up 
exceptions for specific ports (POP3, SMTP, IMAP, Web-Mail (:81), etc.) 
to map to an internal email IP address.  Basically, I want to map 
specific ports to one internal IP, and then "all others" to another 
internal IP.

For example:

Public network:  1.2.3.AAA / 24
Internal network:  10.1.0.0 / 16
Internal range for websites:  10.1.2.AAA
Internal range for email:  10.1.3.AAA

I'd basically want to set up NAT so that:
   1.2.3.150:25 maps to 10.1.3.150:25
   1.2.3.150:110 maps to 10.1.3.150:110
   1.2.3.150:81 maps to 10.1.3.150:81
   1.2.3.150:* maps to 10.1.2.150:*

I could then set up 10.1.3.150 on our email server, configured for that 
specific client's domain name, certificate, etc., and change the web 
server to listen on 10.1.2.150 rather than 1.2.3.150.

Two questions:

1. Is this possible to do with m0n0wall, and how?
2. Is it possible to do this "slowly" (meaning can I set up NAT for 
specific IP addresses and still have all the other public IPs pass 
through without NAT--we want to experiment with one or two clients 
first, not to mention it's probably going to be a bit of work to remap 
all of them)?

(Unrelated side note, since I saw someone was asking for bug info on 
1.2b9:  I haven't had a chance to try to reproduce this in a controlled 
test environment, but there MIGHT be a bug in 1.2b9's console interface.  
When you set the LAN IP address, it seemed to keep setting it to /8 even 
though I was saying /24... and, bad on my part, I didn't catch this the 
last time, and for a few hours we weren't getting connections from anyone 
whose IP started with the same octet as ours... firewall anti-spoofing 
rules, etc.)

- Shaun
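One way to model the rule ordering the message asks for (the per-port mail exceptions evaluated before the catch-all 1:1 mapping, and public IPs that have not been migrated yet left untranslated), as an added Python example that is not part of the original post and not m0n0wall's own configuration or code. The networks and the 25/110/81 ports come from the message; IMAP on 143 and the set of already-migrated hosts are assumptions.

```python
import ipaddress

# Networks and ports taken from the message above; MIGRATED_HOSTS is constructed.
PUBLIC_NET = ipaddress.ip_network("1.2.3.0/24")
WEB_NET = ipaddress.ip_network("10.1.2.0/24")    # 10.1.2.AAA, web servers
MAIL_NET = ipaddress.ip_network("10.1.3.0/24")   # 10.1.3.AAA, mail server aliases
MAIL_PORTS = {25, 110, 143, 81}                  # SMTP, POP3, IMAP (assumed 143), web-mail :81
MIGRATED_HOSTS = {150}                           # last octets already moved behind NAT (assumed)

def _host(ip, net):
    """Return the host offset of ip within net, or None if ip lies outside it."""
    return int(ip) - int(net.network_address) if ip in net else None

def translate(public_ip, port):
    """Inbound direction: port exceptions first, then the 1:1 mapping, else pass through."""
    ip = ipaddress.ip_address(public_ip)
    host = _host(ip, PUBLIC_NET)
    if host is None or host not in MIGRATED_HOSTS:
        return (str(ip), port)                     # not (yet) NATed: left untranslated
    if port in MAIL_PORTS:                         # specific-port rule wins over the catch-all
        return (str(MAIL_NET.network_address + host), port)
    return (str(WEB_NET.network_address + host), port)

def untranslate(internal_ip):
    """Reply/outbound direction: both internal ranges map back to the same public IP."""
    ip = ipaddress.ip_address(internal_ip)
    for net in (WEB_NET, MAIL_NET):
        host = _host(ip, net)
        if host is not None and host in MIGRATED_HOSTS:
            return str(PUBLIC_NET.network_address + host)
    return str(ip)

def check_consistency():
    """Every inbound mapping must round-trip: the internal host's replies leave as the public IP."""
    for host in MIGRATED_HOSTS:
        pub = str(PUBLIC_NET.network_address + host)
        for port in sorted(MAIL_PORTS) + [80, 443]:
            inside, _ = translate(pub, port)
            if untranslate(inside) != pub:
                return False
    return True
```

`translate()` captures the ordering needed for the first question and the per-host opt-in needed for the second; `untranslate()` shows why the reverse mapping must cover both internal ranges, otherwise replies from the mail alias would leave with the wrong source address.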