 From:  Shaun Sutterfield <shaun at prointegrations dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Using 1:1 NAT on a server farm with exceptions for specific ports
 Date:  Sat, 03 Sep 2005 14:19:34 -0700
Using 1.2b9

I recently set up M0n0Wall, and I have to say it's pretty slick.  It's 
being used as a firewall & traffic shaper for a small server farm (web, 
ftp, and email hosting), with a full class C on the public side.  We're 
not using NAT at the moment, but now I've got an idea that I was 
wondering is do-able with M0n0wall's NAT features:

Right now, the email server listens on a single IP.  For the most part, 
each of the websites is on a dedicated IP.  Now there are a couple of 
clients who need their email to be on dedicated IPs for certificate 
reasons (web-mail, etc., can't have multiple certificates on a single IP 
address).  This idea may very quickly spread to all of the hosting clients.

What I don't want is to have to dedicate two IPs for every client; that seems 
rather wasteful.  So, I have the idea of using 1:1 NAT, mapping every 
public IP to the internal website IP address, and then setting up 
exceptions for specific ports (POP3, SMTP, IMAP, Web-Mail (:81), etc.) 
to map to an internal email IP address.  Basically, I want to map 
specific ports to one internal IP, and then "all others" to another 
internal IP.

For example:

Public network:  1.2.3.AAA / 24
Internal network: / 16
Internal range for websites:  10.1.2.AAA
Internal range for email:  10.1.3.AAA

I'd basically want to set up NAT so that: maps to maps to maps to* maps to*

I could then set up on our email server, configured for that 
specific client's domain name, certificate, etc., and change the web 
server to listen on rather than

Two questions:

1. Is this possible to do with m0n0wall, and if so, how?
2. Is it possible to do this "slowly" (meaning can I set up NAT for 
specific IP addresses and still have all the other public IPs pass 
through without NAT? We want to experiment with one or two clients 
first, not to mention it's probably going to be a bit of work to remap 
all of them)?

(Unrelated side note, since I saw someone was asking for bug info on 
1.2b9: I haven't had a chance to try to reproduce this in a controlled 
test environment, but there MIGHT be a bug in 1.2b9's console interface. 
When you set the LAN IP address, it seemed to keep setting it to /8 even 
though I was saying /24... and, bad on my part, I didn't catch this the 
last time, and for a few hours we weren't getting connections from anyone 
whose IP started with the same octet as ours... firewall anti-spoofing 
rules, etc.)

- Shaun
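The translation scheme the post describes (port-specific exceptions to the mail host, everything else 1:1 to the web host, and public IPs that have not been migrated yet passing through untouched) is easy to get wrong when the exception rules are evaluated after the 1:1 rule. The following is an added example, not code from the post or from m0n0wall: a small Python model of that decision logic that a practitioner can use to check an intended rule set before committing it to the firewall. The public /24 and the 10.1.2.x / 10.1.3.x internal ranges come from the post; the specific host numbers, the port list, and the `NatTable` class are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Address plan from the post. Concrete host numbers used later are constructed
# for this example; the post itself only gives the prefixes.
PUBLIC_NET = ipaddress.ip_network("1.2.3.0/24")   # public side, full class C
WEB_NET = ipaddress.ip_network("10.1.2.0/24")     # internal range for websites
MAIL_NET = ipaddress.ip_network("10.1.3.0/24")    # internal range for email

# Ports carved out of the 1:1 mapping and sent to the mail host instead.
# The set is an assumption; :81 is the web-mail port mentioned in the post.
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap", 81: "webmail"}


@dataclass
class NatTable:
    """Models the per-client migration state and the inbound translation rules.

    Hypothetical helper for the example; m0n0wall's own NAT tables are not
    represented here.
    """
    # Host octets of public IPs that have already been switched to NAT.
    migrated: set = field(default_factory=set)

    def migrate(self, host_octet: int) -> None:
        if not 1 <= host_octet <= 254:
            raise ValueError("host octet out of range for a /24")
        self.migrated.add(host_octet)

    def translate(self, dst_ip: str, dst_port: int, proto: str = "tcp"):
        """Return (internal_ip, port, rule) for an inbound packet.

        Rule order matters: the port exceptions are checked BEFORE the 1:1
        rule, otherwise the 1:1 mapping would swallow the mail ports too.
        Public IPs not yet migrated are returned unchanged (question 2 in
        the post: a gradual rollout).
        """
        dst = ipaddress.ip_address(dst_ip)
        if dst not in PUBLIC_NET:
            raise ValueError(f"{dst} is not in {PUBLIC_NET}")
        host = int(dst) - int(PUBLIC_NET.network_address)

        # Not migrated yet: no NAT, the packet reaches the public IP directly.
        if host not in self.migrated:
            return (str(dst), dst_port, "passthrough")

        # Exception first: mail/web-mail ports go to the mail host that has
        # the same last octet as the public IP.
        if proto == "tcp" and dst_port in MAIL_PORTS:
            target = MAIL_NET.network_address + host
            return (str(target), dst_port, "rdr:" + MAIL_PORTS[dst_port])

        # Everything else: plain 1:1 mapping to the web host.
        target = WEB_NET.network_address + host
        return (str(target), dst_port, "1:1")

    def rules(self):
        """List the translation rules in the order they must be evaluated."""
        out = []
        for host in sorted(self.migrated):
            pub = PUBLIC_NET.network_address + host
            for port, name in sorted(MAIL_PORTS.items()):
                out.append(f"rdr {pub}:{port}/tcp -> {MAIL_NET.network_address + host}:{port} ({name})")
            out.append(f"1:1 {pub} <-> {WEB_NET.network_address + host}")
        return out


if __name__ == "__main__":
    nat = NatTable()
    nat.migrate(10)   # migrate one client as a trial, the rest stays un-NATed
    for line in nat.rules():
        print(line)
    print(nat.translate("1.2.3.10", 25))    # mail exception
    print(nat.translate("1.2.3.10", 443))   # 1:1 to the web host
    print(nat.translate("1.2.3.11", 25))    # not migrated: passthrough
```

The `rules()` output makes the ordering requirement explicit: for each migrated public IP the port-specific redirects are listed ahead of the 1:1 entry, which is the property to verify in whatever rule set is actually deployed, since a 1:1 rule evaluated first would send the mail ports to the web host.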