Message-Id: <3.0.5.32.20031223103216.01468800@10.0.0.15>
Date: Tue, 23 Dec 2003 10:32:16 -0600
To: freebsd-questions@freebsd.org
From: "Jack L. Stone"
Subject: NAT Redirect Ext address to multiple Int IPs on single machine

On my own servers, which are all FBSD machines, I use the classic method of redirecting an IP address from a Gateway machine to a main host and its vhosts located on an Internal Machine like so:

    redirect_address 192.168.0.5 123.xxx.xxx.101   <-- main host

...then Apache sends any requests to a vhost to its own IP:

    192.168.0.5 -> 123.xxx.xxx.102
    192.168.0.5 -> 123.xxx.xxx.103

However, on an ISP where I manage servers, we have a new FBSD Gateway set that is working fine for the internal FBSD machines behind that GW, just as above. However, there are also some Windows Servers to be set up behind the Gateway and I was asked if I could do the redirect of several public IPs to a single Internal IP address as follows (the Win servers run IIS -- not Apache):

Redirect from FBSD GW to single Windows Server (all of the internal IPs are on one machine):

    redirect_address 192.168.0.5 123.xxx.xxx.101
    redirect_address 192.168.0.6 123.xxx.xxx.102
    redirect_address 192.168.0.7 123.xxx.xxx.103

I have never seen this setup before, but I tried it and it works -- that is, until we pull out the Gateway ad0 drive and put it into another FBSD machine. This is an experiment to see if, were the main GW to go down, we could pull the HD (or a clone HD) and move it to another machine to get right back up and running as before.

We have tried this exercise on several identical FBSD machines and find that the redirects no longer work. Eventually, the one FBSD internal machine on this new network test will start resolving, but not the Windows stations -- although even here, the FTP will work, but not the port 80 webs on the Windows machines.

We have tried to isolate anything that might be in the slightest way different to figure out why the addresses no longer redirect to port 80, and I have pretty much concluded that IIS does not handle things like Apache does and that we cannot redirect as in the FBSD-->Windows example above.

Many times, I have successfully switched GW machines using the same HD and things worked as before. This allows me to bring down a GW machine to do maintenance while keeping all of the services running on another machine.

Admittedly, I have not run Windows servers and am unfamiliar with IIS and highly suspect this as the culprit.

Sorry for the length of this one, but was as brief as possible. Any suggestions greatly appreciated as this put us at the crossroads of whether to switch to FBSD as a GW/NAT/FW/Router.

Thanks & Happy Holidays!

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com