On Wed, 2005-05-18 at 10:50 -0700, Mark A. Taff wrote:
On Wednesday 18 May 2005 07:23, Ken Schneider wrote:
There is no need to reach the router's external IP (internally), only the internal IP. Let the router do the job it was designed for, route traffic.
No. The problem seems to be in your logic. If you can access liberty1 from the internet you can then access all of the internal machines via eth1. Let the router handle the connection to liberty1 via port forwarding. I believe the D-Link can handle this; I know Linksys routers can. Port forward ssh from the router to liberty1-int but no other ports, unless needed for other services, and then you can set up a VPN tunnel to further protect any traffic between your internet connection and liberty1. Then you can eliminate the liberty1-ext interface and the hub by having the cable modem connect directly to the D-Link WAN port.
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:
Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just 'cause it impresses Windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.
Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.
This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.
Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external IP addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.
Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).
Then as I see it liberty1-ext would be in a DMZ, which is fine. You can then use that address for connecting to liberty1 as well as run other services out to the internet. As far as the other boxes go, use the router to port forward as needed.

Routing:

liberty1 - default route should be liberty1-ext; additional route for the internal network pointing to the router via liberty1-int.

All other machines would have their default route point to the router.

With this you have no problems with all other machines reaching the internet through the router, and they can also reach liberty1 through the internal NIC.

Every device in the network should have a default route (I think) so that it knows where to send packets that are not known locally. If you follow it like this: pc-a is connected to a local router (the D-Link). pc-a wants to connect to liberty1. The D-Link knows about liberty1 and sends the request to liberty1 directly. Now pc-a wants to connect to somewhere.com. The D-Link doesn't know about somewhere.com and sends a request out to the internet name servers asking for the address of somewhere.com, gets a response and forwards the packet to somewhere.com. This is oversimplified but you should get the idea about routing. If you don't know first hand about a destination, send the request through your default route. At the last place I worked even the outside router that connected directly to the ISP had a default route which pointed to the ISP's router that it was connected to.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
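The routing Ken lays out above (liberty1 with a default route out liberty1-ext and the LAN reachable via liberty1-int; every other host defaulting to the D-Link) modelled as an added example that is not part of the thread: a longest-prefix-match lookup over the table each host would carry. All addresses are constructed from the RFC 5737 documentation ranges, since the thread never gives real ones.

```python
import ipaddress

# Constructed addresses for the thread's topology (none are given in the mail).
LAN = "192.168.1.0/24"          # internal network behind the D-Link
DLINK_LAN = "192.168.1.1"       # D-Link's internal address (default gateway for pc-a etc.)
LIBERTY1_INT = "192.168.1.10"   # liberty1-int on eth1
LIBERTY1_EXT = "203.0.113.10"   # liberty1-ext on eth0, in the DMZ
ISP_GATEWAY = "203.0.113.1"     # next hop toward the internet from the DMZ side


def make_table(routes):
    """routes: (prefix, gateway or None for directly connected, interface)."""
    return [(ipaddress.ip_network(p), gw, iface) for p, gw, iface in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins; 0.0.0.0/0 (the
    default route) only catches destinations no other entry covers, which is
    the 'if you don't know first hand, use the default route' rule above."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")  # only if no default route exists
    return best


def next_hop(table, dst):
    """Return (gateway or 'direct', interface) for a destination."""
    _net, gw, iface = lookup(table, dst)
    return (gw if gw else "direct", iface)


# liberty1: LAN directly connected on eth1, DMZ subnet on eth0, default via ISP.
LIBERTY1 = make_table([
    (LAN, None, "eth1"),
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", ISP_GATEWAY, "eth0"),
])

# pc-a (any other internal machine): LAN directly connected, default via the D-Link.
PC_A = make_table([
    (LAN, None, "eth0"),
    ("0.0.0.0/0", DLINK_LAN, "eth0"),
])

# Host with no default route: reaches the LAN only, anything else raises LookupError.
NO_DEFAULT = make_table([(LAN, None, "eth0")])
```

Note that from pc-a the external address liberty1-ext is reached via the D-Link, not directly, which is why the internal address is the one to use from inside.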