Multiple NAT on a network - help please
Junior Member
Join Date: Sep 2000
Location: Norwich, Norfolk, UK
Guys,
I am thinking of installing a solution where I have 2 Xserves, each with 2 NICs, one NIC supporting the office network and one connecting to the Internet via an Airport (or Cisco 827) router. I know that Airport will do NAT and that Xserve will also do NAT. The design looks like
Internet ADSL
Airport
Ethernet
2 x Xserve (with firewall)
Ethernet
Workstations
It's difficult to do this without graphics, but imagine that each line is connected to the one above.
So, can I configure the Airport with DHCP and NAT to serve the two Xserves and one of the Xserves with NAT to serve the workstations? Will web requests from the workstations be serviced through the Xserve AND the Airport and would I have any performance problems?
Any input would be gratefully received.
Many thanks
Paul
Junior Member
Join Date: Dec 2001
Location: England
Paul,
You shouldn't have any problems with that. I've used a similar set up for my home network.
Router to internet
|
Firewall doing NAT
/ | \
Client 1 Client 2 Client 3
|
Airport
Here NAT is used on both the firewall for the clients and on the Airport clients connected to Client 2.
Just think about your addressing scheme. I used the 192.168.x.x block and had 192.168.1.x block for wired clients and 192.168.2.x for wireless clients.
For you, you could do the same, with 192.168.1.x addresses on the Airport base station and the NICs in the Xserve connected to the Airport BS. Then assign 192.168.2.x addresses to the other NIC in the Xserves and the other clients.
Hope this helps,
Phil.
Junior Member
Join Date: Dec 2001
Location: England
Sorry, the diagram messed up a bit. The wireless clients are meant to be on client 2.
Phil.
Mac Elite
Join Date: Sep 2000
Location: Rochester, NY, USA
So the Airport is between the outside world and the Xserves? That seems weird, but what you are proposing should work.
You only really need to do the NAT in one place, though. All NAT does is share one IP address among a group of computers using internal IP addresses. I don't see a reason why you should have to run NAT twice, although like I said it will work.
You can get away with just running NAT on the router if you set up the Xserves with distinct IP addresses. Then you can run DHCP without NAT on the Xserve connected to the workstations. As long as your routing tables are set up correctly, you should be able to route packets through the Xserves to the Airport router, which would share the upstream connection among all the computers in the address range, regardless of where the DHCP information came from.
I would second Phil's remark that you should use different subnets for wired clients and wireless clients. If your routing tables are set up correctly, this shouldn't be a problem. And you get a lot of address space in the 192.168.x.x range, so you may as well use it!
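The double-NAT path discussed in this thread, as an added example that is not part of any poster's message: a small Python model of two port-translating NATs in series, showing that a workstation's request is rewritten once by the Xserve and once by the Airport, that the reply is restored in reverse order, and that inbound traffic with no mapping is dropped. The addresses are constructed: 192.168.2.x for workstations and 192.168.1.x for the Airport LAN follow the scheme suggested above, 192.168.1.2 for the Xserve's outside NIC and 203.0.113.5 (a documentation address) for the ADSL side are assumptions.

```python
import ipaddress

class Napt:
    """Minimal port-address translator: rewrites the source on the way out,
    restores it on the way back, drops inbound packets that have no mapping."""
    def __init__(self, name, inside_net, outside_ip, first_port):
        self.name = name
        self.inside = ipaddress.ip_network(inside_net)
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_map = {}  # (inside_ip, inside_port) -> outside_port
        self.in_map = {}   # outside_port -> (inside_ip, inside_port)

    def outbound(self, src):
        if ipaddress.ip_address(src[0]) not in self.inside:
            raise ValueError(f"{self.name}: {src[0]} is not on the inside network")
        if src not in self.out_map:
            self.out_map[src] = self.next_port
            self.in_map[self.next_port] = src
            self.next_port += 1
        return (self.outside_ip, self.out_map[src])

    def inbound(self, dst):
        ip, port = dst
        if ip != self.outside_ip:
            return None
        return self.in_map.get(port)  # None means no state: packet is dropped

def build_double_nat():
    # Constructed addressing plan, ordered from the workstations outward.
    xserve = Napt("xserve", "192.168.2.0/24", "192.168.1.2", 50000)
    airport = Napt("airport", "192.168.1.0/24", "203.0.113.5", 60000)
    return [xserve, airport]

def send_out(src, chain):
    for nat in chain:
        src = nat.outbound(src)
    return src

def send_back(dst, chain):
    for nat in reversed(chain):
        if dst is None:
            return None
        dst = nat.inbound(dst)
    return dst

if __name__ == "__main__":
    chain = build_double_nat()
    public = send_out(("192.168.2.10", 5000), chain)
    print("seen on the Internet as", public)
    print("reply delivered to", send_back(public, chain))
    print("unsolicited packet ->", send_back(("203.0.113.5", 61000), chain))
```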
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Not to nitpick and be discouraging, but what happens to your security model upon such time that those Xserves are providing a vulnerable Internet facing service? Being that they are Unix boxes, a vulnerability can come out that is not addressed in a timely fashion and an attacker could route right around your firewall and into the private network.
Following the same lines, say accounts on the Xserves are also similar/same in user/password to those which manage the firewall? Now one has privileges to modify the firewall policy as well. Naturally this last scenario depends on your firewall(s) and how it is deployed.
NAT is all well and good, but if you are port forwarding to these servers to provide services to the Internet instead of just to wireless users you may run into issues with the safety of your data/infrastructure.
Junior Member
Join Date: Sep 2000
Location: Norwich, Norfolk, UK
Thanks for all of these tips. I will make good use of them!