Firewall/Domain/make the pipes work question

bcredeur97
Solved by brwainer
Not what I'm doing but identical scenario from a networking standpoint:

I want to host two different websites on two different machines on the same network.
ex. machine 1 has IP: 192.168.11.50

ex. machine 2: 192.168.11.51

 

Both will host the web service on port 80.

A domain of "domain.com" is assigned to the WAN IP of the network. Theoretically I want to separate the two machines by domain... so a user requesting "machine1.domain.com" goes to 192.168.11.50:80 on the local network; and a user requesting "machine2.domain.com" goes to 192.168.11.51:80 on the local network.

How do I accomplish this? What do I need? Can this at all be done on a simple "home" style network (on a business network service so all ports are unblocked and such... but just consumer equipment so just a typical little home router/access point/switch/etc.) and just...you know....basic.

I can get a pfsense router setup if I really need to... but basically I just want to know what I need and how to do this...


3 minutes ago, bcredeur97 said:

Not what I'm doing but identical scenario from a networking scenario:

I want to host two different websites on two different machines on the same network.
ex. machine 1 has IP: 192.168.11.50

ex. machine 2: 192.168.11.51

 

Both will host the web service on port 80.

A domain of "domain.com" is assigned to the WAN IP of the network. Theoretically I want to separate the two machines by domain... so a user requesting "machine1.domain.com" goes to 192.168.11.50:80 on the local network; and a user requesting "machine2.domain.com" goes to 192.168.11.51:80 on the local network.

How do I accomplish this? What do I need? Can this at all be done on a simple "home" style network (on a business network service so all ports are unblocked and such... but just consumer equipment so just a typical little home router/access point/switch/etc.) and just you know basic....

I can get a pfsense router setup if I really need to... but basically I just want to know what I need and how to do this...

This is the reason why Apache Virtual Hosts exist. You are not required to host two different sites on the same server to use this. Read more about the setup process here:

 

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts


2 minutes ago, Homeless Pineapple said:

This is the reason why Apache Virtual Hosts exist. You are not required to host two different sites on the same server to use this. Read more about the setup process here:

 

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts

I'm not actually hosting websites.. I'm hosting two of the same "service" on two different machines on one network. But I don't want to change port #'s if I don't have to because this can grow to be a large # of machines in the future so I want to find a better way than having to remember port #'s

I just used "websites" as my analogy


21 minutes ago, bcredeur97 said:

I'm not actually hosting websites.. I'm hosting two of the same "service" on two different machines on one network. But I don't want to change port #'s if I don't have to because this can grow to be a large # of machines in the future so I want to find a better way than having to remember port #'s

I just used "websites" as my analogy

In that case, you would need to use NAT forwarding to internally assign a local IP address to a public IP address.

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX


6 minutes ago, Homeless Pineapple said:

In that case, you would need to use NAT forwarding to internally assign a local IP address to a public IP address.

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX

the issue here is I want two services on the same port. And for the network to "know" which machine's service to go to by determining which subdomain is being requested... i.e. subdomain1.domain.com and subdomain2.domain.com would both lead to port 80... but each is on two different machines with two different IP addresses..

I'm not sure if this is possible... but it seems like it should be.


43 minutes ago, bcredeur97 said:

the issue here is I want two services on the same port. And for the network to "know" which machine's service to go to by determining which subdomain is being requested... i.e. subdomain1.domain.com and subdomain2.domain.com would both lead to port 80... but each is on two different machines with two different IP addresses..

I'm not sure if this is possible... but it seems like it should be.

Any particular reason why each system needs to be on the same port? With NAT you can assign domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:80 to the internal port 192.178.11.51:8080.

 

If you would rather not use NAT, I'd say you would need to run your own DHCP and DNS servers that point to an internal IP address, or you use a squid3 reverse proxy. 

https://wiki.squid-cache.org/SquidFaq/ReverseProxy

 

Edit: Just to clarify, 1:many NAT allows for translation between private and public ports.

Edited by Homeless Pineapple


3 minutes ago, Homeless Pineapple said:

Any particular reason why each system needs to be on the same port? With NAT you can assign domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:80 to the internal port 192.178.11.51:8080.

 

If you would rather not use NAT, I'd say you would need to run your own DHCP and DNS servers that point to an internal IP address, or you use a squid3 reverse proxy.

https://wiki.squid-cache.org/SquidFaq/ReverseProxy

so you can use NAT with specific external addresses like that? If so... that's an unbelievably simple solution to my problem lol
I thought NAT settings typically ask for a source but that makes more sense now that I think about it...

so IN THAT CASE... I think I can have the same service on the same port but just two different addresses like I want... idk I'll have to look into it some more.

also no real reason for them to be on same port besides to save some work by not having to change default port on the "servers". If I have to go that route then I can... THANKS!


1 hour ago, Homeless Pineapple said:

Any particular reason why each system needs to be on the same port? With NAT you can assign domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:80 to the internal port 192.178.11.51:8080.

 

If you would rather not use NAT, I'd say you would need to run your own DHCP and DNS servers that point to an internal IP address, or you use a squid3 reverse proxy. 

https://wiki.squid-cache.org/SquidFaq/ReverseProxy

 

1 hour ago, bcredeur97 said:

so you can use NAT with specific external addresses like that? If so... that's an unbelievably simple solution to my problem lol
I thought NAT settings typically ask for a source but that makes more sense now that I think about it...

so IN THAT CASE... I think I can have the same service on the same port but just two different addresses like I want... idk I'll have to look into it some more.

also no real reason for them to be on same port besides to save some work by not having to change default port on the "servers". If I have to go that route then I can... THANKS!

I think @Homeless Pineapple made a typo, and they meant to write "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:8080." or "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:80." When a router is processing the port forwarding (Port Address Translation or PAT, which is part of NAT, and normally implemented in the firewall) it has no idea what hostname you have put in. At the level of TCP/IP, the hostname isn't included, only the IP address. Yes, messages from the browser will include the full hostname, but that is in the HTTP layer and a normal router will never look there in order to route things differently. If your router is capable of making Layer 7 Firewall Rules then you may be able to do something like this, but otherwise it is not possible to use the same outside IP:Port with two different inside services.


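As an added illustration (not code from this thread or from any of the posters), the distinction brwainer draws above: a port-forward (PAT) rule is keyed only on the outside IP:port, so two inside servers that both listen on port 80 cannot share one rule, whereas a reverse proxy reads the HTTP Host header and can send machine1.domain.com and machine2.domain.com to different backends on the same port. The public address, hostnames and HTTP requests are constructed examples.

```python
"""Why PAT cannot split traffic by hostname, and why a reverse proxy can.
All addresses, hostnames and requests below are constructed examples."""

# --- Layer 3/4: port forwarding (PAT) ------------------------------------
def add_pat_rule(table, outside_ip, outside_port, inside_ip, inside_port):
    """Install a port-forward rule. The key is only (outside IP, port):
    the router never sees the hostname, so a second rule for the same
    outside IP:port has nowhere to go and is rejected."""
    key = (outside_ip, outside_port)
    if key in table:
        raise ValueError(f"{outside_ip}:{outside_port} already forwards to "
                         f"{table[key][0]}:{table[key][1]}")
    table[key] = (inside_ip, inside_port)

def pat_translate(table, dst_ip, dst_port):
    """Return the inside (ip, port) for an inbound packet, or None if no rule."""
    return table.get((dst_ip, dst_port))

# --- Layer 7: reverse proxy dispatch on the HTTP Host header --------------
def parse_host(request: bytes):
    """Extract the Host header (without any :port suffix) from a raw HTTP/1.1 request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None

def proxy_route(routes, request: bytes):
    """Pick the backend (ip, port) by hostname. Unknown hosts get no backend
    rather than a default, so a stray request cannot land on the wrong server."""
    return routes.get(parse_host(request))

def demo():
    wan_ip = "203.0.113.10"                      # constructed public address
    pat = {}
    add_pat_rule(pat, wan_ip, 80, "192.168.11.50", 80)
    try:
        add_pat_rule(pat, wan_ip, 80, "192.168.11.51", 80)   # same outside IP:port
        collision = False
    except ValueError:
        collision = True
    # The only way PAT can reach the second box is a different outside port.
    add_pat_rule(pat, wan_ip, 8080, "192.168.11.51", 80)
    routes = {"machine1.domain.com": ("192.168.11.50", 80),
              "machine2.domain.com": ("192.168.11.51", 80)}
    req1 = b"GET / HTTP/1.1\r\nHost: machine1.domain.com\r\n\r\n"
    req2 = b"GET / HTTP/1.1\r\nHost: machine2.domain.com:80\r\n\r\n"
    stray = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
    return {
        "pat_collision": collision,                  # True: PAT cannot hold both
        "pat_80": pat_translate(pat, wan_ip, 80),
        "pat_8080": pat_translate(pat, wan_ip, 8080),
        "proxy_1": proxy_route(routes, req1),
        "proxy_2": proxy_route(routes, req2),
        "proxy_unknown": proxy_route(routes, stray),
    }
```

Calling demo() shows the PAT table needing two outside ports while the proxy routes both hostnames to port 80 on their own machines.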
15 minutes ago, brwainer said:

 

I think @Homeless Pineapple made a typo, and they meant to write "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:8080." or "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:80." When a router is processing the port forwarding (Port Address Translation or PAT, which is part of NAT, and normally implemented in the firewall) it has no idea what hostname you have put in. At the level of TCP/IP, the hostname isn't included, only the IP address. Yes, messages from the browser will include the full hostname, but that is in the HTTP layer and a normal router will never look there in order to route things differently. If your router is capable of making Layer 7 Firewall Rules then you may be able to do something like this, but otherwise it is not possible to use the same outside IP:Port with two different inside services.

I believe you saw my reply before I wrote my 1:Many NAT edit. To my understanding, 1:many allows translations between public and local ports, though I haven't worked with NAT in quite a while.

https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/


12 minutes ago, brwainer said:

 

I think @Homeless Pineapple made a typo, and they meant to write "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:8080." or "domain1.example.com:80 to the internal port 192.168.11.50:80 and domain2.example.com:8080 to the internal port 192.178.11.51:80." When a router is processing the port forwarding (Port Address Translation or PAT, which is part of NAT, and normally implemented in the firewall) it has no idea what hostname you have put in. At the level of TCP/IP, the hostname isn't included, only the IP address. Yes, messages from the browser will include the full hostname, but that is in the HTTP layer and a normal router will never look there in order to route things differently. If your router is capable of making Layer 7 Firewall Rules then you may be able to do something like this, but otherwise it is not possible to use the same outside IP:Port with two different inside services.

looks like I'll just have to do different ports I guess and make an excel spreadsheet for all my hosts lol

 

alright... thanks


2 hours ago, Homeless Pineapple said:

I believe you saw my reply before I wrote my 1:Many NAT edit. To my understanding, 1:many allows translations between public and local ports, though I haven't worked with NAT in quite a while.

https://meraki.cisco.com/blog/2014/08/1many-nat-for-meraki-mx/

The Meraki MX system is capable of Layer 7 inspection and is a poor example to use unless you know someone has that system or one that is equally capable.

 

EDIT: actually looking at the Meraki page you linked, the 1:Many NAT is just normal PAT or Port Forwarding. That feature on its own can’t distinguish between HTTP hosts. I believe a full featured Meraki system is capable of doing so, but not with the feature you linked. When that page talks about 1:1 and 1:many, they are talking about using one public IP for multiple inside servers, as opposed to the 1:1 which is just transferring all traffic between a public IP and a private one. This is useful for devices that you need a lot of external ports publicly available but you still want to provide UTM protection to.
