
I want to NAT a certain group of servers in my datacenter so that they all access clients from a single IP. This will make it much easier for documentation that we provide clients.

However there will be a large amount of data traveling between the given servers and clients so I don't want to flood a single proxy machine with all the traffic. What could I do in this scenario?

ckliborn
  • This sounds like a really bad idea. Why do you want to use NAT like this, and trade time to document for time troubleshooting issues? – Jim B Apr 26 '12 at 11:34
  • I just want to give Clients one IP to allow access from. – ckliborn Apr 26 '12 at 12:32

1 Answer

However there will be a large amount of data traveling between the given servers and clients so I don't want to flood a single proxy machine with all the traffic.

Unless you're talking about 10Gbps+ of traffic, the option that you've ruled out is the option that would be your best bet. In fact, even if you are dealing with tens of gigabits of traffic, it's likely that this is the best and safest architecture to keep sessions from being bobbled. Simply NAT your servers behind a firewall / router and be done with it. If you're worried about a single point of failure, then get an Active / Active or Active / Passive HA partner for the device.

To attempt to load balance or virtualize one IP address behind multiple NAT devices and then have said scheme manage multiple TCP/IP sessions for the servers behind the NAT array across multiple ingress and egress points will be... skull-fracturingly, eyeball-gnawingly troublesome. If you do it and manage to keep from running at full speed into a nest of bald faced hornets to distract yourself from the NAT-hurt, please write a book about it and I will order a thousand copies.

Wesley
  • Thanks - do you have any recommendation on software that will do this? Also I don't want to be tied to any particular hosting provider, what is the best way to get a IP that I can use if I switch hosting providers? – ckliborn May 15 '12 at 18:03
  • @ckliborn I would recommend choosing a firewall to NAT your services based on the experience of those who will be working on it. Cisco, Juniper, SonicWall, Astaro, pf -- Any of them will work. Certainly some have strengths and weaknesses, but a full discussion of them is really best for a conversation with a consultant over the course of a few days. There is no way to "migrate" an IP address like you can a phone number. Everyone that has dedicated IP addresses is, in effect, tied to the provider that owns that block. – Wesley May 15 '12 at 18:10
  • 1
    @ckliborn If it was me doing the job, I'd probably look into Juniper equipment. If it was someone else like say, ShaneMadden, he might be more inclined to use Cisco. Voretaq7 might prefer pf on an OpenBSD box. Who's right? All of us. =) – Wesley May 15 '12 at 18:11
  • @Wesley unless they own the block themselves....... – Peter Green Jan 06 '20 at 19:15
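As an added illustration of the architecture the answer recommends (one NAT gateway with an Active / Passive partner, the option mentioned in the comments as "pf on an OpenBSD box"), here is a pf.conf for such a gateway. It is not from the answer or from any of the vendors named; the interface names, the 10.0.1.0/24 server group, the 203.0.113.10 public address, the shared secret and the use of a dedicated pfsync link are all assumptions. Every server in the group leaves through the single CARP-owned address, inbound from clients is denied by default, and pfsync copies the NAT state table to the standby so established sessions survive a failover rather than being "bobbled".

```pf
# Added example, not from the answer above. Interfaces, addresses and the
# server subnet are assumptions for illustration (OpenBSD 4.7+ pf syntax).
ext_if  = "em0"           # toward the clients / Internet
int_if  = "em1"           # toward the server group
sync_if = "em2"           # dedicated crossover link to the HA partner
servers = "10.0.1.0/24"   # the server group to hide behind one address
nat_ip  = "203.0.113.10"  # the single documented address (a CARP VIP)

set skip on lo

# Default deny: everything below is an explicit allowance, and blocked
# packets are logged so misdirected traffic shows up in pflog.
block log all

# HA plumbing: pfsync only on the dedicated link, CARP on the routed ones.
pass quick on $sync_if proto pfsync
pass on $ext_if proto carp
pass on $int_if proto carp

# Source NAT: the whole server group leaves via the CARP-owned address, so
# clients see exactly one source IP. With pfsync the translation state is
# mirrored to the standby, so a failover does not reset existing sessions.
match out on $ext_if from $servers to any nat-to $nat_ip

# Servers may initiate outbound; nothing inbound from $ext_if is passed, so
# clients cannot reach the servers through the gateway unsolicited.
pass in on $int_if from $servers to any
pass out on $ext_if

# Companion interface configuration (assumed), one line per file:
#   /etc/hostname.carp0 on the primary (advskew 0) and standby (advskew 100):
#     inet 203.0.113.10 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass <shared-secret> advskew 0
#   /etc/hostname.pfsync0 on both gateways:
#     up syncdev em2
```

The point of keeping pfsync on its own interface is that state-table updates travel in the clear; a crossover cable between the two gateways keeps that traffic off any network the servers or clients can see. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -s state` on the standby to confirm NAT states are arriving.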