4

Is it possible for some computers on a network to have their own public IP addresses and serve content over the internet while other computers on the same network only have private IP addresses but still have the ability to make requests over the internet (like a home computer would through a router)?

More information:

I have a group of 15 servers (and only 12 Public IP addresses available)

2 servers:

  • Need to be able to serve content over the internet
  • Need to be able to make requests to the other 15 servers
  • These servers are load balancers; they will forward requests to 4 other nginx servers that will serve http content.

13 servers:

  • Do not need to be able to serve content over the internet
  • Need to be able to serve content to the other 15 servers
  • Need to be able to make requests over the internet (to external APIs and such)
  • 4 of these servers are nginx servers that will serve http content to the load balancers. They need to be able to make requests to external APIs (like google maps)
  • 9 of these servers are database servers (they don't need to make requests to APIs, but it would be nice to be able to Teamviewer into them)

    • Is this possible?
    • Do I just need a layer 3 switch?
    • What do I need to look into in order to figure out how to do this?

Visual description of problem:


Chris Dutrow

3 Answers

3

IPv6 has plenty of IPs and so everything will have a public IPv6 address, so I take it you are talking about IPv4. IPv4 allows a type of routing called Network Address Translation (NAT), which allows multiple private-IP devices to use the public internet with a single public IPv4 address on the router.

You don't need any fancy switches, a simple switch will be fine. The router is what is deciding which mac address to send packets to and if NAT routing needs to be performed.

If using public IP addresses on any of your servers, then on one or both of your load balancing servers you need to have two IP addresses, the public one and the internal one, preferably on a separate nic each. It/they can run Squid in reverse proxy load balancing mode and they will talk with the actual web servers, which have private IP addresses, to obtain and serve content.

That being said, you don't even need to have public IP addresses on any of your servers, just your router, and it can decide which of your private IP addresses to send the packets to, and it can provide NAT routing for all of your internal IP address servers so they can use the internet.

Edit: every http/https request, and for that matter tcp packet, includes the source IP and source port of the request. Every http/https request includes the website name being requested as well. Based on that info the load balancer has in its config a list of IP addresses it can contact to fulfil the request. Based on the IP address of the machine it is trying to talk to, the OS routing table will determine which nic will be contacted.

BeowulfNode42
  • Thanks so much for your help. I have a really dumb question: How does the load balancer know which NIC to use depending on if it's receiving requests from the internet or forwarding those requests to the other servers in the network? Is it in configuration somewhere? – Chris Dutrow Mar 23 '16 at 06:47
  • I apologize, another question: what's the deal with IPv6 these days? I was under the impression there were still some compatibility issues with old hardware around the net? – Chris Dutrow Mar 23 '16 at 07:37
  • @ChrisDutrow How old? If it's old enough to not support IPv6, it's almost certainly at the top of your list of things that desperately need to be replaced for other reasons. In a rare bit of forward thinking, the US government mandated that anything sold to it had to be IPv6-capable by 2008, and most companies met this deadline (even though it was pushed back). Virtually anything you've bought in the last decade that wasn't a consumer device has sufficient IPv6 support (maybe with a firmware update). Ironically, consumer devices have only begun getting support in the last few years. – Michael Hampton Mar 23 '16 at 18:11
  • All my equipment should be fine. I was thinking like if there was a relay along the way between my equipment and a website user that had an issue. Is this not a valid concern? – Chris Dutrow Mar 23 '16 at 23:51
  • @ChrisDutrow yes every router along the path needs to understand IPv6 for it to work, unless there is some tunnelling over IPv4. I believe that any ISP that is providing IPv6 to customers has the full path to all of their IPv6 capable partners fitted out already with the required equipment and settings. – BeowulfNode42 Mar 24 '16 at 07:44
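The "OS routing table decides the nic" point from the edit above, as an added example (not code from the answer): a longest-prefix-match lookup over a constructed table for a dual-homed load balancer with eth0 on a public /29 and eth1 on a private /24. All addresses are RFC 5737 / RFC 1918 documentation ranges, not the asker's real ones.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]  # None means directly connected


# Constructed routing table (assumed addressing, not from the question):
#   eth0: public side, host 203.0.113.10/29, default gateway 203.0.113.9
#   eth1: private side, host 10.0.0.2/24, where the nginx backends live
ROUTES = [
    Route(ipaddress.ip_network("203.0.113.8/29"), "eth0", None),
    Route(ipaddress.ip_network("10.0.0.0/24"), "eth1", None),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0",
          ipaddress.ip_address("203.0.113.9")),
]


def lookup(dst: str, routes=ROUTES) -> tuple:
    """Return (egress interface, next hop) for a destination.

    The most specific matching prefix wins, as in the kernel FIB; the
    default route only applies when nothing narrower matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None
                                 or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dst}")
    # For a directly connected prefix the next hop is the destination itself.
    return best.dev, (str(best.via) if best.via else dst)


if __name__ == "__main__":
    for dst in ("10.0.0.21", "198.51.100.7", "203.0.113.12"):
        print(dst, "->", lookup(dst))
```

Replies to internet clients leave via eth0 through the gateway, while backend requests to 10.0.0.x leave via eth1, with no per-NIC setting in the load balancer itself.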
2

Yes it's possible.

There are a few approaches.

  1. If your provider offers IPv6 make the servers that need to be publicly accessible dual stack and make the servers that don't need to be publicly accessible IPv6 only. If the non-public servers need to access IPv4 only resources on the internet then you will need to use NAT64/DNS64 to provide access to the IPv4 internet; if your provider is especially forward looking they may provide this for you or you may have to run it yourself.

  2. Have a public subnet and a private subnet and have the existing gateway router for the network perform routing between the two subnets and NAT between the private subnet and the internet. This requires that the existing router has sufficiently flexible NAT support (Linux can do it, not sure about other implementations).

  3. Have a public subnet and a private subnet and use one of your own machines to provide NAT so the private machines can access the internet. Either set up routing so the public and private machines can see each other or give the public machines IPs on both subnets.

Peter Green
1

If you are running some publicly available website with some database backend, I would recommend at a minimum you use a dedicated firewall. The basic setup is where to start, and can be built upon as needed:

  • Set up the firewall as the only access point to the internet. Give it the first IP in your block of 12 IPs. Initial setup is similar to how a home router would be set up... All computers on the internal LAN can access the internet. If they go to whatismyip.com, the result is the firewall's external IP. All internal machines are protected by the firewall.
  • Set up the load balancers with public IPs: Configure the load balancers with an IP address on your internal network. Use the NAT feature in the firewall to map loadbalancerA's internal IP to your second public IP, and loadbalancerB's internal IP to the third public IP. (You will also have to set firewall rules to allow the incoming requests.)

You would also need a switch to accommodate the physical connections of all the servers... Basically, plug the Internet into the Firewall External Interface, the Firewall Internal Interface into the Switch, then all servers into the switch.

Dre
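The firewall design in the answer above (shared outbound NAT on the first public IP, 1:1 NAT for the two load balancers, everything else dropped), as an added simulation that is not code from the answer or from any firewall product. It assumes constructed RFC 5737 / RFC 1918 addresses and a simplified connection table keyed only on the translated port, where a real conntrack keys on the full 5-tuple.

```python
import ipaddress

# Constructed addressing (assumed, not from the post).
PUBLIC_OUT = "203.0.113.1"        # first public IP: shared source NAT for the LAN
ONE_TO_ONE = {                    # second/third public IPs -> load balancer LAN IPs
    "203.0.113.2": "10.0.0.11",   # loadbalancerA
    "203.0.113.3": "10.0.0.12",   # loadbalancerB
}
LAN = ipaddress.ip_network("10.0.0.0/24")
ALLOWED_INBOUND_PORTS = {80, 443}  # the "allow incoming requests" firewall rule


class Firewall:
    def __init__(self):
        self._next_port = 40000
        self._snat = {}  # translated public port -> (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN host -> internet: rewrite the source to the firewall's public IP.

        Returns the translated 4-tuple, or None if the source is not on the LAN.
        """
        if ipaddress.ip_address(src_ip) not in LAN:
            return None
        pub_port = self._next_port
        self._next_port += 1
        self._snat[pub_port] = (src_ip, src_port)   # remember how to untranslate
        return (PUBLIC_OUT, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> firewall: deliver a reply, DNAT to a load balancer, or drop."""
        if dst_ip == PUBLIC_OUT and dst_port in self._snat:
            lan_ip, lan_port = self._snat[dst_port]   # reply to an earlier request
            return (src_ip, src_port, lan_ip, lan_port)
        if dst_ip in ONE_TO_ONE and dst_port in ALLOWED_INBOUND_PORTS:
            return (src_ip, src_port, ONE_TO_ONE[dst_ip], dst_port)
        return None  # unsolicited traffic never reaches a private server
```

Database servers on the LAN can reach external APIs (outbound then matching reply), but nothing on the internet can open a connection to them, and even the load balancers only accept the ports the rule lists.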