
Basically, I'm interested in how to make one of my servers a hop in tracert.

My first server is located within DC in France

My second server is located within a DC in Russia.

I want my 1st server to appear in the traceroute behind my 2nd server.

Current path to my server (let's imagine it's like that):

1. Hop #1 (your IP)
2. Hop #2 (my 2nd server)

How I want it to be:

1. Hop #1 (your IP)
2. Hop #2 (my 1st server)
3. Hop #3 (my 2nd server)

Reason: I want all of the traffic to filter through my firewall within the 1st server, and only afterwards go to the 2nd server. Both of the servers are not in a local network; they're based with two different hosting providers and it's impossible to put them in a local network. Is it possible to start routing all of the traffic through the 1st server before it reaches the 2nd server, without making the 1st server a UDP/TCP proxy and giving users its IP to connect to, and then routing traffic to my back-end (which is my 2nd server) and dropping all traffic except that coming from the 1st server?

If I need network access: I do understand that I may need network access directly, but what access do I really need? Is it router access within the DC where the 2nd server is located? Or do I need access to routers in both DCs? How can I really configure it?

Why am I asking here? I tried to google this issue and find an explanation for more than a week now, and I still have no clear explanation except people saying "Just do TCP/UDP proxy from your 1st server".

Why don't I want to do a proxy? Because I think ping is going to increase too much to the second server if using the first server as a proxy; however, if I do put it in the traceroute I think ping is not going to be "seriously increased", since this server can sometimes act just as a switch and route traffic. If I'm wrong here, please say I'm wrong and ping is going to be the same, as traffic will still need to go through this server anyway and a TCP/UDP proxy is my easiest solution.

Thomas
dnleiman
  • Do you control the endpoints? Building your own WAN is a somewhat different problem than services for the public Internet. – John Mahowald Jun 17 '18 at 00:58
  • @JohnMahowald what do you mean by "do you control endpoints"? I do control both of the servers for sure if that's a question. – dnleiman Jun 17 '18 at 02:11

2 Answers

Impossible. You say you want to convince the entire world to change its routing (i.e. to route in a sub-optimal way). In fact all the Internet routers try instead to always figure out an optimal route to each IP.

To play with this, you need to own at least an entire public /24 subnet, although I'm not sure what regulations come into play between these two countries.

So, unless you are a big player, to direct the entire world to Internet provider 1 you need to use IP that belongs to that provider. You could use DNAT&SNAT at the first server, not necessarily a "heavy" proxy.

kubanczyk
  • Thanks for your reply. Basically what I'm trying to achieve is DDoS protection, by routing all of the traffic through the 1st server (with DDoS protection) to the 2nd server (which is not DDoS protected, but the 1st server will filter all of the DDoS attacks). – dnleiman Jun 16 '18 at 01:09
  • @dnleiman I see. Then you need to keep the unprotected IP a secret, because if an attacker figures it out, you're toasted. The DNAT/SNAT approach will work; it's faster and simpler than a VPN, but has no encryption, and unprotected_IP logs will see all traffic as coming from protected_IP. (Google "hairpin NAT" - it's the same idea.) – kubanczyk Jun 16 '18 at 08:38
  • I will just limit all the traffic coming to it from any IP address except the one which is protected. I understand about logs. What I want to achieve is: 1st server to my users = 70 ms ping, 2nd server to my users = 5 ms ping. However, the 2nd server is not protected from DDoS attacks; my goal is to reach the minimum increase in ms and protect the second server (and primarily to keep the second IP, so users won't connect to the IP which is linked to the first server, but will connect to the IP which is linked to the second server, and their connection will flow through the first server anyway). – dnleiman Jun 17 '18 at 04:25
  • @dnleiman DDOS saturates your entire link, so no filtering on your side can prevent it. That's why you always need ISP protection. About your users knowing the unprotected IP: impossible. This is what I explained in my answer. – kubanczyk Jun 17 '18 at 13:55
  • That's actually a bit wrong. I'm protecting a 1 Gbps link on the 2nd server; my 1st server also has a 1 Gbps link. If the 1st server detects an attack it will filter it; the 1st server is able to handle large DDoS attacks (due to the capacity of the network being more than 500 Gbps (it's OVH if it matters)), therefore any malicious traffic isn't going to reach the 2nd server and so it will be protected. My target is to allow users to connect to my 2nd server IP straight away, but make all the traffic flow through firewalls on the 1st server, and my second target is to minimize the ping increase from such an action. – dnleiman Jun 17 '18 at 16:10
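The DNAT/SNAT ("hairpin NAT") arrangement the answer and its comments describe, written out as an added example that is not part of the original answer. It assumes a Linux host with iptables on each side and constructed placeholder addresses (198.51.100.10 for the protected 1st server, 203.0.113.20 for the unprotected 2nd server) and a made-up service port 27015; by default it only prints the commands it would run, and executes them only when APPLY=1 is set:

```shell
#!/bin/sh
# Constructed placeholder values; replace with your own before use.
PROTECTED_IP="198.51.100.10"   # 1st server: public, DDoS-protected front
BACKEND_IP="203.0.113.20"      # 2nd server: unprotected back-end
SERVICE_PORT="27015"           # the service clients connect to

# Dry-run wrapper: print the command unless APPLY=1 is set in the environment.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Rules for the 1st (protected) server: rewrite the destination of incoming
# client traffic to the back-end (DNAT), rewrite the source to this host
# (SNAT) so the back-end's replies come back through here, and allow
# the forwarded flows.
front_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  for proto in tcp udp; do
    run iptables -t nat -A PREROUTING -p "$proto" --dport "$SERVICE_PORT" \
      -j DNAT --to-destination "$BACKEND_IP"
    run iptables -A FORWARD -p "$proto" -d "$BACKEND_IP" --dport "$SERVICE_PORT" \
      -j ACCEPT
  done
  # Hairpin: the back-end only ever sees PROTECTED_IP as the client address.
  run iptables -t nat -A POSTROUTING -d "$BACKEND_IP" -j SNAT --to-source "$PROTECTED_IP"
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Rules for the 2nd (back-end) server: accept the service only when the packet
# arrives from the protected front, and drop it from everyone else.
backend_rules() {
  for proto in tcp udp; do
    run iptables -A INPUT -p "$proto" --dport "$SERVICE_PORT" -s "$PROTECTED_IP" -j ACCEPT
    run iptables -A INPUT -p "$proto" --dport "$SERVICE_PORT" -j DROP
  done
}

# Select which side's rules to emit with ROLE=front or ROLE=backend.
case "${ROLE:-}" in
  front)   front_rules ;;
  backend) backend_rules ;;
esac
```

Run it as `ROLE=front sh nat.sh` on the protected server and `ROLE=backend sh nat.sh` on the back-end to review the rules, then add `APPLY=1` to install them. Because of the SNAT rule, the back-end's logs will show every connection as coming from the protected IP, exactly as the comment above notes; dropping everything else at the back-end only helps as long as its own IP stays unknown, which is the point the answer makes.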

Create a VPN containing both servers. Set up the second server to route between the Internet and the VPN. Ensure that the first server does not accept traffic directly from the Internet.

James Youngman
  • That's exactly what I don't want, since it will massively increase ping to my 2nd server, and it would be easier just to host everything on the 1st server from the start. What I want to achieve is: 1st server to my users = 70 ms ping, 2nd server to my users = 5 ms ping. However, the 2nd server is not protected from DDoS attacks; my goal is to reach the minimum increase in ms and protect the second server. – dnleiman Jun 17 '18 at 04:22
  • Well, you can't change the topology or routing metrics of other people's networks, except by paying them to do it. – James Youngman Jun 17 '18 at 09:25
  • As for ping times, compare distances of the hosts with speed-of-light travel time. The speed of light is a hard limit. – James Youngman Jun 17 '18 at 09:26
  • That's true. And that's actually what I'm trying to do somehow, since both of my servers are not in the same local network and I cannot manipulate them in that way, but I'm pretty sure there's a good solution to set up such network conditions. As I've written in the comment below: "My target is to allow users to connect to my 2nd server IP straight away, but make all the traffic flow through firewalls on 1st server, and my second target is to minimize ping increase from such action". Thanks for your help btw, I appreciate it a lot. – dnleiman Jun 17 '18 at 16:13