How can I set up a webserver behind two routers?

6

I realise that this may be better suited to ServerFault, but this is my home network that I run in a non-professional environment.

At home I have my main router connected to the internet which the main family computer and laptop run from. I also have a "development" network with a m0n0wall firewall in a VM to provide internet services. I want to host a website (and eventually other services) on one of the machines on the dev network but cannot figure out how to "port forward" through my main (belkin) router, through to the m0n0wall firewall, and then through to webserver.

The traffic would have to come through the public ip, pass through port 80 of the main router (192.168.2.1) then be forwarded through the WAN connection of the m0n0wall box (192.168.2.2), out of the LAN connection (192.168.10.2) and finally into the server. After the configuration is saved I can't work out why it is not working. I can host the site fine behind the main router. There is a firewall rule on m0n0wall to pass port 80 traffic from 192.168.2.1 through but it just isn't working.

I've drawn a very basic diagram below (unfortunately any advanced Visio stuff is currently black magic to me).

(network diagram image)

tombull89

Posted 2011-08-23T16:02:10.600

Reputation: 6 533

Small networking questions for personal use are on-topic – James Mertz – 2011-08-23T16:05:32.650

Are you able to access the web server from your family machine? I think you need to get that working first. Once that is working, then getting the belkin working should be easy. – Zoredache – 2011-08-23T16:12:42.037

What does your firewall rule in the m0n0wall look like? – MaQleod – 2011-08-23T16:15:20.803

@MaQleod - http://i.stack.imgur.com/sFCoJ.png. – tombull89 – 2011-08-23T16:22:14.687

@Zoredache - no. looks like I'll start there. – tombull89 – 2011-08-23T16:22:24.157

@tombull: Please note that firewall rules work on data that passes by, they do not forward data they receive. Hence, the source IP refers to the IP that sent the actual packet, which is most likely the internet. For example, if I have a web server, then my log would reveal the IP of the visitor for each request and not the IP of the main router. In your main router you said "make port 80 traffic explicitly go to M0n0wall" which only changes the destination address to be the firewall; this is why it doesn't end up at your web server. Why do you need a separate router and firewall? – Tamara Wijsman – 2011-08-23T16:40:31.827

@Tom, I understand that now. The router and main family PC belong to my parents and the firewall acts as a gateway for my development network. Really, I don't need it, I could probably do it with subnetting instead (I'd just prefer to avoid tampering with the router, just because) – tombull89 – 2011-08-23T17:20:31.660

Answers

1

Right, I have finally worked this out and got it as I wanted. Instead of the m0n0wall box forwarding packets twice I've moved to changing subnets. I now have a DD-WRT-based Linksys E1000 acting in "Client Mode", so that it acts as a "client" to the family wireless and has a DHCP/DNS server serving the wired connections on the development network. I have changed the subnet mask from 255.255.255.0 to 255.255.252.0 on the Belkin router and on the DD-WRT. The Belkin is on 192.168.2.1 and DD-WRT on 192.168.1.1. Machines on each network can see each other, so if I set a machine on my dev network with a static 192.168.2.x the Belkin will be able to port forward to it.

Diagram Time: (network diagram image)

I have no idea if m0n0wall is able to forward packets, but subnetting seems to have been the easiest way of going about this.

I can recommend Wolfram Alpha for easy-to-use subnetting info.

tombull89

Posted 2011-08-23T16:02:10.600

Reputation: 6 533

If anyone thinks I should be better off re-writing my question please say. – tombull89 – 2011-10-10T15:08:44.333

You might want to point out that you'll need to forward the ports on both routers in order to fully point to the Development Web Server. – James Mertz – 2012-03-20T15:58:54.310

1

  1. A separate IP range is unnecessary; this will work without it, as the firewall sits between the cables.

  2. Your main router should forward to the web server and not to the firewall.

  3. Your firewall should accept any source address; the main router does not overwrite the source address.

    This also allows access from your family machine.

  4. Your firewall should also allow traffic going to the other side.

  5. Use Can You See Me and Wireshark for more detailed troubleshooting.

Tamara Wijsman

Posted 2011-08-23T16:02:10.600

Reputation: 54 163

Thanks, Tom. The Belkin has a 255.255.255.0 netmask, so it doesn't even give me the option to port-forward to 192.168.10.250 (the 192.168.2 bit is hardcoded in), so how can I forward it to the webserver directly? – tombull89 – 2011-08-23T16:28:03.273

I think I may have overestimated my ip addressing abilities... – tombull89 – 2011-08-23T16:29:41.790

@tombull: Another option is to explicitly forward the port 80 traffic from the external IP of the firewall to the IP of the web server in the firewall config, but I don't know if M0n0wall can do this. Putting everything in the same IP range could solve this problem... – Tamara Wijsman – 2011-08-23T16:37:32.280

@tombull: If M0n0wall cannot forward packets, then you are going to need to put them all in the same subnet or have some kind of DNS service running, otherwise the Belkin router will have no idea where the webserver is. – surfasb – 2011-08-23T21:36:28.520
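Added example (written for this page, not code from any poster) that models both answers: the packet walk shows why a m0n0wall pass rule keyed on source 192.168.2.1 never matches (the Belkin only rewrites the destination) and why a second port forward is needed, and the subnet check shows what the accepted answer's 255.255.252.0 mask does and does not bring into one network. The client address 203.0.113.5 is constructed; 192.168.10.250 is taken from the comments and assumed to be the web server.

```python
import ipaddress

# Constructed client address (RFC 5737 documentation range), not from the thread.
CLIENT_PACKET = {"src": "203.0.113.5", "dst": "public-ip", "dport": 80}

# Main router: forwards port 80 to the m0n0wall WAN address (as the question did).
BELKIN = {"name": "belkin", "forward": {80: "192.168.2.2"}, "allow": [("any", 80)]}

# m0n0wall as posted: a pass rule for port 80 from 192.168.2.1, no port forward.
M0N0WALL_AS_POSTED = {"name": "m0n0wall", "forward": {},
                      "allow": [("192.168.2.1", 80)]}

# m0n0wall as the other answer suggests: accept any source, and forward to the
# web server (192.168.10.250 is from the comments; assumed to be the server).
M0N0WALL_FIXED = {"name": "m0n0wall", "forward": {80: "192.168.10.250"},
                  "allow": [("any", 80)]}

def trace(packet, hops):
    """Walk a packet through NAT hops in order.  Each hop applies its port
    forward (rewrites the destination only; the source is never rewritten),
    then its filter rules, which match the source address as it really
    arrives.  Returns (final destination or None if dropped, log lines)."""
    pkt, log = dict(packet), []
    for hop in hops:
        if pkt["dport"] in hop["forward"]:
            pkt["dst"] = hop["forward"][pkt["dport"]]
        allowed = any(src in ("any", pkt["src"]) and port == pkt["dport"]
                      for src, port in hop["allow"])
        log.append(f"{hop['name']}: src={pkt['src']} dst={pkt['dst']} "
                   f"{'pass' if allowed else 'DROP'}")
        if not allowed:
            return None, log
    return pkt["dst"], log

def same_subnet(ip_a, ip_b, netmask):
    """True when both hosts are in the same network under this netmask."""
    net_a = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{netmask}", strict=False)
    return net_a == net_b

if __name__ == "__main__":
    for hops in ([BELKIN, M0N0WALL_AS_POSTED], [BELKIN, M0N0WALL_FIXED]):
        dest, log = trace(CLIENT_PACKET, hops)
        print("\n".join(log), "->", dest)
    # The accepted answer's /22 mask puts 192.168.1.x and 192.168.2.x in one
    # network, but 192.168.10.x would still be outside it.
    print(same_subnet("192.168.2.1", "192.168.1.1", "255.255.252.0"))  # True
    print(same_subnet("192.168.2.1", "192.168.10.250", "255.255.252.0"))  # False
```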