Home network routing: Avoid routing via Internet for server attached to cable modem

I'm painfully unfamiliar with routing and have always been annoyed by an inefficiency in my home network's layout: all traffic to my (local) server via its public IP has much less bandwidth than traffic on the local network only. Here's a diagram of my network structure:

                         +----------+
                         | Internet |
                         +-----+----+
                               |
                      +--------+--------+
                      |   Cable Modem   |
                      | (Cisco DPQ2935) |
                      +---+---------+---+
                          |         |
 +------------------------+--+   +--+----------+
 |          Router           |   |   Server    |
 | (Netgear WNDR3700-100NAS) |   |  (eddings)  |
 +-------------+-------------+   | (public IP) |
               |                 +-------------+
       +-------+-------+
       |  Workstation  |
       |    (feist)    |
       | (192.168.1.x) |
       +---------------+

Running iperf between feist and eddings, I'm told that the bandwidth is 372 Mbits/sec. Running it between feist and another workstation connected to the router, I'm told that the bandwidth is 937 Mbits/sec. In addition, any time my internet connection goes out, I'm unable to connect to eddings without munging around the cabling and network configuration (haven't had this happen here yet, but it was definitely a problem at my previous location with a different cable modem).

One option I've played with in the past is the fact that eddings has dual NICs: I've connected the second NIC to the router and given it a 192.168.1.x address, as well. However, managing the split DNS this necessitated proved to be a PITA, especially for any laptops that I took out of my network, which would end up trying to unsuccessfully use the local IP for eddings until I remembered to flush their DNS cache.

I guess I'm just hoping that there are some other, brilliant options available here that I'm not aware of. For instance, could I instead connect eddings to the Netgear router and somehow manage for it to use its public IP through the router, but have the router configured such that local workstations don't touch the cable modem to get to it? Any suggestions would be much appreciated.

Karl M. Davis

Posted 2013-09-15T05:34:52.630

Reputation: 121

We're missing some information here. What firmware is the Netgear running? Is it running the stock Netgear firmware or something more powerful like openwrt? What are the DNS settings? Are you using a dynamic DNS service and if so which one and are there any restrictions imposed on what kind of records you use? Do you run your own public DNS server and are you also running an internal DNS server? – Michael Yasumoto – 2013-09-15T06:29:43.153

Possibly useful reading: http://serverfault.com/questions/49765/how-does-ipv4-subnetting-work – Hennes – 2013-09-15T08:54:10.317

Looks like a very technical question from somebody very well informed technically... I wonder why it got migrated, maybe 'cos it had "home" in the title?! – barlop – 2013-09-15T12:09:08.227

Michael: The Netgear router is running stock firmware, though it's a "v2" and would support OpenWRT. The server eddings does host its own public DNS server (via bind). – Karl M. Davis – 2013-09-15T12:35:03.313

Answers

You can give the server (eddings) two IPs, either both on the same NIC or by using two NICs.

One would be your normal public IP, the other IP would be on the same network as your workstation (192.168.1.0/24). If you have a second NIC (and give it 192.168.1.x) then you can plug that into a switch (LAN, not WAN) port of the Netgear. If you only have one NIC then we will need to configure proper routing in both the Cisco DPQ2935 and in the Netgear WNDR3700.

In the latter case we indeed need more information on the Netgear's firmware and settings.

Hennes

Posted 2013-09-15T05:34:52.630

Reputation: 60 739

Hennes: Would this require me to go with a split/shadowed DNS setup where clients on the internal network are told that eddings IP is 192.168.1.x while clients on the external network are given its public IP? If so, is there any way to avoid the types of DNS caching problems I mentioned in the question with laptops that regularly move back and forth between the internal and external networks? – Karl M. Davis – 2013-09-15T12:38:03.340

There is a way...but that requires using IP v6 (Which is a very good idea, but which sadly does not work everywere yet). – Hennes – 2013-09-15T18:28:31.387

I'd be curious to read more about the split DNS tie-in to IPv6, if you have any links. However, I think I'll avoid the IPv4 split-DNS solution: I use LDAP & Kerberos logins on all my boxes and those caching problems I mentioned have left me unable to login/unlock once or twice in the past, which... sucks. – Karl M. Davis – 2013-09-15T18:32:45.947

You could move your server (eddings) to be connected to the router. Then set up your cable modem to have no firewall, and let the router do the firewalling. This is sometimes called 'passthrough mode', but I'm sure if you muck around in the cable modem's settings interface you'll find it. Basically this means any incoming connections from the internet get passed straight through the cable modem to the router.

On the router, you have two options.

  1. You can set up eddings (or its static IP address) as the default DMZ (demilitarized zone) server. Incoming connections arriving at the router that are designated to go somewhere else specific by other options on the router will be forwarded to the designated DMZ server (now eddings). Eddings will function as if it was connected directly to the internet, but will only need a local IP address within the router's subnet. This can be static or DHCP, but if DHCP it should be a reserved address.

  2. The more secure option is to only forward the specific ports to eddings from the router that eddings is actually interested in, e.g. only SSH and HTTP(S). There should be a port forwarding interface on your router's configuration web page. Again, Eddings will function as if it was connected directly to the internet where the forwarded ports are concerned, but will only need a local IP address within the router's subnet. This can be static or DHCP, but if DHCP should be a reserved address. Eddings will still be fully available locally though in this case, unless you have a firewall on eddings itself.

As a bonus, setting things up in this layout means that your local traffic to eddings (from feist for example) will no longer go through the cable modem. Judging by the information you've given regarding throughput speeds, I'd guess that currently your traffic is not being routed via the internet, but that your cable modem is slower than your router, which is not unsurprising since in normal cases it only needs to bridge a slow internet connection with the intranet, not carry large volumes of intranet traffic.

Finally, if you use a dynamic DNS service (doesn't sound like it, but just in case) get your cable modem to run the update if its firmware allows it, otherwise, if eddings runs an update script, you may have to jump an additional hoop to get the actual public IP you've been assigned to submit to the DNS service.

sirlark

Posted 2013-09-15T05:34:52.630

Reputation: 121

The DMZ is a decent idea. However, eddings is actually a VM host and has a number of guests with their own public IPs. Apologies: it appears I simplified my diagram above too much. – Karl M. Davis – 2013-09-15T14:18:41.547

As an alternative to the DMZ, is there a way with the stock firmware (e.g. static routes?) to configure it to intelligently handle traffic on the private subnet and on the public subnet? If not, would there be a way to do this with OpenWRT or a more advanced router? – Karl M. Davis – 2013-09-15T14:32:55.873

Does eddings do anything other than host the VMs, and does it have its own public IP? – sirlark – 2013-09-16T11:04:20.350
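As an added example that is not part of the thread and not code from either answerer, here is what sirlark's two router-side options (DMZ host versus forwarding only the needed ports) look like as iptables rules on a Linux router, for instance one running OpenWrt, which the OP asks about in the comments. It assumes the router holds one public IP on its WAN side (203.0.113.5, a documentation address), that eddings now sits on the LAN as 192.168.1.10, and that the LAN bridge is called br0; all three are made-up values. It also adds something neither answer spells out: NAT loopback (hairpin NAT), so a LAN client that resolves eddings to its public IP is redirected inside the router rather than sent out through the cable modem, which removes the need for the split DNS the OP wants to avoid. It does not cover the VM guests with their own public IPs raised in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a Linux router that
# fronts a server now living on the LAN, as sirlark's answer proposes.
# Modes:
#   dmz      every connection to the public IP is forwarded to the server
#   forward  only the listed TCP ports are forwarded (the safer option)
# Both modes add NAT loopback so LAN hosts using the public IP are redirected
# inside the router instead of through the cable modem.
# Assumes the FORWARD chain's policy is DROP, as on a typical router firewall.
# All addresses and interface names below are assumptions for illustration.

LAN_IF="br0"              # assumed: router's LAN bridge interface
LAN_NET="192.168.1.0/24"  # LAN subnet from the question
PUB_IP="203.0.113.5"      # assumed: public IP on the router's WAN side
SRV_IP="192.168.1.10"     # assumed: eddings' LAN address (static or DHCP reservation)

# gen_rules MODE [PORT...]  -> prints the iptables commands, one per line
gen_rules() {
    mode="$1"; shift
    case "$mode" in
        dmz) ;;
        forward)
            [ "$#" -gt 0 ] || { echo "forward mode needs at least one TCP port" >&2; return 1; } ;;
        *)
            echo "unknown mode: $mode (use dmz or forward)" >&2; return 1 ;;
    esac

    echo "iptables -t nat -N SRV_DNAT 2>/dev/null"
    echo "iptables -t nat -F SRV_DNAT"
    # Match on the destination address, not on '-i <wan interface>': this way
    # the same DNAT rules also catch LAN-originated packets sent to the public IP.
    echo "iptables -t nat -A PREROUTING -d $PUB_IP -j SRV_DNAT"

    if [ "$mode" = dmz ]; then
        # DMZ host: everything, every protocol, lands on the server.
        echo "iptables -t nat -A SRV_DNAT -j DNAT --to-destination $SRV_IP"
        echo "iptables -A FORWARD -d $SRV_IP -m conntrack --ctstate NEW -j ACCEPT"
    else
        # Port forwarding: one DNAT plus one FORWARD accept per listed TCP port.
        for port in "$@"; do
            echo "iptables -t nat -A SRV_DNAT -p tcp --dport $port -j DNAT --to-destination $SRV_IP"
            echo "iptables -A FORWARD -d $SRV_IP -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi

    # NAT loopback (hairpin): a LAN client -> public IP connection was DNATed
    # above and is routed back out the LAN. Masquerade it so the server's reply
    # returns via the router, where the DNAT is undone; otherwise the server
    # would answer the client directly and the client would drop the reply.
    # Cost: for these connections the server logs the router's LAN address
    # instead of the client's. '--ctstate DNAT' keeps ordinary LAN traffic alone.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $SRV_IP -o $LAN_IF -m conntrack --ctstate DNAT -j MASQUERADE"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Usage: sh rules.sh [dmz|forward PORT...]        prints the rules for review
#        sh rules.sh --apply forward 22 80 443    runs them (as root)
case "${1:-}" in
    --apply) shift; gen_rules "$@" | sh -e ;;
    "")      gen_rules forward 22 80 443 ;;   # dry run with the ports from the answer
    *)       gen_rules "$@" ;;
esac
```

On OpenWrt the forward variant is the same thing written as `config redirect` sections in /etc/config/firewall (target DNAT, src wan, dest lan, dest_ip, src_dport), and the hairpin rule corresponds to the redirect's `reflection` option, which is on by default. Stock Netgear firmware exposes port forwarding and a DMZ host, but nothing on this page shows it routing a second public subnet, so the VM guests' separate public IPs are outside what this example handles.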