Mixing NAT and DHCP with routable IPs
March 18, 2017 9:23 AM Subscribe
I want to have a VM with either a dedicated DHCP number or have it share the network interface of the Mac it's on with the Mac having the routable IP. How?
Here's the setup:
Mac Mini running Veertu and FreeBSD 10.3 AMD.
ISP: Mediacom.
Mini wireless to an Airport Time Capsule. Mini must stay wireless.
So what I would like:
I am trying to create a web dev environment to as closely as possible match the hosted environment I am using.
My goal is to be able to hit the VM from anywhere in my house, and ideally be able to control the Mac remotely and to ftp files to it remotely.
I pay for a second routable IP from Mediacom. I would like the VM on the mini to basically ignore the NATing the Airport doles out and go directly to my DOCSIS 3.0 cable internet modem for IP assignment. Barring this, I would just like the mini to do so.
I would prefer the web server not be accessible to the world, but would like the mini be able to do so.
Ideally, Mediacom would just sell me a static IP that I could just drop into the manual settings on the Mini and then they could give me access to the DNS records, but they won't do that, so I am trying to come up with a setup that will work.
I am not opposed to purchasing additional equipment or software, and am even considering just buying another WAP and setting it up in bridge mode, but that seems like the stupid way to do this.
Assume I am a technical person, but I won't take offense if you dumb your answers down. I have little experience managing my own FreeBSD environment, but I've been using a hosted environment with pair.com for a decade.
I'll be back online later to answer any specifics to the setup that I may have overlooked.
Here's the setup:
Mac Mini running Veertu and FreeBSD 10.3 AMD.
ISP: Mediacom.
Mini wireless to an Airport Time Capsule. Mini must stay wireless.
So what I would like:
I am trying to create a web dev environment to as closely as possible match the hosted environment I am using.
My goal is to be able to hit the VM from anywhere in my house, and ideally be able to control the Mac remotely and to ftp files to it remotely.
I pay for a second routable IP from Mediacom. I would like the VM on the mini to basically ignore the NATing the Airport doles out and go directly to my DOCSIS 3.0 cable internet modem for IP assignment. Barring this, I would just like the mini to do so.
I would prefer the web server not be accessible to the world, but would like the mini be able to do so.
Ideally, Mediacom would just sell me a static IP that I could just drop into the manual settings on the Mini and then they could give me access to the DNS records, but they won't do that, so I am trying to come up with a setup that will work.
I am not opposed to purchasing additional equipment or software, and am even considering just buying another WAP and setting it up in bridge mode, but that seems like the stupid way to do this.
Assume I am a technical person, but I won't take offense if you dumb your answers down. I have little experience managing my own FreeBSD environment, but I've been using a hosted environment with pair.com for a decade.
I'll be back online later to answer any specifics to the setup that I may have overlooked.
Response by poster: Yeah, that would be the ideal. Back to My Mac, remote screen sharing, whatever to control the Mac remotely. The VM accessible only from within the house.
posted by cjorgensen at 9:57 AM on March 18, 2017
posted by cjorgensen at 9:57 AM on March 18, 2017
I would like the VM on the mini to basically ignore the NATing the Airport doles out
To make this work, the Mini needs to live on the same network segment as the Airport's WAN port. The only way that can happen, as far as I know, is to turn the Airport's routing brains off altogether, and just use it as a pure wireless access point; that makes it equivalent to an Ethernet switch with some wireless "ethernet ports" as well as wired ones.
If the Airport is the only NAT router you're currently using, you'll need another one to serve all your other devices. If any of those are also wireless, you'll need another wireless router. So you might indeed be better off leaving the Airport as it is, connecting it to your DOCSIS modem via an Ethernet switch instead of directly, and just sticking a WAP in bridge mode on another port of the same switch to connect the Mini and its embedded VM.
If you want to expose the VM to the Internet but not the host OS on the Mini (or vice versa), that should still be doable even though they share the Mini's single physical network interface. Tricky, though; you'd end up needing 802.11q tagged VLANs to get it done, I would think.
If you can come up with some kind of diagram that shows all your existing endpoint devices and the IP address ranges you'd like them all to live in, it will be possible to make more specific suggestions.
posted by flabdablet at 9:59 AM on March 18, 2017 [1 favorite]
To make this work, the Mini needs to live on the same network segment as the Airport's WAN port. The only way that can happen, as far as I know, is to turn the Airport's routing brains off altogether, and just use it as a pure wireless access point; that makes it equivalent to an Ethernet switch with some wireless "ethernet ports" as well as wired ones.
If the Airport is the only NAT router you're currently using, you'll need another one to serve all your other devices. If any of those are also wireless, you'll need another wireless router. So you might indeed be better off leaving the Airport as it is, connecting it to your DOCSIS modem via an Ethernet switch instead of directly, and just sticking a WAP in bridge mode on another port of the same switch to connect the Mini and its embedded VM.
If you want to expose the VM to the Internet but not the host OS on the Mini (or vice versa), that should still be doable even though they share the Mini's single physical network interface. Tricky, though; you'd end up needing 802.11q tagged VLANs to get it done, I would think.
If you can come up with some kind of diagram that shows all your existing endpoint devices and the IP address ranges you'd like them all to live in, it will be possible to make more specific suggestions.
posted by flabdablet at 9:59 AM on March 18, 2017 [1 favorite]
Response by poster: That's more-or-less what I was afraid of.
I have a whole slew of wireless devices throughout the house. Wireless printers, iPads, iPhones, Apple TVs, Amazon Fire TV, Roku, house alarm, Chromecast, Mac Mini, Mac Pro, etc. Probably a lot of stuff I am not thinking of.
My setup is fairly straight forward:
DOCSIS —> Airport —> Everything.
I do have one Airport Express in extend mode dedicated to a laser printer.
I will probably just give up on the idea of having the Mini wireless, and plug it into ethernet, but then it can't be in the bedroom, and I like the idea of having a secondary station.
posted by cjorgensen at 10:24 AM on March 18, 2017
I have a whole slew of wireless devices throughout the house. Wireless printers, iPads, iPhones, Apple TVs, Amazon Fire TV, Roku, house alarm, Chromecast, Mac Mini, Mac Pro, etc. Probably a lot of stuff I am not thinking of.
My setup is fairly straight forward:
DOCSIS —> Airport —> Everything.
I do have one Airport Express in extend mode dedicated to a laser printer.
I will probably just give up on the idea of having the Mini wireless, and plug it into ethernet, but then it can't be in the bedroom, and I like the idea of having a secondary station.
posted by cjorgensen at 10:24 AM on March 18, 2017
I sadly gave my airport to my parents, so I can't look at whether it's possible for that device (I doubt the airport is friendly to this however). But the typical way that you'd do this is to put both IP addresses on the gateway device, and have the gateway device forward connections to the ports you're interested in on the public address over to ports on the internal address where your vm is. I'm doing it without even having static IPs - I just have a domain registered with a place that does free dynamic dns (namecheap), register a name there, and I just route (DNAT) connections to port 443 over.
posted by wotsac at 10:38 AM on March 18, 2017 [1 favorite]
posted by wotsac at 10:38 AM on March 18, 2017 [1 favorite]
I think you might be making this more complicated than necessary, if I understand what you are after correctly. Remote access services like back to my Mac or Logmein traverse NAT, so no need to do anything special as long as your Mini can reach out to the Internet. If you deploy a VM on top of the Mini, give it a "bridged" virtual network adapter in whatever VM host product you use. That will let it pull its own internal LAN IP from your router. Then you can either make that DHCP assignment a reservation on the router, or manually assign the VM a static IP within your normal LAN subnet (outside of the DHCP range). VM will be accessible from inside the house on that additional LAN IP. No need for another WAN IP from your ISP. Wired vs wireless won't really make a difference either. If you want to make specific services (FTP or HTTP) available from the internet, you'd forward those ports through the router to the appropriate internal IP (could be the Mini or the VM), although I'd advise against this for security purposes.
posted by mgr at 10:52 AM on March 18, 2017 [2 favorites]
posted by mgr at 10:52 AM on March 18, 2017 [2 favorites]
I am trying to create a web dev environment to as closely as possible match the hosted environment I am using.
What features of that hosted environment are you trying to emulate?
As mgr hints, you might well be overthinking this. If your aim is not to have one of your wireless-connected boxes fully accessible to the Internet, and all you need to make available to the world is certain selected services, then setting up port forwarding for those services in your Airport should be all you need to do.
posted by flabdablet at 7:57 PM on March 18, 2017
What features of that hosted environment are you trying to emulate?
As mgr hints, you might well be overthinking this. If your aim is not to have one of your wireless-connected boxes fully accessible to the Internet, and all you need to make available to the world is certain selected services, then setting up port forwarding for those services in your Airport should be all you need to do.
posted by flabdablet at 7:57 PM on March 18, 2017
Back to My Mac, remote screen sharing, whatever to control the Mac remotely. The VM accessible only from within the house.
If that's all you need, then you don't even need to do any port forwarding. Just tell your VM hosting software to put your VM's virtual Ethernet adapter in bridged mode rather than using internal NAT. That way, your VM shows up in your LAN in the same IP address range as all your real devices. And if the VM gets its IP address via DHCP, as I would expect it to be configured to do by default in what I would expect to be the default setup for VM hosting software that defaults to internal NAT for VM Ethernet adapters: once the VM's Ethernet is in bridge mode instead, I would expect your Airport's DNS server to register its hostname when it connects, so you wouldn't even need to give it a static IP.
posted by flabdablet at 8:02 PM on March 18, 2017
If that's all you need, then you don't even need to do any port forwarding. Just tell your VM hosting software to put your VM's virtual Ethernet adapter in bridged mode rather than using internal NAT. That way, your VM shows up in your LAN in the same IP address range as all your real devices. And if the VM gets its IP address via DHCP, as I would expect it to be configured to do by default in what I would expect to be the default setup for VM hosting software that defaults to internal NAT for VM Ethernet adapters: once the VM's Ethernet is in bridge mode instead, I would expect your Airport's DNS server to register its hostname when it connects, so you wouldn't even need to give it a static IP.
posted by flabdablet at 8:02 PM on March 18, 2017
Response by poster: > I think you might be making this more complicated than necessary […].
Probably. I tend to do that.
> What features of that hosted environment are you trying to emulate?
This is a bit embarrassing to admit, but my website workflow has always been to just modify live. I want to make a change in code, I just do it. I need to upgrade my CMS I just give it a go.
I back everything up first, but when I screw things up, I just take the downtime.
I've had a typo in an .htaccess file take my sites down for hours.
I'd like to start to use versioning, and I've like to reproduce my sites in a VM. I want to try to use the same OS, the same version of PHP, Apache, etc. Ideally, I could FTP the template changes to my local site, test them, and then upload them to my hosting environment.
Modifying live also means I tend to be way more conservative on my design than I'd like to be.
Thanks for all the answers. I am making progress!
posted by cjorgensen at 6:37 AM on March 20, 2017
Probably. I tend to do that.
> What features of that hosted environment are you trying to emulate?
This is a bit embarrassing to admit, but my website workflow has always been to just modify live. I want to make a change in code, I just do it. I need to upgrade my CMS I just give it a go.
I back everything up first, but when I screw things up, I just take the downtime.
I've had a typo in an .htaccess file take my sites down for hours.
I'd like to start to use versioning, and I've like to reproduce my sites in a VM. I want to try to use the same OS, the same version of PHP, Apache, etc. Ideally, I could FTP the template changes to my local site, test them, and then upload them to my hosting environment.
Modifying live also means I tend to be way more conservative on my design than I'd like to be.
Thanks for all the answers. I am making progress!
posted by cjorgensen at 6:37 AM on March 20, 2017
So really all you need is in-house HTTP, HTTPS, FTP and possibly ssh access to your VM by hostname?
posted by flabdablet at 8:40 AM on March 21, 2017
posted by flabdablet at 8:40 AM on March 21, 2017
This thread is closed to new comments.
posted by miles at 9:33 AM on March 18, 2017