Private Dancer
August 23, 2007 9:18 AM Subscribe
How do I make services publicly available behind a private network?
I have a department that uses NAT to hide a bunch of machines behind a single public IP address.
Is there an easy way to allow some (2 or more) of those machines to run services, e.g. web or VNC — whatever — such that someone from outside the NAT could connect to those machines?
What kind of service would I run in conjunction with the NAT box?
I have a department that uses NAT to hide a bunch of machines behind a single public IP address.
Is there an easy way to allow some (2 or more) of those machines to run services, e.g. web or VNC — whatever — such that someone from outside the NAT could connect to those machines?
What kind of service would I run in conjunction with the NAT box?
Response by poster: I'm not sure a VPS would apply here, unless I'm confused about what a VPS does. Multiple devices on the private network would need to make accessible all kinds of services, not a single device running virtualization software.
posted by Blazecock Pileon at 9:29 AM on August 23, 2007
posted by Blazecock Pileon at 9:29 AM on August 23, 2007
Response by poster: One thing I don't understand about VPNs with NAT is how to get to a specific machine. Presumably, once you are on the VPN, you have to know the private address ahead of time — what if this is not static?
Is there a way to solve this without use of a VPN client, so that a service can be made publicly available?
posted by Blazecock Pileon at 9:35 AM on August 23, 2007
Is there a way to solve this without use of a VPN client, so that a service can be made publicly available?
posted by Blazecock Pileon at 9:35 AM on August 23, 2007
You can do this easily via port forwarding, assuming your router supports it. If your router's outward IP address is 10.10.10.10, you assign ports to specific addresses behind it. So, if you're running two web servers you need to access, you forward 10.10.10.10:80 to the first and 10.10.10.10:81 to the second.
I use those ports as examples- you can use whatever ports you want.
Though, bare in mind, you're now making those services available TO THE PUBLIC (depending on your router config). If you're exposing stuff like VNC, a VPN will be much more secure (and expensive, and difficult). When a machine logs into the VPN, it's just like it's on the internal network.
posted by mkultra at 9:36 AM on August 23, 2007
I use those ports as examples- you can use whatever ports you want.
Though, bare in mind, you're now making those services available TO THE PUBLIC (depending on your router config). If you're exposing stuff like VNC, a VPN will be much more secure (and expensive, and difficult). When a machine logs into the VPN, it's just like it's on the internal network.
posted by mkultra at 9:36 AM on August 23, 2007
Response by poster: You can do this easily via port forwarding, assuming your router supports it. If your router's outward IP address is 10.10.10.10, you assign ports to specific addresses behind it. So, if you're running two web servers you need to access, you forward 10.10.10.10:80 to the first and 10.10.10.10:81 to the second.
I use those ports as examples- you can use whatever ports you want.
So I'd have to configure the services on each computer differently, and then set up the NAT device to do port forwarding to map those port assignments to a specific IP address. I could see that quickly becoming an administrative nightmare.
Is there a cleaner solution, which does not require a VPN client?
posted by Blazecock Pileon at 9:54 AM on August 23, 2007
I use those ports as examples- you can use whatever ports you want.
So I'd have to configure the services on each computer differently, and then set up the NAT device to do port forwarding to map those port assignments to a specific IP address. I could see that quickly becoming an administrative nightmare.
Is there a cleaner solution, which does not require a VPN client?
posted by Blazecock Pileon at 9:54 AM on August 23, 2007
One thing I don't understand about VPNs with NAT is how to get to a specific machine. Presumably, once you are on the VPN, you have to know the private address ahead of time — what if this is not static?
We get round this by using an internal DNS server, with a custom extension. Once you're in the VPN, you can just type, say, mother.internal and get taken to that machine.
the VPN is really pretty clean -- on OS X and OS X Server at least -- but I don't know how you'd do it if you wanted all the machines openly available to the public apart from NAT setup hell.
posted by bonaldi at 10:00 AM on August 23, 2007
We get round this by using an internal DNS server, with a custom extension. Once you're in the VPN, you can just type, say, mother.internal and get taken to that machine.
the VPN is really pretty clean -- on OS X and OS X Server at least -- but I don't know how you'd do it if you wanted all the machines openly available to the public apart from NAT setup hell.
posted by bonaldi at 10:00 AM on August 23, 2007
Well if you don't need to cope with multiple machines running the same service (and therefor needing the same port) then uPnP would solve this problem. uPnP application (like, say, Azureus) will negotiate the port forwarding the the router themselves.
However you have to specify at the router how it handled repeat/conflicting requests.
posted by phearlez at 10:02 AM on August 23, 2007
However you have to specify at the router how it handled repeat/conflicting requests.
posted by phearlez at 10:02 AM on August 23, 2007
It depends what kind of device is separating your internal network from the outside.
What you use to hide those internal IP's right now is typically called hide NAT.
You have some other options depending on what your device supports. For one thing it might support static NAT. Static NAT will translate inbound requests to an outside IP address to an inside IP address, which is exactly what you want. That said there are two possible ways to accomplish this:
*Tell your ISP you need an additional IP. Technically terms for what to do with this depend on your device, but essentially you'll "host" an extra IP on the outside interface of your device, and NAT it to a single address on the inside which runs www or vnc or whatever you want.
*If another IP isn't an option, you might try PAT if your device supports it. In other words you configure your device to do a NAT for inbound reuqests coming to the IP you have for specific services only. For example, for an incoming request on port 80 to your public address, your device NATs this and only this type of request to a certain internal address on the inside.
Sorry these are vague but there are many variable here which depend on what your outside device is there.
posted by poppo at 10:06 AM on August 23, 2007
What you use to hide those internal IP's right now is typically called hide NAT.
You have some other options depending on what your device supports. For one thing it might support static NAT. Static NAT will translate inbound requests to an outside IP address to an inside IP address, which is exactly what you want. That said there are two possible ways to accomplish this:
*Tell your ISP you need an additional IP. Technically terms for what to do with this depend on your device, but essentially you'll "host" an extra IP on the outside interface of your device, and NAT it to a single address on the inside which runs www or vnc or whatever you want.
*If another IP isn't an option, you might try PAT if your device supports it. In other words you configure your device to do a NAT for inbound reuqests coming to the IP you have for specific services only. For example, for an incoming request on port 80 to your public address, your device NATs this and only this type of request to a certain internal address on the inside.
Sorry these are vague but there are many variable here which depend on what your outside device is there.
posted by poppo at 10:06 AM on August 23, 2007
So I'd have to configure the services on each computer differently, and then set up the NAT device to do port forwarding to map those port assignments to a specific IP address. I could see that quickly becoming an administrative nightmare.
Yep it's a pain, but I think that's your only option if you want to do this with cheapo NAT. Static IPs for the servers, manual port forwarding. The servers can be serving traffic on their normal ports (ie: web on port 80), but port 80 on the router can only be forwarded to one server. You can configure port 81 on the router to forward to port 80 on server #2.
Beware, most cheap routers have a limited number of slots for port forwarding, about 10-20 ports.
You could maybe jury-rig something with Universal Plug n Play or NAT-PMP. That way the server boxes could tell the router to forward the ports without having to configure it manually. I wouldn't count on this being particularly robust.
If you're serious about this, you've outgrown your NAT router and need to do some more real routing or VPN solution.
posted by Nelson at 10:07 AM on August 23, 2007
Yep it's a pain, but I think that's your only option if you want to do this with cheapo NAT. Static IPs for the servers, manual port forwarding. The servers can be serving traffic on their normal ports (ie: web on port 80), but port 80 on the router can only be forwarded to one server. You can configure port 81 on the router to forward to port 80 on server #2.
Beware, most cheap routers have a limited number of slots for port forwarding, about 10-20 ports.
You could maybe jury-rig something with Universal Plug n Play or NAT-PMP. That way the server boxes could tell the router to forward the ports without having to configure it manually. I wouldn't count on this being particularly robust.
If you're serious about this, you've outgrown your NAT router and need to do some more real routing or VPN solution.
posted by Nelson at 10:07 AM on August 23, 2007
Is there a cleaner solution, which does not require a VPN client?
Port forwarding is as clean and easy as it gets. It sounds like you want to do this to a lot of machines, well, at that point VPN is your best bet.
Another cheap and easy solution is to allow ONLY ssh. Port forward port 22 to the ssh server. Now you have one hole in your firewall.
Now, install VNC on every computer. Now lets say youre at home and you really need to access the computer with the address 192.168.1.105. You would use your ssh client (putty most likely) to make a tunnel to 192.168.1.105 port 5900. Now make vnc connect to locahost:5900 and there you are.
You just need to make a different tunnel for every machine. No fuss no muss.
Also, once you VNC into one machine you can VNC into others from that session. So lets say you just have one tunnel set up and it connects you to 192.168.1.101. and you want to get to .105. Well just run VNC again on the remote computer and make it connect to .105. No need for extra tunnels.
You can even dispense with ssh and just have one VNC port listening and do what I said above. Its a lot more secure with ssh or a vpn. A bit foolish to do it without it, imho.
I believe VNC's authentication has been cracked and if someone sniffs your network while you are authenticating they can easily retrieve your plaintext password by cracking the sniffed ciphertext. Some VNC distributions have different authentication, so you may want to look into that if you are not going to vpn/ssh it.
posted by damn dirty ape at 12:04 PM on August 23, 2007
Port forwarding is as clean and easy as it gets. It sounds like you want to do this to a lot of machines, well, at that point VPN is your best bet.
Another cheap and easy solution is to allow ONLY ssh. Port forward port 22 to the ssh server. Now you have one hole in your firewall.
Now, install VNC on every computer. Now lets say youre at home and you really need to access the computer with the address 192.168.1.105. You would use your ssh client (putty most likely) to make a tunnel to 192.168.1.105 port 5900. Now make vnc connect to locahost:5900 and there you are.
You just need to make a different tunnel for every machine. No fuss no muss.
Also, once you VNC into one machine you can VNC into others from that session. So lets say you just have one tunnel set up and it connects you to 192.168.1.101. and you want to get to .105. Well just run VNC again on the remote computer and make it connect to .105. No need for extra tunnels.
You can even dispense with ssh and just have one VNC port listening and do what I said above. Its a lot more secure with ssh or a vpn. A bit foolish to do it without it, imho.
I believe VNC's authentication has been cracked and if someone sniffs your network while you are authenticating they can easily retrieve your plaintext password by cracking the sniffed ciphertext. Some VNC distributions have different authentication, so you may want to look into that if you are not going to vpn/ssh it.
posted by damn dirty ape at 12:04 PM on August 23, 2007
Port forwarding.
You configure your router to forward an external port to a port on the internal machine.
E.g., if you wanted to run a webserver, you'd forward external port 80 to port 80 on the internal webserver machine. (Actually the internal machine could have its webserver running on pretty much any port you want, but you just have to set the forwarding up right.)
Repeat for all other services -- as long as they are services that use a consistent port number. (Active FTP and some other protocols that randomly choose a port to connect on are harder.)
posted by Kadin2048 at 12:49 PM on August 23, 2007
You configure your router to forward an external port to a port on the internal machine.
E.g., if you wanted to run a webserver, you'd forward external port 80 to port 80 on the internal webserver machine. (Actually the internal machine could have its webserver running on pretty much any port you want, but you just have to set the forwarding up right.)
Repeat for all other services -- as long as they are services that use a consistent port number. (Active FTP and some other protocols that randomly choose a port to connect on are harder.)
posted by Kadin2048 at 12:49 PM on August 23, 2007
« Older Why would room temperature water be coming out of... | Need help finding an sci-fi story. Newer »
This thread is closed to new comments.
posted by bonaldi at 9:24 AM on August 23, 2007