Re: FreeBSD 2 nic one to route one to DB - how do I?

Who Know wrote:
"Who Know" <jr_115@xxxxxxxxxxx> wrote in message news:44f568bb$0$13992$edfadb0f@xxxxxxxxxxxxxxxxxxxxxxx
"Tim Judd" <tjudd@xxxxxxxxxxx> wrote in message news:dOKdnR47wp5bhmjZnZ2dnUVZ_qCdnZ2d@xxxxxxxxxxxxxx
Who Know wrote:
"Who Know" <jr_115@xxxxxxxxxxx> wrote in message news:44f4dc04$0$13977$edfadb0f@xxxxxxxxxxxxxxxxxxxxxxx
"Edward Salonia" <esalonia@xxxxxxxxx> wrote in message news:IO6dnYYghv8dUmnZnZ2dnUVZ_v-dnZ2d@xxxxxxxxxxxxxxx
Who Know wrote:
"Edward Salonia" <esalonia@xxxxxxxxx> wrote in message news:ztydnRCD2YEbI2nZnZ2dnUVZ_r2dnZ2d@xxxxxxxxxxxxxxx
Who Know wrote:
I have a lovely server whit two nics. I want to "abuse" them both :)

The first nic should handle the normal www traffic (The outsite card)
The second nic should route to the DB server.

My OS is FreeBSD 6.1-RELEASE
www= Apache 2.2

The DB is Mysql 5.x

My IP-Addresses is 87.52.171.128/24 and the IP to the first nic is 87.52.171.131

How do I set this up to force the second nic only to get to the DB server (Only one nic installed)

Other hardware to use for networking build is two swicthes One fare better than the second, therefore I'll prefere to only use that one. One Cisco router.

I have been reading a lot on this site http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html but i didn't understand it :/ mayby I have been reading to little.

Please give me the exact scipting lines and setup (For dummies)


Not sure of the config file with MySQL but with regards to apache. There is a directive to specify what address/nic it will listen on. I would guess the same goes for the sql config file.
My sitution is better explained here:
http://www.vbulletin.org/forum/showthread.php?t=111191

or if you can't access the page you can see a copy here:

http://gndindex.com/showthread.php?p=3410#post3410
Oh ok, I didn't understand fully... It seems to me, and I could be wrong. But I dont think you need a public IP for the DB server. Just put the DB server and the second nic on the webserver on its own private network. I think that will work since the Web server will be talking to the db server, not the public clients accessing the site... As for routing, you should have to do anythign special since from the point of view of the web server, it will be able to hit both networks it is attached to.

for example. the webserver will have 2 nic's (1 has pub ip for http access) (1 for private net between itself and db server for db connect)

priv nic on webserver 192.168.1.1 255.255.255.252
nic on db server 192.168.132.2 255.255.255.252

Am I any closer to understanding what you want to do?
Very close :) but....

What do I set the defaultrouter="?" to on the DB server? and should I add
gateway_enable="YES" and/or router_enable="YES" on the www server?

rc.conf on www server:

defaultrouter="87.52.171.129"
hostname="ns0.reck.dk"
ifconfig_em0="inet 87.52.171.131 netmask 255.255.255.224"
inetd_enable="YES"
keymap="danish.iso"
keyrate="fast"
sshd_enable="YES"
usbd_enable="NO"
sendmail_enable="NONE"
xntpd_enable="YES"
xntpd_flags="-g -p /var/run/ntpd.pid"

ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.252"

#gateway_enable="YES"
#router_enable="YES"
#natd_enable="YES"
#natd_interface="87.52.171.131"

Make this result: (2 difrent switches)

ns0# ping db.reck.dk
PING db.reck.dk (192.168.132.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

make this result: (same switch)

ns0# ping db.reck.dk
PING db.reck.dk (192.168.132.2): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

The same happen from db to www server :(


you won't get very far without a proper DNS where th FBSD machine can work with.

You won't get very far between any link or connection with missing information.


So your FBSD machine is dual homed (2 NICs).. how do you want to setup the apache server? example:

<Big Internet>
\-> (NIC #1 on FBSD) FBSD NIC
\-> (NIC #2 on FBSD) DB server

-OR-

<Big Iternet>
|-> FBSD NIC #1
\-> DB server



Option 1 needs both NICs, option 2 only needs one NIC.

Do you have DHCP on your internal network? DNS? Is the FBSD your gateway aka router?

the advantage of option 2 is that anybody in the world can hit your database server, and exploit it, if there's a bug. Big benefit. J/K

The advantage of option 1 is security -- you only have one machine exposed.

please post more specs, I won't likely help again without them. Post the specs I asked for above, and I'll consider assisting.
I'm Working on option 1, both for the security, and to share the traffik on both nics, since there is a huge traffik between the www and the db.

My network build:

WAN
|
Router (Cisco 806)
|
Switch 10/100/(1000 Fiber only)
| | |
FBSD- www,dns,mail,db1 Workstatios FBSD- www,dns(2 nics)

|

FBSD-DB

This is how I want it. A this moment I have the FBSD-DB hooks directly to the switch.

Other network hardware availeble to me:
1 switch
I would also like to get the workstation behind the FBSD- www,dns(2nics machine) and the use it a router, since that FBSD is more than powerfull enaough to handle it.

In the earlier attemps to make this work, i added the FBSD-DB host name to the /etc/hosts file on the FBSD- www,dns(2 nics) machine.

Hope this will do it.


Here is a link to the network http://gndindex.com/showpost.php?p=3437&postcount=2



if i were you, i'd use simply a crossover cable between NIC2 and DB server. You can make them yourself and/or buy a premanufacturered one.

The crossover will allow the WWW talk to the DB, and vice versa, but if someone wants to talk to the DB directly, they have to break into the WWW server first.

Second alternative:

Internet -> Router -> FBSD NIC#1 -> FBSD NIC#2 -> switch -> rest of the network.

Third:

Internet -> FBSD NIC#1 -> FBSD NIC#2 -> switch -> rest of the network


the "third" option isn't traditionally used. the FBSD takes a LOT of unsolicited packets that are broadcast on the internet, but the advantage is that the third doesn't need ports open on any router or firewall. Oh, speaking of firewall. Here's the optimal way I'd do it.

Fourth:

Internet -> Router -> Firewall -> FBSD NIC#1 -> FBSD NIC#2 -> switch -> rest of network.

Fifth:

Internet -> Firewall -> FBSD NIC#1 -> FBSD NIC#2 -> switch -> rest of network.

your first line of defense is a product designed to take abuse and crap the Internet does.

Your FBSD is (relatively) safe, accessible from either side.

All these are options, and it depends on how you wanna hook it up.


If I was doing the work, and there are <NO> restrictions, cost, time, or energy getting it online:

Optimal:

Internet -> router -> Firewall -> Switch -> FBSD NIC#1
-> FBSD NIC#2 -> DB server
-> PC workstations, other terminals

Install a rock-solid OS (FBSD is GOOD! But I see OpenBSD better if the role of the hardware is going to be a server in ANY WAY).and keep a good eye on it. a compromised system so close to the network outlet won't have to go far before it's free. Make a strict firewall, only allowing what's necessary. Make an internal RFC1918 network on the inside (IPv6 if you choose), so you don't run out of "exposed" IP addressed.


I must admit that I'm still not getting a 100% picture, but you've painted a 95% picture for what you want, the topology of the network, but not software to use. (OpenBSD vs FreeBSD, Apache 1.3.x vs 2.x, MySQL vs PostgreSQL [ALL AS AN EXAMPLE]).

there are several ways, but what I think you're looking for EXACTLY is a crossover ethernet cable. You'll still need an IP address, and subnet for each end of the cable... but it's a simple and effortless after initial setup.


Post back if you have more issues.
.

Relevant Pages

  • Re: ConnectComputer Problem
    ... I'm a little confused by your network configuration. ... Switch2 --- SBS Server ... switch has internet access all the time, the second switch has the client ... NICs ...
    (microsoft.public.windows.server.sbs)
  • Re: Still cant connect to RWW or OWA remotely
    ... laptop plugged into port on DSL router. ... service, e-mail, and RWW is available to all users on the network. ... The server is a SBS2003 SP1 Standard box without ISA, ... of the two NICs by clicking the Advanced tabs, it won't open that box, ...
    (microsoft.public.windows.server.sbs)
  • Re: Cannot browse the network after migration
    ... the cause is the multiply NICs are all enable NetBT. ... >>> browse the network. ... >>> 189101 Understanding NetBIOS Resource Record Flags ... >>> NetBIOS setting from the DHCP server. ...
    (microsoft.public.windows.server.migration)
  • RE: How Does ISA 2004 Performs Routing
    ... Since I'm still not very clear about the network topology, ... The output of "IPconfig /all" command on ISA and an internal computer. ... >referring to routing between the 2 NICs but was referring to how the ISA ... >server itself routed to the next proxy server in the proxy chain. ...
    (microsoft.public.isa)
  • Re: Still cant connect to RWW or OWA remotely
    ... The server is a SBS2003 SP1 Standard box without ISA, ... the two NICs by clicking the Advanced tabs, it won't open that box, and ... program or service is running that might use the network address translation ... Is the Modem also your Router? ...
    (microsoft.public.windows.server.sbs)