This manual describes a few key configuration steps to take when introducing a new host to the internal LAN/DMZ behind the Advanced Router.
DMZ Host Configuration Steps:
1. Ethernet Interface Configuration
a. IP Address Selection
b. Broadcast, Netmask, and Gateway Settings
c. Name Server Routine Settings
2. Virtual Host Settings
3. Domain Name Records
4. Advanced Router Reconfiguration
1. Ethernet Interface Configuration
a. IP Address Selection
The DMZ host requires only one Ethernet interface. Its IP address should be a nonroutable address in the address space of the Advanced Router's internal interface. Which address to choose depends on the kind of translation this host will receive, which in turn depends on the number of routable IP addresses on each ISP network. That number determines how many hosts in the DMZ will be able to both serve and browse, as opposed to only browse.
A useful way to think of this is that the first block of IP addresses in the DMZ IP space will be translated as serving hosts as well as browsing hosts, while the rest will only browse (or not be visible to the internet at all). This block should be the same size as the number of routable IP addresses. For instance, if the ISPs are providing 32 routable IP addresses each, then the first 32 IP addresses out of the full 255 available in the DMZ IP space will be translated as serve-and-browse hosts, while the other 224 will be either browse-only or no-translation.

Serve and Browse: A good rule of thumb for easy translation is to choose a number in the DMZ IP address space that corresponds to the external, routable IP addresses that the Advanced Router will be using for translation, which should also correspond to each other. Try to choose IP addresses that are in the same place in each of their spaces. For instance, if there are two ISP networks, each providing a 32-address space, and the 11th IP address is chosen in one space, it helps if the 11th is also chosen from the other space, even if the two spaces do not start at the same number. In such a case, the internal IP to choose would be .11 in the internal IP address space. This makes it easy to remember which IPs are available and which have already been assigned.

Browse Only or No Translation: For these hosts, the only consideration is that the number chosen must be above the highest routable number. Using the 32-address example above, only addresses above .32 should be chosen for these hosts, to avoid the one-to-one translations in the first IP block. Browse-only hosts will have their outgoing requests translated to the primary external IP addresses of the Advanced Router at random, so no external address correspondence is necessary.
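The selection rule above, worked through in code. This is an added example, not part of the original manual; it assumes a /24 DMZ space whose first N host numbers map one-to-one (same ordinal position) onto each ISP's block of N routable addresses, and it uses constructed documentation prefixes rather than real ISP assignments.

```python
"""Choose a DMZ address for a new host and derive its translation.

Added example, not part of the original manual. It applies the rule above:
the first N host numbers of the /24 DMZ space map one-to-one onto each
ISP's block of N routable addresses, using the same ordinal position in
every space; anything above N is browse-only or untranslated. The DMZ and
ISP networks are constructed documentation prefixes, not real assignments,
and each ISP block is assumed to be counted from its first address.
"""
import ipaddress

DMZ_NET = ipaddress.ip_network("192.168.10.0/24")       # constructed
GATEWAY = DMZ_NET.network_address + 1                  # router's inside interface (.1)
ISP_BLOCKS = [ipaddress.ip_network("203.0.113.32/27"),    # 32 routable addresses, constructed
              ipaddress.ip_network("198.51.100.64/27")]   # 32 routable addresses, constructed

def routable_block_size():
    """Size of the one-to-one block; every ISP block must be the same size."""
    sizes = {net.num_addresses for net in ISP_BLOCKS}
    if len(sizes) != 1:
        raise ValueError("ISP blocks differ in size: %s" % sorted(sizes))
    return sizes.pop()

def plan_host(position):
    """Internal address and translation type for DMZ host number `position`."""
    size = routable_block_size()
    if not 1 <= position < DMZ_NET.num_addresses - 1:   # .0 and .255 are not hosts
        raise ValueError("host number %d is outside %s" % (position, DMZ_NET))
    internal = DMZ_NET.network_address + position
    if internal == GATEWAY:
        raise ValueError("%s is the Advanced Router's internal interface" % internal)
    if position <= size:
        # Same ordinal in each ISP space, e.g. the 11th address in both blocks.
        externals = [str(net.network_address + (position - 1)) for net in ISP_BLOCKS]
        return {"internal": str(internal), "type": "serve-and-browse", "external": externals}
    return {"internal": str(internal), "type": "browse-only", "external": []}

def choice_problems(position, will_serve):
    """Explain why a chosen host number conflicts with the intended role."""
    size = routable_block_size()
    problems = []
    if will_serve and position > size:
        problems.append("no routable address corresponds to .%d; choose .%d or below" % (position, size))
    if not will_serve and position <= size:
        problems.append(".%d would occupy a one-to-one translation slot; choose above .%d" % (position, size))
    return problems
```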
b. Broadcast, Netmask, and Gateway Settings
The Broadcast IP Address setting should be .255 in the DMZ IP space. The Netmask should be 255.255.255.0. The Gateway IP Address should be the address of the internal ethernet interface of the Advanced Router, usually .1 in the DMZ IP space.
c. Name Server Routine Settings
The DNS settings should point at the DMZ Name Server(s).
The DMZ Name Server(s) should resolve all domains that refer to DMZ hosts with both Forward and Reverse lookup zones. All references to DMZ hosts should use their internal nonroutable LAN/DMZ IP addresses. All references to external hosts should use external, routable IP addresses.
2. Virtual Host Settings
Any virtual hosts on the new host (assuming Serve and Browse translation) should use the internal nonroutable LAN/DMZ IP address of the host in their directives, as the host knows nothing about the corresponding external routable ISP IP addresses. This includes web services, databases, mail servers, and any other daemons that need to know which IP address to listen on.
3. Domain Name Records
Any domain names that resolve to the IP of this host (assuming Serve and Browse translation) must have Forward and Reverse lookup records inserted into all external ISP network name servers and internal DMZ name servers. External zones must refer to the external routable IP addresses that the Advanced Router translates for this host. Internal zones must refer to the internal nonroutable LAN/DMZ IP address of the host.
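The split-horizon record layout this section and the Name Server section describe, as an added example that is not from the original manual: internal zones carry the nonroutable LAN/DMZ address, external zones carry the routable addresses the Advanced Router translates, and each gets both a forward and a reverse record. Host names and addresses are constructed, and the "nonroutable" test assumes the LAN/DMZ uses RFC 1918 space.

```python
"""Generate split-horizon forward and reverse records for a DMZ host.

Added example, not from the original manual. Internal zones get the
LAN/DMZ address, external zones get the routable ISP addresses, and every
zone gets an A record plus its matching PTR. Names and addresses are
constructed; "nonroutable" is assumed to mean RFC 1918 space.
"""
import ipaddress

# RFC 1918 space; the manual's "nonroutable LAN/DMZ" addresses live here.
NONROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_nonroutable(ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in NONROUTABLE)

def records_for_host(fqdn, internal_ip, external_ips):
    """Return {'internal': [...], 'external': [...]} zone-file lines
    (A plus matching PTR) for the two views of the same name."""
    name = fqdn.rstrip(".") + "."
    internal = ipaddress.ip_address(internal_ip)
    if not is_nonroutable(internal):
        raise ValueError("internal zones must use the LAN/DMZ address, got %s" % internal)
    out = {"internal": [], "external": []}
    out["internal"].append("%s IN A %s" % (name, internal))
    out["internal"].append("%s. IN PTR %s" % (internal.reverse_pointer, name))
    for ext in map(ipaddress.ip_address, external_ips):
        if is_nonroutable(ext):
            raise ValueError("external zones must use routable addresses, got %s" % ext)
        out["external"].append("%s IN A %s" % (name, ext))
        out["external"].append("%s. IN PTR %s" % (ext.reverse_pointer, name))
    return out

def leaked_internal_addresses(external_zone_lines):
    """Find A records in an external zone that expose LAN/DMZ addresses,
    the mistake the rule above is meant to prevent."""
    leaks = []
    for line in external_zone_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[-2] == "A" and is_nonroutable(fields[-1]):
            leaks.append(line)
    return leaks
```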
4. Advanced Router Reconfiguration
Once all the above settings have been put into place, log in to the Advanced Router web application. The Status page should reflect that a new host has been added. Click the Manage Hosts link. Select a NAT Translation type, then click the Save link to save the changes to the database. Review the new default settings that the Advanced Router has preconfigured, and Save any further adjustments. Then click the Check and Apply Configuration link. This loads the Configuration Check interface, which should show that the configuration is ready to be applied. Click the Apply Configuration link to apply the new configuration. Within one minute the new configuration will be in place and the new host should be able to make and receive requests as set in the application.
Copyright © 2003 Derek Doyle <dtd@skybuilders.com>.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".