Hi all,
I would like your opinion on what I'm trying to achieve here and the best way to do it.
I have a web server, amongst other servers, sitting on my ESXi box on a Dell R610.
I want to expose my web server to the outside world so I can access it without having to VPN in and access it locally. It's currently residing on my local network, and if I want access I VPN in from outside. It's running some internal stuff like Nagios and other bits and pieces that are password protected, but I also want to run a public page on it too. Keeping it on my local network and opening port 80 I know is clearly a bad idea. I did this once before years ago when I was still learning about networking. Long story short, the web server got hacked... they got into the rest of my network and cleared off a 2TB drive of data... luckily I had a backup!
I have thought of two ways of achieving this goal, but I'm not sure which would be the best way to implement, also considering security, i.e. keeping the web server separate from the rest of my network should it get compromised.
Option 1:
Using a DMZ
Option 2:
Create a new vSwitch in ESX and put it on a separate VLAN from the rest of my network. Set up firewall rules within MikroTik so that traffic can't come from the web server into my local network, but local network traffic can get into the web server to update the website.
Set up a port forward to port 80 to the web server on that VLAN for external traffic.
-------------------------------------------
Which do you guys think would be the best option to implement?
Just to add to this in case it helps: I have 6 NIC ports on my ESX host. Currently two are serving my management interface, one for main, one for failover. Two are serving a vSwitch for my guest VMs, one for main, one for failover.
The final two ports are currently not in use.
Thanks in advance for your help
Ross
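The rule set Option 2 describes (LAN may reach the web server, the web server may not start anything toward the LAN or the router, only tcp/80 is forwarded from outside), written out as an added RouterOS example that is not from the original post. Interface names (ether1 as WAN, ether2 carrying the DMZ VLAN, bridge-lan as the internal LAN), VLAN ID 20 and the addresses 192.168.20.0/24 and 192.168.20.10 are assumptions for illustration.

```routeros
# Assumed layout (constructed values): ether1 = WAN uplink, bridge-lan = internal LAN,
# ether2 = trunk to the ESXi vSwitch, VLAN 20 = DMZ, web server = 192.168.20.10
/interface vlan
add name=vlan20-dmz vlan-id=20 interface=ether2

/ip address
add address=192.168.20.1/24 interface=vlan20-dmz

/ip firewall filter
# Replies to sessions the LAN (or the Internet, via dst-nat) opened are allowed back;
# this rule must sit above the DMZ drop rules so LAN-initiated sessions keep working
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# LAN may open connections to the web server (SSH/SFTP/HTTP to update the site)
add chain=forward in-interface=bridge-lan out-interface=vlan20-dmz action=accept comment="LAN -> DMZ"
# Internet may reach only the port-forwarded tcp/80 on the web server
add chain=forward in-interface=ether1 out-interface=vlan20-dmz connection-nat-state=dstnat \
    protocol=tcp dst-port=80 action=accept comment="WAN -> DMZ web only"
# The web server may reach the Internet for package updates
add chain=forward in-interface=vlan20-dmz out-interface=ether1 action=accept comment="DMZ -> WAN"
# Anything the DMZ tries to start toward the LAN is dropped and logged: a compromised
# web server should not be able to repeat the earlier lateral movement
add chain=forward in-interface=vlan20-dmz out-interface=bridge-lan action=drop log=yes \
    log-prefix="DMZ->LAN" comment="block DMZ -> LAN"
# The DMZ may only ask the router for DNS; everything else to the router itself is dropped
add chain=input in-interface=vlan20-dmz protocol=udp dst-port=53 action=accept comment="DMZ DNS"
add chain=input in-interface=vlan20-dmz action=drop log=yes log-prefix="DMZ->router" \
    comment="block DMZ -> router"

/ip firewall nat
# Port forward: only tcp/80 arriving on the WAN interface is translated to the web server
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.20.10 to-ports=80 comment="forward web"
```

Rule order matters in RouterOS: the two drop rules only work as intended because the established/related accept precedes them, and the `log=yes` entries give a simple signal in `/log print` if the web server ever starts probing the LAN.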