Newbie network setup question

Hello.

Any assistance that someone might be able to provide would be greatly
appreciated.

Here is the situation:

I have a small business with DSL having 5 static IPs. I have a LAN with
eight workstations. I have a domain name, and want to run my own web
and mail servers, since thats what the static IP is for.

How should I set up the systems, so that the workstations are behind a
firewall or proxy or whatever, but still can access the web and mail,
which would also need to be accessible from the outside?

Who gets the static IPs? I assume the router gets one, but does a
static IP go to both the WAN and LAN sides of the router? And then, of
course, one goes to both the mail and web servers, and another to the
firewall/proxy machine. I assume that from behind the firewall, I could
use a 192.168.X.X scheme for the workstations...

Internet<--->router<------>web
|
--->mail
|
--->proxy<--->LAN

Would this be the proper way to do it? Or should the mail and web also
be behind the firewall/proxy machine?

Any help is appreciated...

"Christopher Dick" <(E-Mail Removed)> wrote in message
news:zRkjb.58028$(E-Mail Removed) hlink.net...
> Hello.
>
> Any assistance that someone might be able to provide would be greatly
> appreciated.
>
> Here is the situation:
>
> I have a small business with DSL having 5 static IPs. I have a LAN with
> eight workstations. I have a domain name, and want to run my own web
> and mail servers, since thats what the static IP is for.
>
> How should I set up the systems, so that the workstations are behind a
> firewall or proxy or whatever, but still can access the web and mail,
> which would also need to be accessible from the outside?
>
> Who gets the static IPs? I assume the router gets one, but does a
> static IP go to both the WAN and LAN sides of the router? And then, of
> course, one goes to both the mail and web servers, and another to the
> firewall/proxy machine. I assume that from behind the firewall, I could
> use a 192.168.X.X scheme for the workstations...
>
> Internet<--->router<------>web
> |
> --->mail
> |
> --->proxy<--->LAN
>
> Would this be the proper way to do it? Or should the mail and web also
> be behind the firewall/proxy machine?
>
> Any help is appreciated...
>

Is your router a dedicated router, e.g. a cisco box or is it another linux
box with routing capabilities?
If it is the letter then you can set it up to do all of these on the one
machine. I have this setup with a P2-333 w 192MB and it works perfectly
well. In this setup, you would only need one static IP address for the
external interface, and could use the 192.168.x.x on the internal interface
and other workstations.
If you have a router which isnt a computer (if you know what I mean), then
you will need one static IP for the external interface, and one for the
internal interface. You will then need one for the web/email
server/servers.
In both setups you can have one machine which will act as a web server and
email server or you can have separate machines. If you do have separate
machines then you will need multiple DNS entries which will cost you more
from your ISP, or you can use NAT on the router.
We could help a little more, if you tell us your intented load for the
web/mail servers.
As for the workstations, they can connect directly to the router (each would
need their own firewall), or go through another machine which can setup a
firewall.
HTH
Allan

> I have a small business with DSL having 5 static IPs. I have a LAN with
> eight workstations. I have a domain name, and want to run my own web
> and mail servers, since thats what the static IP is for.

If you mean static ip = official ripe ip's you have no problem at all.
just connect each of the servers and provide a firewall to each of the
servers.

if you mean static-ip = static, but non-internet-ip's you have to use
one router/firewall and allow port-forwarding to the other servers.

> Who gets the static IPs? I assume the router gets one, but does a
> static IP go to both the WAN and LAN sides of the router?

If you want to build up some "privacy" behind your firewall -and I
think that's what your firewall shall do- you will have to configure
eth0 of your router to ip e.g. 10.0.0.0 and eth1 to e.g 80.0.0.1 (your
static ripe-ip).
Set up your firewall and port forwarding to your other private ip's.
Let's say web-server (10.0.0.1) gets TCP/IP port 80. Etc...
You can use 192.168.x.x. or 10.x.x.x. whatever you like.

> Internet<--->router<------>web
> |
> --->mail
> |
> --->proxy<--->LAN
>
> Would this be the proper way to do it? Or should the mail and web also
> be behind the firewall/proxy machine?

It depends. From my point of view the figure looks as if they ARE
behind the router/firewall (in a private ip-range). PLUS: You have a
proxy (what kind of?) in front of your LAN.

> Any help is appreciated...

Let me know if this was helpful or not.

cedrix

Allan Bruce wrote:
> Is your router a dedicated router, e.g. a cisco box or is it another
linux
> box with routing capabilities?
> If it is the letter then you can set it up to do all of these on the one
> machine. I have this setup with a P2-333 w 192MB and it works perfectly
> well. In this setup, you would only need one static IP address for the
> external interface, and could use the 192.168.x.x on the internal interface
> and other workstations.
> If you have a router which isnt a computer (if you know what I mean), then
> you will need one static IP for the external interface, and one for the
> internal interface. You will then need one for the web/email
> server/servers.
> In both setups you can have one machine which will act as a web server and
> email server or you can have separate machines. If you do have separate
> machines then you will need multiple DNS entries which will cost you more
> from your ISP, or you can use NAT on the router.
> We could help a little more, if you tell us your intented load for the
> web/mail servers.
> As for the workstations, they can connect directly to the router (each would
> need their own firewall), or go through another machine which can setup a
> firewall.
> HTH
> Allan
>
>

My router is a Cisco 827 DSL router.

The answer you provided is what I needed to know regarding the router
configuration regarding how many of my assigned IPs get used by what
hardware. So it would, in fact, be two IPs to the Cisco, one to each of
the servers, and one to the proxy/firewall that isolates my LAN.

Okay. I think I have it now. Thanks so much!