After my investigation of fibre connections yesterday, I got to thinking about how many IP addresses I really could whittle down to, and whether I could use my firewall more creatively.
First, I combined the functions of two servers that had been doing pretty similar things. That wasn't too difficult, and meant I could eliminate one server completely. That also saves a little bit of electricity.
Then I tried to do the same with two more servers, and ran into trouble. With Apache (the web server), you can have name-based "Virtual Hosts". That means you can use the same server to pretend to be several different ones. So, for example, I have dovecot.drsolly.com on the same physical server as www.drsolly.com, and Apache knows which file to serve, based on the host name your browser asked for (sent in the HTTP Host header).
I've used that a lot, and I've used it somewhat on drsolly.com. But when I tried to add another server with a different name, it just wouldn't work. That server is running RedHat version 6.2, and it's been running now for eleven years. I think that updating it would probably be a good fix, but I'm reluctant to mess with something that's been so solid. So I found a cheap-and-nasty way to do the same thing, and that's a second server I can power off, and another external IP address I don't need.
But the third one is more interesting. For that, I wanted to keep the two servers running, but have them on one IP address, and as you can imagine, that's a bit tricky. Of course, they're actually on two IP addresses, 10.149.17.2 and 10.149.17.3, which are purely internal addresses, because (as I explained yesterday) I have 16 million of them I can use. It's the external addresses that I'm trying to economise on. Anything that starts with a 10 is free for anyone to use, but it only works inside your own network, anything outside wouldn't be able to talk to it.
Normally, my firewall connects an internal address with an external address on a one-to-one basis, so 10.149.17.2 would connect to 18.104.22.168 and 10.149.17.3 would connect to 22.214.171.124. But I want to use only one external address.
Here's how I did it.
To access web services on 10.149.17.2, you would access 126.96.36.199, port 80, and to access web services on 10.149.17.3, you would access 188.8.131.52, port 80, and the firewall translates the network addresses. But I'm running a Cisco Pix, with version 6.5 of the software, and I was guessing that I could do a lot better. Guessing, I say, because the only manual I have is for version 4.4. Why the old manual? Because a new Pix is about £500 and a second hand one is about £50, and they pretty much go on working forever, so guess what I buy when I need another Pix? And second hand Pixes don't tend to come with a manual. Pixi? Pixen? But, I'm glad to say, I was able to find more recent documentation online.
The way that you connect an inside server to the outside world is like this:
static (inside,outside) 184.108.40.206 10.149.17.2
That's a version 4.4 config. But with version 6.5, you can do this:
static (inside,outside) tcp 220.127.116.11 80 10.149.17.2 80
And that connects the web service of 10.149.17.2 to the outside world at IP address 18.104.22.168.
And now the clever part.
static (inside,outside) tcp 22.214.171.124 81 10.149.17.3 80
That connects the web service of 10.149.17.3 (a different physical server to 10.149.17.2) to the outside world using the same IP address 126.96.36.199 but a different port number, 81.
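Here is a small model of what the firewall is doing with those two static lines. This is an added example written for this post, not Pix code and not Cisco's: it parses the "static (inside,outside) tcp ..." form, builds the inbound translation table, refuses two statics that claim the same external IP and port, and shows that an external port with no static (port 22, say) maps to nothing and is dropped. The rule table is constructed for the example; it uses the internal addresses from the post and one external address (the one from the first static line) for both rules, because the point is that the address is shared.

```python
"""Model of Pix-style 'static' TCP port forwarding (added example, not Pix code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp port)


@dataclass(frozen=True)
class StaticRule:
    """One 'static (inside,outside) tcp EXT EXT_PORT INT INT_PORT' line."""
    external: Endpoint
    internal: Endpoint


def parse_static(line: str) -> StaticRule:
    """Parse a 6.x style TCP static line into a rule.

    Only the per-port TCP form is accepted. The one-to-one
    'static (inside,outside) EXT INT' form maps every port, so it is
    rejected here to keep the table port-specific.
    """
    parts = line.split()
    if len(parts) != 7 or parts[:3] != ["static", "(inside,outside)", "tcp"]:
        raise ValueError(f"not a TCP port static: {line!r}")
    ext_ip, ext_port, int_ip, int_port = parts[3], int(parts[4]), parts[5], int(parts[6])
    # ip_address() raises on a malformed address, so a typo fails loudly.
    ip_address(ext_ip)
    ip_address(int_ip)
    return StaticRule((ext_ip, ext_port), (int_ip, int_port))


def build_table(lines: Iterable[str]) -> Dict[Endpoint, Endpoint]:
    """Build the inbound table, refusing two statics for one external IP:port.

    'Last one wins' would silently send traffic to the wrong server, so a
    conflicting pair is treated as a configuration error.
    """
    table: Dict[Endpoint, Endpoint] = {}
    for line in lines:
        rule = parse_static(line)
        if rule.external in table and table[rule.external] != rule.internal:
            raise ValueError(f"conflicting static for {rule.external}")
        table[rule.external] = rule.internal
    return table


def translate_inbound(table: Dict[Endpoint, Endpoint], dst: Endpoint) -> Optional[Endpoint]:
    """Internal server:port for an inbound destination, or None.

    None means no static covers that IP:port, so the packet is dropped:
    exposing port 81 for the second server exposes nothing else on it.
    """
    return table.get(dst)


def translate_outbound(table: Dict[Endpoint, Endpoint], src: Endpoint) -> Optional[Endpoint]:
    """Reverse mapping for the reply: internal source -> external source."""
    for external, internal in table.items():
        if internal == src:
            return external
    return None


# Constructed rule set mirroring the post: one external address, two ports,
# two internal web servers.
CONFIG = [
    "static (inside,outside) tcp 220.127.116.11 80 10.149.17.2 80",
    "static (inside,outside) tcp 220.127.116.11 81 10.149.17.3 80",
]
TABLE = build_table(CONFIG)

if __name__ == "__main__":
    for dst in [("220.127.116.11", 80), ("220.127.116.11", 81), ("220.127.116.11", 22)]:
        print(dst, "->", translate_inbound(TABLE, dst))
```

The conflict check in build_table is the part worth keeping in mind when adding more statics later: the firewall only has one external IP:port to match on, so every exposed service needs its own port, and an accidental duplicate is better caught when the rule is written than after traffic starts going to the wrong box.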
Here's the result of doing this.
If you access with your browser http://188.8.131.52 then you get to browse the files on 10.149.17.2. But if you access with your browser http://184.108.40.206:81 then you get to browse the files on 10.149.17.3.
The same external IP address, 220.127.116.11, is being used to access two different internal servers. And that means that I need one fewer IP address!
And why am I trying to be stingy with IP addresses? Well, it isn't a problem now, but if I do change over to using two BT fibre connections a couple of years from now, I'll only have 10 IP addresses. And with the changes I've made above, it just so happens that 10 IP addresses is *just* enough.
There's a lot more servers here, of course, but they're all on internal IP addresses, because they're used for backup, or for mass storage, or whatever.