Hi, I am looking for some help from more experienced VPS/hosting admins.
I may be trying to make this more complicated than it is. I may already have understood this and then convinced myself that it is more complicated than it is.
I have a direct internet connection with a Public IP block that I want to use for VPS and Web Hosting purposes. It comes into a Cisco router and then a dedicated IDPS platform.
Currently the LAN side of the IDPS is a private Class C network.
So a number of servers are on the private network with private class C addresses.
I want to use N number of these servers as VPS hosts.
So the host ethX interfaces have private Class C addresses and the external public IPs are on the other side of the IDPS/Cisco router.
I can map and forward the relevant public IPs/ports to the LAN hosts. But from outside, when I connect to the VPS, it shows as the LAN IP and not the external public IP, even though I have configured 1:1 NAT etc.
Do I have to connect the VPS hosts directly to the public network, or am I missing something fundamental in the way I need to set up networking? Can I set up a virtual interface at the Virtualmin level and give it a public IP? So the virtual machine is on a public IP and is hosted inside a host that is on the private network. If so, how do I get it to route into/out of my network?
As you can see I am maybe a little confused here and maybe have not explained myself fully. So any help appreciated. I have scoured google looking for answers.
How do other VPS/hosting providers set up their networking? Is there a how-to somewhere for Virtualmin that I have missed?
Thanks for your attention.
What virtualization software are you using? What do you mean with “from the outside when I connect it shows as the LAN IP”? Where exactly do you see the LAN IP when you’re expecting the external IP?
Also, Virtualmin has no influence on the networking setup/routing. You configure all networking related things independently from it. (Of course you can use the respective Webmin modules, in addition to manually editing config files.)
Various Virtualisation technologies.
For instance, when logging in via FTP, the server reports itself using the private address, not the public external address.
Do you have any experience setting up this type of network? The issue is not the virtualisation but the networking setup of the internal/external addresses.
I’m operating a similar (virtual) setup on my servers… no hardware routers though. I use VMware ESXi 5 and virtual software routers (the FreeBSD based router distro “pfSense”). So if you have concrete questions, I might be able to help.
Concerning FTP, that’s a bit of an exception, because the server’s IP address is not only used on TCP/IP level, but also inside the control connection protocol. It’s a matter of correctly configuring the FTP server, to have it present the external IP in its commands/replies and not the internal one.
Thanks for the reply.
Do you run your VPS/virtual machines using a private address and NAT (1:1 or otherwise) them out through your routers? Then forward the various public IP ports back to the right private address?
Or, do you connect your VPS/virtual machines to public IP addresses directly so that they are internet facing?
Where do you configure the external IP address? I have set the masquerade address to the external IP, but it makes no difference; it still presents the internal IP on connect.
OK, I think I have solved the FTP part. I had the masquerade address in the main proftpd config section and not within the virtual host directives. It is now showing the correct external IP when I connect. Obviously without any kind of name-based virtual hosting it is quite limited. I do understand that it is the FTP protocol that is lacking support for the hostname directive, so this is not possible.
Re: NAT: Actually I do both. Some virtual machines have external IPs and the router is simply a router for those, and some have private IPs, and the router performs outbound NAT and inbound port forwarding via its own external IP (no 1:1 NAT).
Except for FTP and possibly other protocols that use IP addresses/randomized port numbers in their connection (SIP comes to mind, as well as web hosting if you host the DNS zones), applications should have no problem with a NAT setup.
Yes, FTP has in contrast to HTTP no notion of hostnames. All you can do there is IP-based virtual servers.
Thanks for coming back to me.
Without 1:1 NAT the outbound connections would all appear to come from a single gateway IP that potentially would not match the desired public IP of a domain. If you have only one public IP this is fine, but my understanding is that with a block, outbound connections would need to be mapped to the correct public IP.
So you connect and expose the virtual machines with external IPs directly to the internet by connecting them to the public IP subnet, and the others sit behind “something” on a private subnet, right? Irrespective of hardware or software routers, physical connections have to be made to the public and private subnets, right?
My network topology is as follows:
Internet -> Cisco Router -> IDPS -> Switch -> LAN -> Hosts
So, currently I have a public IP subnet from the Cisco router to the IDPS and then a private subnet on the LAN side. All hosts are currently forwarded to specifically, depending on the destination public IP and service being requested. 1:1 NAT is configured for various hosts so that outgoing connections are identified as coming from the correct IP.
Is this the only way to do this without directly exposing the hosts to the internet? Or is this a moot point as I am already poking holes through to the services!
The question as to how others set up their networking for VPS provision still stands. I am assuming this is not some kind of secret! I don’t need IPs etc., just topology.
My amount of available IPv4 addresses is limited, therefore I have assigned those VMs that don’t necessarily need a public IP a private one and am using port forwarding for those. And I have a few VMs that should only be reachable through a VPN, those have a private IP too (though that’s not strictly required - the router can filter ports - it’s just to save addresses).
From a security point of view, it doesn’t really matter if a VM has a public or private IP if it’s behind a router/firewall anyway which only lets specific ports through. Especially so if your router receives traffic for all your public IPs and you use 1:1 NAT. Those ports you need have to be forwarded anyway, and those you don’t are filtered by the router anyway.
“IDPS” is supposed to mean “intrusion detection and prevention system”?
So what question EXACTLY remains? What “secret” do you want revealed? What topology question remains? It all just depends on your requirements how you set up your “VPS provision”. If you want 1:1 NAT, use it. You gain a tiny bit of security, but have a more complex setup on the servers, which have to deal with their private and the public IP (see FTP, SIP). If you want to give them public IPs, do it, and have the router filter ports.
From a security point of view, it doesn’t really matter if a VM has a public or private IP if it’s behind a router/firewall anyway which only lets specific ports through.
How are you giving a VM that’s behind a router firewall a public IP? Unless I really have misunderstood. For me to achieve this I would need to create a new VLAN for my public IP subnet within my switch, plug a physical network card into it and then also plug my router into it. I could then give a VM a bridged connection to the interface and assign it a public IP. This would be the equivalent of directly connecting the VM to the internet. But I think it would use one of my public IPs up for the physical interface and then possibly N for the VMs.
As I said at the beginning of this thread: “I may be trying to make this more complicated than it is. I may already have understood this and then convinced myself that it is more complicated than it is.”
How do other VPS/hosting providers set up their networking? Is there some way for me to configure a Virtualmin host with a public IP on a private network?
Obviously IPv4 addresses are expensive and limited. Hence my quest to understand some of this in more detail, to understand what options are available.
You keep asking me, but I have no idea how other “VPS/hosting providers set up their networking”, how would I? You probably need to ask someone who works for a VPS/hosting provider about that.
I also cannot really follow your setup, I can only tell what I’m doing: I have a virtual pfSense router and my virtual machines deployed on one physical ESXi 5 server (well actually I have two of those, but they are completely independent in terms of network setup, except for a VPN tunnel), which has three virtual switches defined. An individual IPv4 for management, and a /28 IPv4 subnet, is routed to pfSense by my hoster.
The physical NIC and the router (which has three virtual NICs) are connected to switch 1, those VMs with public IPs (and a router NIC) are connected to switch 2, those VMs with private IPs (and a router NIC) to switch 3.
For those VMs with public IPs, the router simply routes, since it knows about the /28 subnet that’s on virtual switch 2. For those VMs with private IPs, the router acts as outbound NAT gateway, and it has port forwardings defined via its external IP.
Hope that explains my situation. You need to see for yourself if it is useful and can be adapted to your situation.
OK thanks for the explanation of your setup. I think I need to do some more reading and research.
Your setup is essentially the same as mine, except I am using separate physical devices and you are using virtual devices inside a host with an external NIC connecting it to the internet. There may be an answer in VLANs and trunking, as my devices support VLAN tagging, as does Linux natively. This may allow me to route multiple subnets down a single cable and then separate the traffic depending on the VLAN it’s attached to. So essentially combining both the private and public subnets into one physical NIC at the server end.
Back to the grindstone I think. I could not really find any information on network topology and setups for VPS/hosting provision. Maybe I need to find out the right questions as you suggest.
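The VLAN-trunking idea from the last post, written out as an ifupdown configuration for the VM host (an added example, not from anyone in the thread): two tagged sub-interfaces on one NIC, each bridged for VMs, with the host itself holding no address on the public bridge so none of the public IPs is consumed by the physical interface. VLAN IDs 100/200, bridge names and the 192.168.1.x addresses are assumptions.

```conf
# /etc/network/interfaces on the VM host (Debian-style ifupdown with the
# vlan and bridge-utils packages). Added example; VLAN IDs, bridge names
# and addresses are assumptions, not values from the thread.
# The switch port facing eth0 must be a trunk carrying both VLAN tags, and
# the router/IDPS needs a tagged interface in each VLAN as well.

auto lo
iface lo inet loopback

# Physical NIC: carries only tagged frames and has no address of its own.
auto eth0
iface eth0 inet manual

# VLAN 100: the public subnet routed in from the Cisco router.
auto eth0.100
iface eth0.100 inet manual
    vlan-raw-device eth0

# VLAN 200: the existing private Class C network.
auto eth0.200
iface eth0.200 inet manual
    vlan-raw-device eth0

# Bridge for VMs that get a public IP. The host deliberately has no address
# here, so its own management stays off the public VLAN and no public IP is
# spent on the NIC; each such VM's vNIC attaches to br-public and the
# router/IDPS filters which ports reach it.
auto br-public
iface br-public inet manual
    bridge_ports eth0.100
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0

# Bridge for VMs that keep a private IP (outbound NAT / inbound port
# forwarding on the router), plus the host's own management address.
auto br-private
iface br-private inet static
    address 192.168.1.10          # constructed example address
    netmask 255.255.255.0
    gateway 192.168.1.1           # LAN side of the IDPS/router (assumed)
    bridge_ports eth0.200
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
```

A VM that should be internet facing is simply attached to br-public and given one of the public addresses with the router as its gateway, while the host's SSH/Webmin stays reachable only on br-private.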