Access from Internet to public IPs behind Wingate


Postby andy-ru » Mar 15 10 8:55 pm

Hi,
I need your help guys!
I've prepared some schema to make my question more clear.
Please look at the schema attached and tell me, please, how I can configure WinGate to make Web, FTP, Mail, and other servers which have public IP addresses accessible from the Internet on different ports?
For instance, I'd like to install HTTP servers (open port 80) on all of them with public IPs 93.125.1.4, 93.125.1.5, and 93.125.1.6 and make them available from the Internet. How to do it?

Thanks in advance for any assistance!
Attachment: schema.jpg (network topology schema)
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am

Re: Access from Internet to public IPs behind Wingate

Postby andy-ru » Mar 17 10 10:38 pm

Guys,
can anybody help with this?
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am

Re: Access from Internet to public IPs behind Wingate

Postby andy-ru » Mar 18 10 9:15 pm

Actually, the problem is in the routing setup on the server where WinGate is installed.
I've tested this configuration without using WinGate and it works.
Please tell me, why can't I access the public IPs from the Internet?
The NAT option is switched on in WinGate and it allows connections from the Internet (the "allow packets" checkbox is on).
What's wrong?
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am

Re: Access from Internet to public IPs behind Wingate

Postby Alen » Mar 22 10 4:04 am

andy-ru
Look in manual for WWW Proxy -> Web server settings.
I believe you can try to solve the task using "Redirect the request" option of Web server and "Host tags".

I never tried it myself, just giving you direction...


Andrey, I think we blundered with WinGate... ;-(
Alen
WinGate Master
 
Posts: 217
Joined: Sep 21 09 7:50 pm

Re: Access from Internet to public IPs behind Wingate

Postby andy-ru » Mar 22 10 5:19 am

Thanks, Alen,
I'll try and put my investigation results here.
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am

Re: Access from Internet to public IPs behind Wingate

Postby adrien » Mar 24 10 1:51 am

Hi andy-ru

there are several options for what you want to do. I guess therefore there are some questions.

1. are you going to want access other than http to these servers?
2. do these servers need to know the client IP on the net connecting to them?

If you're only going to do HTTP, and the servers don't need the client IP (or can use it from the X-Forwarded-for header that WinGate can insert), you may not even need all those IPs, since you can use the WWW proxy to reverse-proxy to any number of internal servers based on host tag, and they don't then need a public IP.

An alternative could be to set up a DMZ, which would require an additional adapter on the WinGate computer for the DMZ but would then take the public IP servers off your LAN (unless they also had a second NIC each on the LAN).

Some routing products actually allow you to set up rules on a per-route basis so you could solve this with routes and rules. Unfortunately WinGate 6.x doesn't allow this, although we have had plans for some time to resolve this, it's unlikely to make the next major release.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
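
The reverse-proxy option above leaves the internal servers seeing the proxy's address on every connection, so logging has to take the client IP from the X-Forwarded-For header. This is an added example, not code from the thread or from WinGate: it shows a backend accepting the header only from the proxy. The proxy address `192.168.0.1` and the assumption that the proxy appends the connecting client as the last entry are constructed for illustration.

```python
import ipaddress

# Assumption: address of the reverse proxy as seen by the backend (constructed).
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.0.1")}


def client_ip(peer, headers, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request.

    peer    -- source address of the TCP connection
    headers -- dict of request headers with lower-cased names
    """
    peer_ip = ipaddress.ip_address(peer)
    # A connection that did not come through the proxy can carry any header
    # value the sender likes, so the header is ignored and the peer is logged.
    if peer_ip not in trusted:
        return str(peer_ip)
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the right-most entry was appended by our own proxy;
    # anything further left was supplied by the client and is unverified.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
        if ip not in trusted:
            return str(ip)
    # No usable entry: fall back to the connection's own source address.
    return str(peer_ip)
```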

Re: Access from Internet to public IPs behind Wingate

Postby andy-ru » May 28 10 4:33 am

adrien wrote:Hi andy-ru

there are several options for what you want to do. I guess therefore there are some questions.

1. are you going to want access other than http to these servers?
2. do these servers need to know the client IP on the net connecting to them?

If you're only going to do HTTP, and the servers don't need the client IP (or can use it from the X-Forwarded-for header that WinGate can insert), you may not even need all those IPs, since you can use the WWW proxy to reverse-proxy to any number of internal servers based on host tag, and they don't then need a public IP.

An alternative could be to set up a DMZ, which would require an additional adapter on the WinGate computer for the DMZ but would then take the public IP servers off your LAN (unless they also had a second NIC each on the LAN).

Some routing products actually allow you to set up rules on a per-route basis so you could solve this with routes and rules. Unfortunately WinGate 6.x doesn't allow this, although we have had plans for some time to resolve this, it's unlikely to make the next major release.


Hi adrien
1. are you going to want access other than http to these servers? - Yes, I do: https, svn, etc.
2. do these servers need to know the client IP on the net connecting to them? - Yes, for logging purposes.

If I don't want to use one more network adapter for the DMZ, is it possible to combine the DMZ and the LAN on one adapter (sorry for the stupid question)?

Also, I see that when I create more than ten bandwidth control rules, their order is broken after WinGate has been restarted. It's because you are storing the rule number as a string in the registry, like 1,2,..., 10,20. When WinGate starts, it does not sort the rules properly (as integers); it sorts them as strings. And finally they end up in the wrong order.
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am
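
The ordering problem reported in the post above, as an added example that is not WinGate's code: rule numbers kept as string names sort as "1", "10", "11", "2", so a late rule can move ahead of earlier ones. The rule table, the ports, and first-match evaluation are assumptions constructed for illustration.

```python
# Constructed sample: rule number (stored as a string) -> (port, priority).
# Rules 1-10 match one port each; rule 11 is a catch-all meant to run last.
PORTS = [22, 80, 443, 3690, 25, 110, 143, 21, 53, 993]
STORED_RULES = {str(n): (p, "high") for n, p in enumerate(PORTS, start=1)}
STORED_RULES["11"] = (None, "low")


def load_order(rules, numeric):
    """Rule names in evaluation order, sorted as integers or as strings."""
    return sorted(rules, key=int) if numeric else sorted(rules)


def first_match(rules, order, port):
    """Return (rule_name, priority) of the first rule matching the port."""
    for name in order:
        match_port, priority = rules[name]
        if match_port is None or match_port == port:
            return name, priority
    return None


def shadowed(rules):
    """Rules that no longer win their own match under string ordering."""
    as_int = load_order(rules, numeric=True)
    as_str = load_order(rules, numeric=False)
    lost = []
    for name in as_int:
        port = rules[name][0]
        if port is not None and first_match(rules, as_str, port)[0] != name:
            lost.append(name)
    return lost


def zero_padded(rules, width=4):
    """Same rules with fixed-width names, which sort the same either way."""
    return {name.zfill(width): rule for name, rule in rules.items()}
```

With fixed-width names, a plain string sort reproduces the intended numeric order, so either the storage format or the sort key can be corrected.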

Re: Access from Internet to public IPs behind Wingate

Postby adrien » May 28 10 11:05 am

Hi

Since you already have a DSL/NAT/firewall, you could conceivably do the following.

1. Set all WinGate adapters to internal.
2. Create a route on the WinGate machine so that the subnet for your internal public IPs is out your LAN adapter.
3. Create routes on those machines to use WinGate's IP as default gateway.
4. Either add a route to your ADSL so it knows to go via WinGate for those public IPs, or you can spoof ARP on the "external" interface on WinGate for those IPs.

What this will do is:

a) turn WinGate into a router for access to those public IPs. You won't be able to restrict access except for IP black holing, since we don't have port security tables for routed traffic.
b) WinGate will still NAT for internet access from the LAN, since the next hop will be a default gateway (the ADSL modem). This means you can still intercept things like HTTP to the WWW proxy.
c) open WinGate computer up. You might then need to lock down ports in port security, or even use the Windows firewall. Depends what the ADSL firewall lets in.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Access from Internet to public IPs behind Wingate

Postby andy-ru » May 28 10 7:41 pm

Thanks adrien,
I'll try. I just need to wait for a holiday for those exercises, to turn off the Internet in our office :)
And one more thing. Will I be able to use bandwidth control (set up priorities of the traffic) in the scenario you have described?
And can I monitor Internet traffic in that case?
Thanks in advance.
andy-ru
 
Posts: 10
Joined: Mar 04 10 2:42 am

Re: Access from Internet to public IPs behind Wingate

Postby adrien » Jun 01 10 11:07 am

You'll still be able to control bandwidth and see activity for the NAT traffic (LAN-originated), but I don't think you will for the routed traffic (to the public computers).
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

