|Sep 1, 2013, 07:11 AM||#1|
OS X Server setup, WAN/LAN advice
Hello all. Sorry for the long post but I want to make sure I'm clear.
I'm setting up a proof of concept of sorts for an architect's small business. I want to set up some OS X Server services (contacts, calendars, wiki, FTP,...) with FileMaker Server and a CAD solution running on top. This will allow the architect's small office to be mobile, sharing and collaborating on projects.
At the moment I have a Mac Mini running OS X Server and a domain name up and running. I have a dynamic IP address from my ISP - swapping to a static solution would both cost more and reduce my available bandwidth. For the purposes of testing I can live with this, as I have the Mini tweeting me its WAN IP when I send it an email, in case I'm not at home, so I can edit my domain zone file. I'm still learning some Python to edit a script to automatically update the zone file, but for the moment it's OK.
My biggest problem is that the cable modem/router provided by the ISP has very limited capabilities. The main problem being that it cannot forward enough ports to the Mac Mini to make all services available at once. For the last few months we have been testing either FileMaker Server or the CAD server, but not both for example.
For the moment there is no budget at all so I want to do this all from my home so that we can test everything for a few months or a year with this architect.
Here comes the part where I ask for advice. I'm going to be trying it out on my weekends anyway, but basically I'm learning all this stuff as I go along so any help and sharing of past experiences would be greatly appreciated.
In order to make the Mac Mini available to as many services as possible, I now want to switch my modem-router into bridge mode and connect the Mac Mini server directly to the internet. Using the Thunderbolt Ethernet adapter, I then want to share the internet connection with the rest of my LAN (a few Macs, Apple TV, etc).
So the plan is:
WAN -> modem bridge -> Mac Mini Server + NAT/DHCP/IceFloor -> ethernet Switch -> LAN + Airport
I have been told this can be quite risky security-wise, but I've discovered an app called IceFloor that seems to help (basically taking over the role of the router's limited firewall). I have of course searched many posts here and forums elsewhere. There is a lot of info out there, but it's often just fragments. My biggest concern is the NAT part for my LAN, as I've seen many people say it doesn't work, but as usual nobody complains when it does work!
Thanks for any advice, help and/or links.
|Sep 1, 2013, 07:28 AM||#2|
The ideal configuration would be to purchase a hardware firewall and place it between them. A proper edge device should not have any difficulty forwarding services to the internal server.
|Sep 2, 2013, 05:16 AM||#3|
Thanks for the pointers and references. There is no real value to the data on the server during this test, so as long as I restrict the service ports to what I need, then I just have to trust each piece of software to do its job.
Just a couple of questions to chase up on what you said:
Will my LAN be fairly protected when using NAT through the Mac Mini server (as I understand it is when using a standard modem-router)?
And what do you mean by "edge device"?
|Sep 5, 2013, 09:42 AM||#4|
I don't think combining your core services and your firewall/gateway into one device is an intelligent choice in this scenario. The solution to the lacking router is another router, not overly centralizing ALL of your services. Furthermore, you are going to find the firewall options for this to be incredibly lacking in OS X, unless you plan on getting dirty with editing the pf or ipfw configs.
Also - why don't you just use dynamic DNS to access your services instead of manually changing your zone files?
What he means by edge device is a system that sits between your network ingress and egress points - something that is almost always a router.
|Sep 17, 2013, 08:06 PM||#5|
Your idea is something that can be done with OS X Server, but I warn you that NAT may not work very well in 10.7+ installations.
As mentioned previously, it would be MUCH MUCH better to simply go buy a cheapo ethernet router that has a basic firewall. This provides better protection, guaranteed NAT services (you can still run DHCP from the OS X Server) and prevents the server from being exposed directly on the internet.
Given that you have no budget, again, OS X Server CAN be made into a NAT gate but test it cautiously and slowly as lots changed between 10.6 to 10.7+.
Yes, your internal LAN would be fine and protected as if you had any other router/firewall, provided no one can compromise the server externally and make it malicious (i.e. remote SSH access with root/administrator privileges).
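For readers who do go the "get dirty with pf" route from post #4, here is an added example pf.conf for the topology in post #1 (WAN on the Mini's built-in port, LAN on the Thunderbolt adapter) that does the NAT and exposes only a short list of service ports, keeping SSH reachable from the LAN only as post #5 warns. It is not from the thread or from IceFloor; the interface names, the LAN subnet and the port list are assumptions you must adapt.

```pf
# Added example pf.conf (not from the thread). Assumed: WAN on en0, LAN on the
# Thunderbolt Ethernet adapter en4, LAN subnet 192.168.20.0/24.
wan     = "en0"
lan     = "en4"
lan_net = "192.168.20.0/24"

# TCP ports published to the internet. 80/443 for the wiki; 5003 is FileMaker
# Server's default client port. Add only what a tested service really needs.
# FTP is deliberately not opened here: passive FTP needs extra handling in pf.
public_tcp = "{ 80, 443, 5003 }"

set skip on lo0
set block-policy drop

# Drop packets whose source address does not belong on the interface they arrive on.
antispoof quick for { $wan $lan }

# NAT for the LAN toward the internet (translation rules precede filter rules on OS X pf).
nat on $wan from $lan_net to any -> ($wan)

# Default deny inbound; everything below punches deliberate holes in this.
block in all
pass out quick keep state

# The LAN is trusted: it may reach the server itself and, via NAT, the internet.
pass in on $lan from $lan_net to any keep state

# From the internet, only the published services reach the server.
pass in on $wan proto tcp from any to ($wan) port $public_tcp flags S/SA keep state

# SSH management from the LAN only; nothing above opens port 22 on the WAN side.
pass in on $lan proto tcp from $lan_net to ($lan) port 22 keep state

# Activation (run as root):
#   sysctl -w net.inet.ip.forwarding=1     # let the Mini route between en0 and en4
#   pfctl -n -f /etc/pf.conf               # syntax check first
#   pfctl -e -f /etc/pf.conf               # enable pf and load the rules
```

Check the result from outside with a port scan of your own WAN address: only the ports in public_tcp should answer, and port 22 should not.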