Dangerous Things
Custom gadgetry for the discerning hacker
A cheap router that can do public traffic redirection

If you’ve ever had to move a bunch of public-facing servers from one IP subnet to another, you know there is a period of downtime while your DNS records update around the world. That downtime, as everyone familiar with DNS knows, is usually between 4 and 48 hours, depending on the TTL values in your SOA records and the local DNS cache settings of potential users around the world. Unless you have a lot of cash, or already have a geographically diverse infrastructure set up, your services will be subject to this downtime.

In most cases it’s just something that is scheduled, planned for, and accepted. Sometimes, however, this downtime is simply unacceptable. In those cases, unless you have a lot of cash to build a solution, or already have a geographically diverse infrastructure set up, you’re usually stuck explaining your situation to your boss or your clients. You can only hope they aren’t planning moves of their own.

I’ve been a fan of SnapGear routers for a long time now. They are relatively cheap little boxes that run a custom open-source Linux OS. They also make rack-mount units and PCI cards that run as a router right inside the machine. SnapGear was bought by CyberGuard, which then became Secure Computing, which then sold the hardware division to McAfee… but these things are still great little NAT/VPN/router/firewall boxes.

Well, recently, just for kicks, I configured a NAT forward rule from the public interface to another public IP… and it worked! This was great news. It meant I could take one of my SG580 boxes and configure it to redirect all traffic arriving at the old IP subnet and NAT it to the new subnet, without visitors noticing. As visitors’ DNS records update and they start hitting the new IP subnet directly, this box serves to bridge the gap and keeps downtime to an absolute minimum.

To do it, I left the public side of the redirector SG580 unplugged, then configured its public interface with the first IP address of the current subnet and added aliases on that interface for the rest of the IPs in the subnet. Next I drew up a map on paper of old public IP/port to new IP/port, and configured a NAT forwarding rule for each entry on the map. Once that was done, I was free to shut down and move the servers. With everything moved and reconfigured, I connected the public side of the redirector SG580 to the Internet and that was it: traffic was reaching the correct servers via either IP subnet.
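The alias-plus-NAT-map step above, as an added example that is not the post’s SnapGear configuration: the same old-IP:port to new-IP:port map expressed as generic Linux netfilter commands for a two-interface router (SnapGear’s OS is Linux-based, but these are not the SG580’s own config). It goes a little beyond the post by forwarding only the mapped ports (default-deny FORWARD) and masquerading toward the new subnet so return traffic comes back through the redirector. Interface names and all addresses are constructed.

```shell
#!/bin/sh
# Added example, not the original post's configuration.
# Assumptions (constructed): OLD_IF faces the Internet and carries the old
# addresses as aliases; NEW_IF routes toward the new subnet.
OLD_IF=eth0
NEW_IF=eth1

# Constructed map, one entry per line: "old_ip:port new_ip:port".
PORT_MAP='
203.0.113.10:80 198.51.100.10:80
203.0.113.10:443 198.51.100.10:443
203.0.113.11:25 198.51.100.20:25
'

# Print the DNAT rule plus the matching FORWARD accept for one map entry.
dnat_rules() {
  old_ip=${1%:*}; old_port=${1#*:}
  new_ip=${2%:*}; new_port=${2#*:}
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$OLD_IF" "$old_ip" "$old_port" "$new_ip" "$new_port"
  printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$OLD_IF" "$NEW_IF" "$new_ip" "$new_port"
}

# Emit the whole rule set: old-subnet aliases, default-deny forwarding,
# one DNAT/ACCEPT pair per mapped port, then masquerade toward the new subnet.
# Because of the masquerade, the new servers log this box's address as the
# client source, so keep connection logs on the redirector during the move.
build_ruleset() {
  echo "$PORT_MAP" | awk 'NF {print $1}' | cut -d: -f1 | sort -u | while read -r ip; do
    echo "ip addr add $ip/32 dev $OLD_IF"
  done
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$PORT_MAP" | awk 'NF' | while read -r old new; do
    dnat_rules "$old" "$new"
  done
  echo "iptables -t nat -A POSTROUTING -o $NEW_IF -j MASQUERADE"
}

# Number of forwarded ports, to check the map against the paper plan.
mapped_port_count() {
  echo "$PORT_MAP" | awk 'NF' | wc -l | tr -d ' '
}

build_ruleset
```

Run it as-is to review the generated commands; pipe the output into `sh` on the redirector only once the map matches the plan.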

Depending on your traffic requirements, you probably don’t need an SG580 to do this… after testing, I found that every SnapGear model does it (except for the old firmware on the SOHO and LITE models). I’d recommend the SG300 if you are going to buy one for this purpose.