A bit of a complicated question about public domains and local IP addresses

Hi all,

I have a question, which I believe is related to NAT configuration. I have an OpenWRT router at home, a public IP address from my ISP, and servers running game servers and an IIS webserver. Is there a way to simply direct address requests to local IP addresses? For example, let's say I have 'subdomain1.domain.com', 'subdomain2.domain.com' and 'subdomain3.domain.com', and I want the first one to point to my router at port 80, so I can access my router settings from anywhere; the second one to point to an IIS webserver, for a website; and the third one to another website on the same IIS webserver. I would want each domain to point to where it should, and nothing else. At the moment I've got these three subdomains pointing to my public IP address, and I'm running an Exchange server, which also runs IIS. I use 'mail.domain.com/owa' to access the Outlook Web App for Exchange; however, I can also access the Outlook Web App by going to 'subdomain1.domain.com/owa' and all the other subdomains. This also means I can access my game server by going to 'mail.domain.com'. Is there a way to only point the public domains to the local network locations needed? Sorry for the long post, I tend to be bad at explaining things.

Many thanks,
Bruno.

When it comes to PAT, you can use one port per protocol only once. So tcp/80 can be forwarded to one host in the LAN, or the router can listen on it (bad practice and a security risk).
If you have IPv6 it is easier, as every host has a publicly routable address and you don't need NAT.
The easy way is to forward different ports to different hosts, for example subdomain1.domain.com 8080/tcp -> server1.lan tcp/80.
Otherwise you'll need to set up a reverse proxy.

Assuming all your servers lie behind the single public IPv4 address then this is always going to be the case. There's nothing you can do about that.

You can do this with your websites (as long as they're all running on the same IIS instance). You just need to edit the bindings for each site and add a hostname to the HTTP and HTTPS bindings. For example, if you add a binding for 'mail.domain.com' to the Exchange site in IIS, then it will only respond when the address 'mail.domain.com' has been used in a browser; it should ignore everything else.

This doesn't solve accessing your router separately (where you would need a reverse proxy), but you really don't want to allow access to your router from the public internet. It is not a good idea.

But if I set up IPv6 in DHCP, in OpenWRT, will the IPv6 addresses given out by the router be public? If my router gives an IPv6 address to a server in my network, will I be able to ping it from outside the network? I'm not quite familiar with IPv6.

Does your ISP provide you with an IPv6 allocation? If not then you'll need to use some other mechanism, such as a 6in4 tunnel from somewhere like www.tunnelbroker.net, to get public IPv6 addresses.

That, I do not know. I will call them and ask. So, my ISP gives me a public IPv4 address, and with NAT I can have multiple private IPv4 addresses. I'm very curious about how the IPv6 setup would work. Could you explain it in a nutshell, and what the role of the ISP is in all this? Thanks, and sorry for the questions, but I genuinely want to find out, and possibly implement it in my network.

Yes, generally ISPs will assign one public IPv4 address to a residential subscriber. You can then use NAT to allow multiple private IPv4 addresses to access the internet through that one public address. You can also use port forwarding to allow external requests to be passed through to an internal private IP, e.g. port 80/443 for web servers.

IPv6 has a substantially larger address space and it is recommended/required (depending on how you read the docs relating to IPv6 deployment) that each subscriber is provided with at least a /64 allocation (this is approximately 18.5 billion billion addresses). What this means is each host in your network can have a publicly addressable IP so you no longer have to worry about NAT or port forwarding.

As for your ISP, some provide native IPv6 and so will assign addresses to their customers (hopefully at least a /64, but preferably a /56 or /48); however, many ISPs do not yet support IPv6, so don't do this. In the latter case you have to use other mechanisms like I mentioned in my previous post. For example, my ISP only provides IPv4 access, but I use WireGuard to create an IPv6-in-IPv4 tunnel to a virtual private server hosted by a company that does have native IPv6. You can do the same thing with easier setup and for free using something like www.tunnelbroker.net, but you have to compromise on the speed you will get with such a setup.

It's actually recommended that each subscriber get a /56, so that each subscriber can have 256 internal networks each with 2^64 addresses in them.

Lots of broken ISPs give just a /64, which is just a broken config. It should be made illegal for any ISP to give less than a /56, because it's a way of creating artificial scarcity so they can charge more to use different numbers. Network numbers are an essentially unlimited public good. Giving out a /64 is like showing up and pumping air pollution into someone's front yard and then offering to stop for a fee.

@MagicPants, remember that IPv6 will only help you provide services to other people who have IPv6. While in the US, for example, that's about 50% of all network devices, it's still the case that lots of programs, particularly games, only use IPv4.

What you need to provide multiple websites on multiple computers inside your LAN is a reverse proxy. This device sits on your router, or on one of your LAN machines, and receives requests. It looks at the URL requested, decides which machine serves that URL, and then forwards the request to the machine on your LAN that handles it. This system will work whether or not you use IPv6.

nginx can do reverse proxying in a relatively lightweight way. For a system where you're running servers, I'd advise not going cheap on your router. Get something with some power and space and stuff, run the proxy on the router, and forward your requests to the appropriate internal machines. If your current router won't handle running nginx sufficiently well, get yourself an RPi4 and set it up as your wired router.
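The following nginx configuration is an added example of the hostname-based reverse proxy described in the two posts above; it is not configuration posted by anyone in this thread. The hostnames follow the original question, but the internal IP addresses, certificate paths and the assumption that all three names resolve to the router's public address are made up for illustration. The security-relevant part is the `default_server` block: a request that arrives without a configured hostname (by raw public IP, by a stray subdomain, or from a scanner) is refused instead of falling through to whichever site happens to be first, which is exactly the behaviour the original poster observed when every subdomain reached OWA. Note two limits a practitioner should keep in mind: this only works for HTTP(S), because a game server speaking its own protocol on its own port never sees the hostname (DNS resolves it before the packet leaves the client), and, in line with the advice above, the router's own admin interface is deliberately given no `server` block at all.

```nginx
# Added example (not from the thread): nginx reverse proxy routing by hostname.
# Assumptions: nginx >= 1.19.4 (for ssl_reject_handshake), IIS/Exchange at
# 192.168.1.10, a second web host at 192.168.1.20, certificates under /etc/nginx/certs.

# Catch-all for anything that does not match a configured hostname.
# 444 is nginx's "close the connection without a response" code.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # refuse TLS for unknown SNI, no certificate needed
    return 444;
}

# mail.domain.com -> Exchange / OWA on the IIS box.
server {
    listen 80;
    server_name mail.domain.com;
    return 301 https://$host$request_uri;   # OWA should only be reached over TLS
}

server {
    listen 443 ssl;
    server_name mail.domain.com;
    ssl_certificate     /etc/nginx/certs/mail.domain.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/mail.domain.com.key.pem;         # assumed path

    location / {
        proxy_pass https://192.168.1.10;           # assumed Exchange/IIS host
        proxy_ssl_server_name on;                  # send SNI to the backend
        proxy_set_header Host $host;               # keep the hostname so IIS bindings still match
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# subdomain2.domain.com -> a second site on the same IIS instance.
# IIS tells the sites apart by the Host header we forward, so the bindings
# described above must still carry the hostname.
server {
    listen 80;
    listen 443 ssl;
    server_name subdomain2.domain.com;
    ssl_certificate     /etc/nginx/certs/subdomain2.domain.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/subdomain2.domain.com.key.pem;         # assumed path

    location / {
        proxy_pass http://192.168.1.10;            # same IIS host, plain HTTP on the LAN
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# subdomain3.domain.com -> a web application on a different LAN machine.
server {
    listen 80;
    listen 443 ssl;
    server_name subdomain3.domain.com;
    ssl_certificate     /etc/nginx/certs/subdomain3.domain.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/subdomain3.domain.com.key.pem;         # assumed path

    location / {
        proxy_pass http://192.168.1.20:8080;       # assumed second host and port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# subdomain1.domain.com (router admin UI) intentionally has no server block:
# it falls into the default_server above and is refused from the internet.
```

With this in place, only tcp/80 and tcp/443 need to be forwarded (or opened on the router itself) to the proxy; IIS no longer needs any ports exposed directly. A quick check after deploying is to request the public address with a wrong or missing Host header (for example `curl -k -H 'Host: nonexistent.domain.com' https://<public-ip>/owa`) and confirm the connection is closed rather than served.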

That's off topic, but unless you have enough resources, it's probably not a good idea to run an Exchange server at home. You would ideally need more email reliability than you can get from running a home server.