Routing – Connecting one public IP address independently to two private IP networks with full port availability on both

Tags: design; nat; routing

I have one public IP address that I would like to share among two private networks. To this end I have a first router/firewall and a second router/firewall.

Today, the second firewall terminates the public address on one of its ports and provides NATing and filtering to one of the private networks, let's call it the second private network.

I now would like to 'hijack' the public IP address with the first router without the second router noticing too much (except changing the default gateway IP address on the second router perhaps). That is, I would like to terminate the public IP address on the first router directly and then redirect traffic to the second router without blocking any ports or anything, as if the second router was terminating the public IP address directly.

Then I would like to use the first router to also make the internet connection through the public IP address available to another private network, let's call it the first private network, hanging off one of the first router's Ethernet ports and implementing a firewall there, however with the possibility to have any port from the public IP address available also on this first private network.

Thus, as an example, one scenario that could happen with this setup is that somebody sets up a web server on the second private network and configures port forwarding of port 80 on the second router/fw to this web server. At the same time, I configure port forwarding of port 80 on the first router to a web host on the first network.

So, there is an ambiguity here: somebody connecting to port 80 on the public address, should s/he be directed to the first or second private network?

Could this be resolved somehow? If so, could it be done with the resources described or do I need more network equipment?

How, roughly described, would I set this up practically? For any configuration example: I use Vyatta/VyOS/EdgeMAX routers, if you are familiar with those.

Best Answer

If you only need to direct http/https connections to different web servers, then you need a reverse-proxy.

  1. install and configure your reverse-proxy inside your network
  2. make sure your reverse-proxy can contact all your internal networks
  3. redirect the public 80 port to the reverse-proxy
  4. and voilà, you can reach several different web servers from the outside

If you need to share other ports, then you have to find a way to decide to which network each packet must go. In most cases this is very difficult and requires writing your own reverse-proxy.
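As an added illustration of steps 1 to 4 above (not part of the original answer), this is an nginx reverse-proxy configuration that splits public port 80 between the two private networks by the HTTP Host header. All addresses and host names are assumed: the proxy sits on the first private network at 192.168.1.10, the first network's web server is 192.168.1.20, and the second network's web server is reached through the second router's uplink address 192.168.0.2, which already forwards port 80 as the question describes.

```nginx
# Constructed example: nginx on the first private network acting as the
# reverse-proxy from the answer. Addresses/names are placeholders.

# Anything that does not name a known site is dropped rather than being
# forwarded into either private network.
server {
    listen 80 default_server;
    server_name _;
    return 444;    # close the connection without a response
}

# Requests for the first private network's site.
server {
    listen 80;
    server_name www.first.example;

    location / {
        proxy_pass http://192.168.1.20:80;         # web host on the first network
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Requests for the second private network's site. The second router keeps
# its own port-80 forward, so the proxy only needs to reach the router's
# uplink address on the link between the two routers.
server {
    listen 80;
    server_name www.second.example;

    location / {
        proxy_pass http://192.168.0.2:80;          # second router, port 80 forwarded inside
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Step 3 of the answer is then a single destination NAT rule on the first router (VyOS syntax, addresses as assumed above): `set nat destination rule 10 inbound-interface eth0`, `... protocol tcp`, `... destination port 80`, `... translation address 192.168.1.10`. The same Host-based split does not apply to arbitrary ports, which is the limitation the last paragraph describes.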
