Help me set up a server farm [Archive] - PCMech Forums


Arbzask
03-04-2003, 03:01 PM
hi guys and gals, I'm trying to set up a pretty hardcore online game with server farm to accompany. I was wondering if you could tell me how to set it up, or point me in the right direction for URLs.

ok, say the game has the addy game.co.uk, users type that into the url bar, and get forwarded to the default server at our HQ. we will have more than one machine at the HQ though, a couple of webservers, a database server, and a number cruncher. I want all the webservers to be accessible from the internet (that is, have an internet connection), but I want the database server and cruncher to be internal, and no way accessible from the net. I was really in need of a server topography. I was thinking something like this. (they use 1 internet connection)


                        webserver1
                       /
-----------(router) - webserver 2
internet               \
connection              webserver 3



that's ok, but I NEED the servers to be able to access the database machine, and the database machine needs to access the cruncher. This is the only machine that needs to see the cruncher. the webservers are running PHP to access a mysql database on the db machine. so I was thinking


                        webserver1  \
                       /             \
-----------(router) - webserver 2 ---- DB machine -- Cruncher
internet               \             /
connection              webserver 3 /



but I don't want the last two to be visible from the internet AT ALL. the cruncher can only see the db etc. how would I set this up? using a router?

would I use a switch to make up the internal network?

also, how would I be able to access each webserver from the internet by typing in http://webserver1.game.co.uk etc. Would the router do this too? I want ALL ports except 80 to be totally BLOCKED. I figure all this will be done with NAT (on the router).

the boxes are loaded with RH7 linux, apache 1.3 PHP 4.3.1, the DB has RH7 + mysql, the cruncher has linux and a custom crunching program.


any links or advice would be highly appreciated. cheers :D

arbz

mbossman2
03-04-2003, 03:45 PM
to segment this out and keep the db and cruncher private and the webservers public, i would set it up thus:




Internet
|
|
Router
|
|
|
Firewall - - - - DMZ with Webservers
|
|
|
Private LAN with DB and Cruncher server


you will need a firewall with 3 ethernet ports (1 public, 1 private and 1 DMZ port)

Cisco, Watchguard etc offer firewalls like this.

Here are a couple of Cisco links:
Firewall - www.cisco.com/go/pix
DMZ config: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941c8.shtml

Arbzask
03-04-2003, 04:08 PM
thanks for the reply.

I'll look into separate routers and firewalls! would the webservers be branching off of the router? also, how would I access a specific machine by typing machine1.game.co.uk?

thanks

arbz

mbossman2
03-04-2003, 04:33 PM
you can do it 2 ways:

1) a 2 ethernet port router and build a static route to direct unsolicited traffic out the ethernet port that leads to the DMZ.

2) let the firewall take care of directing all the traffic not solicited by the private LAN directly into the DMZ (see the DMZ config to make this happen).

The router and firewall solution is the preferred method as it gives you a more robust security solution than a router alone (especially if this is a business that you are talking about).

Arbzask
03-04-2003, 04:37 PM
thanks so much for the help, one final question, do you know any links that talk about sorting this kind of thing out?

thanks again :D

arbz

edit: oh, and using the DMZ layout as you've explained, can the webservers access the db server?

Arbzask
03-04-2003, 04:53 PM
have I got this right?



                                              (private)
Internet ---- [Router] ---- [Firewall] --------------- [Switch] -- Db
                                |                         |
                                |(DMZ)                 Cruncher
                                |
                 Webserver1--[Switch]---Webserver2
                                |
                            Webserver3

mbossman2
03-04-2003, 08:42 PM
yes the webservers, if you grant access, can hit the db servers.

your diagram is correct.

I will poke around for a weblink or 2.
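
Added example, not part of the original thread: a small Python model of the three-zone layout agreed on above, with a first-match rule table and an audit of the flows the thread asks for (port 80 only from the internet, MySQL only from the webservers to the DB). All IP addresses, the MySQL default port 3306 and cruncher port 9000 are assumptions made for illustration; the thread gives none.

```python
import ipaddress

# Constructed addressing: the thread gives no IPs, so these are assumptions.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.10.0/24"),      # webserver1-3
    "private": ipaddress.ip_network("192.168.20.0/24"),  # DB + cruncher
}
DB_HOST = ipaddress.ip_address("192.168.20.10")

# First-match rule table for the firewall; anything unmatched is denied.
# (src zone, dst zone, dst host or None for any, protocol, dst port, action)
RULES = [
    ("internet", "dmz", None, "tcp", 80, "allow"),        # public HTTP only
    ("dmz", "private", DB_HOST, "tcp", 3306, "allow"),    # PHP -> MySQL
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src, dst, proto, port):
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same switch: the packet never crosses the firewall, so it cannot
        # filter it (e.g. DB <-> cruncher needs a host-level filter instead).
        return "not-filtered"
    for r_src, r_dst, r_host, r_proto, r_port, action in RULES:
        if ((r_src, r_dst, r_proto, r_port) == (src_zone, dst_zone, proto, port)
                and r_host in (None, ipaddress.ip_address(dst))):
            return action
    return "deny"

def audit(expectations):
    """Return the flows whose verdict differs from the stated intent."""
    return [(flow, want, decide(*flow)) for flow, want in expectations
            if decide(*flow) != want]

# Intent taken from the thread; 9000 is a hypothetical cruncher port.
INTENT = [
    (("203.0.113.5", "192.168.10.11", "tcp", 80), "allow"),
    (("203.0.113.5", "192.168.10.11", "tcp", 22), "deny"),
    (("203.0.113.5", "192.168.20.10", "tcp", 3306), "deny"),
    (("192.168.10.11", "192.168.20.10", "tcp", 3306), "allow"),
    (("192.168.10.11", "192.168.20.11", "tcp", 9000), "deny"),
    (("192.168.20.10", "192.168.20.11", "tcp", 9000), "not-filtered"),
]
```

`audit(INTENT)` returns an empty list when the rule table matches the intent. The last flow shows that the "only the DB may reach the cruncher" requirement cannot be enforced at the firewall in this layout, because both hosts sit on the same private switch.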