Sun Jun 24 11:03:54 EDT 2012
Sandboxing main network for drop-in server replace
I'd like to test a replacement of a server on the 192.168.6.0/24
subnet (net6) without taking out the main server. How to sandbox
this? A NAT would be the solution, but it can't have net6 on both
sides because that would mess up the routing. Buffering it with an
intermediate network segment should work, i.e.
internet -NAT- net6 -ROUTE- net7 -NAT- net6'
The net6' is the sandboxed server for the new setup, and net6 is the
The net6' server doesn't know about net6 in this case because of the
NAT. The trouble is then, how to log in from net6 to net6' ? Seems
that I can only get to the net6' router by logging in through net7, or
using some other IP address space on the ethernet segment next to IP
With this setup, devices can be moved from net6 to net6' to test the
new server. Since NAT is one of the features of net6/net6' it comes
for free and doesn't need to be a separate box. Also, net7' I already
had for a different purpose (untrusted internal network only connected
to internet and a few limited services).
EDIT: It seems that when running a perfect copy (including fixed MAC
address for ISP workaround) this gives trouble. Workaround: a
separate dnsmasq instance running on a different host's secondary port
(I'm using VLAN connected to a programmable switch) + masquerading on
that host's main ethernet port to hide the IP address space.
I'm trying a
workaround using a VM, which should "buffer" the MAC. (
Hmm.. something else is going on... )