A virtual server is a gateway server that forwards requests for services to real servers behind a NAT wall on a port-by-port basis.
For example, suppose you have a NAT gateway called domain.example.com with an address of 17.100.0.1 that is set to forward web traffic (port 80) to 10.0.0.5 (port 80) behind the firewall and that sends packet requests for ssh traffic (port 22) to 10.0.0.15 (port 22).
In this example, the NAT gateway is not really serving the web content (the server at
Chapter 5 Working with NAT Service 121
Viewed from the Internet you have one server, but viewed from behind the NAT barrier, you have as many or as few as you need. You can use this setup for load balancing or as an organizational scheme for the network’s topography.
Virtual servers also enable you to easily reroute network traffic to other computers on the LAN by reconfiguring the gateway.
Virtual servers require three service configurations:
• NAT: The NAT service must be configured with port forwarding of the desired virtual port.
• DNS: The DNS record for the server should accept a few aliases of common services and resolve them all to the same IP address.
• Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.
In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:
• Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)
• Internet or public IP address: 17.100.0.1 (example only; your IP number and netmask information will be provided by your ISP)
• Private network IP address range and netmask: 192.168.0.0–192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
• Gateway server’s private network IP address: 192.168.0.1
• Web server’s private network IP address: 192.168.0.2
• Mail server’s private network IP address: 192.168.0.3
• Web and mail server’s IP address settings: Configure IPv4 Using DHCP
This last setting is not required because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.
To configure virtual servers:
1 Open Server Admin and connect to the server.
2 Click the triangle to the left of the server.
The list of services appears.
3 From the expanded Servers list, select DHCP.
4 Click Subnets and create an address group for the internal LAN with the following configuration parameters:
• Subnet name: <whatever you want>
• Starting IP address: 192.168.0.2
• Ending IP address: 192.168.0.254
• Subnet mask: 255.255.255.0
• Network interface: en1
• Router: 192.168.0.1
• Lease time: <whatever you want>
• DNS: <provided by ISP>
• Static mapping (web): <web server’s Ethernet address> mapped to 192.168.0.2
• Static mapping (mail): <mail server’s Ethernet address> mapped to 192.168.0.3
For more information, see “Creating Subnets” on page 26 and “Assigning Static IP Addresses Using DHCP” on page 35.
5 To start DHCP service, click the Start DHCP button (below the Servers list).
6 In Server Admin, choose NAT from the expanded Servers list.
7 Configure NAT using the following settings:
• External network interface: en0
• Port forwarding: TCP port 80 (web) to 192.168.0.2
• Port forwarding: TCP port 25 (mail) to 192.168.0.3
8 Click Save.
9 To start NAT Service, click the Start NAT button below the Servers list.
10 In Server Admin, choose Firewall from the expanded Servers list.
11 Create Firewall rules to permit access to your private network.
For more information, see “Creating an Address Group” on page 90.
12 Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the “any” address group.
For more information, see “Configuring Services Settings” on page 88.
13 Click Save.
14 To start Firewall service, click the Start Firewall button (below the Servers list).
15 Contact your DNS provider (usually your ISP) to add two aliases to your gateway server’s DNS record.
Request an A record with the name www.example.com to the IP address 17.100.0.1.
Request an MX record with the name mail.example.com to the same IP address.
These records are in addition to existing A and CNAME records for your domain.
Now all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3.
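An added example, not from the original guide: a Python check that the three configurations in this procedure (DHCP static mappings, NAT port forwards, firewall openings) agree with each other, using this page's example addresses as constructed input. The `natd_args` helper renders the forwards with natd's `-interface` and `-redirect_port` options; that Server Admin produces this exact invocation is an assumption.

```python
import ipaddress

# Constructed from the example values on this page.
SUBNET = ipaddress.ip_network("192.168.0.0/24")
GATEWAY = ipaddress.ip_address("192.168.0.1")
STATIC_MAPPINGS = {"192.168.0.2": "web", "192.168.0.3": "mail"}  # DHCP static maps
FORWARDS = [("tcp", 80, "192.168.0.2"), ("tcp", 25, "192.168.0.3")]  # NAT step
FIREWALL_OPEN = {("tcp", 80), ("tcp", 25)}  # services enabled for "any"


def audit(forwards, firewall_open, static_mappings, subnet=SUBNET, gateway=GATEWAY):
    """Return a list of findings; an empty list means the three services agree."""
    findings = []
    seen = set()
    for proto, port, target in forwards:
        addr = ipaddress.ip_address(target)
        if addr not in subnet:
            findings.append(f"{proto}/{port}: target {target} is outside {subnet}")
        elif addr == gateway:
            findings.append(f"{proto}/{port}: target is the gateway itself")
        elif target not in static_mappings:
            findings.append(f"{proto}/{port}: {target} has no DHCP static mapping; "
                            "the lease could move to another host")
        if (proto, port) in seen:
            findings.append(f"{proto}/{port}: forwarded more than once")
        seen.add((proto, port))
        if (proto, port) not in firewall_open:
            findings.append(f"{proto}/{port}: forwarded but blocked by the firewall")
    for proto, port in sorted(firewall_open - seen):
        findings.append(f"{proto}/{port}: open in the firewall but not forwarded; "
                        "traffic terminates on the gateway")
    return findings


def natd_args(forwards, external_if="en0"):
    """Render the forwards as natd command-line options (see the natd man page)."""
    args = ["-interface", external_if]
    for proto, port, target in forwards:
        args += ["-redirect_port", proto, f"{target}:{port}", str(port)]
    return args


if __name__ == "__main__":
    for line in audit(FORWARDS, FIREWALL_OPEN, STATIC_MAPPINGS) or ["plan is consistent"]:
        print(line)
    print("natd " + " ".join(natd_args(FORWARDS)))
```

An empty findings list means every forwarded port has a matching firewall opening and a pinned DHCP target, and the firewall exposes nothing beyond what NAT forwards.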
If you want to change the servers behind the NAT (for example, to perform a hardware upgrade), all you need to do is change the DHCP static IP address mappings to use the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.
Where to Find More Information
For More Information About natd
The daemon process that controls NAT service is natd. For information about how to access natd features and implement them, see the natd man page.
Request For Comment Documents
Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave.
If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.
If you’re an experienced server administrator, you can find the technical details about a protocol in its RFC document.
You can search for RFC documents by number at www.ietf.org/rfc.html.
For NAT descriptions, see:
• RFC 1631
• RFC 3022