
A virtual server is a gateway server that sends services behind a NAT firewall to real servers on a port-by-port basis.

For example, suppose you have a NAT gateway called domain.example.com with an address of 17.100.0.1 that is set to forward web traffic (port 80) to 10.0.0.5 (port 80) behind the firewall and that sends packet requests for ssh traffic (port 22) to 10.0.0.15 (port 22).

In this example, the NAT gateway is not really serving the web content. The server at 10.0.0.5 is, but it is invisible to the clients browsing the web site.

Viewed from the Internet you have one server, but viewed from behind the NAT barrier, you have as many or as few as you need. You can use this setup for load balancing or as an organizational scheme for the network’s topography.

Virtual servers also enable you to easily reroute network traffic to other computers on the LAN by reconfiguring the gateway.

Virtual servers require three service configurations:

• NAT: NAT service must be configured with port forwarding of the virtual port.

• DNS: The DNS record for the server should accept a few aliases of common services and resolve them to the same IP address.

• Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.

In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:

• Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)

• Internet or public IP address: 17.100.0.1 (example only, your IP number and netmask information will be provided by your ISP)

• Private network IP address range and netmask: 192.168.0.0–192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)

• Gateway server’s private network IP address: 192.168.0.1

• Web server’s private network IP address: 192.168.0.2

• Mail server’s private network IP address: 192.168.0.3

• Web and mail server’s IP address settings: Configure IPv4 Using DHCP

This last setting is not required because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

Now all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3.

To change the servers behind the NAT (for example, to perform a hardware upgrade), change the DHCP static mappings so that the existing internal IP addresses map to the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.

To configure virtual servers:

1 Open Server Admin and connect to the server.

2 Click the triangle at the left of the server. The list of services appears.

3 From the expanded Servers list, select DHCP.

4 Click Subnets and create an address group for the internal LAN with the following configuration parameters:

• Subnet name: <whatever you want>

• Starting IP address: 192.168.0.2

• Ending IP address: 192.168.0.254

• Network interface: en1

• Router: 192.168.0.1

• Lease time: <whatever you want>

• DNS: <provided by ISP>

• Static mapping (web): <web server’s Ethernet address> mapped to 192.168.0.2

• Static mapping (mail): <mail server’s Ethernet address> mapped to 192.168.0.3

For more information, see “Creating Subnets” on page 26 and “Assigning Static IP Addresses Using DHCP” on page 39.

5 To start DHCP service, click the Start DHCP button (below the Servers list).

6 In Server Admin, choose NAT from the expanded Servers list.

7 Configure NAT using the following setting:

• External network interface: en0

• Port forwarding: TCP port 80 (web) to 192.168.0.2

• Port forwarding: TCP port 25 (mail) to 192.168.0.3

For more information about configuring port forwards, see “Configuring Port Forwarding” on page 127.

8 Click Save.

9 To start NAT service, click the Start NAT button below the Servers list.

10 In Server Admin, choose Firewall from the expanded Servers list.

11 Create Firewall rules to permit access to your private network. For more information, see “Creating an Address Group” on page 98.

12 Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the “any” address group.

For more information, see “Configuring Services Settings” on page 94.

13 Click Save.

14 To start Firewall service, click the Start Firewall button (below the Servers list).

15 Contact your DNS provider (usually your ISP) to add two aliases to your gateway server’s DNS record.

Request an A record with the name www.example.com to the IP address 17.100.0.1. Request an MX record with the name mail.example.com to the same IP address. These records are in addition to existing A and CNAME records for your domain.
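The three configurations above (DHCP static mappings, NAT port forwards, firewall rules) only work as a virtual server when they agree with one another, and the hardware-upgrade procedure described earlier works only because the forwards point at the reserved internal addresses rather than at a particular machine. The following Python script is an added example, not part of this guide or of Server Admin: it models the chapter's sample setup, checks the three configurations for the mismatches an administrator most often introduces (a forward to an address outside the private subnet, a forward to an address no static mapping reserves, a forwarded port the firewall blocks, and a firewall opening with nothing forwarded behind it), traces where a packet to the public address ends up, and shows that swapping a server's Ethernet address in the static mapping leaves the forwarding unchanged. The Ethernet addresses are constructed values; the IP addresses and ports are the chapter's own.

```python
"""Consistency check for a NAT virtual-server setup (added example).

Models the DHCP static mappings, NAT port forwards and firewall rules
from the chapter's example and checks that they agree. Nothing here
talks to a real gateway; it is a model for reasoning about the setup.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PRIVATE_NET = IPv4Network("192.168.0.0/24")   # internal LAN from the chapter
PUBLIC_IP = IPv4Address("17.100.0.1")         # gateway's public address (example only)


@dataclass
class GatewayConfig:
    # DHCP static mappings: Ethernet (MAC) address -> reserved private IP
    dhcp_static: dict[str, IPv4Address]
    # NAT port forwards: (protocol, external port) -> (private IP, internal port)
    forwards: dict[tuple[str, int], tuple[IPv4Address, int]]
    # Firewall: (protocol, port) pairs permitted from the "any" address group
    firewall_allow: set[tuple[str, int]]


def example_config() -> GatewayConfig:
    """The chapter's sample setup: web on .2, mail on .3 (MACs are constructed)."""
    return GatewayConfig(
        dhcp_static={
            "00:11:22:33:44:02": IPv4Address("192.168.0.2"),  # web server, constructed MAC
            "00:11:22:33:44:03": IPv4Address("192.168.0.3"),  # mail server, constructed MAC
        },
        forwards={
            ("tcp", 80): (IPv4Address("192.168.0.2"), 80),
            ("tcp", 25): (IPv4Address("192.168.0.3"), 25),
        },
        firewall_allow={("tcp", 80), ("tcp", 25)},
    )


def check_config(cfg: GatewayConfig) -> list[str]:
    """Return a list of mismatches between the three services (empty = consistent)."""
    problems: list[str] = []
    reserved = set(cfg.dhcp_static.values())
    for (proto, ext_port), (target, _int_port) in cfg.forwards.items():
        if target not in PRIVATE_NET:
            problems.append(f"{proto}/{ext_port}: target {target} is outside {PRIVATE_NET}")
        if target not in reserved:
            problems.append(f"{proto}/{ext_port}: no DHCP static mapping reserves {target}")
        if (proto, ext_port) not in cfg.firewall_allow:
            problems.append(f"{proto}/{ext_port}: firewall does not permit this port")
    # A permitted port with no forward behind it reaches the gateway itself,
    # which is usually not what a virtual-server setup intends.
    for proto, port in sorted(cfg.firewall_allow - set(cfg.forwards)):
        problems.append(f"{proto}/{port}: firewall permits a port with no forward behind it")
    return problems


def route_packet(cfg: GatewayConfig, proto: str, dst_port: int) -> str | None:
    """Trace a packet sent to PUBLIC_IP:dst_port; None means the firewall drops it."""
    if (proto, dst_port) not in cfg.firewall_allow:
        return None
    hop = cfg.forwards.get((proto, dst_port))
    if hop is None:
        return f"{PUBLIC_IP}:{dst_port}"          # handled by the gateway itself
    ip, int_port = hop
    return f"{ip}:{int_port}"


def replace_server(cfg: GatewayConfig, old_mac: str, new_mac: str) -> str:
    """Hardware upgrade: re-point the static mapping; forwards and firewall untouched."""
    ip = cfg.dhcp_static.pop(old_mac)
    cfg.dhcp_static[new_mac] = ip
    return str(ip)


if __name__ == "__main__":
    cfg = example_config()
    print("problems:", check_config(cfg) or "none")
    print("tcp/80 ->", route_packet(cfg, "tcp", 80))
    print("tcp/22 ->", route_packet(cfg, "tcp", 22))
    replace_server(cfg, "00:11:22:33:44:02", "aa:bb:cc:dd:ee:02")
    print("after web server swap, tcp/80 ->", route_packet(cfg, "tcp", 80))
```

Running the script reports no problems for the chapter's setup, traces port 80 to 192.168.0.2:80, shows port 22 dropped because no firewall rule permits it, and shows that after the web server's Ethernet address is replaced the forward still lands on 192.168.0.2. Adding a forward to an address outside 192.168.0.0/24, or one the firewall does not permit, is reported by check_config before any packet is traced.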

Where to Find More Information

The natd daemon process controls NAT service. For information about how to access natd features and implement them, see the natd man page.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave.

If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.

If you’re an experienced server administrator, you can find the technical details about a protocol in its RFC document.

You can search for RFC documents by number at www.ietf.org/rfc.html. For NAT descriptions, see:

• RFC 1631

• RFC 3022

Use this chapter to set up and manage VPN service in
