
I realise that this may be better suited to ServerFault, but this is my home network that I run in a non-professional environment.

At home I have my main router connected to the internet which the main family computer and laptop run from. I also have a "development" network with a m0n0wall firewall in a VM to provide internet services. I want to host a website (and eventually other services) on one of the machines on the dev network but cannot figure out how to "port forward" through my main (belkin) router, through to the m0n0wall firewall, and then through to webserver.

The traffic would have to come through the public IP, pass through port 80 of the main router (192.168.2.1), then be forwarded through the WAN connection of the m0n0wall box (192.168.2.2), out of the LAN connection (192.168.10.2) and finally into the server. After the configuration is saved I can't work out why it is not working. I can host the site fine behind the main router. There is a firewall rule on m0n0wall to pass port 80 traffic from 192.168.2.1 through, but it just isn't working.

I've drawn a very basic diagram below (unfortunately any advanced Visio stuff is currently black magic to me).


tombull89

2 Answers

  1. A separate IP range is unnecessary; this will work without it, as the firewall sits between the cables.

  2. Your main router should forward to the web server and not to the firewall.

  3. Your firewall should accept any source address; the main router does not overwrite the source address.

    This also allows access from your family machine.

  4. Your firewall should also allow traffic going to the other side.

  5. Use Can You See Me and Wireshark for more detailed troubleshooting.


Right, I have finally worked this out and got it as I wanted. Instead of the m0n0wall box forwarding packets twice, I've moved to changing subnets. I now have a DD-WRT-based Linksys E1000 acting in "Client Mode", so that it acts as a "client" to the family wireless and has a DHCP/DNS server serving the wired connections on the development network. I have changed the subnet mask from 255.255.255.0 to 255.255.252.0 on the Belkin router and on the DD-WRT. The Belkin is on 192.168.2.1 and the DD-WRT on 192.168.1.1. Machines on each network can see each other, so if I set a machine on my dev network with a static 192.168.2.x the Belkin will be able to port forward to it.

Diagram Time:

I have no idea if m0n0wall is able to forward packets, but subnetting seems to have been the easiest way of going about this.

I can recommend Wolfram Alpha for easy-to-use subnetting info.

tombull89