Cascading Bitcoin Nodes

[m0rph3us7]

Hi,

I want to setup a secure Wallet System with bitcoin core on linux.
First bitcoin node should be placed in the DMZ, behind the Front Firewall.
Second node should be placed in a secure net, without a direct internet connect.
The second node should sync with the first node.

I setup the 2 Nodes. First Node is syncing.
Second Node has configured:
connect=192.168.1.15
addnode=192.168.1.15

But it does not start loading blocks.

Any Ideas?

Kind regards, Morph

[1714961794]

1714961794

[1714961794]

1714961794

[1714961794]

1714961794

[1714961794]

1714961794

[1714961794]

1714961794

[achow101]

I don't think a node will serve blocks to any other node until it is fully synced. So if your first node is not synced yet, you should wait for it to be fully synced and then try again with the second node.

[cezar.crypto]

Hi,

I want to setup a secure Wallet System with bitcoin core on linux.
First bitcoin node should be placed in the DMZ, behind the Front Firewall.
Second node should be placed in a secure net, without a direct internet connect.
The second node should sync with the first node.

I setup the 2 Nodes. First Node is syncing.
Second Node has configured:
connect=192.168.1.15
addnode=192.168.1.15

But it does not start loading blocks.

Any Ideas?

Kind regards, Morph

Interesting idea. Why exactly would you want to do that though? For extra security on your wallet there are many things to do like encrypting wallet, creating new wallet instance and taking the private keys completely off Internet, etc. I don't think the node #2 (inside the secure net) will be able to transfer/receive anything from the main network without being synced in the first place. True it is getting sync only from node #1 but node #1 does not have any control over what goes on the main network.

Also as a suggestion you might try to see if second node 192.168.1.15 can communicate over the Bitcoin ports to the first node (maybe that is the reason it doesn't connect).

Regards

[TheQuin]

Interesting idea. Why exactly would you want to do that though? For extra security on your wallet there are many things to do like encrypting wallet, creating new wallet instance and taking the private keys completely off Internet, etc. I don't think the node #2 (inside the secure net) will be able to transfer/receive anything from the main network without being synced in the first place. True it is getting sync only from node #1 but node #1 does not have any control over what goes on the main network.

Also as a suggestion you might try to see if second node 192.168.1.15 can communicate over the Bitcoin ports to the first node (maybe that is the reason it doesn't connect).

Regards

That's the purpose of a DMZ. Only the node in the DMZ can communicate with the internet and therefore act as normal in receiving and transmitting blocks and transactions. The node on the secure network can only connect to the node in the DMZ. Because it can do that it can transmit and receive everything it needs to and still be completely inaccessible from the internet. I used to design similar security solutions for many other applications (email etc.) before I retired from the IT business.

It's often done with one firewall but is much more secure if you use two similar to this diagram. The node in the DMZ is acting as a proxy server and this a very good way to keep a hot wallet secure.

[ScripterRon]

Hi,

I want to setup a secure Wallet System with bitcoin core on linux.
First bitcoin node should be placed in the DMZ, behind the Front Firewall.
Second node should be placed in a secure net, without a direct internet connect.
The second node should sync with the first node.

I setup the 2 Nodes. First Node is syncing.
Second Node has configured:
connect=192.168.1.15
addnode=192.168.1.15

But it does not start loading blocks.

Any Ideas?

Kind regards, Morph

As achow101 noted, you need to wait for the first node to sync.  I run a two-node setup myself where the first node is an internet hub (around 95 connections at any given time) and does not have a wallet and the second node which has a wallet connects just to the first node.  I use a 'connect' statement so the second node connects to just the first node and specify 'listen=0' so the second node doesn't try to accept incoming connections.  But I don't do this for security but for convenience since the first node is on a VPS and the second node is on my desktop.  I compile Bitcoin Core from the source, so I'm not concerned about malware.  I suppose a node could be hacked by a malformed peer message but I don't consider it very likely.

[Anti-Cen]

Not sure I would use a DMZ and would use a LAN behind the firewall and then block access to the machines from
getting out to the tinternet and just map ports needed for inbound NAT

free/cheap wifi rooters are not firewall unless they offer outbound blocking even if they do offer a DMZ
on one of the rj45 sockets