How do you distribute Public IPs to servers

Hello

This may be an odd question but my brain somehow cannot wrap around how it's done. Okay, so let me explain. Currently, my ISP has assigned me a public static IP address. I run a few home servers that I make publicly accessible by port forwarding the servers' LAN IPs over to the WAN IP. That said, I want to ask my ISP to give me three more public IP addresses or a block of public IPs. And when I have these said IP addresses, I want to assign them each directly to my home servers.

Now, here's where the problem comes in. Say they do lease me two extra IPs, how on earth would I distribute those IPs directly to my servers? I assume I need a router for that obviously, but how will it be set up in the router, generally speaking, no specific router in question. Would the router need to be compatible with something like this? If yes, what capabilities should the router have?

I basically need the full scope on how I would directly connect one of my servers to these public IP addresses once provided to me, please?


Two options:

1. plug in a switch before your router, and connect all the devices that need a public IP (the router and the servers) directly into that switch.
2. (using a router capable of this) set up 1:1 NAT. 1:1 NAT is basically port forwarding but on a whole IP basis - every incoming or outgoing connection on any port is directly mapped between a public IP and a LAN IP. It is named 1:1 because port 1 forwards to port 1, port 2 forwards to port 2, etc.

 

Most installs I support use a mixture of the two - we tend to have multiple routers/firewalls which are connected via the switch, but for servers we do 1:1 NAT because that allows the IPS on the firewall to protect the server against obvious attacks like brute force attempts. This is a feature you normally pay a subscription for, on devices from companies like Cisco, Fortinet, Watchguard, Sonicwall, etc. You can set up IPS yourself for free using PFSense and Snort or Suricata, or you can get a home license of Untangle for $50/year which saves you a lot of hassle of setup and fine tuning.

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 

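Added example (mine, not brwainer's and not from anywhere in the thread): a small Python model of the two translation styles in the post above, per-port forwarding versus 1:1 NAT, with a firewall check applied after the 1:1 mapping to show why the firewall/IPS matters once every port is mapped through. All addresses are constructed from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.168.1.0/24, and the rule tables are assumptions for the demo.

```python
# Added example, not from the thread: a small model of the two translation
# styles contrasted above, per-port forwarding versus 1:1 NAT. All addresses
# are constructed from documentation ranges (203.0.113.0/24 public side,
# 198.51.100.0/24 outside client, 192.168.1.0/24 LAN); the rule tables are
# assumptions for the demo.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


# Port forwarding: one rule per (public IP, port); nothing else gets through.
PORT_FORWARDS = {
    (ip_address("203.0.113.10"), 443): (ip_address("192.168.1.20"), 443),
}

# 1:1 NAT: one public IP bound to one LAN IP, every port, in both directions.
ONE_TO_ONE = {
    ip_address("203.0.113.11"): ip_address("192.168.1.21"),
}
ONE_TO_ONE_REVERSE = {lan: pub for pub, lan in ONE_TO_ONE.items()}

# Because 1:1 NAT maps every port, a firewall policy applied after
# translation decides what the mapped server actually exposes.
ALLOWED_INBOUND = {
    ip_address("192.168.1.21"): {22, 443},
}


def translate_inbound(pkt: Packet):
    """Return the packet as delivered to the LAN, or None if the router drops it."""
    fwd = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    if fwd is not None:
        lan_ip, lan_port = fwd
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
    lan_ip = ONE_TO_ONE.get(pkt.dst)
    if lan_ip is not None:
        if pkt.dport not in ALLOWED_INBOUND.get(lan_ip, set()):
            return None  # NAT would map it; the firewall refuses it
        return Packet(pkt.src, pkt.sport, lan_ip, pkt.dport)
    return None  # no rule for this public IP/port


def translate_outbound(pkt: Packet) -> Packet:
    """A 1:1-mapped host leaves with its own public IP; any other LAN host is
    returned unchanged here (a real router would masquerade it behind the
    router's own WAN IP)."""
    pub = ONE_TO_ONE_REVERSE.get(pkt.src)
    if pub is not None:
        return Packet(pub, pkt.sport, pkt.dst, pkt.dport)
    return pkt


if __name__ == "__main__":
    client = ip_address("198.51.100.7")
    for dst, port in [("203.0.113.10", 443), ("203.0.113.10", 22),
                      ("203.0.113.11", 22), ("203.0.113.11", 3389)]:
        pkt = Packet(client, 50000, ip_address(dst), port)
        print(f"{dst}:{port} -> {translate_inbound(pkt)}")
```

Running it shows the difference in one screen: the port-forwarded host answers only on 443, the 1:1-mapped host would answer on everything, and the only thing standing between it and port 3389 is the firewall table.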

53 minutes ago, Nam061 said:

Hello

This may be an odd question but my brain somehow cannot wrap around how it's done. Okay, so let me explain. Currently, my ISP has assigned me a public static IP address. I run a few home servers that I make publicly accessible by port forwarding the servers' LAN IPs over to the WAN IP. That said, I want to ask my ISP to give me three more public IP addresses or a block of public IPs. And when I have these said IP addresses, I want to assign them each directly to my home servers.

Now, here's where the problem comes in. Say they do lease me two extra IPs, how on earth would I distribute those IPs directly to my servers? I assume I need a router for that obviously, but how will it be set up in the router, generally speaking, no specific router in question. Would the router need to be compatible with something like this? If yes, what capabilities should the router have?

I basically need the full scope on how I would directly connect one of my servers to these public IP addresses once provided to me, please?

The basic answer is your ISP won't sell you additional IP addresses. It's strictly one per connection.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


47 minutes ago, Master Disaster said:

The basic answer is your ISP won't sell you additional IP addresses. It's strictly one per connection.

That is not exactly correct. Many ISPs limit multiple IP addresses to business connections, but nothing is stopping them from providing them to consumers as well. For a long time, AT&T had a consumer U-verse option to add 5 static IP addresses alongside your dynamic one; it was $10 a month extra, I paid for it and it worked as expected. It comes down to the ISPs' policies, not a technical restriction.

 

Most consumer-focused routers do not support multiple WAN IP addresses, so you may hit issues there. You might be able to switch to DD-WRT for more options, but even that is very limited. You would really need to either get a professional router or use something like PFSense as a router.

 

Let me give a very quick high-level conceptual overview of how it would work, but like I said, most home-use routers don't have any of these options.

There are two ways the ISP can give you extra IP addresses. They can either assign additional IP addresses to your existing WAN subnet, similar to the way a computer can have more than one IP address on a single network connection. Using that approach, your NAT port forwarding would take care of what you want; it would just need to allow you to specify for each rule which WAN IP and port you wanted to forward (most SOHO routers don't have that feature, they only let you choose a port). If this is the approach your ISP takes, then the suggestion of using a network switch between the modem and router will work (it removes the requirement that your router support multiple IP addresses), just make sure your servers are running their own firewall.

 

The 2nd and more correct way is for them to assign you an additional routed subnet alongside the single IP address they already give you. With that approach, your router would "consume" the single IP address on its WAN interface, and would then assign the 2nd subnet to its LAN interface (no NAT). The ISP sets your own router as the route to that internal subnet and your router routes traffic just like an internet router would (in some cases, you even make your own BGP advertisements). From there, you just assign IP addresses from that LAN subnet on your servers directly (so they have a 183.23.142.23 style address, not a 192.168.1.2). Firewall settings become very important with that approach because your servers become fully reachable by everyone on the internet. The term for that kind of publicly reachable internal network is a DMZ VLAN; you would typically also have a private VLAN because you don't want things like iPhones and laptops getting publicly routable IP addresses.

 

But going back to the basic answer given, your ISP probably doesn't allow it unless you move to a business package.

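Added example, not from the thread and not sphbecker's: the two delivery models laid out in the post above, worked through with Python's ipaddress module. It assumes a router WAN address of 203.0.113.10/24 and a routed block of 198.51.100.8/29 (constructed documentation-range values), and assumes the router takes the first usable address of the routed block as the DMZ gateway. The third helper classifies a server's address the way the rest of the thread does: private (some NAT layer is in play), on the WAN segment, or in a routed block.

```python
# Added example, not part of the thread: the two ways an ISP can hand out
# extra addresses, worked out with the standard library's ipaddress module.
# 203.0.113.10/24 (WAN) and 198.51.100.8/29 (routed block) are constructed
# from documentation ranges; "the router takes the first usable address of
# the routed block as the DMZ gateway" is an assumption for the demo.
from ipaddress import ip_address, ip_interface, ip_network

# Explicit RFC 1918 list: ipaddress.is_private also flags the documentation
# ranges used here as non-global, which would confuse the classification.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def secondary_wan_addresses(wan_iface, extra):
    """Model 1: extra addresses on the existing WAN subnet.

    Each extra address must sit in the same subnet as the router's WAN
    interface; only then can a switch in front of the router put a server
    on that segment with the address configured directly on its NIC."""
    net = wan_iface.network
    outside = [a for a in extra if ip_address(a) not in net]
    if outside:
        raise ValueError(f"not on the WAN subnet {net}: {outside}")
    return [ip_interface(f"{a}/{net.prefixlen}") for a in extra]


def routed_subnet_plan(wan_iface, routed):
    """Model 2: an additional routed subnet behind the router (no NAT).

    The ISP points the whole block at the router's WAN IP; the router
    answers for the block's first usable address on its DMZ side, and the
    remaining host addresses are configured on the servers themselves."""
    net = ip_network(routed)
    if net.overlaps(wan_iface.network):
        raise ValueError("a routed block must not overlap the WAN subnet")
    hosts = list(net.hosts())
    gateway, servers = hosts[0], hosts[1:]
    return {
        "isp_route": (net, wan_iface.ip),  # prefix -> next hop, at the ISP
        "dmz_gateway": ip_interface(f"{gateway}/{net.prefixlen}"),
        "server_addresses": [ip_interface(f"{h}/{net.prefixlen}") for h in servers],
        "server_default_gateway": gateway,
    }


def model_for(server_address, wan_iface):
    """'private' if RFC 1918 (so NAT is in play), 'wan-segment' if the
    address shares the router's WAN subnet, else 'routed'."""
    addr = ip_address(server_address)
    if any(addr in n for n in RFC1918):
        return "private"
    if addr in wan_iface.network:
        return "wan-segment"
    return "routed"


if __name__ == "__main__":
    wan = ip_interface("203.0.113.10/24")
    plan = routed_subnet_plan(wan, "198.51.100.8/29")
    print("ISP route:", plan["isp_route"])
    print("DMZ gateway:", plan["dmz_gateway"])
    print("servers:", [str(s) for s in plan["server_addresses"]])
```

The routed plan comes out with five server addresses, which is the "more than 5 and you're going through a contract" boundary mentioned later in the thread: a /29 has six host addresses and the router's gateway address takes one of them.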

15 minutes ago, sphbecker said:

That is not exactly correct. Many ISPs limit multiple IP addresses to business connections, but nothing is stopping them from providing them to consumers as well. For a long time, AT&T had a U-verse option to add 5 static IP addresses alongside your dynamic one; it was $10 a month extra, I paid for it and it worked as expected. It comes down to the ISPs' policies, not a technical restriction.

His comment was if the ISP is not allowing you to purchase a /29 you are not able to get more IPs.

 

16 minutes ago, sphbecker said:

you even make your own BGP advertisements

No. Unless you purchase a /24 from your provider, they won't even begin to speak to you about BGP.


13 minutes ago, mynameisjuan said:

His comment was if the ISP is not allowing you to purchase a /29 you are not able to get more IPs.

 

No. Unless you purchase a /24 from your provider, they won't even begin to speak to you about BGP.

I don't mean to argue, but both of those points are not correct. An ISP can assign more than one WAN IP address without it being in the form of a subnet such as a /29; this is more common on connections like Business Cable, not dedicated connections. Also, that is not what he said, he simply said it can't be done. I have worked with ISPs who provided /28 and /29 subnets and gave the option to use BGP instead of static... we ordered the circuit that way, it was delivered and worked as expected. Just because some ISPs have rules about something doesn't mean all follow the same set of rules.


8 minutes ago, sphbecker said:

An ISP can assign more than one WAN IP address without it being in the form of a subnet such as a /29, this is more common on connections like Business Cable, not dedicated connections

Yes, I know. I'm a network engineer for an ISP. If you want more than one static, you're getting a /29. If you need more than 5, you're going through a contract and paying quite a bit more. There are no limitations; it's just the standard everyone sticks to.

 

8 minutes ago, sphbecker said:

have worked with ISPs who provided /28 and /29 subnets and gave the option to use BGP instead of static...we ordered the circuit that way, it was delivered and worked as expected

False. If they are to be taken seriously by other carriers, they will not and cannot advertise less than a /24. Sure, they can peer with you and send you a full table, but they are not going to advertise your /28 or /29 to the world. They probably gave you the impression that you were actually advertising your subnets.


2 minutes ago, mynameisjuan said:

False. If they are to be taken seriously by other carriers, they will not and cannot advertise less than a /24. Sure, they can peer with you and send you a full table, but they are not going to advertise your /28 or /29 to the world. They probably gave you the impression that you were actually advertising your subnets.

I am sure they do subnet summarization before advertising the routes outside of their own network, but that doesn't change the fact that your route is still being advertised via BGP. That is all I said and it is a correct statement. I never said that you are making unmodified subnet advertisements to the entire world. You seem to jump to conclusions and assume people are saying more than they actually said, then use those assumptions to argue. That is called a strawman argument and is typically used for grandstanding; no need for all of that. You don't need to try to impress me with your knowledge, I am not in a position to offer you a job, I am just some rando from the internet.

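Added example, not from the thread and not either poster's: a Python sketch of the export behaviour the last few posts are arguing about. Inside the provider, a customer prefix learned over BGP stays a distinct route; at the upstream export, anything longer than the cut-off is either summarised into a provider aggregate or dropped. It assumes a provider aggregate of 198.51.100.0/24 and customer blocks taken from documentation ranges (all constructed values), and models the /24 cut-off as a policy filter, which is an assumption about the provider's configuration rather than a protocol rule.

```python
# Added example, not from the thread: what happens to a customer /29 learned
# over BGP when the provider exports routes upstream. The aggregate
# 198.51.100.0/24 and the customer blocks are constructed from documentation
# ranges; the /24 export limit is a policy assumption for the demo.
from ipaddress import ip_network

MAX_EXPORT_PREFIXLEN = 24  # longest prefix the provider will announce upstream


def internal_routes(customer_prefixes, next_hops):
    """Inside the provider, every customer prefix stays a distinct BGP route
    with the customer's WAN address as its next hop (this is the sense in
    which a /29 'is advertised via BGP')."""
    return {ip_network(p): nh for p, nh in zip(customer_prefixes, next_hops)}


def export_to_upstream(customer_prefixes, provider_aggregates):
    """Decide what leaves the provider's network.

    Returns (advertised, covered, rejected):
      advertised - prefixes announced upstream: the aggregates plus any
                   customer prefix short enough to pass the filter alone
      covered    - customer prefixes that travel inside a provider aggregate
                   (summarised; the outside world sees only the aggregate)
      rejected   - customer prefixes longer than the limit with no aggregate
                   to hide in, which never leave the provider
    """
    aggregates = [ip_network(a) for a in provider_aggregates]
    advertised = set(aggregates)
    covered, rejected = {}, []
    for p in customer_prefixes:
        net = ip_network(p)
        parent = next((a for a in aggregates if net.subnet_of(a)), None)
        if parent is not None:
            covered[net] = parent
        elif net.prefixlen <= MAX_EXPORT_PREFIXLEN:
            advertised.add(net)
        else:
            rejected.append(net)
    return advertised, covered, rejected


if __name__ == "__main__":
    customers = ["198.51.100.8/29", "192.0.2.0/24", "203.0.113.64/28"]
    print("internal:", internal_routes(customers, ["203.0.113.10", "203.0.113.20", "203.0.113.30"]))
    adv, cov, rej = export_to_upstream(customers, ["198.51.100.0/24"])
    print("advertised upstream:", sorted(map(str, adv)))
    print("summarised into an aggregate:", {str(k): str(v) for k, v in cov.items()})
    print("dropped at export:", list(map(str, rej)))
```

With the sample input, the /29 carved out of the provider's own /24 reaches the world only as that /24, the customer-owned /24 goes out on its own, and the /28 with no covering aggregate goes nowhere, which is the distinction both sides of the argument above are describing from different ends.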

42 minutes ago, sphbecker said:

You don't need to try to impress me with your knowledge, I am not in a position to offer you a job, I am just some rando from the internet.

You have an almost 6-paragraph explanation to a simple comment. Don't call me out for trying to impress people when you are being "that guy" by starting a quote with "well let me give you a high-level view". I'm not here to impress people, but if wrong information is said, imma call them out.


1 hour ago, sphbecker said:

I don't mean to argue, but both of those points are not correct. An ISP can assign more than one WAN IP address without it being in the form of a subnet such as a /29; this is more common on connections like Business Cable, not dedicated connections. Also, that is not what he said, he simply said it can't be done. I have worked with ISPs who provided /28 and /29 subnets and gave the option to use BGP instead of static... we ordered the circuit that way, it was delivered and worked as expected. Just because some ISPs have rules about something doesn't mean all follow the same set of rules.

I did not say it cannot be done, I said they won't do it. Pretty big difference.


2 minutes ago, mynameisjuan said:

You have an almost 6-paragraph explanation to a simple comment. Don't call me out for trying to impress people when you are being "that guy" by starting a quote with "well let me give you a high-level view". I'm not here to impress people, but if wrong information is said, imma call them out.

You and I are likely coming from the same place. I am the same way. I like to educate people, not in a way to show off but because I genuinely enjoy it. I was a bit rubbed wrong by your callout attempts because, like I said, I feel like you put words in my mouth and then told me those words I didn't say were wrong. It would be as if I said I drove my car cross country and you replied with "not possible, no car made has a large enough fuel tank." Anyway, no hard feelings, I was just trying to explain my point of view for how the conversation went. See you around, thanks for sharing your knowledge.


8 minutes ago, Master Disaster said:

I did not say it cannot be done, I said they won't do it. Pretty big difference.

I said both that it was technically possible and gave an example of a major ISP who offers the feature. Without knowing the OP's ISP, I don't think any of us can say for sure that they won't do it. Most likely, you are correct, most do not offer it.


Now now ladies, we all know my router is bigger than both of yours.

 

I don't see anything wrong with the above comments; sure, 99% of the LTT community won't understand things like BGP or how something like NAT works. I think you both are having a good discussion, but then it got a bit heated.

 

But let's be serious here: reading the OP's initial post, he probably doesn't need anything more than just NAT for the purpose of the post. But you've listed many scenarios, which are good.

I'm going to put a link to my PC specs which actually aren't my PC specs and I cry myself to sleep everyday so I can have these PC specs but I can't afford these PC specs so PC specs PC specs PC specs PC specs PC specs PC specs.


Quote

 

Two options:

1. plug in a switch before your router, and connect all the devices that need a public IP (the router and the servers) directly into that switch.
2. (using a router capable of this) set up 1:1 NAT. 1:1 NAT is basically port forwarding but on a whole IP basis - every incoming or outgoing connection on any port is directly mapped between a public IP and a LAN IP. It is named 1:1 because port 1 forwards to port 1, port 2 forwards to port 2, etc.

 

Most installs I support use a mixture of the two - we tend to have multiple routers/firewalls which are connected via the switch, but for servers we do 1:1 NAT because that allows the IPS on the firewall to protect the server against obvious attacks like brute force attempts. This is a feature you normally pay a subscription for, on devices from companies like Cisco, Fortinet, Watchguard, Sonicwall, etc. You can set up IPS yourself for free using PFSense and Snort or Suricata, or you can get a home license of Untangle for $50/year which saves you a lot of hassle of setup and fine tuning.

 

Quote

 

Let me give a very quick high-level conceptual overview of how it would work, but like I said, most home-use routers don't have any of these options.

There are two ways the ISP can give you extra IP addresses. They can either assign additional IP addresses to your existing WAN subnet, similar to the way a computer can have more than one IP address on a single network connection. Using that approach, your NAT port forwarding would take care of what you want; it would just need to allow you to specify for each rule which WAN IP and port you wanted to forward (most SOHO routers don't have that feature, they only let you choose a port). If this is the approach your ISP takes, then the suggestion of using a network switch between the modem and router will work (it removes the requirement that your router support multiple IP addresses), just make sure your servers are running their own firewall.

 

The 2nd and more correct way is for them to assign you an additional routed subnet alongside the single IP address they already give you. With that approach, your router would "consume" the single IP address on its WAN interface, and would then assign the 2nd subnet to its LAN interface (no NAT). The ISP sets your own router as the route to that internal subnet and your router routes traffic just like an internet router would (in some cases, you even make your own BGP advertisements). From there, you just assign IP addresses from that LAN subnet on your servers directly (so they have a 183.23.142.23 style address, not a 192.168.1.2). Firewall settings become very important with that approach because your servers become fully reachable by everyone on the internet. The term for that kind of publicly reachable internal network is a DMZ VLAN; you would typically also have a private VLAN because you don't want things like iPhones and laptops getting publicly routable IP addresses.

 

But going back to the basic answer given, your ISP probably doesn't allow it unless you move to a business package.

 

Hi @brwainer & @sphbecker

Thank you for your input, you both appear to have the same answer. While I do understand what you guys are saying, something just does not add up. Firstly, take note this is all home testing and SUPER small scale. One critical key point I missed is that my servers are all VMs. Both solutions you guys provided sound like my servers need to be physical dedis, well, apart from the NAT suggestion. Correct me if I am wrong, but since they are VMs, I believe the best solution in this case would be the static NAT 1:1 setup, assuming my consumer router supports it.

But what puzzles me is that with this approach, I would still need to set a LAN IP on my VM servers, and then use NAT. But when I look at an actual data centre VPS that I work with, and I do an ipconfig/ifconfig command, the IP address is literally the public IP and not the LAN IP. Soooo now this all makes no sense again? Would that imply a data centre's VM is directly connected to a switch? Whaaat?

Also, a side question: is it possible to get multiple IPs on an LTE connection to the router? I guess I would just need a router that supports static NAT?


2 minutes ago, Nam061 said:

Hi @brwainer & @sphbecker

Thank you for your input, you both appear to have the same answer. While I do understand what you guys are saying, something just does not add up. Firstly, take note this is all home testing and SUPER small scale. One critical key point I missed is that my servers are all VMs. Both solutions you guys provided sound like my servers need to be physical dedis, well, apart from the NAT suggestion. Correct me if I am wrong, but since they are VMs, I believe the best solution in this case would be the static NAT 1:1 setup, assuming my consumer router supports it.

But what puzzles me is that with this approach, I would still need to set a LAN IP on my VM servers, and then use NAT. But when I look at an actual data centre VPS that I work with, and I do an ipconfig/ifconfig command, the IP address is literally the public IP and not the LAN IP. Soooo now this all makes no sense again? Would that imply a data centre's VM is directly connected to a switch? Whaaat?

Also, a side question: is it possible to get multiple IPs on an LTE connection to the router? I guess I would just need a router that supports static NAT?

Your question about IP addresses depends on whether you are using NAT or not. If you are using NAT, then the router is translating a public address to a private address. If you don't use NAT (this requires that your ISP assign you a routable subnet), then you can route the public IP directly to the server.

 

I would be surprised if any LTE carrier would provide multiple IP addresses. Find out what your ISP offers. If they don't offer anything, then ask them about converting your account to a business account, they should allow for more options.

If you are already running VMs, then you could always look into setting up a virtual PFSense or VyOS instance and use it as a virtual router, but figure out how you can get those IP addresses before you spend any time working on how to route them.


Food for thought, if your ISP offers native IPv6 and if this is more of a home project than something you actually need to publish to the world, then you might consider just using IPv6 to do what you need.

 

Another thing you could consider (again, depending on your needs) is to set up an OpenVPN server and just have your users connect to the servers via VPN. You could still use NAT port forwarding for services that truly need to be public.

 

I know neither of those answers your question, but figured I would point them out.


3 hours ago, Nam061 said:

One critical key point I missed is that my servers are all VMs. Both solutions you guys provided sounds like my servers need to be physical dedis, well apart from the NAT suggestion

The point of a virtual machine is that once you are talking about the network, it is indistinguishable from a physical device. Do your servers already have their own IP on the LAN side of your router? Or do the servers share the IP of the host? If they share, then that means your VM host is doing its own layer of NAT, and you want to get rid of that. As long as the router can directly reach an IP, you can 1:1 NAT to it. (I'm simplifying here; there are ways with routing to NAT a device that isn't directly on a router's LAN, but that's beyond the scope of your situation.)

 

If you wanted to take the “switch between the modem and router” option, then there are still two possibilities for the VMs to have public IPs, but the host to have a private IP:

1. Use a second ethernet adaptor on the host, and only assign the VMs which should have public IPs to it

2. Learn VLANs and get a switch that is capable of them. This would allow you to use a single port on the host, but have the VMs go to a different network than the host and other VMs.

 

3 hours ago, Nam061 said:

when I look at an actual data centre VPS that I work with, and I do a ipconfig/ifconfig command, the IP address is literally the public IP and not the LAN IP.

The VPS provider is doing one or both of the things I said above. Typically they will have separate ports for the management of the host versus the VPS traffic (and other port(s) for storage tasks like replication and backup), and sometimes each customer has their own VLAN for their VPSs so they can communicate "directly".

