Multiple Static IP's on ADSL, how?

Hey,

How do multiple static IPs work on an ADSL connection (i.e. Be Internet)? Are you given a switch instead of a router? I presume a router isn't needed as you wouldn't be routing between an internal and external network, merely multiple IPs on the same external network.

Can someone please clarify how this works for me please?

Cheers
 
Routers don't route between IP addresses, they route between subnets. When you get more than one IP from your ISP, you just get a bigger subnet rather than a /32. I get a /31 which gives me 5 IPs.
 
The way it works is this:

On a normal ADSL connection where you have one external IP address, you have an internal network with a private IP range, i.e. 192.168.1.x/24.

To connect to the Internet, your ADSL router performs NAT, so that your private IP range is address-translated through the router and the traffic appears on the Internet with your public address. This is typically dynamic, so unless you log in to your ADSL router you do not know what your public IP is.

With multiple static IPs the NAT does not take place, i.e. you are allocated a block of IP addresses, typically a /29,

i.e. 202.202.202.0/29. This would give you a usable range as follows. This isn't my range, so apologies to whoever it does belong to.

202.202.202.0 - Network
202.202.202.1 - Router's Ethernet Address
202.202.202.2 - Usable Address
202.202.202.3 - Usable Address
202.202.202.4 - Usable Address
202.202.202.5 - Usable Address
202.202.202.6 - Usable Address
202.202.202.7 - Broadcast

You would give your PC an address of 202.202.202.2 and a DG of 202.202.202.1. Your traffic would be seen on the Internet as 202.202.202.202.

Note this means that your PC is effectively connected directly to the Internet and there is no protection between you and the Internet apart from what you are putting on the PC.

Traffic locally on your network would be switched as normal. You would however still be routing across the router to get to the Internet.

Unless you want to run services at home, for most people a dynamic IP is perfectly usable.
 
Doesn't work like that on Be - they give you 8 (or 16) IPs from a big block, and your modem runs in bridge mode, using a gateway address at Be's end. A very stupid way of doing things if you ask me.
 
No reason why you can't NAT with multiple IPs.

No, but if you are going to NAT, why bother having a public IP block? You may just as well have a private range internally.

The whole point of having static IPs is so that they can be accessed from the Internet. If you are going to NAT these then you would need to perform inbound NAT on your ADSL router, and if doing that you may as well have private address space.
 
Thanks guys, I don't know if I worded it clearly enough as my question was mainly about the hardware required, as it's not like you have an RJ45 jack in your wall! That's pretty much how I figured they'd assign the IPs though, just by expanding the subnet.

Doesn't work like that on Be - they give you 8 (or 16) IPs from a big block, and your modem runs in bridge mode, using a gateway address at Be's end. A very stupid way of doing things if you ask me.

Thanks for that, that's the answer I was looking for. So basically I could plug a switch into the DCE (in this case being the modem), and plug all my stuff into the switch having given them each one of the different static IPs.

Presumably I could then plug a router into the switch, and route traffic via NAT to an internal network, correct?

You say it's a stupid way of doing it though, what other ways do other providers use?
 
Traffic locally on your network would be switched as normal. You would however still be routing across the router to get to the Internet.

Ah, sorry, just saw your post. So basically on that setup you'd have a router with all your devices connected to it, each with one of the static IPs. The router would also then plug into the modem (?) with an outward-facing IP address on whatever network you're hooked into? NAT is completely turned off, right?

So what is the hardware that the ISP provides? Is it just your normal ADSL router but with NAT turned off? Or is it a modem in bridge mode like Be apparently does it?
 
Since this thread seems semi-relevant to my question, I hope no one minds me posting it here. My ISP only gives me 1 IP, but why do they give me that 1 IP from a /23 subnet?
 
No, but if you are going to NAT, why bother having a public IP block? You may just as well have a private range internally.

Not quite. It's stupid (insecure, waste of IPs) using IPs for devices that don't need direct access to (and from) the internet, but most routers don't do a good job of a mixture of one-to-one and one-to-many NAT.

So basically on that setup you'd have a router with all your devices connected to it, each with one of the static IPs.

That's the one. The setup's no different from with one public IP, except some of the devices behind the router take a public IP too.

NAT is completely turned off, right?

Depends if you can get as many IPs as devices, or want every device exposed to the internet.

So what is the hardware that the ISP provides?

Depends on the ISP. Be will give you a router, and if you use their config for multi-IPs it'll disable NAT etc.

My ISP only gives me 1 IP, but why do they give me that 1 IP from a /23 subnet?

If you used a subnet for every user, you'd lose dozens of IPs to broadcast IPs, and you'd have to route between them somewhere.
 
No, but if you are going to NAT, why bother having a public IP block? You may just as well have a private range internally.

The whole point of having static IPs is so that they can be accessed from the Internet. If you are going to NAT these then you would need to perform inbound NAT on your ADSL router, and if doing that you may as well have private address space.

Because sometimes you want to be able to access a number of different services on the same port but different ip addresses.

I've got more than 5 servers behind my router, and that's not counting client machines (laptops / desktops) etc. I run NAT because I can't do a 1-1 mapping of clients to public ips, and there are some services that I want to be able to access on the same port number (e.g. 443). The only way to do this is to have more than 1 public ip.
 
Because sometimes you want to be able to access a number of different services on the same port but different ip addresses.

I've got more than 5 servers behind my router, and that's not counting client machines (laptops / desktops) etc. I run NAT because I can't do a 1-1 mapping of clients to public ips, and there are some services that I want to be able to access on the same port number (e.g. 443). The only way to do this is to have more than 1 public ip.

So do I, I have an ADSL Router with a /29 and no NAT. I then have a Firewall inside of the Router that performs my NAT from the public IP to private ranges. My Public IP isn't NATted on my ADSL box. The traffic leaves my firewall with a public IP and the ADSL box just routes out to the Internet for me.

I have a mail server and a web server sharing the same public IP, and then another web server on another IP address, so I am perfectly aware of how and why you use NAT, I just don't see the point of NATting Public IP address on your network to the external IP of your ADSL Router.

Or maybe we are both actually doing the same thing.
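
An added example, not part of any post in this thread: a small checker for the kind of inbound NAT plan described above, where a firewall behind the ADSL router maps addresses from the routed /29 to private servers and drops everything else. The block and gateway are the thread's example range; the plan entries, private addresses and function names are constructed for illustration.

```python
import ipaddress

BLOCK = ipaddress.ip_network("202.202.202.0/29")   # the thread's example range
GATEWAY = ipaddress.ip_address("202.202.202.1")    # router's Ethernet address

# Constructed inbound NAT plan: (public IP, TCP port) -> (private IP, port).
# Mail and web share one public IP; a second web server gets its own IP,
# so both web servers can listen on 443.
PLAN = {
    ("202.202.202.2", 25):  ("192.168.1.10", 25),
    ("202.202.202.2", 443): ("192.168.1.11", 443),
    ("202.202.202.3", 443): ("192.168.1.12", 443),
}

def validate(plan, block=BLOCK, gateway=GATEWAY):
    """Return a list of problems in an inbound NAT plan (empty list = OK)."""
    problems = []
    # Usable hosts exclude network, broadcast and the router's own address.
    usable = set(block.hosts()) - {gateway}
    for (pub, port), (priv, _) in plan.items():
        pub_ip = ipaddress.ip_address(pub)
        priv_ip = ipaddress.ip_address(priv)
        if pub_ip not in block:
            problems.append(f"{pub}:{port} is outside {block}")
        elif pub_ip not in usable:
            problems.append(f"{pub}:{port} uses a reserved address")
        if not priv_ip.is_private:
            problems.append(f"{pub}:{port} targets non-private {priv}")
    return problems

def translate(plan, dst_ip, dst_port):
    """Inbound decision: the mapped target, or None (default deny)."""
    return plan.get((dst_ip, dst_port))

def exposed(plan):
    """Public (IP, port) pairs reachable from the Internet, sorted."""
    return sorted(plan, key=lambda k: (ipaddress.ip_address(k[0]), k[1]))

if __name__ == "__main__":
    print("problems:", validate(PLAN))
    for ip, port in exposed(PLAN):
        print(f"exposed {ip}:{port} -> {translate(PLAN, ip, port)}")
```

The output of `exposed()` is the full Internet-facing surface of the block; any address or port not listed is dropped by the firewall rather than reaching a host directly.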
 
Ah, I see what you mean. Misinterpreted what you said.

How are you handling the risk of sticking the servers in front of the firewall? Are you using a firewall on the router, or software firewalls on the servers?
 
So do I, I have an ADSL Router with a /29 and no NAT. I then have a Firewall inside of the Router that performs my NAT from the public IP to private ranges. My Public IP isn't NATted on my ADSL box. The traffic leaves my firewall with a public IP and the ADSL box just routes out to the Internet for me.

I have a mail server and a web server sharing the same public IP, and then another web server on another IP address, so I am perfectly aware of how and why you use NAT, I just don't see the point of NATting Public IP address on your network to the external IP of your ADSL Router.

Or maybe we are both actually doing the same thing.

Because his solution doesn't require two boxes to make it work would be a good reason.

It's a fairly standard solution for some very big customers with us, a /26 assigned for web services, all pointed to one interface on the firewall and then NAT'd (using MIPs in Juniper terminology) to the privately addressed servers. Lots of good reasons to do it.
 
Not quite. It's stupid (insecure, waste of IPs) using IPs for devices that don't need direct access to (and from) the internet, but most routers don't do a good job of a mixture of one-to-one and one-to-many NAT.

Well, most consumer routers don't, but if you're running something which needs a public range then probably you can stretch to something beyond a £60 Netgear.
 
Well, most consumer routers don't, but if you're running something which needs a public range then probably you can stretch to something beyond a £60 Netgear.

Most cheap consumer routers don't do a particularly good job of no-NAT at all, but it's worth bearing in mind before you wind up paying more for extra public IPs or whatever.
 