networking-forum.com

All times are UTC - 6 hours [ DST ]



Posted: Mon Apr 23, 2012 6:08 pm
New Member

Joined: Mon Apr 23, 2012 5:28 pm
Posts: 2
Hi,

We have a T1 connection at our office with a block of 5 IPs. The external interface is simply one RJ45 jack. Currently we have a home spec router connected to the external interface, and then a switch connected to the router. Certain ports are forwarded to our server in the home spec router for things like OWA, etc.

I would like to start putting our other IPs to use. Is this usually done by having a switch connected to the external device and then have multiple routers connected to the switch? Or is it one router capable of VLAN or is it something entirely different?

Really, what I want to know is what the rest of the industry typically does to use their multiple IPs.

What gear would you recommend for this?

Thanks,
Mike


Posted: Tue Apr 24, 2012 7:07 am
Post Whore

Joined: Mon Mar 01, 2010 3:28 pm
Posts: 1092
Location: Houston, TX
Certs: MCSA, VCP4, CCNA, CCNA Security
Usually it's done with NAT. You can "assign" one of the public IPs to a device by NATing the public IP to the device's private IP.


Posted: Tue Apr 24, 2012 7:56 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
paadams wrote:
Usually it's done with NAT. You can "assign" one of the public IPs to a device by NATing the public IP to the device's private IP.

where the devices live in your DMZ for protection....

so if my network is 12.34.56.0/24

my web server on 12.34.56.78
mail server on 12.34.56.79
dns server on 12.34.56.80

all residing in my dmz 192.168.1.0/24

I'd nat
12.34.56.78 to 192.168.1.2 and open port 80 on the firewall to allow traffic in to the DMZ
12.34.56.79 to 192.168.1.3 and open port 25 on the firewall to allow traffic in to the DMZ
12.34.56.80 to 192.168.1.4 and open port 53 on the firewall to allow traffic in to the DMZ

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


Posted: Tue Apr 24, 2012 8:02 am
Post Whore

Joined: Mon Mar 01, 2010 3:28 pm
Posts: 1092
Location: Houston, TX
Certs: MCSA, VCP4, CCNA, CCNA Security
DMZ is important, my bad. :D


Posted: Thu Apr 26, 2012 1:21 pm
New Member

Joined: Mon Apr 23, 2012 5:28 pm
Posts: 2
ristau5741 wrote:
12.34.56.78 to 192.168.1.2 and open port 80 on the firewall to allow traffic in to the DMZ
12.34.56.79 to 192.168.1.3 and open port 25 on the firewall to allow traffic in to the DMZ
12.34.56.80 to 192.168.1.4 and open port 53 on the firewall to allow traffic in to the DMZ


Could you please clarify for me. When you refer to the firewall, could this mean one or more of many different things? For example, the software firewall in Windows, a physical firewall box in between the router and the network, or a firewall built into the router?

I was thinking about using a DD-WRT router to do the one-to-one NAT. So is it possible that DD-WRT has a firewall in it that I would just open up the relevant ports on? So that way I can do it all with one device?

Again, I'm not just wondering if that will work but what most companies do.

Thanks,
Mike


Posted: Fri Apr 27, 2012 8:49 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8303
Location: Frederick MD
Certs: Instanity
firewall - device where NATing takes place.

Posted: Tue May 01, 2012 6:10 pm
New Member

Joined: Thu Apr 26, 2012 1:19 pm
Posts: 27
Certs: CCNA / CCNA VOICE
Companies normally do subinterfaces on the WAN port, each one being tied to a unique subnet and VLAN on the "inside" network

or a DMZ, but not so much, unless you have a web server or something that requires constant access to and from outside/public, and rarely if ever needs access from the inside / local network. DMZ sits outside of the firewall, which you never want for your PC etc. Maybe for a true public web server and not too much else.

If you have a box that you want to access from outside the LAN, but is also a LAN resource, set up the other static IPs as WAN IP aliases on the router, and also set static NAT pointing one of those IPs to the inside IP on your LAN device/PC/server (outside IP <> inside IP).

Then on the router's firewall (or your external dedicated firewall) you set up rules to allow entry to that IP/device from the sources you choose (by source IP, source TCP port, etc).

Or alternatively, you can use the 1 WAN IP for everything, and forward to inside LAN devices like PC/server using TCP ports. For example, port 21 forwards to your FTP server or port 443 forwards to your Windows server. You just type in IP address:port # and then the router knows where to send you based on your firewall rules and the ports you "forwarded".


Posted: Tue May 01, 2012 6:16 pm
New Member

Joined: Thu Apr 26, 2012 1:19 pm
Posts: 27
Certs: CCNA / CCNA VOICE
Sorry, just realized you said you were already port forwarding, so ignore my last paragraph, you're already doing port fwd.

So you can do subinterfaces if you have a router that supports it. SoHo routers (consumer grade etc) probably have an IP/WAN aliases feature instead. Same idea more or less. Then you can tie 1 outside IP to 1 inside IP (1:1 static NAT) if you have enough IPs for each LAN device you want, and no port fwd needed.
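
The 1:1 static NAT into a DMZ discussed in this thread (ristau5741's address mapping, with one port opened per server, and the static NAT plus firewall rules described in the last two posts), written out as iptables rules of the kind a Linux-based router such as DD-WRT uses. This is an added example, not part of any post; the interface names are assumptions, and the script only prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for 1:1 NAT into a DMZ.
# Addresses are the ones used in the thread; interface names are assumptions.
WAN_IF=eth0   # assumed: faces the T1; the public IPs are aliased here
DMZ_IF=eth1   # assumed: 192.168.1.0/24
LAN_IF=eth2   # assumed: office LAN

# public_ip dmz_ip proto port (DNS appears twice: it uses UDP and TCP 53)
MAPPINGS='12.34.56.78 192.168.1.2 tcp 80
12.34.56.79 192.168.1.3 tcp 25
12.34.56.80 192.168.1.4 udp 53
12.34.56.80 192.168.1.4 tcp 53'

gen_rules() {
    # Default-deny forwarding: NAT alone filters nothing, the FORWARD chain does.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicit and early, so a broad ACCEPT appended later cannot let a
    # compromised DMZ host open connections into the LAN.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP"
    seen=""
    while read -r pub priv proto port; do
        case " $seen " in
            *" $pub "*) ;;   # NAT pair already emitted for this public IP
            *)
                # Inbound: rewrite the public destination to the DMZ host.
                echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
                # If outbound from the DMZ host is later allowed, it leaves as its public IP.
                echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
                seen="$seen $pub"
                ;;
        esac
        # Open only the one service port, and only towards the DMZ host.
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done <<EOF
$MAPPINGS
EOF
}

# LAN-to-Internet and LAN-to-DMZ rules are out of scope here.
gen_rules
```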

