Is this possible? (re. multiple external IP's)

[Sumanji]

Hey,

We've got a 3Com 3CRWDR300A-73 router running on ADSL24's service here. They've supplied us with 8 static IP's, of which only 5 are usable by devices.

What I want is to keep all 5 x Windows PC's under one external IP, and therefore fully firewalled. And then I want a few other devices (2 x PS3, IP Phone) to have their own external IP's and to be put in the DMZ.

Is this possible?

Cheers,

Su

[peterb]

Out of those 8 addresses, 1 is the subnet, one is broadcast (for the subnet) and one will be required for the router, leaving you with five usable addresses. The one going to the router can be used for NAT, so you still have 5 public IP addresses for other things. How easy it is to use them will depend on the router - I use a Draytek 2800 and route some of my public IP addresses to devices such as VoIP phones, but I keep my computers behind NAT as it makes security a little easier to manage.

[malfunction]

Originally Posted by peterb

depend[s] on the router

+1

@ Sumanji - I'm not familiar with the 3COM router you have but you will need a router than you can assign multiple IP addresses to (likely on the single inbound interface) and that can route inbound traffic to each individual address to different destinations (if it can do the former it should definitely be able to do the latter). As with peterb I've also used a draytek - a "DrayTek Vigor 2950" - that can do this though but that's a dedicated ethernet firewall / router rather than an ADSL router... That said if your ISP is able to give you a dedicated subnet rather than a dynamically allocated IP they may be able to recommend and / or sell you an appropriate router.

[Sumanji]

Hey,

Digging around in the router settings, I came across this page. It was suggested by a guy on some other forums that 3Com routers can do 1-to-1 NAT, but I'm unsure how exactly to set it up... is it as simple as just typing in the relevant IP addresses here?!



Cheers,

Su

[malfunction]

That looks like a winner - you *might* need to register the alternate IPs as 'aliases' elsewhere but start with that page and see what you get. I'm sure you *do* understand the risks but never the less I feel the need to point out that you'd be forwarding all traffic for the IPs in question - no filtering / security applied at all.

[Sp00n]

That page shows that it will map public ip > local ip, that exactly wht you need.

have the first public ip for the routed NAT, then use 2 more on that DMZ page, job done.

[Sumanji]

Hey,

I presume the router will not protect against traffic between the firewalled PC's and the consoles, since internally they are both on the same subnet? I kinda understand the risks, but I guess it's not a bad idea to discuss them with you my thinking was to keep all the Windows PC's behind the firewall under the default IP, as they are the most vulnerable to attack from North Korean super ninja assassin hackers

The main reason for doing this is to "free" the PS3's from the firewall. UPnP does not work with them (totally kills internet connectivity on them for some reason?!),and there aren't enough slots to forward all the necessary ports to both consoles. Also, I can't put both consoles in the DMZ at the same time (on the same IP).

The way I figure, although I would be openly exposing devices with an internal IP to the WWAN side, you'd have to be pretty special to hack a PS3 and use it gain access to the Windows machines. Likewise with the IP Phone...

Cheers,

Su

[edit] Ok cheers Sp00n, will give it a go now and report back

[malfunction]

Might be worth asking others with PS3s how they get around that problem

[Sumanji]

Hey,

It's entirely router dependant mate - some play ball with the PS3/UPnP (like my old D-Link) and others just don't! Was I roughly right re. my security risk assumptions though?

Well I tried just setting it up simply by typing public IP in the left column and local IP in the right... seems to have worked!! Both PS3's show "NAT Type 2" when simultaneously connected, which never used to happen before.

So thanks all

Su

[peterb]

The pc's behind the NAT firewall will be pretty safe (assuming you don't have port forwarding on. so even if the PS3 was hacked, that shouldn't give access to the windows machines.

Your solution seems pretty sound (and simple!).

If you have multi-nat (ie, able to have two NAT subnets) you could do that, but my guess is that if the PS3 doesn't play nicely with a NAT setup that you have, it probably wouldn't even if it was on its own subnet.

[Maegan1979]

Hi.
Nice sharing.
I'm glad to be here.