Naked Science Forum

Non Life Sciences => Geek Speak => Topic started by: chris on 03/02/2018 11:26:47

Title: How do I firewall devices behind multiple public IPs?
Post by: chris on 03/02/2018 11:26:47
Dear all

I don't know if anyone can answer this, because it's a bit technical and possibly beyond the scope of this forum, but I'll try anyway, and if anyone can help me that would be terrific.

I have been assigned a block of 5 public IPs by our ISP. The idea is to put certain NS resources - like codecs, recorders and ftp servers - onto these different addresses. Then they may be accessed publicly; port forwarding is not appropriate in this situation.

The VDSL modem / router supplied by the ISP has a "routed subnet" option that exposes the additional IP addresses to the Internet. However, as far as I can tell, these IPs are not behind the firewall that protects the LAN originating from the router (which is the DHCP server for the LAN 192.168.xx.xx subnet). The router also seems to lack a 1:1 NAT config option.

My questions are:

1) What is the best way to protect my downstream devices on those public IPs? Ideally I'd like to put some sort of firewall between them and the wider web.

2) Is there another way to build the config whereby I can put all of the devices on the same LAN, with a LAN address each, but then also route a public IP to them individually also?

Any advice would be gratefully received.
Title: Re: How do I firewall devices behind multiple public IPs?
Post by: Cristina on 05/02/2018 09:54:36
Are these content sources you think of yourself?
Title: Re: How do I firewall devices behind multiple public IPs?
Post by: chris on 05/02/2018 10:28:37
Pardon?

It's a question I'm trying to solve!
Title: Re: How do I firewall devices behind multiple public IPs?
Post by: wolfekeeper on 05/02/2018 17:17:20
You might need a new router, but it may be possible to configure the existing one. It depends on the router. What's the router model number?

Edit: one way to solve this might be to use the VDSL modem as a gateway (that's probably the routed subnet option), and then add a second ethernet/WiFi router behind the first one, which has a firewall. But doing that is often a bit fiddly to set up, for example you need to make sure there's at most one DHCP server.
Title: Re: How do I firewall devices behind multiple public IPs?
Post by: chris on 05/02/2018 21:49:50
Thanks; I thought of that; trouble is that most consumer routers make things "easy" by being totally locked down and "inconfigurable"; so I might end up not being able to translate the IP across the NAT to the new devices...

What I think I need is a solid state firewall device that can do 1-to-1 NAT allocations, so I can forward the IP addresses on from the VDSL modem (routed subnet option) and then when the output hits the firewall it is then translated to the correct targets on the network. But what happens to the "normal" LAN traffic with this config, I don't know. I'm guessing that the firewall would go between the modem/router and the switch to which everything else is connected...

Does anyone
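The arrangement chris sketches here (a firewall sitting between the routed-subnet modem and the LAN switch, holding the 1:1 public-to-private mappings and only letting chosen services through) can be modelled as a small stateful policy. The Python below is an added illustration, not anything from the thread, from the ISP router or from any firewall product; the public block and remote addresses are taken from the RFC 5737 documentation ranges, and the LAN addresses and per-device service ports are assumptions chosen for the example. It also contrasts the filtered path with the plain routed-subnet behaviour described earlier, where every port on every device is reachable.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed addresses: documentation-range public IPs standing in for the
# ISP's block, mapped 1:1 onto the LAN hosts that actually run the services.
NAT_MAP: Dict[str, str] = {
    "203.0.113.10": "192.168.50.10",  # codec
    "203.0.113.11": "192.168.50.11",  # recorder
    "203.0.113.12": "192.168.50.12",  # ftp server
}

# Inbound allow-list per LAN host: only the service each device exposes.
# The port numbers are assumptions for the example, not the real devices'.
INBOUND_ALLOW: Dict[str, Set[int]] = {
    "192.168.50.10": {5004},
    "192.168.50.11": {443},
    "192.168.50.12": {21},
}

# Connection-tracking key: (lan_ip, lan_port, remote_ip, remote_port)
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class OneToOneNatFirewall:
    nat: Dict[str, str]
    allow: Dict[str, Set[int]]
    conntrack: Set[Flow] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Reverse map so outbound traffic gets its own public source address.
        self.reverse = {lan: pub for pub, lan in self.nat.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Returns the translated packet, or None if dropped."""
        lan = self.nat.get(pkt.dst)
        if lan is None:
            return None  # not one of the public IPs we hold
        flow: Flow = (lan, pkt.dport, pkt.src, pkt.sport)
        # Admit replies to flows a LAN host opened, plus new connections
        # to the one service this host is allowed to expose.
        if flow in self.conntrack or pkt.dport in self.allow.get(lan, set()):
            self.conntrack.add(flow)
            return Packet(pkt.src, lan, pkt.sport, pkt.dport)
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Records the flow and rewrites the source to the public IP."""
        public = self.reverse.get(pkt.src)
        if public is None:
            return None  # ordinary LAN hosts keep using the router's own NAT
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return Packet(public, pkt.dst, pkt.sport, pkt.dport)


def routed_subnet_unfiltered(pkt: Packet) -> bool:
    """The modem's routed-subnet option alone: anything addressed to one of
    the public IPs is delivered, whatever the port."""
    return pkt.dst in NAT_MAP


def demo() -> Dict[str, Optional[str]]:
    """Run constructed traffic through both models and collect the outcomes."""
    fw = OneToOneNatFirewall(NAT_MAP, INBOUND_ALLOW)
    out: Dict[str, Optional[str]] = {}
    https = Packet("198.51.100.7", "203.0.113.11", 40000, 443)
    ssh = Packet("198.51.100.7", "203.0.113.11", 40001, 22)
    # Recorder's HTTPS port: allowed and translated to the LAN address.
    r = fw.inbound(https)
    out["recorder_https"] = r.dst if r else None
    # Probe of SSH on the recorder: dropped by the firewall...
    out["recorder_ssh"] = fw.inbound(ssh).dst if fw.inbound(ssh) else None
    # ...but reachable on the bare routed subnet.
    out["recorder_ssh_unfiltered"] = "reachable" if routed_subnet_unfiltered(ssh) else None
    # Codec opens an outbound session; the reply is admitted because of state.
    fw.outbound(Packet("192.168.50.10", "198.51.100.9", 50000, 443))
    reply = fw.inbound(Packet("198.51.100.9", "203.0.113.10", 443, 50000))
    out["codec_reply"] = reply.dst if reply else None
    # Address outside the block: dropped.
    stray = fw.inbound(Packet("198.51.100.7", "203.0.113.99", 1, 443))
    out["unknown_ip"] = stray.dst if stray else None
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of keeping per-host allow-lists and connection state in the firewall, rather than relying on the devices, is that the codec or recorder then only ever sees the one port it is meant to serve, and everything else, including scans against the other four public addresses, stops at the firewall.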
Title: Re: How do I firewall devices behind multiple public IPs?
Post by: wolfekeeper on 06/02/2018 16:01:15
You should avoid NAT if possible, and even more so double NAT (NAT behind NAT). Double NAT is reasonably bad news; it works a bit, but it breaks quite a few things. ftp has a hard time through even normal NAT; I think double NAT is even worse.

Provided these devices have their own firewalls, you don't need additional firewalls in the router; they should, indeed must, take care of themselves if they have a public IP address. If they don't have their own firewalls, putting them on the internet with their own IP addresses is probably a bad idea. If they have firewalls, putting them in the DMZ is not ridiculous.

And the security advantages of NAT are anyway generally overstated; there are many ways to get past NAT and onto the local LAN. For example, if a web server anywhere on the internet gets nobbled, it can serve up web pages that directly attempt access to the local LAN, and then for anyone using a browser that accesses that web server, unless there's a firewall there, the malware can directly access the local net behind the NAT.

Overall, keeping them well backed up is probably more important than absolute security.