Should I ask for routed IP or forwarded IP from my provider?

  • Hi Everyone,

    My provider currently provides me 3 usable IPs through one 100Mbps port that they are giving me. They are also forwarding a /27 subnet of IPs to one of my IPs. This puts me in a tough position regarding setting configuration and also the fact that I want to use Asterisk server and lots of SIP.

    I need to make sure that my multiple servers and also VPSs that I run are capable of obtaining their own IP addresses or at least provide them the full 65k+ ports so that I can run multiple services on each server.

    I mainly use the Alix boards that come with three NIC ports only. If I were to ask my provider to allow me to do routing rather than forwarding the /27 subnet to my main IP, how would I be able to obtain those IPs given I have only three NIC ports on this router board? Some clarification on this would be of great help.


  • Rebel Alliance Developer Netgate

    You could use that as-is in a number of different ways.

    If you want to use CARP, give each box an IP and make the shared CARP VIP the one they route the /27 to.

    You can use the /27 on an internal interface, give the router an IP in that subnet (or for CARP, give each box one and make a CARP VIP…) and then put your servers in that subnet, disable NAT for that subnet, and they should be fine.

    You could also use the /27 with 1:1 NAT or port forwards by declaring them as 'other' type VIPs so long as the IP the /27 is routed to is the firewall's IP.

  • Thanks for giving me ideas. Using CARP would be a good way of doing this, but would using CARP put all my services on the same subnet? I guess not, right? I can still choose to have different subnets?

    Segment A- I have a farm of 4 servers that are running some Apache application.
    Segment B- I have another farm that is running Asterisk servers and Proxmox.

    I don't want the people who access Segment A to notice there is a Segment B at all. Of course they won't have any access to the router but so these should be separate subnets.

    Furthermore, now I am really used to firewall rules and the NAT forwarding (I have learned it more or less after lots of tries) and I am wondering if that would change things a lot. I really don't want ALL the servers to have their own firewall rules. Maybe some of them can have one of the /27 IPs but the rest maybe even have IPs routed to them but obtain their connection through local subnet IPs.

    Thanks again for your great input.

  • Rebel Alliance Developer Netgate

    In that case you'd use the whole /27 on a "DMZ" segment (And you can still do CARP there if you want if you need redundant routers) which doesn't get NAT, and then have a "LAN" segment with private IPs that does get NAT. You can filter between the interfaces that way.

    If you want to split the /27 on the inside into multiple interfaces you'd have to set up one interface with the /27 on it and then bridge the second internal interface to that one. I try to avoid bridging if at all possible, though.
