Should I ask for routed IP or forwarded IP from my provider?
My provider currently provides me 3 usable IPs through one 100Mbps port that they are giving me. They also forward a /27 subnet of IPs to one of my IPs. This puts me in a tough position regarding configuration and also the fact that I want to use an Asterisk server and lots of SIP.
I need to make sure that my multiple servers and also VPSs that I run are capable of obtaining their own IP addresses or at least provide them the full 65k+ ports so that I can run multiple services on each server.
I mainly use the Alix boards that come with three NIC ports only. If I were to ask my provider to allow me to do routing rather than forwarding the /27 subnet to my main IP, how would I be able to obtain those IPs given I have only three NIC ports on this router board? Some clarification on this would be of great help.
You could use that as-is in a number of different ways.
If you want to use CARP, give each box an IP and make the shared carp VIP the one they route the /27 to.
You can use the /27 on an internal interface, give the router an IP in that subnet (or for CARP, give each box one and make a CARP VIP…) and then put your servers in that subnet, disable NAT for that subnet, and they should be fine.
You could also use the /27 with 1:1 NAT or port forwards by declaring them as 'other' type VIPs so long as the IP the /27 is routed to is the firewall's IP.
Thanks for giving me ideas. Using CARP would be a good way of doing this but would using CARP put all my services on the same subnet? I guess not right. I can still choose to have different subnets?
Segment A- I have a farm of 4 servers that are running some apache application.
Segment B- I have another farm that is running Asterisk servers and Proxmox.
I don't want the people who access Segment A to notice there is a Segment B at all. Of course they won't have any access to the router, but still these should be separate subnets.
Furthermore, now I am really used to firewall rules and the NAT forwarding (I have learned it more or less after lots of tries) and I am wondering if that would change things a lot. I really don't want ALL the servers to have their own firewall rules. Maybe some of them can have one of the /27 IPs but the rest maybe even have IPs routed to them but obtain their connection through local subnet IPs.
Thanks again for your great input.
In that case you'd use the whole /27 on a "DMZ" segment (And you can still do CARP there if you want if you need redundant routers) which doesn't get NAT, and then have a "LAN" segment with private IPs that does get NAT. You can filter between the interfaces that way.
If you want to split the /27 on the inside into multiple interfaces you'd have to set up one interface with the /27 on it and then bridge the second internal interface to that one. I try to avoid bridging if at all possible, though.
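A worked version of the layout in the reply above (the routed /27 on a DMZ port with no NAT, a private LAN port that does get NAT, and filtering between the two), added here as an example rather than taken from the thread. The interface names, the WAN /29, the /27 and the LAN range are constructed values, and it emits a Linux ip/nftables configuration instead of the pfSense GUI settings the reply refers to.

```python
import ipaddress

# Constructed sample values (not from the thread): WAN /29, its gateway, the /27 routed to our WAN IP, a private LAN.
WAN_IF, DMZ_IF, LAN_IF = "wan0", "dmz0", "lan0"   # the board's three NIC ports

def build_plan(wan_cidr="203.0.113.2/29", wan_gw="203.0.113.1",
               routed="198.51.100.0/27", lan="10.0.0.0/24"):
    """Addressing for a routed /27 on the DMZ port (no NAT) and a NATed LAN."""
    wan = ipaddress.ip_interface(wan_cidr)
    dmz = ipaddress.ip_network(routed)
    lan_net = ipaddress.ip_network(lan)
    dmz_hosts = list(dmz.hosts())
    return {
        "wan_cidr": wan.with_prefixlen, "wan_ip": str(wan.ip), "wan_gw": wan_gw,
        "dmz_net": str(dmz), "dmz_gw": str(dmz_hosts[0]),     # router's own address in the /27
        "dmz_gw_cidr": f"{dmz_hosts[0]}/{dmz.prefixlen}",
        "dmz_servers": [str(h) for h in dmz_hosts[1:]],       # public, un-NATed server addresses
        "lan_net": str(lan_net),
        "lan_gw_cidr": f"{next(lan_net.hosts())}/{lan_net.prefixlen}",
    }

def is_natted(plan, addr):
    """Only LAN sources are translated; DMZ hosts leave with their own public IP."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(plan["lan_net"])

def render(p):
    """Emit ip(8) commands plus an nftables ruleset for a Linux router (same layout as a pf box)."""
    return "\n".join([
        f"ip addr add {p['wan_cidr']} dev {WAN_IF}",
        f"ip route add default via {p['wan_gw']} dev {WAN_IF}",
        f"ip addr add {p['dmz_gw_cidr']} dev {DMZ_IF}",   # provider routes the /27 to wan_ip; it is a connected route here
        f"ip addr add {p['lan_gw_cidr']} dev {LAN_IF}",
        "sysctl -w net.ipv4.ip_forward=1",
        "nft -f - <<'EOF'",
        "table inet fw {",
        "  chain forward { type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{DMZ_IF}" oifname "{WAN_IF}" accept',
        f'    iifname "{WAN_IF}" oifname "{DMZ_IF}" ip daddr {p["dmz_net"]} accept',
        f'    iifname "{LAN_IF}" oifname "{WAN_IF}" accept',
        "    # no LAN<->DMZ rule: the two segments cannot see each other",
        "  }",
        "}",
        "table ip nat {",
        "  chain postrouting { type nat hook postrouting priority 100;",
        f'    oifname "{WAN_IF}" ip saddr {p["lan_net"]} snat to {p["wan_ip"]}',   # LAN only; the /27 is never translated
        "  }",
        "}",
        "EOF",
    ])
```

Hosts in the /27 need only their address, mask and the router's /27 address as default gateway; nothing on the router maps them to the WAN IP.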