Hiya all,
I hope this is the correct place for this question. If not, a polite message will suffice.
My ISP, TalkTalk, has provided me with four static public IP addresses. I have a four port router. I would like to route each public IP to a specific port on my router.
EDIT:
My current router is a HUAWEI - HG533, I'd prefer a NetGear or DLink.
Is this possible?
Do I need a router with specific capabilities? If so, what capabilities do I need?
Can anyone recommend a router that can do this?
If no router is available, that can perform this function, would something like DD-WRT, router firmware, or IPCop, PC based router/packet filter, be able to do this?
Best regards
David
Edited by deleted (Sat 16-Apr-16 17:57:22)
|
|
|
If you have a VLAN capable router you can send a specific IP to a specific physical socket, but that is not what people usually want.
What most people want is just the ability for the device connected to a specific port to run in a NON mode, i.e. support routed IP. Even the older Netgear routers would do this when you simply turn off the NAT part, and it was then down to you to configure the IP addresses for the attached devices.
The biggest question is what sort of Internet service do you have? ADSL or FTTC/VDSL2, as the modem issue will be important.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
Thank you for your reply.
My service is ADSL.
What I want to do is have four internal networks, each with a different external IP address.
Why do I want to do this?
I'm playing with/experimenting with/learning about computer networking and I just wanted to try it.
BR
David
|
|
|
|
|
So any of the old Netgear DG834 range and newer with a built in ADSL2+ modem will suffice.
They all support routed IP; you don't allocate the IP per physical LAN port, but rather whatever device is connected to the port says which IP address it wants to use.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
Hiya,
Are you saying that if I have a PC connected to a port, the PC decides which external IP address to use?
How does the PC decide? Can this be forced?
BR
David
|
|
|
Not necessarily a PC but something that understands IPv4 and allows you to specify the static IP address you want to use on that device. Essentially you are setting it manually by hand.
I'd recommend researching how to manually set up a static IP address on your devices before even playing with configuring the router. Otherwise you will end up locking yourself out.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
I'm sorry, I think you misunderstand my question.
I know how to set up internal static IP addresses. That is not what I want.
Let me give you an example. Let's say my external IP addresses are 100.100.100.1 to 100.100.100.4, obviously not my real external addresses but good enough for an example.
With a single external IP address, when a packet leaves my network the source address will be my external address.
I have four external IP addresses, I want to be able to decide which external IP address is used for each internal port.
Devices connected to port one have the external IP address 100.100.100.1
Devices connected to port two have the external IP address 100.100.100.2
Devices connected to port three have the external IP address 100.100.100.3
Devices connected to port four have the external IP address 100.100.100.4
I hope that makes sense.
BR
David
|
|
|
OK, an update. I found this:
Multiple public IP adresses
This looks like what I need.
I will keep you updated on progress, will be slow due to lack of time.
Thank you for your help.
BR
David
|
|
|
You need four routers since only one device can have 1 IP address, the routers would then use NAT to allow multiple devices to share the single IP address.
You are leaning well away from consumer grade kit and more into the self-built Ubuntu router or a Cisco device, and should read up on IP Routing and VLANs from one of the many networking books.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
Hiya
You are leaning well away from consumer grade kit and more into the self-built Ubuntu router or a Cisco device.
I thought I might be.
I will still look into DD-WRT, as this appears to provide what I want.
Thank you for your time and help, much appreciated.
BR
David
|
|
|
What I think you're after is often referred to as 1:1 NAT but as MrSaffron says I'm not sure what sort of consumer kit you'd find this sort of capability on.
It's also important to note that you don't have a 4 port router, you have a NAT router with WAN and LAN sides, and a 5 port switch attached to the LAN side (one of the 'ports' is used internally to connect to the router chip so only 4 are available). The routing tables have no knowledge of this LAN switching as routers operate on the IP layer (layer 3) while switches operate on the MAC layer (layer 2) - the router just sees traffic arriving on the WAN and LAN sides regardless of what physical switch port it arrives on.
Also, just in case you come across this point down the line (but don't worry about it too much now), bear in mind that you have been assigned a few IPs from a much larger subnet, and not a whole subnet to yourself - this is sometimes an important consideration when it comes down to routing. This isn't a bad thing as a 4 address (/30) subnet is quite wasteful in terms of addresses - each of the interfaces (your router plus the ISP router) takes an address, which leaves one for each of the network and broadcast addresses. I.e. even though you'd get 4 dedicated addresses, you can only actually 'use' one.
If you have a spare computer with two NICs, you could play with something like Smallwall or pfSense as they support what you're after. Using 1:1 NAT, the PCs themselves don't actually get assigned the public-facing IP address but rather you effectively set up a 'DMZ' for each device you choose. Of course, be sure to set static internal IPs and ensure firewalls are enabled. Also, because you don't have an entire routed subnet (at least that's usually the case), you will probably need to use proxy ARP. This link explains it: http://doc.m0n0.ch/handbook/faq-ipalias.html
Edited by deleted (Sun 17-Apr-16 14:48:25)
|
|
|
Hiya,
Thank you.
I have played with IPCop a little, a Smoothwall fork. I've also played a little with DD-WRT. I think that is the way for me to go.
I think this is going to be a long project, I'm not going "live" until I know a LOT more about the security implications.
I'm going to take a good look at m0n0wall, something I have seen in the past but never used.
Thank you for your reply.
BR
David
Edited by deleted (Mon 18-Apr-16 22:26:05)
|
|
|
The DrayTek 2860 will do this (probably a few other models too).
You can set up each LAN port specifically to a VLAN and have one to one mapping. Each LAN can be set up with its own IP range too. The WAN aliases can be mapped to each VLAN/LAN port and this will achieve what you want.
http://scrn.at/jfQT4.png
http://scrn.at/SGehX.png
Matt
|
|
|
|
Hiya,
Thank you for your reply.
I think I'm going down the DD-WRT/m0n0wall route. But I need to do lots more reading yet.
BR
David
|
|
|
Ahh yes, this is what I have done.
Zen give me 8 IPs (a /29), but I do not run a routed network for this. I still run NAT, but I have decided how each IP is NAT'd. For the end IP address of the 8 block delegated to me (which would normally be the broadcast address in routed IP setup), I have mapped that to be the public IP of my wireless "guest" network (everything behind this is VLAN'd with ID 1, with 192.168.1.0/24 being the private network being NAT'd). I then have other public IPs NAT'd appropriately as well (the default one being to route my "non-guest" 192.168.0.0/24 network).
So yes, you can do what you are describing - it's basically a more sophisticated NAT setup than what the average person will be running.
Edited by deleted (Mon 18-Apr-16 22:54:18)
|
|
|
|
I use OpenWrt because it has a large amount of features, the way it's laid out seems logical to me (OS X/*nix user) and it's open source (I customise and then compile it from the source code).
The only thing I could criticise it on is that the documentation is lacking if you compare it with something like Cisco's documentation, so you may struggle, as it's really meant for people who already have experience with networking technologies and want something that's low cost, yet feature-rich for their home.
I have a /28 (16 IPv4 addresses) and 2 networks as well as full 1500 byte MTU (FTTC) on my router. Here's how it's all laid out:
Network #1:
- Just like a standard home NAT setup, DHCP server hands out RFC 1918 addresses which are then masqueraded when they are leaving my network
- Bridged to its own 2.4 and 5GHz wireless interfaces
- Part of the default VLAN (I think)
- IPv6 /64 from my /48
Network #2:
- DHCP server hands out proper IPv4 addresses (non-NAT addresses) for quick testing, but I also manually assign them to interfaces (not 1:1 NAT)
- Also bridged to its own 2.4 and 5GHz wireless interfaces
- A second VLAN which allows me to connect to this network via physical ethernet
- Another IPv6 /64 from my /48
Note: As I don't have a web interface on it (just CLI access), I'm going off the top of my head.
So if you want to learn about networking and Linux at the same time I'd recommend getting a router that's compatible with OpenWrt. Personally, I have a Buffalo router, but have heard good things about the TP-Link routers. Had mine since 2011 or 2012 and I'm thinking about getting a Linksys WRT1900ACS next, but it's not quite there yet (software-wise) as there's been a bunch of issues that will be likely sorted in the future.
|
|
|
Look at some of the cheaper Cisco routers, something like the SA520-K9, if you can get one on eBay.
You just need to create a rule. You would be able to create a rule that says LAN device with IP of, say, 192.168.0.2 uses public IP of 46.100.100.25, and another rule so LAN IP 192.168.0.3 uses public IP of 46.100.100.26.
You can create another rule to make it two-way, so any data heading for IP 46.100.100.25 is directed to 192.168.0.2.
|
|
|
Thank you for your reply.
My service is ADSL.
What I want to do is have four internal networks, each with a different external IP address.
Why do I want to do this?
I'm playing with/experimenting with/learning about computer networking and I just wanted to try it.
BR
David
You have several choices.
Get a router that can do 1:1 NAT routing - then give each device a static IP on the internal range, and use the 1:1 feature to map an external IP to an internal IP.
Get a router that can present the Static IP range on both sides - then give some other devices each one of the additional static IP addresses from that range. They'll appear as whatever IP they're configured with.
Get a few "cable/dsl" routers (or basically a router that has a WAN port as Ethernet and some LAN ports), and a router for the ADSL side that can present the Static Range on both sides, assign one of the static IPs to each extra router WAN side, then have different LAN ranges (but note you can't easily get between those internal ranges from another).
...many other combinations exist.
The latter suggestion is closest and least technical in terms of ease of setup but requires several boxes.
All in one boxes exist to do this also via VLANs and so forth too - there are many ways to skin that cat.
|
|
|
|
Would having Fibre to the cab make much difference?
I have almost the same setup and this has been driving me crazy for over a week..
|
|
|
Hiya,
Question:
It's also important to note that you don't have a 4 port router, you have a NAT router with WAN and LAN sides, and a 5 port switch attached to the LAN side (one of the 'ports' is used internally to connect to the router chip so only 4 are available). The routing tables have no knowledge of this LAN switching as routers operate on the IP layer (layer 3) while switches operate on the MAC layer (layer 2) - the router just sees traffic arriving on the WAN and LAN sides regardless of what physical switch port it arrives on.
Does this actually mean a six port switch, one used internally to connect to the router, one for wlan and 4 for lan?
BR
David
|
|
|
|
Hiya,
Thank you all for taking the time to reply and providing information.
I will update as I progress.
Best regards
David
|
|
|
|
Not quite, the LAN and WAN sides of the router are separate, one either side of the router. A domestic router basically has one WAN port and one LAN port, internally. However to make it more of an all-in-one device, they add a switch to the LAN side to allow you to add more than one device without having to add any external equipment. In fact, as you say, it might have yet another port dedicated to the WiFi card.
Of course this may all be physically on one chip internally, we're just talking about how they're connected logically i.e. what you care about when configuring things. What is sold as a 'router' is usually a combination of a modem, router, a WiFi access point and an Ethernet switch.
As others have said, if you happen to get a router with a VLAN-capable switch you can put each physical port in its own VLAN i.e. so each port is treated like a separate LAN. To my knowledge the vast majority of off-the-shelf WiFi routers won't support features like this, but you can do something similar with your own hardware if you were to set up a router on a PC with VLAN-capable NICs, and do VLAN trunking (basically a way of sending traffic of multiple VLANs over one physical connection) to a managed switch, and from there set up a port-based VLAN.
And also as others have said, there are many ways to achieve what you want. Personally I reckon 1:1 NAT is probably the most straightforward way from a functional point of view (routing/VLANs will require some additional thought to avoid breaking LAN communication) but there's no reason not to give more a try for fun! Just try to ensure you have a way of getting back online or resetting your router if you happen to lock yourself out.
@wayne386: FTTC shouldn't make any difference at all - from an IP point of view the physical connection used is largely irrelevant. You'd just need to ensure you either get a combined modem/router capable of supporting all of what you need, or a plain modem (or router capable of operating as just a modem) to put in front of the router you'll actually use.
|
|
|
|
Hiya,
I've done some cursory reading on 1:1 NAT. From what I have read, you can bind one external IP to one internal IP. Do you know of a way of binding one external IP to one internal network?
BR
David
|
|
|
|
Do you mean by using NAT?
|
|
|
|
To do that you'd need a way of defining/separating the internal networks, whether it's through VLANs, using separate NAT routers for each network or even just having each pseudo-LAN on its own subnet on the same physical LAN (by assigning the LAN interface on the router secondary IP addresses).
However if you use the last way, you'd probably be best with static IPs otherwise you'd have to start doing more advanced stuff with the DHCP server (again, it would need a way of knowing what each LAN actually is) such as assigning IPs/subnets based on MAC addresses etc - something you'd have to set up manually anyway.
|
|
|
Hiya,
I've done some cursory reading on 1:1 NAT. From what I have read, you can bind one external IP to one internal IP. Do you know of a way of binding one external IP to one internal network?
BR
David
Yes. I have a mix of routed subnets, 1:1 NAT and many:1 NAT through a single router (until recently a D-Link DIR-825). The key thing, as others have said, is a router which has a switch which supports VLANs. Many domestic routers do, but support for it isn't available in the OEM firmware. The other key factor, then, is to reflash the router with a better firmware. I use OpenWRT, but any of the open Linux based router firmwares should have the flexibility to do it. pfSense will probably also be OK, but if you are using PC hardware you'll want multiple physical network interfaces unless you also have a separate switch which supports VLANs.
Take a look through the OpenWRT Table of Hardware, the device descriptions usually indicate if a router contains a switch that supports VLANs.
-Steve.
AAISP Home::1T (FTTC 80/20)
|
|
|
The key thing, as others have said, is a router which has a switch which supports VLANs.
VLAN support is only required if you wish to map the external IP addresses to different LANs internally. If you just want some external IPs to map to specific hosts on the internal network then VLANs are unnecessary. Though to be honest by the time you are looking at this level of sophistication any hardware worth looking at supports VLANs.
|
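Added example, not part of any post in the thread: one way to express "one external IP per internal network" on a Linux-based router, as an nftables ruleset generated from a checked mapping. It uses the example external addresses from the thread; the internal subnets, the `ppp0` WAN interface name and the function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed mapping: the thread's example external addresses, one per
# internal network. Subnets and the WAN interface name are assumptions.
MAPPING = {
    "192.168.1.0/24": "100.100.100.1",
    "192.168.2.0/24": "100.100.100.2",
    "192.168.3.0/24": "100.100.100.3",
    "192.168.4.0/24": "100.100.100.4",
}

def validate(mapping):
    """Return parsed (network, external_ip) pairs or raise ValueError."""
    pairs = [(ipaddress.ip_network(n), ipaddress.ip_address(e))
             for n, e in mapping.items()]
    for net, _ in pairs:
        if not net.is_private:
            raise ValueError(f"{net} is not a private range")
    for (a, _), (b, _) in combinations(pairs, 2):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")
    externals = [e for _, e in pairs]
    if len(set(externals)) != len(externals):
        raise ValueError("an external address is used twice")
    return pairs

def render(mapping, wan="ppp0"):
    """Build an nftables ruleset: per-subnet SNAT plus default-deny forwarding."""
    pairs = validate(mapping)
    out = ["table ip nat {", "  chain postrouting {",
           "    type nat hook postrouting priority 100; policy accept;"]
    out += [f'    oifname "{wan}" ip saddr {n} snat to {e}' for n, e in pairs]
    out += ["  }", "}", "table ip filter {", "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept"]
    # Only LAN-to-WAN is allowed; unsolicited inbound and LAN-to-LAN are dropped.
    out += [f'    oifname "{wan}" ip saddr {n} accept' for n, _ in pairs]
    out += ["  }", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(MAPPING))
```

The external addresses still have to be reachable on the router's WAN side (as aliases or via proxy ARP, as mentioned earlier in the thread) for return traffic to arrive.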