Multiple Public IP addresses

daveginorge · 12-06-2008, 01:08 AM

Hi all

My gateway box has a public IP address

On my gateway box I use my IP tables to redirect different public IP addresses to different machines on my lan with local addresses.

What if I wanted to have a second gateway box using another public IP address can I just connect the 2 gateway boxes to the bridging modem using a switch?

Code:

          |--|    |--|
--wan-->--|  |->--|  |---->---------------------|--|
          |--|    |  |-->---|--|                |  |
          Bridge  |--|      |  |->-10.0.0.0     |  |->- 192.168.1.0
          modem   Switch    |  |                |--|
                            |--|                Gateway
                            Gateway             Box 2
                            Box 1               IP 88.88.88.81
                            IP 88.88.88.80

Is this the correct approach.

Thanks in advance for your responses.

Dave

IBall · 12-06-2008, 05:17 AM

It could work, but which gateway is doing the authenticating? You may have problems as only one gateway will have a PPPoE session.

Perhaps a better way would be to configure the 2 public IP addresses on the one gateway?

--Ian

jschiwal · 12-06-2008, 05:29 AM

What is the reason for a second gateway. Are the two networks physically separated? You could add a second interface to the one gateway you have to route traffic between the two LANs and the Internet. Are you using one-to-one IP mapping or one-to-many? If one-to-many you aren't required to get a second IP address because you have to LAN network addresses, however for security or performance reasons it might make sense. E.G. an air-gap beyond the Internet switch. If for example, you have one IP for your business and are serving the other to clients in other suites, this may be desirable.

The ip_forwarding function of the firewall functions is a router, so having a second IP address doesn't necessitate having another gateway machine. If you have a range of IPs on the same subnet, then you don't need a switch or second WAN side nic card either. Think of your gateway machine as a router, which is what it is, and configure it as such. Configure routes between the three networks and masquerading rules for NATing the IP addresses for sharing the Internet connection. If you allow the two lan network addresses to communicate, use forwarding.

As an aside note: Technically a gateway device operates at a lower level (MAC addresses) to join network segments on the same subnet. The term gateway used here is fine however as far as I'm concerned. I just don't want you to read about a real (classic) gateway and become confused. A classic gateway was used when switches were too expensive to fragment the traffic load between network segments. A switch is actually a gateway device and may switches can have full gateway functionality. Also a router will have a switch output on LAN side so it is a combination of a gateway and router.

daveginorge · 12-07-2008, 06:18 AM

Thanks for the responses.

Just for the record.
There is no authentication with my isp. It's a high speed fibre link

You are correct with the business client scenario jschiwal. I want to keep the local business and the public served services totally independent of each other.

I will soon be having 13 allocated public addresses (part of a package) we have 3 different domains. I want the business domain to be separate from the 2 public services domains.