By the way, as an option then - to put the bank clients on virtual machines, one for one piece. Give each virtual machine a white address. And the rest - only gray.

Prov gives /28 over the wire, all this is included in the switch and there you cut off the equipment to which you give white IP

RIPE, several external IPs....
About ripe
1) Allocate AS and addresses. network / 24 (255 addresses) - minimum.
2) now with ipv4 strained.
3) To register in RIPE, you need to pay a fee - not sickly (voluntarily forced).
You need to negotiate with your ISP so that he allocates a small subnet (size depending on your needs) from his external network and routes traffic to you.
For your part, you need a router and NAT setup (one-to-one, the external address is uniquely translated to the internal one).
Router - in finance, from mikrotik to cisco, juniper ....
Well, still figure out the settings.

SOHO router will not suit you, of course.
The cheapest is a Linux server with two network cards between which a bridge is raised, ipv4_frowarding is enabled, one network card sticks out, the second into the network (there may already be the most common switch on the network side). They will advise you to use iptables for traffic routing - drive such advisers in the neck. This is banal routing without NAT, without everything.
From the provider, you need to get a subnet for the required number of addresses - this is where the difficulties begin. However, if the provider gives out a subnet, then you don’t need to go to any RIPE (and it doesn’t give RIPE addresses to anyone now).

I've updated the question a bit for clarity. NAT, it turns out, is still needed for local resources. Or not? In general, so far it turns out like this: there is only one cable (I understood this), it has a subnet, and I have to organize this subnet in accordance with the needs, right?
About RIPE - this is an initiative of the provider: when I asked about several external addresses, he sent me an application to RIPE, I start from the assumption that without this the work will not go far.

In short, so that several Bank-Client software of different banks use each of its white IPs.

@YujiTFD
Judging by your questions, you have very little knowledge on this topic.
Do you understand that you want to give white ip-addresses(!) to machines with Windows(!) on which the Bank-Client(!) application will be installed? Pay attention to the three factors that I highlighted!
Even if you are implementing the scheme that you just announced. Then in the near future it is very likely that someone will use your banking application and your organization's money will not be yours.
IMHO, this approach is fundamentally wrong, so I did not give advice on your question.

It is unnecessary to give anything "external" to
virtual machines. All external IP addresses must belong to the router.
All computers on the network must have internal addresses.
We put computers that should have external addresses in the DMZ
. We assign the necessary external IP on the router to each of them.
Such a scheme is easily implemented if as a FreeBSD router and a PF firewall. I can even throw a piece of the rules, if necessary.
It will be more difficult if you need these computers to be accessible from the outside. But this is also solved through a redirect.
In no case do not hang anything other than the router outside. You risk losing data and picking up all sorts of evil spirits