Multiple external IPs for one or multiple PCs on the same LAN?
Hello.
Management has raised a practical question: can we add several external ("white") IPs to the local network and, depending on need, distribute them among several clients or assign all 10 to one client?
I have been told we need to apply to RIPE; the application form and description are available, and our provider sees no technical obstacles. But I have never done anything like this, and I have little idea of how to implement it. My questions, offhand (sorry if they are stupid), are the following:
- What equipment / software will be required from my side?
- Will it be one physical cable (something related to VLAN?), several, or is this a question only for the provider?
- Will it be necessary to assign specific external IPs to specific computers, or can (should?) NAT be configured for this?
- Is it possible to assign more than two IPs to a network interface? More precisely, to a network interface under Windows?
Right now the setup is trivial: provider -> router -> clients on Windows (XP/7). There will probably be more questions; I just don't know where to start.
Thanks in advance.
By the way, one option is to put the bank clients on virtual machines, one per machine. Give each virtual machine a white address, and give everything else only gray ones.
The provider delivers a /28 over the wire, it all plugs into a switch, and there you split off the equipment that gets white IPs.
RIPE, several external IPs....
About RIPE:
1) You get an AS and addresses allocated. A /24 network (255 addresses) is the minimum.
2) IPv4 is in short supply now.
3) To register with RIPE, you need to pay a fee, and not a small one ("voluntary-compulsory").
You need to negotiate with your ISP so that he allocates a small subnet (size depending on your needs) from his external network and routes traffic to you.
For your part, you need a router and NAT setup (one-to-one, the external address is uniquely translated to the internal one).
Router: depending on your budget, anything from MikroTik to Cisco, Juniper....
And you will still have to figure out the settings.
SOHO router will not suit you, of course.
The cheapest option is a Linux server with two network cards, with a bridge raised between them and ipv4_forwarding enabled; one network card faces outward, the second faces the network (there may already be the most ordinary switch on the network side). People will advise you to use iptables for traffic routing; throw such advisers out. This is plain routing, without NAT, without anything.
From the provider, you need to get a subnet for the required number of addresses, and this is where the difficulties begin. However, if the provider gives out a subnet, then you don't need to go to any RIPE (and RIPE doesn't give addresses to anyone now anyway).
I've updated the question a bit for clarity. NAT, it turns out, is still needed for local resources. Or not? In general, so far it turns out like this: there is only one cable (I understood this), it has a subnet, and I have to organize this subnet in accordance with the needs, right?
About RIPE - this is an initiative of the provider: when I asked about several external addresses, he sent me an application to RIPE, I start from the assumption that without this the work will not go far.
In short, the goal is for several Bank-Client applications from different banks to each use its own white IP.
@YujiTFD
Judging by your questions, you have very little knowledge on this topic.
Do you understand that you want to give white IP addresses (!) to machines running Windows (!) on which a Bank-Client (!) application will be installed? Pay attention to the three factors that I highlighted!
Even if you do implement the scheme that you just described, it is very likely that in the near future someone will use your banking application and your organization's money will no longer be yours.
IMHO, this approach is fundamentally wrong, so I did not give advice on your question.
There is no need to give anything "external" to virtual machines. All external IP addresses must belong to the router.
All computers on the network must have internal addresses.
We put computers that should have external addresses in the DMZ. We assign the necessary external IP on the router to each of them.
Such a scheme is easily implemented with FreeBSD as the router and PF as the firewall. I can even share a piece of the rules, if necessary.
It will be more difficult if you need these computers to be accessible from the outside. But this is also solved through a redirect.
Under no circumstances expose anything other than the router to the outside. You risk losing data and picking up all sorts of evil spirits.
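A sketch of the layout described in the last answer (every external address lives on the router, each bank-client machine in the DMZ is bound one-to-one to its own external IP, nothing is reachable from outside), written as a FreeBSD PF ruleset. This is an added example, not rules posted by anyone in the thread: the interface names, all addresses (documentation ranges) and the bank endpoints are constructed placeholders, and it assumes the provider's subnet is routed to, or aliased on, the router's external interface.

```conf
# /etc/pf.conf -- constructed example; every name and address is a placeholder
ext_if = "em0"                  # uplink to the provider
lan_if = "em1"                  # ordinary office PCs (gray addresses)
dmz_if = "em2"                  # bank-client machines (gray addresses)

lan_net   = "192.168.1.0/24"
rtr_ip    = "203.0.113.2"       # router's own external address
bank1_int = "192.168.10.11"
bank1_ext = "203.0.113.3"
bank2_int = "192.168.10.12"
bank2_ext = "203.0.113.4"

table <bank_hosts>   const { $bank1_int, $bank2_int }
table <bank_servers> const { 198.51.100.10, 198.51.100.20 }   # placeholder bank endpoints

set skip on lo0
scrub in all

# --- translation -----------------------------------------------------------
# One-to-one mapping: each bank client always leaves with its own external IP.
binat on $ext_if from $bank1_int to any -> $bank1_ext
binat on $ext_if from $bank2_int to any -> $bank2_ext
# Everyone else shares the router's address.
nat on $ext_if from $lan_net to any -> $rtr_ip

# --- filtering -------------------------------------------------------------
# Default deny. There is no "pass in on $ext_if" rule below, so unsolicited
# connections to the bank clients' external IPs are dropped even though
# binat would translate them.
block log all
antispoof quick for { $lan_if, $dmz_if }

# Bank clients may only open HTTPS sessions to their banks' endpoints.
# (DNS or update servers they need would be allowed the same way.)
pass in  on $dmz_if inet proto tcp from <bank_hosts> to <bank_servers> port 443 tag BANK keep state
pass out on $ext_if tagged BANK keep state

# Office LAN gets general outbound access. Nothing is passed out on $dmz_if,
# so LAN machines cannot open connections to the bank clients.
pass in  on $lan_if from $lan_net to any tag LAN keep state
pass out on $ext_if tagged LAN keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.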