Hi there
We have a /29 publicly addressable IP range provided by our ISP and I’m looking for some advice on the best way to set up one of our servers. For most of them we’ve been able to assign private IP addresses to them and use src/dst NAT’ing to make it work with the public IP address we have assigned to the WAN port. We have one server that is running some software that isn’t playing nicely behind NAT, so we want to set it up to use a public IP address but keep it behind the firewall. We have a CRS125 device.
To give some background…
Our ISP provides a layer 2 handoff with a /29 subnet – let’s say x.y.z.0/29
Within this range x.y.z.0 is the network address and x.y.z.7 is the broadcast address.
The ISP has set x.y.z.1 as the address of the gateway for this /29 subnet which is the address of the equipment at their end.
The connection from the ISP is plugged into ether1 which has been removed from the standard default config bridge. We have configured the ether1 port with an address of x.y.z.2 and established a static route for 0.0.0.0/0 with a gateway of x.y.z.1.
The remainder of our network uses various 192.168.x.x private addresses with masquerading for workstations and src/dst NAT’ing for servers and all works perfectly.
For the server that needs to have a public IP address assigned to it rather than using src/dst NAT’ing, let’s say we are assigning an address of x.y.z.3. I’ve tried setting up a separate bridge between ether1 and another ethernet port where the server with the public IP address is connected. The server has an IP address of x.y.z.3, with a gateway of x.y.z.1. This does work, but in this scenario the server is communicating directly with the ISP gateway and isn’t protected behind our firewall. I did experiment with turning on the use IP Firewall feature for the bridge, but it appears to apply to all bridges and effectively slows everything down as well as putting an additional load on the CPU.
I’d be interested in the thoughts of the various gurus out there on the “best practice” way to allow a server to live inside the network, use a public IP address (in our case x.y.z.3) but remain protected behind our firewall.
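As an added illustration (not part of the original post), here is the bridged setup the post describes written out as RouterOS commands, together with forward-chain filter rules so the bridged server is still inspected. Assumed names: the bridge is called bridge-public, the server hangs off ether2, and the server is meant to expose only TCP 443; x.y.z.* are the post's own placeholders for the ISP /29.

```routeros
# Added example, not configuration from the original post.
# Assumptions: bridge name bridge-public, server port ether2, service port TCP 443.

# Bridge joining the ISP uplink and the server port so x.y.z.3 is reachable at layer 2
/interface bridge add name=bridge-public
/interface bridge port add bridge=bridge-public interface=ether1
/interface bridge port add bridge=bridge-public interface=ether2

# The router's own public address and default route sit on the bridge interface,
# not on ether1, once ether1 is a bridge port
/ip address add address=x.y.z.2/29 interface=bridge-public
/ip route add dst-address=0.0.0.0/0 gateway=x.y.z.1

# use-ip-firewall is a global bridge setting: it pushes bridged IP traffic through
# /ip firewall for every bridge on the device, which is the CPU cost the post observed
/interface bridge settings set use-ip-firewall=yes

# Forward-chain rules for the bridged server: replies to existing connections pass,
# only the intended service is reachable from outside, everything else to x.y.z.3 is dropped
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward dst-address=x.y.z.3 protocol=tcp dst-port=443 action=accept
/ip firewall filter add chain=forward dst-address=x.y.z.3 action=drop
```

The drop rule relies on the established/related accept above it being ordered first; check with /ip firewall filter print that the order survived.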