2 routers on same cable conn. 5 public IP's, how to map IP's to specific routers?

[KingGheedora]

We have a Time Warner business cable connection, with 5 public IP's. TWC rep over the phone said the cable modem comes in bridge mode by default.

For dumb reasons i won't get into in this post, we have to install two routers. We'd like one public IP to be used by the first router (a SonicWall), and the remaining four public IP's to be usable by the 2nd router.

How is mapping of public IP's to particular routers achieved? Is it done on the cable modem? (I assumed NO, since it's in bridge mode and thought all the admin functions would be unavailable in bridge mode). Or is it done manually on each router?

The 2nd router is a Juniper SSG5. Assuming I want to use 2 public IP's on the Juniper SSG5, how would that be done? Is there some kind of networking construct (e.g., "Zone" or VLAN) that needs to be set up for each public IP?


On a side note, when I set up my home internet, my router had a wizard, where I picked "Time Warner" from a drop down list, and it was able to configure itself. How exactly does that work, how does the router acquire the WAN IP address?

 

[drebo]

Ahhhh.... These are the kinds of questions where if you have to ask them, you're far better off letting someone else do the configuring.

You don't need to do anything other than set your IP addresses on each router. You don't need to subnet or "map" or do anything else. Your telco, by virtue of the fact that their router is in bridge mode, is already doing that for you. The modem/router that they provide you is your gateway out of your little /29 network. You don't need to do anything other than attach your devices to it.

 

[KingGheedora]

OK, I guess my question would be better phrased like this:

Hypothetically, on the Juniper I want to use IP address #1 for site-to-site VPN tunnels, and IP address #2 for VoIP, and address #3 for a web server or something, and address #4 for all other internet traffic.

And I want anything connected to the SonicWall to use IP address #5.

I guess mainly, how would I set that stuff up on the Juniper. I don't need instructions specifically on how to do it in the Juniper UI, I'm asking just in general networking terms how is that type of thing accomplished.

And how does it work that the incoming traffic for one of the five IP's arrives at the correct router? Is it because the cable modem acts as a dumb switch when in bridge mode? (Cable modem has four Ethernet ports going out).


I probably won't end up doing any of this myself but I'm curious about it now that I've become involved.

 

[imagoon]

OK, I guess my question would be better phrased like this:

Hypothetically, on the Juniper I want to use IP address #1 for site-to-site VPN tunnels, and IP address #2 for VoIP, and address #3 for a web server or something, and address #4 for all other internet traffic.

And I want anything connected to the SonicWall to use IP address #5.

I guess mainly, how would I set that stuff up on the Juniper. I don't need instructions specifically on how to do it in the Juniper UI, I'm asking just in general networking terms how is that type of thing accomplished.

And how does it work that the incoming traffic for one of the five IP's arrives at the correct router? Is it because the cable modem acts as a dumb switch when in bridge mode? (Cable modem has four Ethernet ports going out).


I probably won't end up doing any of this myself but I'm curious about it now that I've become involved.

In Juniper land you would use Mapped IPs (MIP) and then map your policies to those MIPs. Odds are that the Juniper would be able to handle the full load and leave you with no real reason to use the Sonic wall.

 

[drebo]

And how does it work that the incoming traffic for one of the five IP's arrives at the correct router? Is it because the cable modem acts as a dumb switch when in bridge mode? (Cable modem has four Ethernet ports going out).

No, the cable modem is a router. It routes from one network (the ISP) to another (the /29 subnet your ISP gave to you). There is nothing "dumb" about it. However, yes, it would have been identical had the modem had a single Ethernet jack and you attached your own switch.

When you configure your devices, they will listen on the IP addresses you tell them to. If your ISP gives you, for instance, 4.2.2.0/29 as your network and you tell the Juniper box to listen on 4.2.2.1, it will listen on 4.2.2.1. If you tell the SonicWall to listen on 4.2.2.5, it will listen on 4.2.2.5. Your gateway will be whatever the ISP has set as the IP address on the cable modem (could be 4.2.2.6 in the above example).

 

[spidey07]

/facepalm

We told you this was a bad idea from the get go.

 

[Emulex]

dude comcast business gives you an array of choices - they default to router - but you can login to them (google the brand) and change them to bridging mode (aka dumb modem).

put a friggen hub or switch between the bridged-mode cable router and plug your two firewalls in both using the same default gateway but different ip.

and be sure to get them to setup reverse dns on those two static's - and check that they aren't banned from the spamhaus blacklists - otherwise you want to move again.

cable modem (change config to bridge) -> switch or hub -> [both firewalls]

done.

 

[KingGheedora]

/facepalm

We told you this was a bad idea from the get go.

Dude, i told you guys myself it was a bad idea the first time I described it here. And I described why it was out of my hands already.

 

[KingGheedora]

dude comcast business gives you an array of choices - they default to router - but you can login to them (google the brand) and change them to bridging mode (aka dumb modem).

put a friggen hub or switch between the bridged-mode cable router and plug your two firewalls in both using the same default gateway but different ip.

and be sure to get them to setup reverse dns on those two static's - and check that they aren't banned from the spamhaus blacklists - otherwise you want to move again.

cable modem (change config to bridge) -> switch or hub -> [both firewalls]

done.

THanks, but what you said has nothing to do with what I asked in this particular post. This might have been useful in one of my other posts from this week.

I'm not asking how to arrange the network, I'm curious about how to use different IP's for different services/traffic.

 

[spidey07]

Modem(in bridge mode)---switch---2 routers

That's how you do it. Then from there you would assign the external IPs/NATs to the individual routers.

 

[Red Squirrel]

Just set them to DHCP, they will both pickup their own IP. If they gave you a static IP range, then you can just assign one of those IPs.

Just split off your connection using a basic switch and you'll be set.

If there's a reason for it, then it's not really a bad idea provided your ISP allows it. I've thought of doing the same but I have a double NAT setup instead which does what I want.

 

[Emulex]

static - that means you configure the ip.

you set it on each device plugged into the wan - simple as that. you don't want the IP of your inbound traffic routers/firewalls to move

ask them for the config info (ip range/gateway/dns/netmask) - they will give it to you.

assign the ip's to the device.

Many devices will not be happy with splitting up 5 ip's.

It would be more logical to assign all 5 ip's to a CAPABLE firewall and let it handle DMZ and internal services imo.

But give it a shot.

 

[mloiterman]

http://www.pfsense.com/

http://doc.pfsense.org/index.php/1:1_NAT