
Router for Port Forwarding Multiple Public IP Addresses

cdysert

We have a small family business. I'm currently making some hardware changes and need advice on networking equipment and best practices. We have Comcast Business Class internet with 5 Static IPs (Plus the Static IP assigned to the gateway). The modem/router they gave us is a SMCD3G and the configuration options are minimal. The hardware that sits behind the modem is as follows: 2-Gigabit Switches (8 Port), 2-Dell Poweredge 1900 Servers, FreeNAS box, and a couple of desktop computers. As far as other networking equipment I have available but not in use: Linksys E4200(Stock Firmware) & Linksys WRT160N (DD-WRT).


One of our Dell servers runs Windows Server 2008 handling all our critical services. I have started to separate different services we use onto the other Dell server using XenServer (Ubuntu Server 12.04 VMs) so that all our services (Web, FTP, Database, etc.) aren't sitting on one machine/OS. My question is what is the best way to use our 5 Static IPs with all of these new VMs? I would prefer not to waste an IP on each VM. I can use port forwarding on the SMCD3G, but that is only available for the IP assigned to the gateway. I have tried assigning a Static IP (1-to-1 NAT) to a router sitting behind the Comcast Modem and then port forward to each VM from that, but that seems wrong and only gives me port forwarding for one additional Static IP. Is there a router out there that can port forward for multiple Public IPs? I don't want to spend more than $200 to accomplish this. I am guessing that bypassing the Comcast modem's router features in favor of better hardware is ideal. I am willing to consider building a router using pfsense, smoothwall, DD-WRT, or something similar if that is the best option. Features that I need out of the setup: Firewall, VPN Capability, Wireless, and guest access separate from business network. Thanks for any advice!
 
Small family business!

Unless there are some special circumstances, there is no point in using the 5 Static IPs. In most cases it is a relic of yester-ISP practices and does not provide any advantage.

The fact that Comcast gives them does not mean that without good reason you have to use them.

At max., I would use two with Dual WAN Router to have a fall back.

😎
 
There is absolutely no need to use 5 public IPs unless you're hosting 5 types of external services that justify having unique IPs. You can "port forward" on most basic routers to a number of internal IPs, by just using different external ports. You are probably paying extra for those IPs, which you may not need.

That said, what you're looking for is more commonly called NAT (Network Address Translation) when using multiple IPs, especially in a business sense. Generally when referring to a single IP, you can call it "port forwarding", but it's more appropriate to call it dynamic or static NAT when using multiple IPs on a business-class system.

There are many scenarios of NAT including one-to-one, one-to-many, many-to-one and many-to-many NAT and a higher end router will support all of them in any combination. I believe DD-WRT will also support this, though with a somewhat more difficult to configure interface to do it. 🙂

You can always go with a router that's more high-end like a Palo Alto or Juniper device, where the smallest one they make will cost you about $2-3k, or you can go down and get one of a few other options (Barracuda, Fortinet) for under $1k.

It depends on what features you want, but those may be overkill.

Without knowing your intended use, it's hard to advise further.
 
Yep, definitely have to go with everyone else here, no need to run multiple public IPs anymore. Even larger businesses are losing the need to as more services such as internal email servers are being pushed to the cloud.
 
If you have a computer with 2 NICs handy or a managed/smart switch, pfSense is a cheap option to do this. As others have mentioned, it would be NAT rules that you would want to create.

Despite the general tone of the thread to only use 1 IP, I can definitely think of some reasons a small business would want more than one. That said, unless you have things that have to use the same port you can probably get away without more. And if it is webpages, installing a reverse proxy on pfSense is about 1 click these days. Though getting something like Outlook web access working with it is a little trickier.

Generally I've been using Sonicwalls for small businesses, but that is far past the $200 range usually and that is mostly for the ease of setting up sslvpn and content filters. And honestly I'm waiting to see how the Dell acquisition of them is going to shake out in the end. I will say that the knowledge base has been improved.
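
The NAT rules the replies above describe, as an added example that is not any poster's own configuration: a script that turns a table of (public IP, port) to (internal VM, port) mappings into an `iptables-restore` ruleset with a default-drop FORWARD chain, and refuses a table where two rows claim the same public IP and port, which is the case that calls for a second public IP. The addresses, the `eth0` WAN interface name and the `gen_rules` helper are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Constructed table: public_ip proto public_port internal_ip internal_port
# 203.0.113.x is a documentation range standing in for the static IPs;
# 192.168.10.x stands in for the VMs. eth0 as the WAN interface is an assumption.
WAN_IF=eth0
FORWARDS='203.0.113.10 tcp 80 192.168.10.20 80
203.0.113.10 tcp 443 192.168.10.20 443
203.0.113.11 tcp 80 192.168.10.21 80
203.0.113.11 tcp 21 192.168.10.22 21
203.0.113.12 tcp 8443 192.168.10.23 443'

# gen_rules TABLE: print an iptables-restore ruleset for TABLE.
# Returns 1 if a row is malformed or two rows claim the same
# public ip/proto/port (only one internal target per public tuple).
gen_rules() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
    NF != 5 { print "bad row: " $0 > "/dev/stderr"; bad = 1; exit }
    {
        key = $1 "/" $2 "/" $3
        if (key in seen) { print "conflict: " key > "/dev/stderr"; bad = 1; exit }
        seen[key] = 1
        # Rewrite the destination before routing...
        nat[++n] = "-A PREROUTING -i " wan " -d " $1 " -p " $2 " --dport " $3 \
                   " -j DNAT --to-destination " $4 ":" $5
        # ...and admit only that translated flow through the default-drop chain.
        fwd[n] = "-A FORWARD -i " wan " -d " $4 " -p " $2 " --dport " $5 \
                 " -m conntrack --ctstate NEW -j ACCEPT"
    }
    END {
        if (bad) exit 1
        print "*nat"
        for (i = 1; i <= n; i++) print nat[i]
        print "-A POSTROUTING -o " wan " -j MASQUERADE"
        print "COMMIT"
        print "*filter"
        print ":FORWARD DROP [0:0]"
        print "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        print "-A FORWARD ! -i " wan " -o " wan " -j ACCEPT"
        for (i = 1; i <= n; i++) print fwd[i]
        print "COMMIT"
    }'
}

gen_rules "$FORWARDS"
```

Check the output with `iptables-restore --test` before loading it; loading it replaces the existing nat and filter tables, and the public addresses must already be reachable on the WAN interface.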
 
Thanks for all of your input. Sorry it has taken me so long to respond. I have been taking in all of your suggestions and trying to decide on my next steps.

I inherited the current setup (5 Public IPs) when I took over IT from a company that we had outsourced to. I was never clear on why we needed so many and why none were in use. I think the reasoning was that it only cost $5 more a month compared to Comcast's single IP plan. I will probably just keep them for now.

I took a look at all the routers you recommended and some were out of my price range at the moment or seemed like overkill. I did find a router (Cisco RV082 V3) that had a bunch of features I needed and included dual wan capability. I ended up getting one off ebay for 1/3 the price so I figured it couldn't hurt to try it. I will write back once I test it out, but from everything I read about it I think it should work.
 
I'd recommend something more along with peplink, sonicwall or the like. Cisco RV series IMO sucked. I used to have one that needed power cycling every few days. What price range and features are you looking for? If you only have one incoming ISP, you don't necessarily need a dual wan router unless you plan on getting another incoming ISP feed later on. I know sonicwall will handle multiple public IPs from a WAN source and they're very reliable.
 