12-01-2004, 17:28
#1
Inactive
Join Date: Jan 2004
Posts: 3
Multiple IP on firewall?
Hello all
My apologies if this has been asked before but I can't see anything using a search.
We have just had our 1MB business service installed by NTL (35 days late!) and we have a Samsung cable modem. Our service includes 5 IP addresses which, very strangely, are not contiguous.
The firewall has multiple IP addresses allocated to the network card and we will be putting public facing machines on the DMZ with private addresses and the relevant ports forwarded. The auto registration process will only allow us to allocate one of the IP addresses to the MAC of the firewall.
Does anyone know of a way round this please?
NTL help desk suggest putting a hub/switch on the cable modem and our other machines on this. What's the point of having a firewall if we do this or should we find a firewall that has 6 network cards?
Any help appreciated.
Andrew

12-01-2004, 17:58
#2
Permanently Banned
Join Date: Dec 2003
Location: Wales
Posts: 203
Re: Multiple IP on firewall?
I'm...confused, or am I stupid? Your firewall....has a MAC address? Or am I missing this? Is it a hardware firewall?
EDIT : Hang on now is this a NAT router with ethernet ports, not network cards and a built in firewall ?

12-01-2004, 18:12
#3
Inactive
Join Date: Jan 2004
Posts: 278
Re: Multiple IP on firewall?
Well
You're confused, what do you think we are after all of that :p
SAC, maybe try rewording it a little, as I don't get what you mean fully either TBH
I may be stupid, like Moony above, but you'll need to reword for us both to try again

12-01-2004, 18:16
#4
Inactive
Join Date: Oct 2003
Location: Cambridge
Posts: 567
Re: Multiple IP on firewall?
Quote:
|
Originally Posted by SAC
The firewall has multiple IP addresses allocated to the network card and we will be putting public facing machines on the DMZ with private addresses and the relevant ports forwarded. The auto registration process will only allow us to allocate one of the IP addresses to the MAC of the firewall.
|
That's a serious problem for you. Have you exhausted all possible negotiations with NTL to allow multiple IPs on your single external interface?
A completely different approach would be to have a different style of firewall: one which is transparent to IP, and works at Layer 2 by sniffing the passing traffic and diverting it as necessary. Then your five public machines could have their real NTL IP addresses.

12-01-2004, 18:19
#5
Inactive
Join Date: Jan 2004
Posts: 278
Re: Multiple IP on firewall?
Or someone like Robin could look at this post and make me and Mr.Moony look stupid :p
lol
Over to you Mr Walker

12-01-2004, 18:25
#6
Permanently Banned
Join Date: Dec 2003
Location: Wales
Posts: 203
Re: Multiple IP on firewall?
I now see the word Business in the first sentence (hangs head in shame)

12-01-2004, 18:33
#7
Inactive
Join Date: Jan 2004
Posts: 278
Re: Multiple IP on firewall?
Doh, I missed that too :/
(/Joins Moony in the dunce corner)

12-01-2004, 19:13
#8
Inactive
Join Date: Nov 2003
Location: Wales
Posts: 459
Re: Multiple IP on firewall?
I missed the business bit but the Samsung modem was a dead giveaway!

12-01-2004, 19:59
#9
Inactive
Join Date: Jan 2004
Posts: 3
Re: Multiple IP on firewall?
The speed of the responses is impressive...thanks.
Yes, it's a hardware firewall (SmoothWall). I've installed these before on ADSL lines with multiple IP addresses without problems. Thinking about it, the ADSL lines have a router and a whole subnet which may explain things.
Employing a layer 2 device will be a pain as the firewall provides several features we use such as IPSEC VPN and QoS.
It's frustrating seeing the IP address and MAC table when I log onto the NTL Business Essentials site with no way of adding them manually.
I'm also wondering how to use these multiple IP addresses at all without having the machines directly connected to the cable modem...and therefore the Internet. Am I supposed to install ZoneAlarm on everything?
Come on out of the dunce's corner if you have any more ideas.
Cheers

12-01-2004, 22:40
#10
Inactive
Join Date: Oct 2003
Location: Cambridge
Posts: 567
Re: Multiple IP on firewall?
Quote:
|
Originally Posted by SAC
Come on out of the dunce's corner if you have any more ideas.
|
It looks like 5 WAN interfaces in the Smoothwall would be the sledge-hammer fix: I think you can get cards with multiple RJ45s on board. Connect them all to the cable modem via a switch.
Alternatively, if the Smoothwall is a NAT box, do you really need 5 IP addresses?

12-01-2004, 22:49
#11
Inactive
Join Date: Jan 2023
Posts: 4,984
Re: Multiple IP on firewall?
Quote:
|
Originally Posted by rdhw
It looks like 5 WAN interfaces in the Smoothwall would be the sledge-hammer fix: I think you can get cards with multiple RJ45s on board. Connect them all to the cable modem via a switch.
Alternatively, if the Smoothwall is a NAT box, do you really need 5 IP addresses?
|
RDHW...
Can he not just set up the NIC to be multihomed/multi IP?

13-01-2004, 00:01
#12
Inactive
Join Date: Jun 2003
Location: Grimsby, UK
Age: 43
Services: NTL 10Mbit
Posts: 126
Re: Multiple IP on firewall?
I use a hotbrick600 router, and that can be set to act as a transparent bridge, then you set your PCs on the DMZ range to obtain an IP auto from NTL (you can do this with 4 machines, as you need an IP for the LAN side), and your LAN side is done on 192.168.x.x (or whatever you choose) on the remaining IP.
I am not sure if the SmoothWall can do similar though.

13-01-2004, 07:36
#13
Inactive
Join Date: Aug 2003
Location: Asleep down in the server room
Age: 61
Posts: 516
Re: Multiple IP on firewall?
I think that 5 WAN IPs is the way to do it, shame on NTL for allocating non-contiguous addresses though, why can't they get it right like other ISPs?
Of course, as Robin said, the Smoothwall can probably NAT just one of those IPs to your whole LAN. If it can't then you will need a whole load of rulesets/proxies for the 5 different addresses!
Do let us know how this pans out, I'm sure the info will be helpful to others, remember a little bit of practical experience passed on is worth pages of speculation by us armchair experts ;-)
Terry

13-01-2004, 07:45
#14
Inactive
Join Date: Jan 2004
Posts: 2,379
Re: Multiple IP on firewall?
I have 5 IPs on my service
I have 2 servers hanging off this service, each one needs its own external IP (for mail etc)
my options were:
get a dumb hub, assign static IPs to north facing NIC and plug them both into hub
get a Linux box with 3 NICs in it to deal with all the traffic
get 1 hub and 2 routers hanging off it, one for each server
get an expensive hardware firewall that does multiple NAT or allows me to have more than 1 external IP such as a sonic wall etc..
no cable routers will allow you to do what you need, ADSL routers will
anyway I went for the cheap hub and 2 routers option as I had an old hub and router to use already

13-01-2004, 08:21
#15
Inactive
Join Date: Jun 2003
Location: Hampshire/Surrey border
Posts: 128
Re: Multiple IP on firewall?
Using something like Bering/LEAF you can get your firewall to provide 1-to-1 NAT, i.e. map each public IP address to a different private address. I had to do this at work when a group of machines was moved to an office on a different subnet, and it was not practicable to change their internal IP addresses.
Sorry if this misses the point of what you are trying to do, as I am not familiar with NTL's business offering.
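
The 1-to-1 NAT mapping described in post #15, sketched as an added example (not part of any post in this thread, and not Bering/LEAF or SmoothWall configuration): a shell function that prints, without applying, the iptables rules that map each non-contiguous public address to one DMZ host and forward only the listed ports. Interface names, addresses (documentation ranges) and ports are constructed, and it assumes the ISP delivers traffic for every public address to the firewall's external interface, which is the open question in this thread.

```shell
#!/bin/sh
# Dry run only: rules are printed for review, nothing is applied.

WAN_IF=eth0   # assumed name of the interface facing the cable modem
DMZ_IF=eth1   # assumed name of the interface facing the DMZ

# Constructed sample mapping: public_ip  private_dmz_ip  allowed_tcp_ports
# The public addresses are deliberately not contiguous.
MAPPINGS='203.0.113.10 192.168.2.10 25
198.51.100.77 192.168.2.11 80,443
'

gen_nat_rules() {
    # Reads "public private ports" lines on stdin, one DMZ host per line.
    while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        case "$pub" in \#*) continue ;; esac

        # Extra public address as a /32 alias on the single external NIC.
        echo "ip addr add $pub/32 dev $WAN_IF"

        # Inbound: rewrite the public destination to the DMZ host.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"

        # Outbound: the DMZ host leaves with its own public address,
        # so mail servers and the like present a consistent source IP.
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"

        # Filtering happens after DNAT, so match the private address and
        # open only the published ports, not the whole host.
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Replies to permitted connections, then default deny into the DMZ.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -j DROP"
}

# Print the rule set for the constructed mapping above.
printf '%s' "$MAPPINGS" | gen_nat_rules
```

Unlike plugging the servers into a hub on the cable modem, each public address here still passes through the firewall's FORWARD policy, so only the listed ports are reachable.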