
Static IP block internet access capability

justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Static IP block internet access capability

OK, so a simple Q which I would have thought would have come up many times but tech support are 'not trained on this' apparently. The advice given? Try here, so I am.

I am about to submit a RIPE form for an 8 IP block for my small network on which I have a number of servers.

To date, I have managed to get by with a single static IP address but a recent call to move the private video conferencing server from one which uses dedicated ports to a webRTC based one means I now need at least two different servers accessing the same ports (80 and 443), so I need to move to a static IP address 8-block.

I have just been mapping it all out and suddenly realised that I have no idea how the machines (desktop PCs mostly) will continue to have access to the internet. I have plans to set three addresses of the five usable addresses in a 1:1 relationship and keep at least two more as 'spares' for future role expansions, which means I have one address remaining. Does the rest of the LAN need to access that address to access the net or do they just use the main gateway address?

Thank you

11 REPLIES
justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Re: Static IP block internet access capability

I am replying to my own question as I found the answer and it may help someone else in the future. Basically, you have to assign one of the usable IP addresses as a gateway for every other device to use to get out. This means that out of an 8 IP address block, three will be needed for things like address mask, broadcast address and carrier, leaving five usable addresses, one of which will be needed as a gateway address for general LAN traffic. The remaining four can be assigned on a 1:1 basis to any specific servers.

MisterW
Superuser
Posts: 14,580
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Static IP block internet access capability

I believe you should actually have five usable IPs (http://droptips.com/cidr-subnet-masks-and-usable-ip-addresses-quick-reference-guide-cheat-sheet) once you've used one for WAN access.

Then, of course, you're going to need a router that can be configured to handle it...and that excludes the PN supplied hub one!

 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Re: Static IP block internet access capability

Thanks for the comment - and it will be relevant to anyone else possibly looking at this in the future.

For me, I have never used the plusnet provided modem/router anyway. It is awful. I currently use a DrayTek modem (not a Modem/Router) connected to a pfSense firewall/router using bridge mode and both will handle an IP-block I believe - but still checking some specifics on how to set it up.

Not too sure if I will actually have four or five usable addresses in effect though, as I suspect I will need one for the pfSense box and I may need to replace the modem with a modem/Router that also takes an address. I am looking into that atm.

Thanks once again for the info.

RealAleMadrid
Aspiring Hero
Posts: 2,713
Thanks: 1,395
Fixes: 59
Registered: ‎07-07-2009

Re: Static IP block internet access capability

Have you checked that PlusNet still issue IPv4 address blocks to business customers? I seem to recall that they have stopped or are very reluctant to give them out. Might be worth confirming one way or the other.

Edit: I am assuming that you are a Plusnet customer!

justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Re: Static IP block internet access capability

Yes, I have checked - you have to jump through some hoops to justify the requirement, apparently prescribed by RIPE, but they do do it. It's a pain though. They take every opportunity to reject an application, this will be my third attempt ... I gave up before, but I really have no option this time as I need several servers all to access ports 80 and 443 and they cannot be serviced from a single server (although the actual servers are VMs, so physically on one box, the requirements dictate independent installs due to conflicts). If I get rejected I will be moving my service in the next few weeks to another provider that I KNOW will help me instead of hinder me in getting the 8-IP block.

RealAleMadrid
Aspiring Hero
Posts: 2,713
Thanks: 1,395
Fixes: 59
Registered: ‎07-07-2009

Re: Static IP block internet access capability

Yes, it seems they are keen to reject any requests but I admire your persistence, best of luck with your latest attempt.

MisterW
Superuser
Posts: 14,580
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Static IP block internet access capability

> For me, I have never used the plusnet provided modem/router anyway. It is awful. I currently use a DrayTek modem (not a Modem/Router) connected to a pfSense firewall/router using bridge mode and both will handle an IP-block I believe - but still checking some specifics on how to set it up.

Glad to hear you're not using the PN router.

We have a similar setup to yours in the office, except that the firewall is Smoothwall rather than pfSense. We found it was easier to configure the router to make the PPPoE connection and handle multiple IPs, i.e. Public routed subnet. One IP is then assigned to the firewall, which handles NAT and VPN endpoints, and then other IPs to any servers that must be public facing. Only problem with this approach is that you're relying on the router and the servers for firewalling themselves. If you can configure PPPoE and Public Routed subnet on pfSense then you may have better firewall control of the servers.


justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Re: Static IP block internet access capability

Just re-read this and I think the pfSense might offer an option which you do not seem to have. I can assign a 1:1 NAT which uses the public IP as the inbound rule and then NAT it to a private IP with only the ports I want to open up being allowed through the firewall for that 1:1 connection. This gives quite granular control, so no ports are exposed to servers that do not need to be. The only problem is I have not yet worked out how to pass the full IP block to the firewall from the PPPoE modem connection. If I could do that, it would be a minor rejig of what I am doing now and just require some relatively minor routing table adjustments.
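
The address plan discussed in this thread (an 8-address block, one address for general LAN traffic, the rest mapped 1:1 to servers with only the needed ports allowed) can be checked before it is entered into a firewall. This is an added example, not part of any post and not pfSense code; the block, LAN range, router address and function names are assumptions, using documentation address ranges and assuming the ISP-side router takes the first host address.

```python
import ipaddress

def plan_block(cidr, router_ip):
    """Split a routed block into reserved and assignable addresses."""
    net = ipaddress.ip_network(cidr)
    router = ipaddress.ip_address(router_ip)
    reserved = {net.network_address, net.broadcast_address, router}
    usable = [ip for ip in net.hosts() if ip != router]
    return reserved, usable

def audit_nat(cidr, router_ip, lan_cidr, outbound_ip, mappings):
    """Check a 1:1 NAT plan; return (problems, spare_addresses).

    mappings: (public_ip, private_ip, allowed_tcp_ports) tuples.
    outbound_ip: public address the rest of the LAN is NATed behind.
    """
    reserved, usable = plan_block(cidr, router_ip)
    lan = ipaddress.ip_network(lan_cidr)
    taken = {ipaddress.ip_address(outbound_ip)}
    private_seen, problems = set(), []
    for pub, priv, ports in mappings:
        pub, priv = ipaddress.ip_address(pub), ipaddress.ip_address(priv)
        if pub in reserved:
            problems.append(f"{pub}: network, broadcast or router address")
        elif pub not in usable:
            problems.append(f"{pub}: not in {cidr}")
        if pub in taken:
            problems.append(f"{pub}: already used for outbound NAT or a server")
        if priv not in lan or priv in private_seen:
            problems.append(f"{priv}: off-LAN or duplicate NAT target")
        if not ports:
            problems.append(f"{pub}: no allowed ports listed")
        taken.add(pub)
        private_seen.add(priv)
    spares = [ip for ip in usable if ip not in taken]
    return problems, spares

# Constructed sample plan (documentation ranges, not real assignments).
BLOCK, ROUTER = "203.0.113.8/29", "203.0.113.9"
LAN, OUTBOUND = "192.168.1.0/24", "203.0.113.10"
GOOD = [("203.0.113.11", "192.168.1.11", {80, 443}),
        ("203.0.113.12", "192.168.1.12", {80, 443})]
BAD = [("203.0.113.15", "192.168.1.11", {80, 443}),  # broadcast address
       ("203.0.113.10", "10.0.0.5", set())]          # clash, off-LAN, no ports

if __name__ == "__main__":
    print(audit_nat(BLOCK, ROUTER, LAN, OUTBOUND, GOOD))
    for line in audit_nat(BLOCK, ROUTER, LAN, OUTBOUND, BAD)[0]:
        print("PROBLEM", line)
```
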

MisterW
Superuser
Posts: 14,580
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Static IP block internet access capability

> The only problem is I have not yet worked out how to pass the full IP block to the firewall from the PPPoE modem connection

That was the problem we had with Smoothwall and a bridge mode modem.

> I can assign a 1:1 NAT which uses the public IP as the inbound rule and then NAT it to a private IP with only the ports I want to open up being allowed through the firewall for that 1:1 connection. This gives quite granular control, so no ports are exposed to servers that do not need to be.

That should work if you can get the full IP block through the modem/router.

Our multiple statics are actually still on an ADSL connection and we use a BT Business hub (aka 2700HGV) in Public routed subnet mode in front of the Smoothwall. Our FTTC connection is only single static at the moment so we don't have the problem on that, although we're considering an 8 IP block for that so that we can move more services over to the faster connection. We're with Zen for that though, not PN. They supply a Technicolor TG589 for FTTC which we currently have in bridge mode but I believe they have a routed subnet config for it to handle 8 IPs. https://support.zen.co.uk/kb/Knowledgebase/Technicolor-TG589vac-Routed-IP

justanoob
Hooked
Posts: 6
Registered: ‎28-03-2018

Re: Static IP block internet access capability

Funnily enough, I have an almost identical situation, but no block IPs yet - just an ADSL line (as a backup but used for email server) and this PN account - and it is ZEN I am considering moving to. I was going to move the ADSL line, but come contract renewal (last week) I got a very tempting offer.

MisterW
Superuser
Posts: 14,580
Thanks: 5,411
Fixes: 385
Registered: ‎30-07-2007

Re: Static IP block internet access capability

We put the FTTC line in about 18 months ago. I changed the PBX from ISDN to a VoIP (SIP) system and obviously we needed something faster than the ADSL (originally Demon now Vodafone business) connection to support that. Myself and a number of colleagues have PN connections at home and PN was considered for the FTTC but TBH the degrading support over the last few years ruled that out. Originally the plan was to go with ZEN on the basis that they could provide both the FTTC and the SIP trunks, i.e. single supplier. ZEN were excellent in providing the FTTC, good communication and everything to plan. I think I've called support only once or twice but they answered pretty quickly and were very knowledgeable and helpful.

Their pre-sales VoIP support wasn't good though and so eventually we went with Andrews & Arnold for the SIP trunks. Their support is second to none, phones answered instantly and very knowledgeable staff. Surprisingly, for VoIP, A & A are quite cheap whereas their BB prices can be fairly high.

Like you, we still use the ADSL line for email, although it also has an FTP server, small web server and a VPN link to a client site on it. We're seeing more use of these other facilities on it and hence looking to move some of those over to the FTTC link but will need 8 static IPs to do that. I seem to recall that I filled in the ZEN online enquiry form a while ago for someone to contact me about more IPs! Maybe it's time I prodded them...
