New Member
Posts: 2
Registered: 05-12-2018

Newbie product/design selection question

Hello,

I have five static public IPv4 addresses (a 255.255.255.248 subnet) that will be used for a server site. The connection to the internet is via a gigabit ethernet copper cable.

Currently I run iptables on the servers and only allow ssl, http, https, and smtp through, but I would like to do at least some of this firewalling in hardware, if possible without "losing" any of the public IP addresses. There will be no clients on the "inside" and no need for NAT or VPN.

I bought an EdgeRouter 6P but I haven't unpacked it as I am still trying to figure out if it is the right type of product for my needs. If I understand correctly, I will have to use one of the public IPs for the "external" router physical port and a second for the "internal" port, leaving only three public addresses for servers.

Please help set me on the right track.

Thanks in advance.

/Nic


SuperUser
Posts: 8,489
Registered: 01-05-2012
Kudos: 2239
Solutions: 1132

Re: Newbie product/design selection question

Take a look at this article.

Cheers,

jonatha

Established Member
Posts: 993
Registered: 07-23-2015
Kudos: 536
Solutions: 55

Re: Newbie product/design selection question

You have three options:

1. Ask the ISP to route the block to you over your WAN IP and you configure the block’s gateway in your LAN interface.

2. Use internal addresses and 1 to 1 NAT.

3. Use transparent firewalling:
https://community.ubnt.com/t5/EdgeRouter/can-i-configure-an-EdgeRouter-Lite-into-a-transparent-firew...

I would suggest option 1 or 2. Option 3 may get a little more complex and would require you to take a performance hit with bridging.

Once you decide how you want to handle the public addressing, the rest is just figuring out what services you want to allow inbound through your firewall.
Please don't forget to kudo helpful posts and mark accepted solutions accordingly!
jcm.me - Personal Site | Joyn.Tech - Consulting Site

Add Auto-Provisioning Support to UNMS
Add DAI/IP Source Guard to Edgeswitches
New Member
Posts: 2
Registered: 05-12-2018

Re: Newbie product/design selection question

Thanks a bunch to you both.

So, bridging is done by software and hence comes with a performance penalty compared to hardware-based routing.

However, doesn't firewall stateful packet inspection mean that most or all of the data processing is done by software anyway?

In other words - how big is the difference between firewall routing and firewall bridging?

BR /Nic

Established Member
Posts: 993
Registered: 07-23-2015
Kudos: 536
Solutions: 55

Re: Newbie product/design selection question

I take that back; bridge interfaces in the ER-X platform are indeed offloaded to the hardware ASIC:

https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading-Explained