05-20-2018 09:02 AM
I have five static public IPv4 addresses (a 255.255.255.248 subnet) that will be used for a server site. The connection to the internet is via a gigabit ethernet copper cable.
Currently I run iptables on the servers and only allow ssl, http, https, and smtp through, but I would like to do at least some of this firewalling in hardware, if possible without "losing" any of the public IP addresses. There will be no clients on the "inside" and no need for NAT or VPN.
I bought an EdgeRouter 6P but I haven't unpacked it as I am still trying to figure out if it is the right type of product for my needs. If I understand correctly, I will have to use one of the public IPs for the "external" router physical port and a second for the "internal" port, leaving only three public addresses for servers.
Please help set me on the right track.
Thanks in advance.
05-20-2018 10:38 AM
1. Ask the ISP to route the block to you over your WAN IP and you configure the block’s gateway in your LAN interface.
2. Use internal addresses and 1 to 1 NAT.
3. Use transparent firewalling:
I would suggest option 1 or 2. Option 3 may get a little more complex and would require you to take a performance hit with bridging.
Once you decide how you want to handle the public addressing, the rest is just figuring out what services you want to allow inbound through your firewall.
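As an added illustration of option 1 (not from the poster above), here is what a routed setup looks like in EdgeOS CLI terms: the ISP routes the /29 toward a single WAN transit address, the router holds the block's gateway on the server-facing port, and a stateful ruleset admits only the published services. Interface names (eth0/eth1), the RFC 5737 documentation addresses, and the reading of "ssl" as SSH on port 22 are all assumptions.

```edgeos
# Added example (EdgeOS CLI), not from the thread. Assumes eth0 faces the ISP
# and eth1 faces the servers. Addresses are constructed documentation ranges:
# 198.51.100.2/30 is the ISP transit link, 203.0.113.0/29 is the routed block
# that the ISP points at 198.51.100.2.
configure

# WAN transit link: the one address the ISP routes the /29 toward
set interfaces ethernet eth0 description 'ISP transit'
set interfaces ethernet eth0 address 198.51.100.2/30
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1

# LAN: router takes the block's gateway; servers use 203.0.113.2 to .6
set interfaces ethernet eth1 description 'Public server segment'
set interfaces ethernet eth1 address 203.0.113.1/29

# Forwarded traffic toward the servers: default drop, keep existing sessions,
# discard invalid state, then admit only the listed services
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'Internet to servers'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'SSH, SMTP, HTTP, HTTPS to servers'
set firewall name WAN_IN rule 30 protocol tcp
set firewall name WAN_IN rule 30 destination address 203.0.113.0/29
set firewall name WAN_IN rule 30 destination port 22,25,80,443

# Traffic addressed to the router itself: replies only, everything else dropped
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# 'in' filters traffic forwarded through the router, 'local' filters traffic
# destined to the router; both are attached to the ISP-facing port
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

# No NAT stanza: the public block is routed, not translated
commit
save
exit
```

Because nothing is translated, every server keeps its own public address and the per-server iptables rules remain a second layer behind the router's policy.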
05-20-2018 11:34 AM
Thanks a bunch to you both.
So, bridging is done by software and hence comes with a performance penalty compared to hardware-based routing.
However, doesn't firewall stateful packet inspection mean that most or all of the data processing is done by software anyway?
In other words - how big is the difference between firewall routing and firewall bridging?
05-20-2018 12:02 PM