1 computer, 2 NICs, 2 public static IP addresses



























My home desktop computer has two NICs. I use one for my personal internet needs, and plan to use the other one somewhat unconventionally. I'm going to create a SOCKS/VPN server on a virtual machine, use it exclusively with the spare network NIC, and give it its own public static IP address. I currently have one gateway "router" and one modem as discrete components.



There are two areas of this plan that are still a mystery to me.




  1. I can isolate the VM traffic to one of the NICs, but how do I isolate the host machine's traffic to the other one?


  2. What's the safest and cheapest way to set this up?



As I understand it, I could get a router that is flashable with dd-wrt or OpenWrt, which would allow me to use 1:1 NAT and expose both IPs publicly. I could then put my existing gateway between the host machine's NIC and the router for an additional layer of security. As the VM is used more seriously it will likely require a hardware security layer inside the router as well.



Alternately, I could get a switch and another gateway. I haven't bought a switch before and I'm not sure what to look for in this context.



Am I missing other possibilities?

































  • Do you even have multiple public (as in Internet-routable) IPs?

    – Daniel B
    Dec 14 '18 at 12:34











  • Not at the moment, but my ISP offers them. I could have them with a 5 minute phone call. I'm really looking for help with my questions. I'm not in any doubt about the elements of my post that I didn't ask about. Someone is bound to suggest I don't need two public IPs. Let me head that off, too.

    – Asanak
    Dec 14 '18 at 12:53













  • Welcome. Asking "What's the safest and cheapest way" invites opinions, which are off-topic. Further, it would help if you explain what you intend to do with the VM.

    – Twisty Impersonator
    Dec 15 '18 at 2:55











  • Which part is off topic? Security in networking, or cost of networking components? I want to host a SOCKS/VPN server on the VM, with an IP that is publicly available and distinct from the IP I use for my personal internetting. That's all in the original post, and I do not see that more detail is needed to address my questions. If I am in error on this, please show me how. More detail might help others address things I'm not asking about, but that's not relevant for me.

    – Asanak
    Dec 16 '18 at 7:44
































































networking router ip dd-wrt
















asked Dec 14 '18 at 12:30









Asanak


























2 Answers
































You could isolate the roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides network to the VM via a bridged L2 interface). This will provide traffic separation and basic security (i.e. not exposing the roothost to the VM).



As for tougher security, what are your real requirements/worries here?



From roothost to VM, this will always be a sketchy thing.



Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to router VM and connect target VM to router VM via separate virtual switch.



But why even consider an external firewall, when you may use an internal one, at the OS in the target VM?



Security-wise, I wouldn't really use a 1:1 NAT, but only expose/forward the required ports. That gives you more control and provides an additional layer of security/complication against an attacker.






answered Dec 14 '18 at 12:59

Michał Sacharewicz
























  • I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.

    – Asanak
    Dec 14 '18 at 13:19











  • But selective forwarding does not stop you from using two IP addresses. I have assumed that (a) since you're talking about NAT at all, both IP addresses would be assigned to the router and (b) since you're able to perform 1:1 NAT from a single public IP to a single local IP, your router supports NAT translation rules that depend on the destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, i.e. nat match dest ip public1 port 80,443 target ip roothost and nat match dest ip public2 port 80,443,1194 target ip vm

    – Michał Sacharewicz
    Dec 15 '18 at 1:28













  • Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.

    – Asanak
    Dec 16 '18 at 7:56













  • What environment are we talking about? (roothost OS and virtualization)

    – Michał Sacharewicz
    Dec 16 '18 at 12:22











  • The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.

    – Asanak
    Dec 17 '18 at 4:25

































If the ISP configures the 2nd address to be 'routed' to your main IP address (or if your Internet uplink from the router is some point-to-point technology like PPPoE):




  • You can assign the IP address to the router, and perform DNAT to the server's internal address.


  • If the router supports custom static routes, 1:1 NAT is useless – you can add a static route for the 2nd IP address either to the server's LAN address or to the LAN interface itself, then assign that address (as a /32) to the server directly.



If your Internet uplink from the router is standard Ethernet (and not PPPoE) and if the ISP configures the 2nd address as 'on-link':




  • You can place a generic switch in front of the router's WAN port and connect the server to it. An unmanaged switch will do. In this case you would need to use the server's own firewall, being very careful about not accidentally exposing e.g. iLO/iDRAC to the Internet.


  • You can assign the IP address to the router, and perform DNAT to the server's internal address, same as above.


  • You can assign the IP address directly to the server, then enable proxy-ARP and add a static route for that address on the router (same as above except for the proxy-ARP thing).



In any case, port whitelisting can be done through the firewall either on the router or on the server, independent of NAT or routing modes.
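The selective per-port DNAT that the first answer and Michał's comment recommend over 1:1 NAT, and that the second answer's "DNAT to the server's internal address" bullet describes, written out as an nftables ruleset for a Linux-based router. This is an added example, not code from either answer: the public addresses 203.0.113.10/.20, the LAN addresses 192.168.1.10/.20 and the interface names wan/lan are placeholders, and both public addresses are assumed to already be configured on the router's WAN interface (Michał's assumption (a)).

```nft
#!/usr/sbin/nft -f
# Added example, not from the answers above. Placeholders: 203.0.113.10 is the
# host's public address, 203.0.113.20 the VM's; 192.168.1.10 is the roothost on
# the router's LAN, 192.168.1.20 the VM; "wan" and "lan" are the router's
# interface names. Both public addresses are assumed to sit on "wan".
flush ruleset

define PUB_HOST = 203.0.113.10
define PUB_VM   = 203.0.113.20
define LAN_HOST = 192.168.1.10
define LAN_VM   = 192.168.1.20

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Weak form, kept commented out for comparison: 1:1 NAT hands every
        # port of the public address to the VM, so any service the guest
        # happens to listen on becomes reachable from the Internet.
        # iifname "wan" ip daddr $PUB_VM dnat to $LAN_VM

        # Selective DNAT keyed on the destination address, as in the comment
        # "nat match dest ip public2 port 80,443,1194 target ip vm". Only the
        # listed ports are translated; anything else is not DNATed and is
        # then dropped by the forward chain below.
        iifname "wan" ip daddr $PUB_HOST tcp dport { 80, 443 } dnat to $LAN_HOST
        iifname "wan" ip daddr $PUB_VM   tcp dport { 80, 443 } dnat to $LAN_VM
        # OpenVPN's default transport is UDP/1194; add a matching tcp rule
        # only if the VM's server is actually configured for TCP.
        iifname "wan" ip daddr $PUB_VM   udp dport 1194       dnat to $LAN_VM
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic from each machine leaves with its own public
        # address, so host and VM stay distinguishable upstream.
        oifname "wan" ip saddr $LAN_HOST snat to $PUB_HOST
        oifname "wan" ip saddr $LAN_VM   snat to $PUB_VM
        # Any other LAN device shares the WAN interface's primary address.
        oifname "wan" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Inbound: only connections that matched a DNAT rule above get in.
        # A packet to $PUB_VM port 22, for example, never matched a DNAT
        # rule, carries no dnat status, and is dropped here by policy.
        iifname "wan" ct status dnat accept
        # Outbound from the LAN is unrestricted.
        iifname "lan" oifname "wan" accept
    }
}
```

Load it with nft -f on a router whose firewall is nftables-based (OpenWrt's current releases are); dd-wrt's iptables-based firmware needs the same rules expressed in iptables syntax.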






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1383572%2f1-computer-2-nics-2-public-static-ip-adresses%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    You could isolate roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides network to VM via bridged L2 interface). This will provide traffic separation and basic security (ie. not exposing roothost to VM).



    As for tougher security, what are your real requirements/worries here?



    From roothost to VM, this will always be sketchy thing.



    Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to router VM and connect target VM to router VM via separate virtual switch.



    But why even to consider external firewall, when you may use internal one, at the OS in target VM?



    Security-wise, I wouldn't really use a 1:1 NAT, but only expose/forward the required ports. Gives you more control and provides an additional layer of security/complication against attacker.






    share|improve this answer
























    • I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.

      – Asanak
      Dec 14 '18 at 13:19











    • But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie. nat match dest ip public1 port 80,443 target ip roothostand nat match dest ip public2 port 80,443,1194 target ip vm

      – Michał Sacharewicz
      Dec 15 '18 at 1:28













    • Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.

      – Asanak
      Dec 16 '18 at 7:56













    • What environment are we talking about? (roothost OS and virtualization)

      – Michał Sacharewicz
      Dec 16 '18 at 12:22











    • The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.

      – Asanak
      Dec 17 '18 at 4:25
















    0














    You could isolate roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides network to VM via bridged L2 interface). This will provide traffic separation and basic security (ie. not exposing roothost to VM).



    As for tougher security, what are your real requirements/worries here?



    From roothost to VM, this will always be sketchy thing.



    Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to router VM and connect target VM to router VM via separate virtual switch.



    But why even to consider external firewall, when you may use internal one, at the OS in target VM?



    Security-wise, I wouldn't really use a 1:1 NAT, but only expose/forward the required ports. Gives you more control and provides an additional layer of security/complication against attacker.






    share|improve this answer
























    • I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.

      – Asanak
      Dec 14 '18 at 13:19











    • But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie. nat match dest ip public1 port 80,443 target ip roothostand nat match dest ip public2 port 80,443,1194 target ip vm

      – Michał Sacharewicz
      Dec 15 '18 at 1:28













    • Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.

      – Asanak
      Dec 16 '18 at 7:56













    • What environment are we talking about? (roothost OS and virtualization)

      – Michał Sacharewicz
      Dec 16 '18 at 12:22











    • The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.

      – Asanak
      Dec 17 '18 at 4:25














    0












    0








    0







    You could isolate roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides network to VM via bridged L2 interface). This will provide traffic separation and basic security (ie. not exposing roothost to VM).



    As for tougher security, what are your real requirements/worries here?



    From roothost to VM, this will always be sketchy thing.



    Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to router VM and connect target VM to router VM via separate virtual switch.



    But why even to consider external firewall, when you may use internal one, at the OS in target VM?



    Security-wise, I wouldn't really use a 1:1 NAT, but only expose/forward the required ports. Gives you more control and provides an additional layer of security/complication against attacker.






    share|improve this answer













    You could isolate roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides network to VM via bridged L2 interface). This will provide traffic separation and basic security (ie. not exposing roothost to VM).



    As for tougher security, what are your real requirements/worries here?



    From roothost to VM, this will always be sketchy thing.



    Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to router VM and connect target VM to router VM via separate virtual switch.



    But why even to consider external firewall, when you may use internal one, at the OS in target VM?



    Security-wise, I wouldn't really use a 1:1 NAT, but only expose/forward the required ports. Gives you more control and provides an additional layer of security/complication against attacker.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Dec 14 '18 at 12:59









    Michał SacharewiczMichał Sacharewicz

    1,6451117




    1,6451117













    • I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.

      – Asanak
      Dec 14 '18 at 13:19











    • But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie. nat match dest ip public1 port 80,443 target ip roothostand nat match dest ip public2 port 80,443,1194 target ip vm

      – Michał Sacharewicz
      Dec 15 '18 at 1:28













    • Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.

      – Asanak
      Dec 16 '18 at 7:56













    • What environment are we talking about? (roothost OS and virtualization)

      – Michał Sacharewicz
      Dec 16 '18 at 12:22











    • The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.

      – Asanak
      Dec 17 '18 at 4:25



















    • I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.

      – Asanak
      Dec 14 '18 at 13:19











    • But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie. nat match dest ip public1 port 80,443 target ip roothostand nat match dest ip public2 port 80,443,1194 target ip vm

      – Michał Sacharewicz
      Dec 15 '18 at 1:28













    • Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.

      – Asanak
      Dec 16 '18 at 7:56













    • What environment are we talking about? (roothost OS and virtualization)

      – Michał Sacharewicz
      Dec 16 '18 at 12:22











    • The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.

      – Asanak
      Dec 17 '18 at 4:25

    If the ISP configures the 2nd address to be 'routed' to your main IP address (or if your Internet uplink from the router is some point-to-point technology like PPPoE):




    • You can assign the IP address to the router, and perform DNAT to the server's internal address.


    • If the router supports custom static routes, 1:1 NAT is useless – you can add a static route for the 2nd IP address either to the server's LAN address or to the LAN interface itself, then assign that address (as a /32) to the server directly.



    If your Internet uplink from the router is standard Ethernet (and not PPPoE) and if the ISP configures the 2nd address as 'on-link':




    • You can place a generic switch in front of the router's WAN port and connect the server to it. An unmanaged switch will do. In this case you would need to use the server's own firewall, being very careful about not accidentally exposing e.g. iLO/iDRAC to the Internet.


    • You can assign the IP address to the router, and perform DNAT to the server's internal address, same as above.


    • You can assign the IP address directly to the server, then enable proxy-ARP and add a static route for that address on the router (same as above except for the proxy-ARP thing).



    In any case, port whitelisting can be done through the firewall either on the router or on the server, independent of NAT or routing modes.

        answered Dec 14 '18 at 13:50
        grawity
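As an added example (not part of the answer or the comments), the destination-dependent selective NAT described in Michał Sacharewicz's comment, written as an nftables ruleset for a Linux-based router such as OpenWrt, together with the port whitelisting this answer says can live in the router's firewall. The addresses (RFC 5737 documentation space), the interface name and the protocol for port 1194 are constructed assumptions, and the routed-/32 alternative from the answer is sketched in the trailing comment.

```nft
# Constructed example: two RFC 5737 documentation addresses terminate on the
# router's WAN port; each is DNATed to its own internal host and only for
# the ports that host is meant to serve (assumed values throughout).
define WAN      = "eth0"
define PUBLIC1  = 203.0.113.10   # public address for the desktop host
define PUBLIC2  = 203.0.113.11   # public address for the SOCKS/VPN VM
define ROOTHOST = 192.168.1.10   # desktop host on the LAN
define VM       = 192.168.1.20   # VM on the LAN

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Match on destination address AND port, so the same port number
        # can be steered to different internal hosts.
        iifname $WAN ip daddr $PUBLIC1 tcp dport { 80, 443 } dnat to $ROOTHOST
        iifname $WAN ip daddr $PUBLIC2 tcp dport { 80, 443, 1194 } dnat to $VM
        iifname $WAN ip daddr $PUBLIC2 udp dport 1194 dnat to $VM  # OpenVPN default
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic leaves under each host's own address (1:1 NAT),
        # so the two identities never share a source IP.
        oifname $WAN ip saddr $ROOTHOST snat to $PUBLIC1
        oifname $WAN ip saddr $VM       snat to $PUBLIC2
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != $WAN oifname $WAN accept   # LAN may initiate outbound
        # Inbound whitelist, evaluated after DNAT, so it names internal
        # destinations; anything unlisted (RDP, SMB, iLO/iDRAC) hits the drop policy.
        iifname $WAN ip daddr $ROOTHOST tcp dport { 80, 443 } ct state new accept
        iifname $WAN ip daddr $VM tcp dport { 80, 443, 1194 } ct state new accept
        iifname $WAN ip daddr $VM udp dport 1194 ct state new accept
    }
}

# Routed alternative from the answer: if the ISP routes PUBLIC2 to you,
# drop the PUBLIC2 dnat/snat rules, assign 203.0.113.11/32 to the VM, and
# on the router run:  ip route add 203.0.113.11/32 via 192.168.1.20
# The forward whitelist then matches "ip daddr $PUBLIC2" instead of $VM.
```

Load it with `nft -f` on the router and confirm with `nft list ruleset` that only the listed ports appear in the forward chain before exposing the second address.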
