1 computer, 2 NICs, 2 public static IP addresses
My home desktop computer has two NICs. I use one for my personal internet needs, and plan to use the other one somewhat unconventionally. I'm going to create a SOCKS/VPN server on a virtual machine, use it exclusively with the spare network NIC, and give it its own public static IP address. I currently have one gateway "router" and one modem as discrete components.
There are two areas of this plan that are still a mystery to me.
I can isolate the VM traffic to one of the NICs, but how do I isolate the host machine's traffic to the other one?
What's the safest and cheapest way to set this up?
As I understand it, I could get a router that is flashable with dd-wrt or OpenWrt, which would allow me to use 1:1 NAT and expose both IPs publicly. I could then put my existing gateway between the host machine's NIC and the router for an additional layer of security. As the VM is used more seriously it will likely require a hardware security layer inside the router as well.
Alternately, I could get a switch and another gateway. I haven't bought a switch before and I'm not sure what to look for in this context.
Am I missing other possibilities?
Tags: networking, router, ip, dd-wrt
Do you even have multiple public (as in Internet-routable) IPs?
– Daniel B, Dec 14 '18 at 12:34
Not at the moment, but my ISP offers them. I could have them with a 5-minute phone call. I'm really looking for help with my questions. I'm not in any doubt about the elements of my post that I didn't ask about. Someone is bound to suggest I don't need two public IPs. Let me head that off, too.
– Asanak, Dec 14 '18 at 12:53
Welcome. Asking "What's the safest and cheapest way" invites opinions which are off-topic. Further, it would help if you explain what you intend to do with the VM.
– Twisty Impersonator, Dec 15 '18 at 2:55
Which part is off topic? Security in networking, or the cost of networking components? I want to host a SOCKS/VPN server on the VM, with an IP that is publicly available and distinct from the IP I use for my personal internetting. That's all in the original post, and I do not see that more detail is needed to address my questions. If I am in error on this, please show me how. More detail might help others address things I'm not asking about, but that's not relevant for me.
– Asanak, Dec 16 '18 at 7:44
asked Dec 14 '18 at 12:30 by Asanak
2 Answers
You could isolate the roothost simply by not enabling/configuring L3 on the roothost interface for that NIC (assuming the hypervisor provides the network to the VM via a bridged L2 interface). This will provide traffic separation and basic security (i.e. not exposing the roothost to the VM).
As for tougher security, what are your real requirements/worries here?
From roothost to VM, this will always be a sketchy thing.
Between VM and network, you don't really need more hardware. You could deploy another VM with OpenWrt or, well, any other security-enabled router and then pass traffic through it. Then connect the external, bridged L2 to the router VM and connect the target VM to the router VM via a separate virtual switch.
But why even consider an external firewall, when you may use an internal one, at the OS in the target VM?
Security-wise, I wouldn't really use 1:1 NAT, but only expose/forward the required ports. It gives you more control and provides an additional layer of security/complication against an attacker.
answered Dec 14 '18 at 12:59 by Michał Sacharewicz
I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.
– Asanak, Dec 14 '18 at 13:19
But selective forwarding does not stop you from using two IP addresses. I have assumed that (a) since you're talking about NAT at all, both IP addresses would be assigned to the router and (b) since you're able to perform 1:1 NAT from a single public IP to a single local IP, your router supports NAT translation rules that depend on the destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, i.e.
nat match dest ip public1 port 80,443 target ip roothost
and
nat match dest ip public2 port 80,443,1194 target ip vm
– Michał Sacharewicz, Dec 15 '18 at 1:28
Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.
– Asanak, Dec 16 '18 at 7:56
What environment are we talking about? (roothost OS and virtualization)
– Michał Sacharewicz, Dec 16 '18 at 12:22
The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on the VM.
– Asanak, Dec 17 '18 at 4:25
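The 1:1 NAT versus selective-forwarding point from this answer and its comments, as an added example that is not part of the original answer: it parses the rule syntax sketched in the comments and evaluates inbound packets against the resulting rule set. The 198.51.100.x public addresses, the 10.0.0.x LAN addresses and the probe ports are constructed placeholders, and a rule with no port clause (standing in for 1:1 NAT) is my extension of that syntax.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set

# Constructed placeholder addresses: the ISP-assigned public IPs are not on the page,
# so TEST-NET-2 stands in for them and 10.0.0.0/24 for the home LAN.
HOSTS = {
    "public1": "198.51.100.10",   # first public IP (the host's personal one)
    "public2": "198.51.100.11",   # second public IP (the VM's)
    "roothost": "10.0.0.10",      # host's LAN address
    "vm": "10.0.0.20",            # VM's LAN address
}

@dataclass(frozen=True)
class NatRule:
    dest: str                         # public address this rule matches on
    ports: Optional[FrozenSet[int]]   # None = every port, i.e. 1:1 NAT
    target: str                       # internal address the packet is DNATed to

RULE_RE = re.compile(
    r"nat match dest ip (?P<dest>\S+)(?: port (?P<ports>[\d,]+))? target ip (?P<target>\S+)"
)

def parse_rule(text: str) -> NatRule:
    """Parse one rule in the syntax used in the comments, e.g.
    'nat match dest ip public2 port 80,443,1194 target ip vm'.
    Leaving the port clause out (my extension) models a 1:1 NAT mapping."""
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    ports = m.group("ports")
    return NatRule(
        dest=HOSTS[m.group("dest")],
        ports=frozenset(int(p) for p in ports.split(",")) if ports else None,
        target=HOSTS[m.group("target")],
    )

def translate(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[str]:
    """First-match DNAT lookup for an inbound TCP/UDP packet.
    Returns the internal target address, or None when no rule matches (the packet
    is then dropped by the router's default deny on the WAN side)."""
    for rule in rules:
        if rule.dest == dst_ip and (rule.ports is None or dst_port in rule.ports):
            return rule.target
    return None

def exposed_ports(rules: List[NatRule], public_ip: str, probe_ports: Iterable[int]) -> Set[int]:
    """Which of probe_ports reach some internal host when aimed at public_ip."""
    return {p for p in probe_ports if translate(rules, public_ip, p) is not None}

# The two selective rules from the comment thread, versus 1:1 NAT for both addresses.
SELECTIVE = [
    parse_rule("nat match dest ip public1 port 80,443 target ip roothost"),
    parse_rule("nat match dest ip public2 port 80,443,1194 target ip vm"),
]
ONE_TO_ONE = [
    parse_rule("nat match dest ip public1 target ip roothost"),
    parse_rule("nat match dest ip public2 target ip vm"),
]

if __name__ == "__main__":
    # Constructed probe set: the intended services plus a few ports a Windows host
    # or a VM might be listening on without meaning to publish them.
    probes = [22, 80, 443, 1194, 3389, 5900]
    for label, rules in (("selective", SELECTIVE), ("1:1 NAT", ONE_TO_ONE)):
        for name in ("public1", "public2"):
            print(f"{label:9} {name}: {sorted(exposed_ports(rules, HOSTS[name], probes))}")
```

With the selective rules only the listed services are reachable on each public address; with 1:1 NAT every port the internal host happens to listen on is reachable, which is the extra exposure the answer warns about.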
I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.
– Asanak
Dec 14 '18 at 13:19
But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie.nat match dest ip public1 port 80,443 target ip roothost
andnat match dest ip public2 port 80,443,1194 target ip vm
– Michał Sacharewicz
Dec 15 '18 at 1:28
Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.
– Asanak
Dec 16 '18 at 7:56
What environment are we talking about? (roothost OS and virtualization)
– Michał Sacharewicz
Dec 16 '18 at 12:22
The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.
– Asanak
Dec 17 '18 at 4:25
I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.
– Asanak
Dec 14 '18 at 13:19
I'll look into the L2/L3 interface issue - that's new information for me, and thank you. I may be going overboard on my imagined security needs. I realize that forwarding ports would be more secure, but I do want more than one IP; that's not an aspect of the plan I'm looking to change.
– Asanak
Dec 14 '18 at 13:19
But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie.
nat match dest ip public1 port 80,443 target ip roothost
and nat match dest ip public2 port 80,443,1194 target ip vm
– Michał Sacharewicz
Dec 15 '18 at 1:28
But selective forwarding does not stop you from using two IP addresses. I have assumed, that (a) since youre talking aboth NAT at all, then both IP addresses would be assigned to router and (b) since you're able to perform 1:1 NAT from single public IP to single local IP, then your router supports NAT translation rules that depend on destination address. If that's correct, then you could define separate selective NAT rules for both public addresses, ie.
nat match dest ip public1 port 80,443 target ip roothost
and nat match dest ip public2 port 80,443,1194 target ip vm
– Michał Sacharewicz
Dec 15 '18 at 1:28
Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.
– Asanak
Dec 16 '18 at 7:56
Okay, yes, I see that the port-forwarding issue is still relevant with a second public IP. I'm not talking about a web proxy, though. I'm not sure that I want to limit the ports usable by the VM's server. In any case I can tackle this later, once I settle on the hardware necessary. It looks like a single router that I can flash with third-party software will be sufficient. It also looks like trying to do something with the L3 interface is going to be beyond my abilities. Isolating the two NICs on the host is looking like an insuperable problem, so I'll have to shift to using a second computer.
– Asanak
Dec 16 '18 at 7:56
What environment are we talking about? (roothost OS and virtualization)
– Michał Sacharewicz
Dec 16 '18 at 12:22
What environment are we talking about? (roothost OS and virtualization)
– Michał Sacharewicz
Dec 16 '18 at 12:22
The environment is Windows. The VM is undetermined. If I didn't need any special capabilities, I was just going to use VirtualPC for Windows and its Windows XP Mode, because these would be free for me. But I was flexible on VM.
– Asanak
Dec 17 '18 at 4:25
If the ISP configures the 2nd address to be 'routed' to your main IP address (or if your Internet uplink from the router is some point-to-point technology like PPPoE):
You can assign the IP address to the router, and perform DNAT to the server's internal address.
If the router supports custom static routes, 1:1 NAT is useless – you can add a static route for the 2nd IP address either to the server's LAN address or to the LAN interface itself, then assign that address (as a /32) to the server directly.
If your Internet uplink from the router is standard Ethernet (and not PPPoE) and if the ISP configures the 2nd address as 'on-link':
You can place a generic switch in front of the router's WAN port and connect the server to it. An unmanaged switch will do. In this case you would need to use the server's own firewall, being very careful about not accidentally exposing e.g. iLO/iDRAC to the Internet.
You can assign the IP address to the router, and perform DNAT to the server's internal address, same as above.
You can assign the IP address directly to the server, then enable proxy-ARP and add a static route for that address on the router (same as above except for the proxy-ARP thing).
In any case, port whitelisting can be done through the firewall either on the router or on the server, independent of NAT or routing modes.
answered Dec 14 '18 at 13:50
grawity
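The two mechanisms above (Michał's destination-dependent "nat match dest ip public2 ... target ip vm" rules in the comments, and the DNAT versus static-route/proxy-ARP options in grawity's answer) as an added worked example; this script is not from the thread or from any router project. It targets a Linux-based router such as a dd-wrt or OpenWrt box, which use iptables, and prints the commands as a dry run unless APPLY=1 is set. Every address, interface name and port (203.0.113.x, eth0, br-lan, 192.168.1.50, TCP 1080/1194, UDP 1194) is an assumption chosen for illustration; the stock ESTABLISHED,RELATED accept rule and the LAN MASQUERADE rule that home firmware installs are assumed to already exist.

```sh
#!/bin/sh
# Added example, not from the original thread. Dry-run by default: prints the
# commands it would run. APPLY=1 executes them (as root on the router).
# MODE=dnat   -> PUBLIC2 on the router, selective DNAT to the VM (grawity's first option)
# MODE=routed -> PUBLIC2/32 on the VM, router only routes it (static route / proxy-ARP)

# Assumed values for illustration only:
WAN=eth0               # router uplink interface
LAN=br-lan             # router LAN bridge
PUBLIC2=203.0.113.11   # second public address, reserved for the VM
VM_LAN=192.168.1.50    # VM's LAN address (DNAT mode only)
VM_TCP_PORTS=1080,1194 # SOCKS (1080) and OpenVPN/TCP (1194): assumed services
VM_UDP_PORTS=1194      # OpenVPN/UDP

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Mode A: only packets addressed to PUBLIC2 on the whitelisted ports are rewritten
# to the VM. The main address is untouched, so the host's forwarding stays separate.
dnat_rules() {
    run ip addr add "$PUBLIC2/32" dev "$WAN"
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC2" -p tcp -m multiport --dports "$VM_TCP_PORTS" -j DNAT --to-destination "$VM_LAN"
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC2" -p udp -m multiport --dports "$VM_UDP_PORTS" -j DNAT --to-destination "$VM_LAN"
    # FORWARD sees the post-DNAT address: accept the same ports, drop any other new flow to the VM
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$VM_LAN" -p tcp -m multiport --dports "$VM_TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$VM_LAN" -p udp -m multiport --dports "$VM_UDP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$VM_LAN" -m conntrack --ctstate NEW -j DROP
    # VM's outbound traffic must leave as PUBLIC2, ahead of the generic LAN masquerade rule
    run iptables -t nat -I POSTROUTING 1 -o "$WAN" -s "$VM_LAN" -j SNAT --to-source "$PUBLIC2"
}

# Mode B: no NAT. PUBLIC2/32 is configured on the VM itself with the router's LAN
# address as gateway; the router just needs a route. Pass "onlink" when the ISP
# treats PUBLIC2 as on-link on an Ethernet uplink, so the router answers ARP for it.
routed_rules() {
    run ip route add "$PUBLIC2/32" dev "$LAN"
    if [ "${1:-}" = onlink ]; then
        # per-address proxy ARP on the WAN segment (narrower than the proxy_arp sysctl)
        run ip neigh add proxy "$PUBLIC2" dev "$WAN"
    fi
    # keep the VM's already-public source address out of the LAN masquerade rule
    run iptables -t nat -I POSTROUTING 1 -o "$WAN" -s "$PUBLIC2" -j ACCEPT
    # same port whitelist, now matched against the public address itself
    run iptables -A FORWARD -i "$WAN" -d "$PUBLIC2" -p tcp -m multiport --dports "$VM_TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -d "$PUBLIC2" -p udp -m multiport --dports "$VM_UDP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -d "$PUBLIC2" -m conntrack --ctstate NEW -j DROP
}

case "${MODE:-dnat}" in
    dnat)   dnat_rules ;;
    routed) routed_rules "${ONLINK:+onlink}" ;;
    *)      echo "MODE must be dnat or routed" >&2; exit 2 ;;
esac
```

Run it as `MODE=routed ONLINK=1 sh second-ip.sh` to review the routed variant, then add APPLY=1 once the output looks right. The SNAT/ACCEPT entries are inserted at position 1 of POSTROUTING on purpose: if they land after the firmware's MASQUERADE rule, the VM's traffic goes out from the main address and the whole point of the second IP is lost. In routed mode the VM's own firewall still matters, since nothing rewrites its address and any service bound to 0.0.0.0 on it is reachable on the ports you open.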
Do you even have multiple public (as in Internet-routable) IPs?
– Daniel B
Dec 14 '18 at 12:34
Not at the moment, but my ISP offers them. I could have them with a 5 minute phone call. I'm really looking for help with my questions. I'm not in any doubt about the elements of my post that I didn't ask about. Someone is bound to suggest I don't need two public IPs. Let me head that off, too.
– Asanak
Dec 14 '18 at 12:53
Welcome. Asking What's the safest and cheapest way invites opinions which are off-topic. Further, it would help if you explain what you intend to do with the VM.
– Twisty Impersonator
Dec 15 '18 at 2:55
Which part is off topic? Security in networking, or cost of networking components? I want to host a SOCKS/VPN server on the VM, with an IP that is publicly available and distinct from the IP I use for my personal internetting. That's all in the original post, and I do not see that more detail is needed to address my questions. If I am in error on this, please show me how. More detail might help others address things I'm not asking about, but that's not relevant for me.
– Asanak
Dec 16 '18 at 7:44