FIOS multi-ip router
May 5, 2006 12:56 PM
Our company is moving and getting Verizon FIOS with 5 IPs. They said all 5 IPs are coming in on one ethernet cable. How does this work? Bonus question: What's the best router to handle this job?
I'm the whole IT dept for my company, and we have 15ish computers in a small switched LAN with a Windows 2000 server running some internal apps. We ordered the FIOS with 5 IP addresses, and I'm confused as to what protocol those IP addresses come in as, and how the data is split between them. The Verizon tech told me it comes in as one ethernet cable, but couldn't really provide further info.
As for the second question, what is the best router to get to handle all this? Verizon is offering an Adtran NetVantage 1224R (managed layer 2 switch) or 2054, but I'm wondering if a different vendor, or possibly a software solution (Linux/iptables or something with a nice GUI like Smoothwall) would be a better choice.
I have pretty advanced computer hacking skills (so much so that I'm almost embarrassed asking this) so feel free to use acronyms and such. Thanks for your help, hivemind!
The protocol they're coming in on is plain old TCP/IP over Ethernet. The internet would simply not work if you needed one cable for every single IP you wanted to address. Any normal router (i.e., a real router, not a "home gateway" linksys box) or Linux box will work just fine. If you have a spare computer for Linux, it'd certainly be the most cost effective. All you'd need is a second NIC. With a few extra 'route' commands, and iptables for firewalling, you'd be in business. I guess Smoothwall does that stuff automatically.
posted by zsazsa at 1:07 PM on May 5, 2006
Er, well, a cheapo Linksys box (one of the ones that run Linux) would actually work, if you flashed it with OpenWRT. It'd actually be more durable than some old computer with moving parts.
posted by zsazsa at 1:09 PM on May 5, 2006
I'll address the "how is it split between them" question.
The answer is, "however you set up the software on your end." Packets don't come in to random addresses, they come in to whatever address was used to initiate the connection. It depends entirely on how the application is configured. If you set up a web server you can have it bind to one, all, or some IP addresses. The incoming traffic will depend on whatever address or addresses you advertise in DNS.
The same is true of client applications like web browsers. Whatever IP address you tell them to bind to, that's which one the traffic will be on. Most people don't configure client apps this way, and so in that case it will depend on which one you've designated as the default route in your PC's TCP/IP routing table.
There is zero uncertainty there, it is completely controlled by how you set things up. You can use one or all addresses, to the connection it's irrelevant -- it just moves packets.
posted by Rhomboid at 1:58 PM on May 5, 2006
I guess I'm confused as to how to route the data from the internal LAN to one/many of the IP addresses. Currently we have just a DSL, and I'm locked out of the router, as the IT guy before me screwed up the configuration to the tune of a $300 repair bill (ridiculous, I know). I'm hoping to have one IP hardcore firewalled for all the net access for most of the computers, one for webserving attached to our domain, and the other ones, who knows.
posted by Mach5 at 2:11 PM on May 5, 2006
You'll be using something called Network Address Translation.
I would actually recommend a consumer product here -- you certainly can use a crappy linksys right out of the box -- it's not going to be the most flexible thing in the world, but it'll make it easy for you to set up a LAN and they usually have a DMZ Server feature -- you can just point that to your services that'll be going to the outside world (if they're all on one box), and then software firewall that machine.
Now, this certainly isn't the *ideal* setup (far from it), but for the amount of money your company sounds like it wants to spend on infrastructure, it might work out for you.
posted by fishfucker at 2:49 PM on May 5, 2006
First off - the short answer to the five IPs on one cable is that every packet is tagged with the source and destination IP address. A computer connected to that line can judge what packets belong to it based on the IP in the packet.
You have two choices for making use of your IPs. You can attach a single router to the line from Verizon, assigning all five IPs to it. That router would handle all the packet filtering, security, Internet access, and the like. The downside is that your router configuration becomes very elaborate, which is bad for both security and reliability.
I'd suggest, for the configuration you want, that you take the other route - use a network switch as a sort of "IP breakout box". (This doesn't have to be Verizon's managed switch - any one will do. I like HP Procurve myself.) Plug the line coming from Verizon into your switch, then plug other devices into the other switch ports and configure each with one of your five IPs. The switch will take care of passing out the packets to the right computers. I envision a setup like this:
- 10.0.0.2 Office firewall
- 10.0.0.3 Web server
- 10.0.0.4 Mail server
etc.
The best thing with this setup is that you can set up your hardcore firewall on your office gateway, without having to figure out how to make secure holes for your web/mail/etc. servers. You can offer public services from the other addresses (potentially protecting them with their own firewalls) without worrying about accidentally blocking those services out when you change the office around. You can also sleep easier at night, since if someone breaks into your Web server, they can't easily use it as a springboard to attack the rest of your LAN.
To think of this in standard firewalling terms, think of your 5-IP block as a DMZ, with your office firewall as the inner router of the DMZ. The only difference is that your outer router is provided by Verizon and as such doesn't give you any security for your publicly-exposed hosts.
Hope that's clear - if you have specific questions please cc my profile e-mail.
posted by pocams at 3:02 PM on May 5, 2006
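As an added illustration of pocams' point that every packet carries its own source and destination address, here is a small IPv4 header parser (example code written for this page, not from anyone in the thread) that verifies the header checksum and hands each packet to whichever host on the breakout switch owns its destination address. The address table is constructed to match the sketch above; packets that are malformed or addressed outside the block are dropped.

```python
import ipaddress
import struct
from typing import Optional

# Constructed example: the five-address block handed over on one Ethernet
# cable, assigned as in the sketch above (addresses are illustrative).
IP_ASSIGNMENT = {
    "10.0.0.2": "office-firewall",
    "10.0.0.3": "web-server",
    "10.0.0.4": "mail-server",
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) for the demo."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)  # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Parse the header; raise ValueError on a malformed packet or bad checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    # A valid header (checksum field included) sums to all ones, so ~sum == 0.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length inconsistent with packet")
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
        "payload": packet[ihl:total_len],
    }

def owner_of(packet: bytes) -> Optional[str]:
    """Which host on the breakout switch should accept this packet, if any?"""
    try:
        hdr = parse_ipv4(packet)
    except ValueError:
        return None  # malformed: nobody should process it
    return IP_ASSIGNMENT.get(hdr["dst"])  # None: not one of our five addresses
```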
My problem was, I've built and administrated networks before (3 computers at home, my whole fraternity house, my uncle's business, my current work) but they were never more complicated than internets -> router/firewall -> computers. If anyone has any more recommendations other than a hacked Linksys that'd be great. Anyone have any experience with Adtran gear?
posted by Mach5 at 3:15 PM on May 5, 2006
Check out these step-by-step directions. They're for the Linksys WRT54G flashed with a Linux firmware.
posted by exhilaration at 7:50 PM on May 5, 2006
mach5, the main advantages of low end commercial products like the Adtran router you've been offered, and various Cisco products of the same type are:
- They may have faster internal processors and more memory than SOHO units, which helps maintain throughput when many NAT connections are being maintained through sets of complicated firewall rules. If you had 100 client machines, and were trying to run servers for DNS, IRC, mail, Web, and ftp in a DMZ zone behind a firewall maintained by your router, while also providing telecommuters VPN access to the corporate network, and blocking porn sites to internal network users, this kind of machine could be needed. But you might also do these kinds of things with a front end network of separate routers and firewall machines, for more granularity and ease of administration. Depends on your needs, and preferences.
- They may support more types of WAN interface than low end SOHO routers, and provide internal error logging for service level agreement management. Important if you will be getting a backup link, or have any plans for multi-homing your service (BGP routing or similar failover), which is important if you really do plan to run business class Web servers yourself.
- They may support various local management interfaces, which allow you to increase security, by restricting management and configuration to only locally attached management terminals.
- They may support stateful packet inspection types of firewalls, or advanced security services such as content filters, logging to external NAS or management stations, time of day service management, RADIUS authentication, VPN tunnels to remote branch office sites and traveling personnel, etc. Some of these features (like VPN) are fairly processor intensive, and/or require more licensed software to be part of the package, at greater cost.
Realistically, you are going to need help in quickly coming up with an effective network design, and setting up your router for proper security. Recognize this, and get someone local you can pay to help you with this, and who will explain/document what was done, so that you aren't left in the lurch when someone hacks you. Find out how to back up and restore your router configurations via tftp, and how to find, download and apply vendor security updates and OS upgrades for your router, before your rent-a-guru leaves your premises.
Put your router and any vendor network interface equipment on a good online UPS of its own, of sufficient capacity to hold their loads up for at least 30 minutes. These days, routers and network interfaces restart reliably and fairly quickly, but you have better security and far fewer operational problems if they don't have to do so frequently.
posted by paulsc at 12:05 AM on May 6, 2006
Couple of other points I should have mentioned regarding network protection alternatives:
Personally, I prefer to let routers route, and do security/policy administration functions in dedicated appliances, generally behind the routers. The reason for this preference is simply that routers have limited amounts of memory, and should have simple, robust operating systems, so that they are bullet proof. Security and policy administration appliances are increasingly disk based devices, which need to do some fairly sophisticated processing and logging, even for relatively simple businesses.
Just providing the necessary filtering to support centralized Internet access services in a way that avoids creating a hostile workplace for sexual harassment issues is increasingly tough, and usually mandates a fairly powerful disk based box dedicated to the security and policy enforcement jobs. Most companies outsource this to third party companies that provide automatically updated whitelists and netblock functions for their security appliances, on an annual subscription basis. The cost of a few hundred dollars a year for such subscriptions is much less than a single harassment lawsuit response, and is a pretty standard solution.
In the same way, even corporate networks without much in the way of internal servers, or public servers in DMZ situations need anti-virus services, and will want the acceleration and convenience of having their own local network DNS service, perhaps a squid cache, and basic functions such as locally referenced net time, as these kinds of things make much more efficient use of shared bandwidth. Again, these are typical "add on" services for dedicated security and policy administration appliances for small business networks, as you describe.
A lot of companies make such boxes, and unless you are very experienced and willing to put in some work regularly yourself in analyzing traffic and keeping filters up to date in any "roll your own" solution you could build from freeware packages based on Linux or *BSD clones, you'd be far better off with a commercially supported solution.
posted by paulsc at 12:44 AM on May 6, 2006
Echoing pocams, you just need a dumb ethernet hub/switch. Plug five things into it (servers or NAT routers). Give each one one of your IP addresses and the packets will be routed to the right one automatically.
posted by cillit bang at 8:20 AM on May 6, 2006
fantastic answer paulsc.
posted by fishfucker at 6:27 PM on May 6, 2006
posted by deadmessenger at 1:06 PM on May 5, 2006