On Sunday, 24 February 2019 16:00:39 ACDT Marc Chamberlin wrote:
[...] I know that with YaST I can assign all these new static IP addresses to the NIC card that I use to connect me to the fiber optics cable, what I don't know/understand is how to connect/route/forward (whatever the terminology is) these static IP addresses and assign them to different computers on my network, while at the same time maintaining the topology of my private LAN. Do I need separate cabling or can I do this over my existing cables? Without getting Martian errors? Can I assign both an internal DHCP assigned IP address and one of these static IP addresses to the same NIC card? And can any and all port connection requests, made on one of these static IP addresses, be routed to the appropriate "internal" machine by default? (yeah I will run a firewall on it also since it will become directly exposed to the internet if this is possible.)
This is new territory for me, never had to do anything like this before! So appreciate any and all kind words of advice... Marc...
(whose mission is - ...To boldly go where no Marc has gone before!...)
Putting my network hat back on (I usually leave it at work, unless I'm on call), the way I would approach this is to use the firewall in transparent mode, connect the "inside" (trusted) ethernet NIC to an ethernet switch and plug each host into the switch. Configure the public IP addresses directly on each host, and make sure you have the appropriate firewall rules set up to ONLY allow incoming traffic to each host that you want to be publicly accessible, on the appropriate (desired) ports, and drop all other incoming traffic.

You'll need a management address on the inside interface of your firewall, but it does not even need to have an IP address assigned to its outside interface. If it does, it definitely should not accept connections to its own IP address on the outside interface. If you need to manage it remotely, connect to a host inside your network using an encrypted connection and then connect back to the firewall's inside connection.

You could use a L2 switch on the inside network, since all hosts are in the same subnet, and all will have the same default gateway (provided by your ISP) - the inside address of your firewall will also be in the same subnet. Of course, you *could* use a L3 switch, and create a separate routed subnet for the non-publicly accessible hosts within your network, but that would be more work (and L3 switches are more expensive than L2 switches).

Regards,
Rodney.

-- 
==============================================================
Rodney Baker VK5ZTV rodney.baker@iinet.net.au
CCNA #CSCO12880208
==============================================================
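As an added illustration of the transparent-firewall layout Rodney describes (this is not code from the thread or from either poster), the script below generates an nftables ruleset for a Linux bridge sitting between the ISP link and the inside switch: inbound flows from the outside are accepted only when pinned to a listed public address and TCP port, everything else is dropped by policy, and the firewall's own management address answers only on the inside port. The interface names `eth0`/`eth1`, the management address and the `203.0.113.x` public addresses are constructed placeholders, as is the allowlist.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for a
# Linux bridge ("transparent") firewall. WAN and LAN are assumed names of the
# outside and inside bridge ports; MGMT is an assumed management address on
# the inside; the 203.0.113.x public addresses are constructed placeholders.

WAN=eth0
LAN=eth1
MGMT=203.0.113.2

# Allowlist, one "public_ip tcp_port" pair per line (constructed sample).
# Any new inbound flow from the outside that is not listed here is dropped.
ALLOW='203.0.113.10 443
203.0.113.10 22
203.0.113.11 25'

# Emit the ruleset on stdout; apply on the firewall with: gen_ruleset | nft -f -
gen_ruleset() {
  cat <<EOF
table bridge filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to sessions opened from the inside
    ct state established,related accept
    # anything the inside hosts send out
    iifname "$LAN" accept
EOF
  # one pinned accept per allowlisted host/port
  printf '%s\n' "$ALLOW" | while read -r ip port; do
    [ -n "$ip" ] || continue
    printf '    iifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
      "$WAN" "$ip" "$port"
  done
  cat <<EOF
    # every other new flow from the outside falls through to policy drop
  }
  chain input {
    # traffic addressed to the firewall itself: management from inside only
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN" ip daddr $MGMT tcp dport 22 accept
    iifname "$WAN" drop
  }
}
EOF
}

# Number of pinned inbound accepts (should equal the number of allowlist lines).
count_inbound_accepts() {
  gen_ruleset | grep -c "iifname \"$WAN\" .* ct state new accept"
}

# Return 1 if any accept for traffic arriving on $WAN is not pinned to one
# public address and one TCP port, i.e. a rule that would expose every host.
lint_ruleset() {
  if gen_ruleset | grep "iifname \"$WAN\"" | grep accept \
      | grep -qv 'ip daddr [0-9.]* tcp dport [0-9]* ct state new accept'; then
    return 1
  fi
  return 0
}

gen_ruleset
```

Connection tracking in the `bridge` family needs a kernel with `nf_conntrack_bridge` (5.3 or later); on older kernels the same rules can be written in the `inet` family with `br_netfilter` loaded. The `lint_ruleset` check is there so that a later edit to the allowlist cannot quietly turn into a blanket accept from the outside port.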