External IPs an such....

K9EZ
Site Admin
Posts: 2986
Joined: Wed Nov 14, 2007 3:16 pm
Location: Raleigh, NC

Post by K9EZ » Mon Jan 14, 2013 9:31 pm

Please... someone correct me... but one of the main reasons for an external IP address is so that people outside of the firewall can hit the server without having to go through hoops in the firewall. Or am I wrong??

Kent Winrich
Owner, Consultant, Floor Sweeper and Official Thread Hijacker
Broadcast and Technology Blog http://sceotech.com/blog/
Raleigh, NC

BroadcastDoc
Site Admin
Posts: 2731
Joined: Tue Nov 13, 2007 3:34 pm
Location: Milwaukee, WI

Re: External IPs an such....

Post by BroadcastDoc » Mon Jan 14, 2013 11:10 pm

The main reason for an external IP address is so that people on the public internet can find you. Whether your machine is connected directly to the internet with a public IP, or behind a router with a private IP should be inconsequential. It's all about the firewall configuration - if that isn't right, your IP address won't matter at all.

Remember: A firewall's purpose in life is to stop "bad" traffic from passing while letting "good" traffic through. If you haven't programmed it to pass the traffic you want, you're going to have a bad day. :D
Christopher "Doc" Tarr CSRE, DRB, AMD, CBNE
Help support the Virtual Engineer, use our 1&1 Affiliate link if you need good, cheap hosting.
Virtual Engineer. The Broadcast Engineering discussion forum

Deep Thought
Posts: 3178
Joined: Thu Mar 20, 2008 9:23 am
Location: La Grange, IL

Re: External IPs an such....

Post by Deep Thought » Tue Jan 15, 2013 12:17 am

Dyn.com. Formerly dyndns.org. Just about every router or firewall appliance has a built-in DDNS client for them. If you have a lot of hosts you can pony up for their Dynamic DNS Pro service for $20/yr and run up to 32 different hostnames with unlimited updates. No need for a static IP address unless you require it for a VPN.
Mark Mueller • Mueller Broadcast Design • La Grange, IL • http://www.muellerbroadcastdesign.com


Re: External IPs an such....

Post by BroadcastDoc » Tue Jan 15, 2013 9:54 am

Dyn.com is fantastic. ZoneEdit has worked well for me in the past as well. If your router doesn't handle dynamic DNS updates (though most do) there are plenty of "update" clients out there that work well.

radiowave911
Posts: 133
Joined: Wed Mar 10, 2010 5:41 pm
Location: Middletown, PA

Re: External IPs an such....

Post by radiowave911 » Tue Jan 15, 2013 5:30 pm

As someone who does networking for a large commercial manufacturing firm, this is right up my alley :)

Static, public, IP addresses serve many functions. You can hang a server off of one, however you are subjecting that server to whatever nasties happen to be on the internet. If it is a Windows server, good luck in keeping it from getting hacked.

Better is to use NAT, PAT or both, to relate that external IP address to an internal IP address. If you do a 1:1 NAT, then the external, public, IP address is related to an internal IP address. If you use one of the 'private' RFC1918 addresses (192.168.x.x and 10.x.x.x being the most commonly used ones), you cannot route traffic for those addresses over the internet, so translation (NAT is Network Address Translation, PAT is Port) is necessary, or your traffic goes nowhere fast. It is not uncommon to hear of the Linksys, Netgear, Dlink, etc. home 'routers' called a 'Plastic NAT-In-A-Box' - it has a basic firewall and does NAT - between your internal private addresses and your public IP. When you set up port forwarding, you are effectively setting up PAT - I.E. traffic coming in for port 80 goes to 192.168.1.10, traffic coming in for port 22 goes to 192.168.1.100, etc.

With our business class internet service at the school radio station I engineer, we have a block of 6 static IP addresses. All 6 are directed into the outside interface on our firewall, and are then translated to addresses inside the firewall. This allows for remote access and administration, among other things. Having the translation in place allows me to use private address space in the station while still maintaining accessibility. It also allows me to control what can connect to the internal servers and what the internal servers can connect out to.

Another function of a static IP is if you want to establish a VPN connection, either permanent or on demand. VPN goes a lot easier with a fixed, public, IP address. It can be done with dynamic addressing, but can get real ugly real quick.

For a firewall, I am partial to Smoothwall Express. It is Linux-based, has a real easy to use web GUI, has a number of vetted mods for it that enhance its functionality, and is free. There is a fork of Smoothwall called Monowall that I have heard good things about, but have never tried. All you need is a PC and a CD. Download the ISO image, burn it to CD, and install it on the PC. The configuration is determined by how many network adapters you have in the PC. I have 4, giving me 4 firewall zones, which are color-coded. Red is the internet. Orange is a DMZ, no services and is where the servers live. Purple is the audio network - the Axia lives here. Green is the internal network. By default, green is allowed to talk to red. Nobody is allowed to talk to anybody else. You have to create specific rules for that. I have rules in place for logging to a server in the Orange zone, plus the streaming servers are in Orange. There are rules to allow me to administer the Axia components via their web interfaces (green to purple), rules for time server updates, security and surveillance, etc. I use a set of spreadsheets to keep track of rules so that I can reapply them in the event the firewall crashes and burns (happened once - total drive failure). I have it running on a 1U server that used to be a security appliance. I put a 4 port 10/100/1000 copper NIC in it, which gives me a total of 6 network interfaces (4 on the card, 2 on the motherboard). I am using 3 on the card and the one on the MB.
Meddle not in the affairs of dragons, for thou art crunchy and taste good with ketchup.

http://www.wmssfm.com
http://www.sbe41.org
http://halloweenhauntings.org
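
An added example, not part of the original post and not Smoothwall's own code: a small Python model of the setup described above, with PAT port forwards on the public side and a zone policy where only green to red is open by default. The rule sheet, its ports and the function names are assumptions made for illustration; the two forward targets are the ones quoted in the post.

```python
import csv
import io
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule sheet standing in for the spreadsheets mentioned in the post.
RULES_CSV = """src_zone,dst_zone,proto,dport,note
green,purple,tcp,80,Axia web interfaces
green,orange,udp,514,logging to server in orange
orange,red,udp,123,time server updates
"""

# PAT table on the red (internet) side: (proto, public port) -> (host, port).
# Targets are the two port-forward examples given in the post.
PORT_FORWARDS = {
    ("tcp", 80): ("192.168.1.10", 80),
    ("tcp", 22): ("192.168.1.100", 22),
}

def load_rules(text):
    """Parse the sheet into a set of (src_zone, dst_zone, proto, dport)."""
    return {(r["src_zone"], r["dst_zone"], r["proto"], int(r["dport"]))
            for r in csv.DictReader(io.StringIO(text))}

def decide(rules, src_zone, dst_zone, proto, dport):
    """Zone policy: green -> red is allowed by default, everything else
    needs an explicit rule, and anything unmatched is denied."""
    if (src_zone, dst_zone) == ("green", "red"):
        return "allow"
    return "allow" if (src_zone, dst_zone, proto, dport) in rules else "deny"

def translate_inbound(proto, public_port):
    """Apply PAT to a connection arriving on the public address.
    Returns (internal_host, internal_port), or None when nothing is forwarded."""
    return PORT_FORWARDS.get((proto, public_port))

def non_rfc1918_targets():
    """Audit helper: forward targets that are not in private address space."""
    return [host for host, _ in PORT_FORWARDS.values()
            if not any(ip_address(host) in net for net in RFC1918)]

if __name__ == "__main__":
    rules = load_rules(RULES_CSV)
    for flow in [("green", "red", "tcp", 443), ("green", "purple", "tcp", 80),
                 ("purple", "green", "tcp", 80), ("red", "green", "tcp", 3389)]:
        print(flow, "->", decide(rules, *flow))
    print("tcp/80 ->", translate_inbound("tcp", 80))
    print("tcp/3389 ->", translate_inbound("tcp", 3389))
```

Keeping the rules in a parseable sheet like this also makes it possible to replay expected flows against a rebuilt firewall before putting it back in service.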


Re: External IPs an such....

Post by K9EZ » Sat Jan 19, 2013 12:42 pm

I have a Linux based (stripped down, command line) UDP media router that all clients need to be able to see, so the client puts it on an external IP as requested, but limits it to 3 IP addresses, which we could do even behind the firewall. We told them we need everyone to see and hit this box.
