Old Feb 23, 2012, 11:51 AM   #1
matt-w
macrumors newbie
 
Join Date: Jul 2010
Airport Extreme and Static IP

Alright, so this morning I had a new internet connection installed with a block of 5 IPs. I am trying to configure a couple of devices with static IPs from the block, but the rest would share a single IP with NAT. Can I accomplish this within the router, or do I need to get another router?

Also, I have an OS X server. Can I add another Ethernet interface so I can communicate both within my local network and externally?
Old Feb 23, 2012, 12:16 PM   #2
thankins
macrumors 6502
 
Join Date: Oct 2007
Quote:
Originally Posted by matt-w
Alright, so this morning I had a new internet connection installed with a block of 5 IPs. I am trying to configure a couple of devices with static IPs from the block, but the rest would share a single IP with NAT. Can I accomplish this within the router, or do I need to get another router?

Also, I have an OS X server. Can I add another Ethernet interface so I can communicate both within my local network and externally?

No, you can't, and it's not the safest method either. Your ISP modem is the gateway; let's say, for example, 171.122.1.122.

Your 5 IPs are usually below that, so they would be 171.122.1.116-121.

You configure your router with one of those IPs, and then all your machines are on an internal LAN subnet (192.168.1.X).

You configure your router with the static IP and then add ports to pass through the services you need.

Don't give one of your machines a static and then plug it into the ISP modem. That is asking for trouble.

No one needs 5 static IPs unless they are running multiple mail servers on different domains. Also, I'm not sure why you think that your local machines need a static IP.
Old Feb 23, 2012, 01:25 PM   #3
matt-w
Thread Starter
macrumors newbie
 
Join Date: Jul 2010
Quote:
Originally Posted by thankins
No, you can't, and it's not the safest method either. Your ISP modem is the gateway; let's say, for example, 171.122.1.122.

Your 5 IPs are usually below that, so they would be 171.122.1.116-121.

You configure your router with one of those IPs, and then all your machines are on an internal LAN subnet (192.168.1.X).

You configure your router with the static IP and then add ports to pass through the services you need.

Don't give one of your machines a static and then plug it into the ISP modem. That is asking for trouble.

No one needs 5 static IPs unless they are running multiple mail servers on different domains. Also, I'm not sure why you think that your local machines need a static IP.

Yes, I'm aware of it; however, I am used to Cisco equipment that can do static NAT assignments, which is why I was asking. The main reason I am assigning local devices a static is so that I can assign my various DVRs for security cameras, an OS X server, and a security system, all 4 of which use TCP port 80, so I cannot forward the port and still allow all devices to work externally. This is a small business and I don't have the budget to change it all out. I am thinking of a small router set as a bridge, and then using the Airport as a secondary network off of it, so it would go Modem > Router1 > Airport Extreme.

Any other thoughts?
Old Feb 23, 2012, 05:48 PM   #4
belvdr
macrumors 68040
 
Join Date: Aug 2005
Quote:
Originally Posted by thankins
No, you can't, and it's not the safest method either. Your ISP modem is the gateway; let's say, for example, 171.122.1.122.

Your 5 IPs are usually below that, so they would be 171.122.1.116-121.

You configure your router with one of those IPs, and then all your machines are on an internal LAN subnet (192.168.1.X).

You configure your router with the static IP and then add ports to pass through the services you need.

Don't give one of your machines a static and then plug it into the ISP modem. That is asking for trouble.

No one needs 5 static IPs unless they are running multiple mail servers on different domains. Also, I'm not sure why you think that your local machines need a static IP.

Not necessarily. Cable modems are nothing more than a bridge and do no routing.

I can think of many uses of a block of IPs that don't require mail services.

Quote:
Originally Posted by matt-w
Yes, I'm aware of it; however, I am used to Cisco equipment that can do static NAT assignments, which is why I was asking. The main reason I am assigning local devices a static is so that I can assign my various DVRs for security cameras, an OS X server, and a security system, all 4 of which use TCP port 80, so I cannot forward the port and still allow all devices to work externally. This is a small business and I don't have the budget to change it all out. I am thinking of a small router set as a bridge, and then using the Airport as a secondary network off of it, so it would go Modem > Router1 > Airport Extreme.

Any other thoughts?

There are a few ways to do it:
  1. ARP the additional IPs on the firewall so all IPs come back to it.
  2. Have the ISP add a static route pointing at your firewall. Since you are paying for static IPs, I'm guessing they would work with you on this.

I'm not sure the AEBS would like either of those options, but a Cisco ASA or Check Point firewall would be okay with it. A Cisco ASA 5505 can be purchased for about $1,000. You can even get them with SSL VPN licenses so you don't need to manage a VPN client.

The third option is to use a different outside port for each of those services:

A. Port 8080 for DVR A
B. Port 8081 for DVR B
C. Port 80 for your web site (assuming this is sitting on the OS X server)
... and so forth.

Either way, it would be preferable to have all devices behind a firewall that can detect malicious traffic, especially for a business. Exposing your security DVRs is quite a risk to take, as most security camera systems are not that hardened.

A fairly simple solution would be to put a firewall in and have the users who need access to restricted services connect via VPN.
Old Feb 27, 2012, 06:54 PM   #5
matt-w
Thread Starter
macrumors newbie
 
Join Date: Jul 2010
Quote:
Originally Posted by belvdr
Not necessarily. Cable modems are nothing more than a bridge and do no routing.

I can think of many uses of a block of IPs that don't require mail services.



There are a few ways to do it:
  1. ARP the additional IPs on the firewall so all IPs come back to it.
  2. Have the ISP add a static route pointing at your firewall. Since you are paying for static IPs, I'm guessing they would work with you on this.

I'm not sure the AEBS would like either of those options, but a Cisco ASA or Check Point firewall would be okay with it. A Cisco ASA 5505 can be purchased for about $1,000. You can even get them with SSL VPN licenses so you don't need to manage a VPN client.

The third option is to use a different outside port for each of those services:

A. Port 8080 for DVR A
B. Port 8081 for DVR B
C. Port 80 for your web site (assuming this is sitting on the OS X server)
... and so forth.

Either way, it would be preferable to have all devices behind a firewall that can detect malicious traffic, especially for a business. Exposing your security DVRs is quite a risk to take, as most security camera systems are not that hardened.

A fairly simple solution would be to put a firewall in and have the users who need access to restricted services connect via VPN.

I agree it's good to have everything protected behind a firewall of some kind. The problem with port forwarding is that the DVR and the web server all use port 80 for a web page to display, so I have to have the separate IPs (think of it like 3 separate web servers).

I have a PIX 501 sitting in my basement that I didn't think about, but I will take that to the site and use it, even though I know I can't use the VPN on it for IOS devices, which sucks, but it's not a big deal.

Thanks for all the responses. You all are always a great help!!
Old Feb 27, 2012, 08:32 PM   #6
jackrv
macrumors 6502
 
Join Date: Jul 2011
I've always been more of a fan of port forwarding than static 1-to-1 NAT. Static NAT basically eats up the entire port range for an IP to one internal server. By using port forwarding, you can, on a single IP, send requests to port 80/443 to a web server, port 25 to a mail server, 1494 for Citrix, etc. You can make 5 static IPs cover many more services than 5 servers alone.

We do a similar thing at my work. We replaced a T1 with a /28 subnet (14 IPs) with multiple consumer services with static IP ranges (Cable, FiOS, and a cellular service) for redundancy. On each, we have 5 static IPs (except for cellular, which is only for communication backup), and we can serve all of our public servers (9 total) with those 5 IPs and port NATing.

And I agree with the above posters as well. 1-to-1 NAT and assigning public IPs to servers both, in a way, create a DMZ (or in the case of 1-to-1, what my old boss called a service net). 1-to-1 NATing is even worse since those servers are internal to your network. The burden then falls on you to secure all unnecessary ports via locking down the server and/or via the firewall. Port forwarding only exposes specific ports that you specify.
__________________
2010 iMac 27" i5 16Gb - iPhone 3GS - Samsung Galaxy Nexus (don't hate!) Airport Extreme Base Station Airport Express

Last edited by jackrv; Feb 27, 2012 at 08:47 PM.
jackrv is offline   0 Reply With Quote
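
The trade-off discussed in posts #4 and #6 (static 1-to-1 NAT versus per-port forwarding on distinct outside ports), worked through as an added example that was not posted by anyone in the thread. The host inventory, the 203.0.113.x documentation addresses, and the names `LISTENING`, `exposed`, `ONE_TO_ONE`, `PORT_FORWARD` and `WEB_ONLY_ACL` are all assumptions made for illustration.

```python
# Added illustration; every address, port and rule below is constructed.
# LISTENING: internal host -> TCP ports it answers on (assumed inventory).
LISTENING = {
    "192.168.1.10": {23, 80, 554},       # DVR A: telnet, web UI, RTSP
    "192.168.1.11": {23, 80, 554},       # DVR B
    "192.168.1.20": {22, 80, 443, 548},  # OS X server: SSH, web, AFP
}

def exposed(rules, acl=None):
    """Return (surface, clashes) for a NAT plan.

    rules: (public_ip, public_port, internal_ip, internal_port) tuples;
           public_port None means static 1-to-1 NAT for that address.
    acl:   set of (public_ip, port) permitted inbound; None = no filtering.
    """
    surface, clashes = {}, []
    for pub_ip, pub_port, int_ip, int_port in rules:
        if pub_port is None:
            # 1-to-1 NAT: every listening port is reachable on the same number.
            pairs = [(p, p) for p in sorted(LISTENING[int_ip])]
        elif int_port in LISTENING[int_ip]:
            pairs = [(pub_port, int_port)]
        else:
            pairs = []  # the forward points at a closed port
        for outside, inside in pairs:
            key = (pub_ip, outside)
            if acl is not None and key not in acl:
                continue  # dropped by the firewall ACL
            if key in surface:
                clashes.append(key)  # two rules claim the same outside port
            else:
                surface[key] = (int_ip, inside)
    return surface, clashes

ONE_TO_ONE = [("203.0.113.2", None, "192.168.1.10", None),
              ("203.0.113.3", None, "192.168.1.11", None),
              ("203.0.113.4", None, "192.168.1.20", None)]
PORT_FORWARD = [("203.0.113.2", 8080, "192.168.1.10", 80),
                ("203.0.113.2", 8081, "192.168.1.11", 80),
                ("203.0.113.2", 80, "192.168.1.20", 80)]
WEB_ONLY_ACL = {(ip, 80) for ip, *_ in ONE_TO_ONE}

if __name__ == "__main__":
    plans = [("1-to-1, no ACL", ONE_TO_ONE, None),
             ("1-to-1 + port 80 ACL", ONE_TO_ONE, WEB_ONLY_ACL),
             ("port forward", PORT_FORWARD, None)]
    for name, plan, acl in plans:
        surface, clashes = exposed(plan, acl)
        print(f"{name}: {len(surface)} reachable ports, clashes={clashes}")
```

With this inventory, unfiltered 1-to-1 NAT makes the management ports reachable alongside the web UIs, while the ACL-restricted and port-forward plans each leave only the three intended web endpoints.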