I am looking for recommendations to replace a set of consumer grade (Linksys, Netgear, Belkin) routers with something that can handle more traffic while routing more than one static public IP into the same LAN address space.
We have a block of static public IPs, 5 usable, with Comcast Business. Currently four of them are in use for:
- General office access
- Web server
- Mail and DNS servers
- Download and backup web server for separate business
All systems (a mixture of physical and virtual) are in the same LAN address space (10.x.y.0/24) to enable easy access between them inside the office. There are 30 or more systems in use depending on which virtual machines are currently active. We have a mixture of Windows, Linux, FreeBSD, and Solaris.
Currently a separate consumer grade router is used for each of the four static addresses, with its WAN address set to the specific static address and a different gateway address for each:
1. uses 10.x.y.1 - various ports are forwarded to various LAN IPs on systems with gateway 10.x.y.1
2. uses 10.x.y.254 - port 80 is forwarded to a server with gateway 10.x.y.254
3. uses 10.x.y.253 - ports for mail and DNS are forwarded to a server with gateway 10.x.y.253
4. uses 10.x.y.252 - ports as needed are forwarded to a server with gateway 10.x.y.252
Only router 1 is allowed to serve DHCP, and address reservation based on the MAC is used for most of the internal "server" IP addresses so they stay at fixed values. [Some are set static due to limitations in the address reservation capabilities of router 1.]
And, yes, this really does work! But... I am looking for:
- better DHCP with more capable address reservation
- higher capacity so I don't have to periodically power cycle the routers
One obvious improvement would be to have a real DHCP server and not use a consumer grade router for that purpose.
I am torn between buying a "professional" router such as Cisco or Juniper or SonicWall versus learning to configure some spare hardware to perform this function.
The price goes up extremely rapidly with capabilities for commercial routers! Worse, some routers require licensing based on the number of clients - a disaster in our environment with so many virtual machines.
Sorry for such a long posting but I am getting tired of having to power cycle routers and deal with shifting IP addresses afterwards!
You can get a DrayTek 2950 router; it supports multiple public IP addresses amongst other features, and supports 200 VPN tunnels without purchasing extra licenses.
http://www.draytek.co.uk/products/vigor2950.html
You can search for a DrayTek dealer in your area.
DrayTek will do all port forwarding, you can connect multiple WAN connections and run them in either failover or load-balance mode, and you can assign WAN IP aliases (public IP addresses). You can even assign public static IPs to your servers and input the correct subnet and subnet mask in your router so it routes your public IP subnet too.
Hope that helps
I'd recommend pfSense or Vyatta on hardware of your choice. Depending on how large your state table is and/or how much traffic you're pushing through, you could get away with an ALIX device for ~$200 or upgrade to a 1U entry-level server from Dell, HP, or a white box etc. with a dual NIC. I'm using a Hamakua from Netgate.com ($600 USD) right now for a larger client that's pushing a lot of data with a lot of workstations (large state table) and servers, and the thing barely budges, CPU/memory-wise. Build quality is excellent; passively cooled, low power consumption.
Check out the Cisco ASAs; the 5505s are reasonable. We use both 5505s and a 5510. The 5510 is excellent for utilizing multiple public IPs, firewalling, routing, DMZ, VLANs, etc.
Any of the better routers that will run DD-WRT, OpenWRT or similar firmware should be able to handle this. I have seen reports that some of the newer routers are distributed with DD-WRT.
Or any small computer that can run Linux with two or three good Ethernet interfaces (buy and add good cards if needed).
I would run Shorewall as the firewall on either. The OpenWRT solution would require Shorewall-lite with a separate system to compile the firewall rules.
You should be considering setting up a DMZ for the Internet accessible servers.
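For the "small computer running Linux" option in the answer above, here is what consolidating the four routers onto one box looks like, written as an added example that is not from the question or any answer and uses plain nftables and dnsmasq rather than Shorewall. A single host table drives three generators: the nftables ruleset (1:1 DNAT per public address inbound, per-server SNAT outbound so each server keeps its own public address, a default-drop forward chain that opens only the listed ports), the interface setup the ruleset depends on, and the dnsmasq reservations that replace the consumer router's DHCP. Every address, MAC, interface name, the /29 block and the function names (`each_host`, `gen_nft_rules`, `gen_host_setup`, `gen_dnsmasq_conf`) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the question or any answer: one Linux router taking
# over the four consumer routers. All addresses, MACs, interface names and the
# /29 block below are constructed; the function names are my own.
# One host table drives the nftables rules, WAN address setup and dnsmasq
# reservations, so the public<->private mapping lives in exactly one place.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
LAN_GW=10.0.0.1                  # the router's own LAN address
OFFICE_IP=203.0.113.10           # general office egress (the old "router 1")
ISP_GATEWAY=203.0.113.9          # constructed; the ISP's end of the /29

# public_ip    lan_ip    tcp_ports  udp_ports(- for none)  mac               hostname
HOSTS='
203.0.113.11 10.0.0.20 80,443 -  02:00:00:00:00:20 web
203.0.113.12 10.0.0.21 25,53  53 02:00:00:00:00:21 mail
203.0.113.13 10.0.0.22 80,443 -  02:00:00:00:00:22 backup
'

# Run a callback once per host-table row with the six fields as arguments.
each_host() {
  printf '%s\n' "$HOSTS" | while read -r pub lan tcp udp mac name; do
    [ -n "$pub" ] || continue
    "$@" "$pub" "$lan" "$tcp" "$udp" "$mac" "$name"
  done
}

# --- nftables ------------------------------------------------------------
# The forward hook sees the post-DNAT (LAN) destination, so port filtering
# is expressed against the server's private address.
filter_rule() {   # $1 pub $2 lan $3 tcp $4 udp $5 mac $6 name
  printf '    # %s\n' "$6"
  printf '    iifname "%s" ip daddr %s tcp dport { %s } accept\n' "$WAN_IF" "$2" "$3"
  [ "$4" = "-" ] || printf '    iifname "%s" ip daddr %s udp dport { %s } accept\n' "$WAN_IF" "$2" "$4"
}
dnat_rule() { printf '    iifname "%s" ip daddr %s dnat to %s\n' "$WAN_IF" "$1" "$2"; }
snat_rule() { printf '    oifname "%s" ip saddr %s snat to %s\n' "$WAN_IF" "$2" "$1"; }

gen_nft_rules() {
  cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
EOF
  each_host filter_rule
  cat <<EOF
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
EOF
  each_host dnat_rule
  cat <<EOF
  }
  chain postrouting {
    type nat hook postrouting priority 100;
EOF
  each_host snat_rule            # server-specific SNAT first; NAT rules are terminal
  cat <<EOF
    oifname "$WAN_IF" ip saddr $LAN_NET snat to $OFFICE_IP
  }
}
EOF
}

# --- host setup: forwarding on, every public address bound to the WAN side
# so the router answers ARP for it (the ruleset alone does not do that).
wan_addr() { echo "ip addr add $1/29 dev $WAN_IF"; }
gen_host_setup() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "ip addr add $LAN_GW/24 dev $LAN_IF"
  wan_addr "$OFFICE_IP"
  each_host wan_addr
  echo "ip route replace default via $ISP_GATEWAY dev $WAN_IF"
}

# --- dnsmasq: one DHCP server for the LAN, reservations keyed on MAC --------
dhcp_host() { printf 'dhcp-host=%s,%s,%s\n' "$5" "$2" "$6"; }
gen_dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
dhcp-range=10.0.0.100,10.0.0.199,12h
dhcp-option=option:router,$LAN_GW
EOF
  each_host dhcp_host
}

# Usage: sh multi-ip-router.sh nft > /etc/nftables.conf && nft -f /etc/nftables.conf
case "${1:-}" in
  nft)   gen_nft_rules ;;
  setup) gen_host_setup ;;
  dhcp)  gen_dnsmasq_conf ;;
esac
```

Each server keeps one public address in both directions: inbound traffic to it is DNATed 1:1, and its outbound traffic is SNATed from that same address, which is what the separate per-router gateways achieved and what keeps, for example, the mail server's reverse DNS matching. Because the forward chain drops by default, a server is reachable from outside only on the ports in the table, so the same file that documents the mapping is the policy. It does not, on its own, give the separation the answer above asks for: the servers are still in the flat office LAN, and a DMZ still means a separate segment with its own forward rules.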
$employer used to have a similar sort of setup (except without the multiple routers - that sounds crazy to me!). We replaced them with a Cisco 1801 and haven't looked back. It took a little while to define the firewall rules, and learn the way the Cisco applies them (zone pairs and policy maps are great, but I've not come across them before), but I think the benefits of having a simple setup will pay dividends in the long run.