I am wondering if it would be safe to set up my network with a single switch running both internal and external interfaces.
Currently I have a 255.255.255.240 block of IPs from the ISP and a 10.10.10.0/24 private network running from the router. The router has one WAN port and is set up with one of the external IPs as a static IP. All computers are currently off of the private network. The switch being used is a NETGEAR JGS516.
Basically the current setup is like this:
Computers ---- Switch ---- Router ---- ISP's Switch
What I would like to do is this (basically plugging both the WAN and LAN port of the router into the switch):
                 Router
                  /  \
Computers ---- Switch ---- ISP's Switch
I have tried doing this and it seems to work. I can assign both public and private IPs to computers and they both function.
The reason I am wanting to make this change is so computers that are behind the switch can be assigned public IPs. I want some of them to only have public IPs, some only private IPs, and some to be assigned both private and public IPs using the single NIC in the computer.
What I want to know is:
What would be any downsides to this setup?
Would this compromise security on the network?
Could machines access computers that only have a private IP assigned to them?
Anything else I should know?
Congratulations. You've effectively eliminated any security your router was providing for your internal network.
What you need to do is to put things back as they were and set up NAT on your router to NAT the appropriate public IP address to the appropriate private IP address.
Security. The machines to which you have assigned public IPs are now completely exposed to the Interwebs.
Yes. If your public machines get hacked you'll soon find you have problems on your not-so-private LAN.
I assume you mean from the public network? No, they wouldn't be routable directly. But see above.
Yes, go back to the original method. If it's a Cisco or HP variant you would set up NAT rules to map public IPs through to the internal servers, and then add specific access list controls to lock down the ports that are open, and control source networks if necessary.
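The design this answer recommends (keep the router between the switch and the ISP, map each public IP to one internal server with NAT, and allow only the ports that server needs), as an added example that is not from the answer's author and that uses Linux nftables in place of the Cisco/HP syntax. The 203.0.113.16/28 block stands in for the asker's /28, the interface names eth0/eth1 and the host-to-port table are constructed assumptions; the 10.10.10.0/24 network is the one from the question. The script generates the ruleset as text so it can be reviewed before it is loaded with `nft -f`.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a Linux router that does
# 1:1 NAT from a public /28 to hosts on 10.10.10.0/24 and forwards only the
# ports listed per host. Interface names, the 203.0.113.16/28 block and the
# mapping table below are constructed assumptions for the example.

WAN_IF="${WAN_IF:-eth0}"   # assumed: port towards the ISP's switch
LAN_IF="${LAN_IF:-eth1}"   # assumed: port towards the internal switch
LAN_NET="10.10.10.0/24"

# Constructed mapping: public_ip private_ip allowed_tcp_ports (comma-separated)
MAPPINGS='203.0.113.18 10.10.10.10 80,443
203.0.113.19 10.10.10.20 22'

# Emit a complete nft ruleset for the mapping table passed in $1.
gen_ruleset() {
    printf 'table ip router {\n'

    # Inbound: rewrite public -> private, but only for the allowed ports.
    printf '  chain prerouting {\n    type nat hook prerouting priority dstnat; policy accept;\n'
    echo "$1" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        printf '    iif "%s" ip daddr %s tcp dport { %s } dnat to %s\n' "$WAN_IF" "$pub" "$ports" "$priv"
    done
    printf '  }\n'

    # Outbound: each mapped host leaves with its own public IP, the rest of
    # the LAN shares the router's address.
    printf '  chain postrouting {\n    type nat hook postrouting priority srcnat; policy accept;\n'
    echo "$1" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        printf '    oif "%s" ip saddr %s snat to %s\n' "$WAN_IF" "$priv" "$pub"
    done
    printf '    oif "%s" ip saddr %s masquerade\n' "$WAN_IF" "$LAN_NET"
    printf '  }\n'

    # Forward filter: default drop. Replies and LAN-originated traffic pass;
    # new inbound connections pass only to the DNATed host/port pairs
    # (the forward hook sees the already-translated private address).
    printf '  chain forward {\n    type filter hook forward priority filter; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    iif "%s" oif "%s" accept\n' "$LAN_IF" "$WAN_IF"
    echo "$1" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        printf '    iif "%s" oif "%s" ip daddr %s tcp dport { %s } ct state new accept\n' \
            "$WAN_IF" "$LAN_IF" "$priv" "$ports"
    done
    printf '  }\n}\n'
}

# Self-check before loading: one DNAT rule per mapped host is expected.
count_dnat() { gen_ruleset "$1" | grep -c 'dnat to'; }

# Usage: gen_ruleset "$MAPPINGS" > /etc/nftables.d/router.nft
#        nft -c -f /etc/nftables.d/router.nft   # syntax check, then load without -c
gen_ruleset "$MAPPINGS"
```

The forward chain is what the answer's "access list controls" map to: nothing reaches an internal host unless a DNAT rule exists for that exact port, and hosts without a public mapping are never reachable from the WAN side at all. Restricting source networks, as the answer suggests, is a matter of adding an `ip saddr` match to the relevant DNAT and forward lines.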
It just means you can't also use the router as a firewall and you can't isolate machines that connect only to the public network from machines that connect only to the private network. Most typical home networks don't do either of these things anyway. So if you're building the typical home network, it won't make any difference.