
how to use a block of public IP addresses

I need a little help understanding a network/internet configuration...

Over a decade ago our company set up a DSL connection with a certain Australian telco. At the same time, we purchased a block of IPv4 addresses (e.g. 203.190.xxx.yyy/27) from the same telco for use by public facing servers and services.

We have a Juniper firewall which has 4 ethernet ports for various zones.
Currently it is configured in such a way that port 1 is unused, port 2 is an "Untrusted" zone (the DSL connection with a static IP), port 3 is a "DMZ" zone (TCP/UDP restricted public IPv4 addresses) and lastly port 4 is the "Trusted" zone which is our internal IP range (192.168.0.0/24).

Obviously all traffic for the restricted public IPv4 addresses is via the DSL connection and is controlled by rules in the Juniper, but is this limited to the DSL connection with this telco?

Because I just installed a basic Fibre connection with a different telco and it has significantly better up/down speeds and more data... If I use the free port (#1) on the Juniper as another "Untrusted" zone, can I have the "DMZ" and "Trusted" traffic run through the fibre instead of the DSL? Even though the public IPv4 addresses in the "DMZ" zone are provided by another ISP?

Fred Marshall, Principal (Bronze Expert) commented:
I'm not completely sure what your "problem" is but I can explain how I'm doing it.  Perhaps this will spur further discussion that will be more helpful to you.

First, I'm not sure what you intend to use all those public addresses for and it's not clear how many public addresses come on the Fibre connection.

So, here is what I'd do:

Set up a switch that I will call the "Internet Switch".  
Connect both of the ISP connections to this switch.  Or, alternately, for reasons that are beyond me right now, use two such switches: one for each ISP.  If the Fibre ISP connection has but one public IP address then you don't need a switch here.

Then, connect each device that will have a public IP address to the switch and assign them their respective public addresses.  

Firewalls, etc. can all be behind the public addresses.

But, yes, you could set up the Juniper with another Untrust Zone.
Presumably you have:
- a public IP assigned to Port 2 Untrust.
- a private LAN assigned to Port 4 Trust
- a public IP assigned to Port 3 which must also be a type of Untrust zone?
(so it appears there MUST BE a switch or a multiport router out front because somehow you have to present the public addresses to the ISP).
Now you want to add:
- a public IP assigned to Port 1 Untrust2.
So it appears that you are making use of but 2 of the "block" of addresses you get from the ADSL ISP.

I see no reason why all of this would not be reasonable but it raises all sorts of questions about what you do beyond that.

The source of the public IP addresses should not matter.  That's why I would probably let them all run through the same switch.  But I've not done exactly this and there may be reasons why the connections should be separated.  But just running the Fibre connection public IP address on Port #1 should be fine.  You will have a task in setting up the policies and routing of course.
IT Business Systems Analyst / Software Developer (Silver Expert, Top Expert 2015) commented:
Basically no, you can't do what you want. The block of IP addresses that you bought from the telco provider are managed by that provider and the routing rules out in the internet only know how to route packets to your block of IP addresses by going via the telco you bought them off.

Another way to think about it... If someone on the other side of the world wants to connect to your server at 203.190.1.1, how does their initial connection request packet get routed? There are already rules out there in the internet that, for example, route all packets for 203.xxx.yyy.zzz to your original telco, and then the routing rules at that telco know to route all 203.109.yyy.zzz addresses to your DSL connection. There is nothing you can do, with the local configuration of routers at least, that could change that fundamental way that the internet will route its packets.
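The two-stage lookup described above (the internet forwards to the announcing telco, the telco forwards to the customer link), as an added illustration that is not part of the thread. All prefixes, provider and link names are constructed placeholders for the redacted 203.190.x.y/27, 165.x.y.z and 180.x.y.z addresses, and the BCP38-style source check at the provider edge is an assumed provider policy, shown because it is the second reason the asker's plan fails: replies sent from a 203.190 address over the fibre link are not just unreachable inbound, they are typically dropped outbound too.

```python
import ipaddress

# Constructed BGP-style view of the internet: announced prefix -> the
# provider that originates it. Placeholders, not the asker's real allocations.
INTERNET_ROUTES = {
    "203.190.0.0/16": "dsl_telco",    # covering aggregate announced by the DSL telco
    "165.0.0.0/12":   "dsl_telco",    # block holding the DSL link's static address
    "180.0.0.0/12":   "fibre_telco",  # block holding the fibre link's public address
}

# Inside each provider: which customer link a more specific prefix is delivered to.
# The asker's /27 exists only as a static route in the DSL telco's network.
PROVIDER_CUSTOMER_ROUTES = {
    "dsl_telco":   {"203.190.64.0/27": "asker_dsl_link"},
    "fibre_telco": {"180.10.20.0/30":  "asker_fibre_link"},
}


def longest_prefix_match(dst, table):
    """Return (prefix, next_hop) of the most specific prefix covering dst, else (None, None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else (None, None)


def inbound_path(dst):
    """Trace a packet from the far side of the internet: first the provider that
    announces the covering block, then the customer link inside that provider.
    Nothing the customer configures locally participates in either lookup."""
    _, provider = longest_prefix_match(dst, INTERNET_ROUTES)
    if provider is None:
        return None
    _, link = longest_prefix_match(dst, PROVIDER_CUSTOMER_ROUTES[provider])
    return (provider, link)


def outbound_accepted(src, link):
    """Assumed BCP38-style ingress filter at the provider edge: a packet arriving
    from a customer link is accepted only if its source address lies in a prefix
    that provider routes back down that same link. A firewall can still emit a
    203.190.x.y-sourced packet over the fibre link; this check is why it is dropped."""
    for routes in PROVIDER_CUSTOMER_ROUTES.values():
        _, hop = longest_prefix_match(src, routes)
        if hop == link:
            return True
    return False
```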
Fred Marshall, Principal (Bronze Expert) commented:
How you use your public IP addresses is up to you.  How the internet routes them is immaterial.
Dave Baldwin, Fixer of Problems (Silver Expert, Most Valuable Expert 2014) commented:
No, it's not. IP addresses are owned by the ISPs. You cannot get traffic for a given IP address over a network owned by a different ISP. While you can do what you want on your servers, the traffic will only come from the ISP that owns the IP addresses.
Fred Marshall, Principal (Bronze Expert) commented:
I agree with Dave Baldwin. But I don't see anything that conflicts with it in how it might be set up. That is, as much as we know so far about how it might be set up. What I mean is this: you can't set up a device with a public IP address and then NOT connect it to anything but the ISP that assigns it to you. I thought that much was clear. So, if it wasn't, here it is.
Dave Baldwin, Fixer of Problems (Silver Expert, Most Valuable Expert 2014) commented:
And now I agree with you and mccarl.  But I think the asker wanted to know if he could use the IP addresses on a different ISP network and the answer to that is no.  Inside his network he can configure however he wants.
Reece, ICT Consultant (Bronze Expert, Author) commented:
@Fred - In your initial comment of how you'd configure the Juniper, that's what I tested out but couldn't figure out how to make the 203.x.y.z block of public IPs use the Fibre internet connection and its 180.x.y.z public IP rather than the DSL internet connection's 165.x.y.z public IP (noting that the 203 and 165 IPs are both leased by the same Telco - and when I called them they said there is no reason I couldn't run the 203's from the internet connection of another provider, but didn't know how to do so).
So without actually taking the DSL internet connection out of the equation by disconnecting it from the Juniper (and maybe using its Untrust Port 3 for the Fibre) and seeing if I can use the 203's, I still haven't determined whether the problem lies with my network config or a limitation by the ISP(s). Many technical, much confused!
And yes I agree with you that how we use our Public IPs is entirely up to us.  Thanks for sticking up for me there - haha!

Dave Baldwin's last comment is correct - that is what I asked.
Thank you to you all for helping me understand how the Public IPs are capable of being used... Looks like I might need to get some public IPs from the Fibre ISP and maybe another multi-zoned firewall router and then bridge the two networks if I need to.

That said - if I do figure out a way to use the DSL telco's Public IP block on the Fibre connection, I will report back and let you know how.

Thanks again
