Setting up a network for a small business, using multiple fixed, public IP addresses and Hyper-V

Filip_Berghamar

Nov 29, 2015
I am setting up some servers for work. Usually I develop software, so hardware and networking is a bit new to me.

We need to create several servers that are accessible (RDP, CTS, FTP etc. services) to our business clients from a public IP. We intend (for obvious reasons) to use virtualization, since server creation becomes faster (and a lot cheaper).

We have one ISP access, using a normal ISP supplied Modem/Router.
If anyone with experience in network architecture could approve of my setup, it would be greatly appreciated. Maybe I am missing something?
Is this setup, that I have sketched up here, correct?


1. The ISP would essentially become a switch to the internet, correct?
2. The VM servers could get a public IP, although they all use the same virtual switch, correct?
3. By using this model, we can get as many fixed IPs from our ISP as we might need, correct?
4. Thanks a lot for taking your time to read this.
 
Solution
In general it will work, but the details are what is going to cause the issue.

First, you do not want to use any consumer or small business routers. Almost all are better called gateways because they pretty much convert 1 WAN IP to 1 LAN subnet. Most have no ability to do any actual routing with multiple networks.

So the first problem is how the ISP actually delivers you multiple IP addresses. In an enterprise type install they would assign an IP to the router at the location and then route a subnet like a /29 to that IP. That router would then be responsible for dividing the IPs between the devices. This tends to be the easiest and most flexible way to run an internet connection.

There are other ways to do this, but they are very unique to the ISP and some are a huge pain to make something like you have work. With ATT Uverse I almost pulled my hair out trying to get anything complex set up, because you must use their router and it is limited in ability.

Next, if the office PCs want to go to this server farm you may have issues depending on how the ISP device works.

The more standard solution is to place your firewall in as the main router. You will likely need some device from the ISP to deliver the connection, but hopefully it can operate just as a modem and all the routing can be done on the firewall. Unless you really need a router for the office PCs I would run everything on the firewall. The firewall should be able to do all the functions you need. Even very inexpensive firewalls have many more abilities than a consumer router.
 
Hi Bill.
Thanks. I must look into how our ISP delivers those IPs.
If I understand you correctly, you would recommend I do not use the ISP modem as a switch, but instead use it as a "main router"?
If I use a "main router" instead of my "dual-network" setup (let's say we purchase a big "professional" router), is it easier to assign public IPs to the connected devices? In my setup, the servers are directly connected to the internet, without any DHCP server in between. This, I thought, would make it easier to add servers.



 
A router/firewall can do all the functions in one box. It can have NAT on some ports/networks and directly route on others.

A large part of the problem is the ISP may not deliver the service so it appears as a switch... cable modems sorta work that way.

You may want to consider a hosted option for your servers. It is getting to the point that it is almost cheaper to get network connections in a hosting center than trying to run it yourself, especially when you run servers the way you are supposed to, with things like protected power etc.
 
You do NOT want to put your servers directly on the internet with a public IP. It's a huge security risk.

Ideally you'll simply get a block of static IPs from your ISP and NAT those public IPs to the private IPs of your VMs. Since those VMs will be accessed from the public internet, security best practices would have them in a DMZ and not IP'd on your trusted LAN, which your diagram sort of shows already. You'll want some kind of business-class firewall to act as your gateway like Bill mentioned, and that will hold one of the static IPs given by your ISP (it doesn't actually matter which one in most cases). If your ISP is cable, ask them to give you just a DOCSIS 3 device, which is simply a bridge from coax to ethernet, so all IP/routing happens on your firewall, again like Bill mentioned.

The firewall will allow you to restrict inbound access to the servers only on the necessary ports, so they're not sitting out there on the web to be probed at will. The firewall will also allow you to protect your internal LAN in the event one of those DMZ servers were to get hacked.

All this being said, I'd probably seek some professional help to do this right.

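To make the two answers above concrete, here is an added example (not code from either poster) that models what Bill describes, a /29 routed to the firewall and divided among devices, together with what Marko describes, 1:1 NAT from those public addresses to DMZ VMs with inbound access limited to the necessary ports and the DMZ blocked from starting connections into the trusted LAN. The public block 203.0.113.8/29 (a documentation range), the private addresses, the VM names, the port choices (3389 for RDP, 21 for FTP) and the interface names dmz0/lan0 are all constructed for the example; the rule text is rendered as iptables-style lines for reading only and is never applied.

```python
"""Model a /29 static block, 1:1 NAT to DMZ VMs and inbound port filtering.

Everything here is a constructed example: the address block, the VMs and
the interface names are placeholders, and the rendered rules are text only.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example block (TEST-NET-3 documentation range); the real ISP
# assignment would replace this.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.8/29")


@dataclass(frozen=True)
class DmzServer:
    name: str
    private_ip: ipaddress.IPv4Address
    allowed_tcp_ports: frozenset


# Constructed DMZ VMs: one exposes only RDP, one only the FTP control port.
# (Passive FTP would additionally need a data-port range; it is left out here.)
SERVERS = [
    DmzServer("rdp-vm", ipaddress.ip_address("10.10.20.11"), frozenset({3389})),
    DmzServer("ftp-vm", ipaddress.ip_address("10.10.20.12"), frozenset({21})),
]


def split_block(block):
    """Return (firewall WAN address, addresses left for 1:1 NAT).

    A /29 has 8 addresses; network and broadcast are excluded, so 6 are
    usable. The firewall takes the first one, as Marko suggests, and the
    remaining 5 can each be mapped to one DMZ VM.
    """
    hosts = list(block.hosts())
    return hosts[0], hosts[1:]


def block_has_room(block, servers):
    """True when the block has a spare public address for every server."""
    _, spare = split_block(block)
    return len(servers) <= len(spare)


def build_nat_table(block, servers):
    """Map each spare public address to one DMZ VM, in order."""
    if not block_has_room(block, servers):
        _, spare = split_block(block)
        raise ValueError(
            f"{len(servers)} servers but only {len(spare)} spare public IPs in {block}")
    _, spare = split_block(block)
    return dict(zip(spare, servers))


def inbound_decision(nat, dst_public_ip, dst_port):
    """Decide an inbound TCP connection: ('DNAT', private_ip) or ('DROP', None).

    Anything aimed at an unmapped public address (including the firewall's
    own WAN address) or at a port the VM does not publish is dropped, which
    is the 'only the necessary ports' behaviour Marko describes.
    """
    srv = nat.get(ipaddress.ip_address(dst_public_ip))
    if srv is None or dst_port not in srv.allowed_tcp_ports:
        return ("DROP", None)
    return ("DNAT", srv.private_ip)


def render_rules(block, nat, dmz_if="dmz0", lan_if="lan0"):
    """Render the mapping as iptables-style rule lines (text only, not applied)."""
    wan_ip, _ = split_block(block)
    lines = [f"# firewall WAN address: {wan_ip}", "-P FORWARD DROP"]
    for pub, srv in sorted(nat.items()):
        for port in sorted(srv.allowed_tcp_ports):
            lines.append(
                f"-t nat -A PREROUTING -d {pub} -p tcp --dport {port} "
                f"-j DNAT --to-destination {srv.private_ip}:{port}")
            lines.append(
                f"-A FORWARD -d {srv.private_ip} -p tcp --dport {port} "
                f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
        # Replies and outbound traffic from the VM leave with its own public IP.
        lines.append(f"-t nat -A POSTROUTING -s {srv.private_ip} -j SNAT --to-source {pub}")
    # A compromised DMZ VM must not be able to open connections into the LAN.
    lines.append(f"-A FORWARD -i {dmz_if} -o {lan_if} -m conntrack --ctstate NEW -j DROP")
    return lines


if __name__ == "__main__":
    table = build_nat_table(PUBLIC_BLOCK, SERVERS)
    print("\n".join(render_rules(PUBLIC_BLOCK, table)))
    print(inbound_decision(table, "203.0.113.10", 3389))
    print(inbound_decision(table, "203.0.113.10", 22))
```

The point of `inbound_decision` is that the default is drop: a VM is reachable only on the ports it was explicitly given, and a public address with no mapping (or the firewall's own) forwards nothing. The last rendered rule is the LAN-protection part of Marko's answer; the DMZ VMs can answer the office PCs but cannot initiate connections towards them.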
 
Hi Marko.
Thanks for your reply.
Yes, using NAT was my initial setup. But can this work with virtualization?
And how can I have 2 different subnets on the same router? Is it my ISP's modem/router that doesn't allow this? I can't find anything on that router that allows me to set up 2 DHCPs. Maybe I need to buy a better router/modem.

 

Dear Sir,
Did you keep your VMs and workstations on the same IP?
What router/firewall did you use?

Thanks,

Joe