Question: how to manage several public IPs?

  1. #1
    pepe (Newbie)

    Hello.

    My ISP has given us several (5) public IP addresses, which we need in order to provide several services at our office.

    I would like not to configure those IPs directly on our servers' network interfaces, and I also don't like the idea of using a hardware firewall for each public IP address (in order to protect our servers behind them).

    I would like to install one single hardware firewall and manage all our public IP addresses from that single device, behind which our servers (configured with private IPs) should live. Ideally, that single firewall device should redirect requests to port 80 of public-IP-address-one to port 80 at the private address 192.168.0.10, and also redirect requests to port 80 of public-IP-address-two to port 80 at the private address 192.168.0.11, and so on...

    Does that make sense at all? Which hardware device should I get to accomplish this?

    Thank you.

  2. #2
    townsbg (Senior Member)
    Just exactly what kind of hardware you get depends upon numerous factors starting with budget. You could go as simple as a hardware firewall to a full server and configure it as a firewall. That kind of network configuration is a bit beyond the scope of our services here. I suggest that you at least hire a network consultant if not a network admin.

  3. #3
    pepe (Newbie)
    Quote Originally Posted by townsbg:
    Just exactly what kind of hardware you get depends upon numerous factors starting with budget. You could go as simple as a hardware firewall to a full server and configure it as a firewall. That kind of network configuration is a bit beyond the scope of our services here. I suggest that you at least hire a network consultant if not a network admin.
    Well, I know how to do this task using a Linux server with 2 NICs, using IP aliasing on its WAN interface together with several iptables rules. But I want to avoid this solution, where the hard disk could fail, the power supply could fail, etc.; also, I want to avoid that solution because it is "noisy" and power-hungry. That's why I would prefer to use a hardware firewall, but I don't know which one would fit well with my requirements.

    I've been researching the "Zyxel ZyWall 2+" hardware firewall, but I've found that it cannot manage several public IP addresses with an independent rule-set applied to each one of them...

    Therefore, I ask for recommendations of hardware firewalls... the smaller and cheaper, the better, provided it can do what I need it to do.

  4. #4
    townsbg (Senior Member)
    Again, this is beyond the scope of the help that we usually provide.

  5. #5
    DJNafey (UK site moderator)
    Hi Pepe,

    If you are still looking for a suitable hardware firewall, you might want to check out the SonicWall TZ100. We've got one of those running for a client with multiple public IP addresses. They have public IP addresses 1 and 2 going to Server1 for email and other services and public IP address 3 going to Server2 for terminal services. It should also handle forwarding the same port (service) from different public IP addresses to different servers.

    The SonicWall firewall routers are designed to be expandable to offer all kinds of services by purchasing a subscription and entering an 'unlock' key to enable each service. For example, my client's SonicWall TZ100 is wireless-ready but they haven't purchased the key to unlock the wireless feature. However, they have purchased the gateway anti-virus / anti-spyware subscription, which enforces AV / AS security at the point of entry to the network and then (optionally) enforces and deploys client AV / AS software installation on the PCs too. The SonicWall firewall routers are significantly more expensive than single IP firewalls but they are very smart.

    Another option to consider is a used enterprise firewall. Another one of my clients had a Juniper Networks Netscreen-25 firewall device that could handle multiple public IP addresses. When their requirements changed and they didn't need it any more, I wiped their settings and sold it for them. It was about £1700 ($2600 USD) when it was new but I was only able to get about £100 ($160 USD) for it on Ebay!

    Hope that helps :-)

  6. #6
    pepe (Newbie)
    Hello, DJNafey.

    Your contribution is undoubtedly very helpful.

    To contribute here the solution I finally went with, just in case it may be helpful to anyone in a situation similar to mine, I solved my problem using the "Cisco-Linksys WRT54GL Wireless-G Broadband Router". It's cheap, and it has wireless as a bonus (although I'm not using the Wifi so I disabled that).

    I flashed it with the DD-WRT version 24 firmware, which basically puts an ARM-based Linux into the device, and it is working fine: I am managing right now 5 public IP addresses and forwarding ports 80, 110, 22, 25 to several internal machines, etc. You can do with this device whatever you could do with iptables in a regular Linux box acting as a firewall.

    Amazon.com: Cisco-Linksys WRT54GL Wireless-G Broadband Router (Compatible with Linux): Electronics

    Linksys WRT54G series - Wikipedia, the free encyclopedia

    www.dd-wrt.com | Unleash Your Router
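    The Linux approach pepe describes in #3 and #6 (IP aliases on the WAN interface plus iptables DNAT), written out as an added example that is not from the thread or from DD-WRT. It generates the rules rather than applying them so they can be reviewed first; interface names eth0/eth1 and the 198.51.100.x public addresses are assumed stand-ins, and each public IP gets its own port list, with a default-drop FORWARD policy so only the listed ports ever reach the private hosts.

```shell
#!/bin/sh
# Added example (not from the thread): build the ip/iptables commands that map
# several public IPs to private hosts on one Linux firewall with two NICs.
# Assumptions: WAN interface eth0, LAN interface eth1; public IPs are taken from
# the documentation range 198.51.100.0/24 in place of the ISP-assigned ones.
WAN=eth0
LAN=eth1

# Constructed mapping: "public_ip private_ip tcp_ports" (ports comma-separated).
# Private addresses are the ones used in the original question.
MAP='198.51.100.11 192.168.0.10 80,25,110
198.51.100.12 192.168.0.11 80,22'

# Emit the commands instead of executing them, so they can be audited
# (or piped to sh on the firewall) and the generator can be tested offline.
gen_rules() {
    # Nothing is forwarded unless a rule below explicitly allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        # Alias the public IP on the WAN interface so the firewall answers for it.
        echo "ip addr add $pub/32 dev $WAN"
        for p in $(echo "$ports" | tr ',' ' '); do
            # DNAT only this port of this public IP to its private host.
            echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p tcp --dport $p -j DNAT --to-destination $priv:$p"
            # Permit exactly that forwarded flow; anything else hits the DROP policy.
            echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        # Outbound traffic from each host leaves with its own public IP.
        echo "iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub"
    done
}

# Sanity check: the number of DNAT rules must equal the total number of ports.
dnat_count() { gen_rules | grep -c 'DNAT'; }

gen_rules
```

Run it on the firewall as `./gen.sh | sh` only after reading the output; the same table format extends to as many public IPs as the ISP assigns.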

  7. #7
    DJNafey (UK site moderator)
    Thanks for the update - that's a great money-saving tip :-)
