
Is it possible to use public IP block on the LAN side of ASUS router? Need some help.


Karolinska

Occasional Visitor
Hi.
I'm an "IT guy" of a student organization. Recently, I applied for a /29 subnet (13*.***.***.96/29 with a dedicated router interconnection address 12*.**.*.212) from our campus IT service and I'm going to put it into use. There will be a tower server (hosting 2 WordPress blogs, an IRC, an FTP and a Minecraft server, all public facing), a desktop workstation and several portable devices (our own laptops and mobiles, which I would put behind NAT) in this network.

I got a switch, an ASUS RT-AC66U_B1 and an Apple AirPort Extreme. Is it possible for us to fully use this /29 subnet? Is it possible to use a public IP block on the LAN side of the ASUS router? Would the inbuilt Trend Micro firewall of the RT-AC66U_B1 still work in this situation? How should I configure the router?
 
Yes and no. You'll need a routable IP on the WAN side, which you already have. If you decide to use routable IPs on the LAN side, you will need to disable NAT and change the LAN IP and DHCP scope. You'll also need to subnet the /29 block into smaller blocks.

The main problem will be to make sure that the devices that are on the WAN side have routes to the public block you have on the LAN side. If you control the router on the WAN side, you can do it. If it's the ISP, then you will need to make sure they have advertised routes for those blocks with your WAN address as the next hop.

Or you can just use your ASUS router as an access point for wireless, but it won't provide anything like AiProtection.
 
Thanks. What I got is a single IP address (it seems to be for the router's WAN side) and a /29 block. I followed this way and it works.

What I'm worrying about is the security issue. Are all the devices behind the router fully exposed to the Internet in this scenario? I mean, I have no experience in managing a public subnet. Will things like the router administration page (if I turn off remote management from WAN) and local network file/printer sharing leak to the Internet? I think some of these things are based on ARP broadcasting and will not leak to the Internet, but I'm not sure.
 
If you disable NAT, then I would assume so. If you leave NAT enabled, then there is no need to waste routable IPs on the workstations and wireless devices. Everyone would NAT-hide behind the single WAN IP.
 
Thanks. I'm wondering why my campus IT service assigned addresses in this way (the block must be routed through an interconnection address with my own router). It seems that in some business plans, customers just need a switch or a multi-WAN firewall box to use the block; the ISP would handle the routing on their backbone and segregate different customers on their device. But in my scenario, I have to get a router, and 3 addresses are wasted (network ID, broadcast, router's WAN IP). Are there any advantages to assigning addresses in this way (for customer and ISP)?
 
During mergers and acquisitions, everyone using the same RFC 1918 space ends up being a nightmare to fix. Also, using NAT to hide the source addresses of the clients makes it almost impossible for a security operations center to track down a malicious client.
 
This is not what I mean. Here I'm wondering why some ISPs (like my school) divide their blocks into small blocks and let the users do the routing by themselves. Every assigned block wastes 3 addresses (network ID, broadcast, router's WAN IP). If they handled the routing on their backbone, we would just need a switch or a multi-WAN firewall to get things done, and we'd save 2 addresses (the network ID and broadcast addresses could then be used on clients).
 
Sorry, still not sure what the question is.

Having very large subnets wastes valuable IP space. Having them too small is a pain to manage once you run out of addresses. A large layer 2 network is prone to problems (i.e. broadcast storms) and is very difficult to troubleshoot. A layer 3 subnet and VLANs provide a logical boundary, and there are many more layer 3 tools for troubleshooting. That's why you almost always see WAN connections with IP addresses. So, for example, if you look in the routing table, you see your route with the IP address of the next hop instead of an interface number. The smaller blocks are used on WAN connections so you don't waste IPv4 space when you only need two to three addresses on the subnet.

Internet providers also have to aggregate all of their routing before they can advertise it on the Internet. Almost no major provider accepts routes smaller than /24.

If your question is why the ISP provided you multiple addresses instead of just the one for your WAN interface: most people, including me, try to get as many addresses as possible. I can then dedicate addresses to specific purposes like VPN or web servers.

Another thing to consider: you could always use your ASUS router as an access point, which basically turns it into a layer 2 wireless interconnection device. You'd then have to rely on other equipment to handle the layer 3 transport and features.
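To make the two points in this thread concrete (the routed-block setup with NAT disabled described in the first reply, and the "are my hosts fully exposed?" question answered a few posts later), here is a small worked example. It is added here and is not code from the thread or from ASUS firmware. Addresses are constructed RFC 5737 documentation placeholders standing in for the masked ones above; the router LAN IP, the server address and the service ports are assumptions for the services the original poster listed. The script carves the /29 into gateway, DHCP range and host addresses, prints the static route the upstream (campus) router must carry with the WAN interconnection address as next hop, and renders a default-deny forward policy in nftables syntax so that, with NAT off, only the server's published ports accept new inbound connections while the workstation and wireless clients do not.

```python
"""Addressing plan and inbound filter for a public /29 routed to a LAN with NAT disabled.

Added example, not from the forum thread. All addresses are constructed
documentation-range placeholders (RFC 5737); the thread masks its real ones.
"""
from ipaddress import IPv4Address, IPv4Network

WAN_IP = IPv4Address("192.0.2.212")            # router's interconnection (WAN) address, constructed
LAN_BLOCK = IPv4Network("198.51.100.96/29")    # the routed public /29, constructed
SERVER = IPv4Address("198.51.100.98")          # tower server inside the block (assumed placement)
WORKSTATION = IPv4Address("198.51.100.99")     # desktop workstation inside the block (assumed)
# Published services on the server; ports are assumptions for the services the thread lists
# (WordPress over HTTP/HTTPS, FTP control, IRC, Minecraft).
SERVER_PORTS = {"tcp": {80, 443, 21, 6667, 25565}}


def address_plan(block: IPv4Network, wan_ip: IPv4Address) -> dict:
    """Carve the block: first usable address becomes the router's LAN IP, the rest go to hosts."""
    hosts = list(block.hosts())          # excludes the network and broadcast addresses
    gateway, usable = hosts[0], hosts[1:]
    return {
        "network": block.network_address,
        "broadcast": block.broadcast_address,
        "gateway": gateway,              # the router's LAN IP, also taken from the /29
        "host_addresses": usable,
        "dhcp_range": (usable[0], usable[-1]),
        # Without this route on the upstream router nothing reaches the LAN block at all.
        "upstream_route": f"ip route add {block} via {wan_ip}",
    }


def forward_policy(block: IPv4Network, server: IPv4Address, ports: dict) -> str:
    """Render a default-deny nftables forward chain for the routed (non-NAT) LAN.

    LAN hosts may open outbound connections; the Internet may only open new
    connections to the server's published TCP ports. Everything else is dropped.
    """
    if server not in block:
        raise ValueError("server must live inside the routed block")
    tcp = ", ".join(str(p) for p in sorted(ports["tcp"]))
    return "\n".join([
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {block} ct state new accept",
        f"    ip daddr {server} tcp dport {{ {tcp} }} ct state new accept",
        "  }",
        "}",
    ])


def inbound_allowed(dst: IPv4Address, proto: str, port: int,
                    block: IPv4Network = LAN_BLOCK, server: IPv4Address = SERVER,
                    ports: dict = SERVER_PORTS) -> bool:
    """Evaluate the same policy for a NEW connection arriving from the Internet.

    Mirrors the chain above: addresses outside the block are never forwarded,
    and inside the block only the server's listed ports are reachable.
    """
    if dst not in block:
        return False
    return dst == server and port in ports.get(proto, set())


if __name__ == "__main__":
    plan = address_plan(LAN_BLOCK, WAN_IP)
    for key, value in plan.items():
        print(f"{key:15} {value}")
    print()
    print(forward_policy(LAN_BLOCK, SERVER, SERVER_PORTS))
    print()
    for dst, port in ((SERVER, 80), (SERVER, 445), (WORKSTATION, 445)):
        print(f"new tcp/{port} to {dst}: {'accept' if inbound_allowed(dst, 'tcp', port) else 'drop'}")
```

Running it shows the accounting the thread argues about: of the eight addresses in the /29, the network address, the broadcast address and the router's LAN IP are consumed before any host gets one, and the WAN interconnection address is a further address outside the block. It also shows why the AiProtection question matters: once NAT is off, a workstation's SMB port is reachable from the Internet unless the forward chain drops it, so the filter, not the addressing, is what keeps those hosts private.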
 
