mick wrote:
Mark - OK - there are a bunch of issues here so I'll address them in-line.
Huge thanks for the detailed answer, it has really been helpful.
[..BIG SNIP..] Of course if they are only running one public service they could do that via NAT/PAT on the router and the extra addresses are unnecessary.
I agree, and have currently got them set up this way in order to get things working - I think I'll leave them this way!
Better still, they could rent a VPS, or some other external service with loads of bandwidth and save the ADSL for local outbound access only. ADSL lines are not best suited for inbound traffic.
Again, agreed. In this case their website links to a back-office system which gives a reason to host the site internally, although I wouldn't necessarily say I think it a compelling reason. At this point my goal was to get things working, I can look at better solutions in the future.
You could (and should) configure the router to refuse all direct connections to /its/ addresses. Inbound connections should then only be permitted to whatever device it is that they think they need a public address for (or, as you say, the inner firewall which then folds the connection through to some internal network).
Is this configuration (substantially) more secure than having a single IP and using NAT and port forwarding as appropriate?
But all this sounds horribly complicated for what should be a simple setup. Maybe you should just forget about the slash 30 and configure the ADSL router with an internal RFC1918 address and NAT through for whatever service the customer wishes (or needs) to offer publicly.
After messing around for a couple of days trying to get it working I gave up and went this route, and had everything working within about an hour. Most of that hour was spent undoing things that had been done to get the original config working....
Looking at the system now, I'm >90% sure that they previously had a block of 8 IP addresses. The customer can only tell me that they had 5 addresses - well that could be the 1 static + 4 routed they have now, or it could be a reference to a block of 8 after the network, broadcast and router addresses have been discounted. Looking at what they have inside the network the latter case looks far more likely. Therefore if they want to replicate the old configuration then they need to change what they have, and if I managed to make use of the /30 now it would break if they needed a larger block later. So I'm happy with the way it's been left now and will suggest they return the /30 to the pool.
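The router policy Mark describes (refuse direct connections to the router's own addresses, permit inbound only to the one service being offered), written as an nftables ruleset for the single-public-IP NAT/port-forward setup mick ended up with. This is an added example, not a config from the thread; the interface names and the 192.0.2.x / 10.0.0.x addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not a config from the thread. Constructed addressing:
#   WAN (ADSL) interface ppp0, single public address 192.0.2.1
#   LAN interface eth0, router address 10.0.0.1/24 (RFC1918)
#   internal host running the public website: 10.0.0.10
flush ruleset

define WAN = "ppp0"
define LAN = "eth0"
define WEB = 10.0.0.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # the router is managed from the inside only; with the default policy
        # it answers nothing on its WAN address (Mark's "refuse all direct
        # connections to its addresses")
        iif $LAN ip saddr 10.0.0.0/24 tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # anything outbound from the inside
        iif $LAN oif $WAN accept
        # the only inbound path: new HTTPS connections that the DNAT below
        # has already rewritten to the web host
        iif $WAN oif $LAN ip daddr $WEB tcp dport 443 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # PAT the one public service through to the internal host
        iif $WAN tcp dport 443 dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide the RFC1918 LAN behind the single public address
        oif $WAN masquerade
    }
}
```

Adding a second forwarded service means one more `dnat` line and one more `forward` accept; everything else stays closed, including the router itself.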