All internal LAN nodes are internet facing, how?


My school has it set up so that all connected devices have an internet-facing IP address. That is, they appear to own a subnet: (if I recall correctly) where any device can be accessed via that IP address from anywhere.

However, they also have a firewall, which all traffic is routed through, that blocks certain ports.

How, in general, is this set up? What kind of hardware, internet service, and software would one use? Is it just something similar to an iptables/dnsmasq setup without NAT, using the assigned block as the address space? Is this feasible for a residential connection (ignoring the part where you have to pay fees to ICANN (or whoever) for the IP block)?


Posted 2012-07-28T19:30:57.973




I believe the simplest answer would be that they treat these Internet facing addresses as normal. If you do a traceroute in to one of these IP addresses, you would see (provided ICMP isn't blocked) the school's switch before reaching the destination. From the switch, routing takes place as normal, only using public IP addresses instead of private.

So if you happened to own a swath of public IP addresses, you could theoretically duplicate this setup fairly easily. The logistics of routing traffic appropriately to your switch would probably depend upon the service provider for your IP addresses.

Tanner Faulkner



This is how the Internet was supposed to work, and will work again when IPv6 is widely deployed.

Your question appears to arise because you believed that NAT was necessary to implement a network. It was not and is not. NAT was only necessary to implement a network if no public IPv4 addresses were available to assign to the devices on the network.

Unfortunately NAT causes a lot of problems, such as end-to-end programs having to resort to bizarre workarounds to talk to each other (think VoIP), people taking advantage of NAT's inherent properties for security instead of implementing proper firewalls, etc. Fortunately NAT will soon be a thing of the past for most people. (And the sooner the better.)

Michael Hampton



This could be a very simple setup.

School network <-> Firewall <-> Modem <-> Internet

Where the modem could be several devices. No masquerading/NAT is needed. (Or in fact desired. Using NAT is just an emergency workaround which is best avoided.)


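A concrete version of the NAT-free "School network <-> Firewall <-> Modem <-> Internet" setup, added here as an example and not taken from any of the posters: a shell function that emits an nftables ruleset for a Linux box sitting in the firewall position, forwarding a routed public IPv4 block with no address translation and dropping only a few inbound ports. The prefix 203.0.113.0/24 (a documentation range), the interface names and the port list are placeholder assumptions; the ruleset is printed, not applied.

```shell
# Added example: generate (not apply) an nftables ruleset for a router that
# forwards a routed public block end-to-end. Hosts behind it keep their public
# addresses, so there is no nat table and no masquerade rule at all; the only
# job of the box is stateful filtering, as the question describes.
gen_ruleset() {
    pub_net="$1"        # routed public block, e.g. 203.0.113.0/24 (assumed)
    lan_if="$2"         # interface towards the school LAN (assumed name)
    wan_if="$3"         # interface towards the modem / ISP (assumed name)
    blocked_ports="$4"  # comma-separated inbound TCP ports to drop (assumed)
    cat <<EOF
# LAN hosts carry public addresses directly; nothing is rewritten.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections opened from either side come back in.
        ct state established,related accept
        ct state invalid drop
        # Everything originating from our own block may leave.
        iifname "$lan_if" ip saddr $pub_net accept
        # Unsolicited inbound: drop the blocked ports, admit the rest,
        # so LAN machines stay reachable from anywhere on other ports.
        iifname "$wan_if" ip daddr $pub_net tcp dport { $blocked_ports } drop
        iifname "$wan_if" ip daddr $pub_net accept
    }
}
EOF
}

# The kernel must actually route between the two interfaces; this is the
# sysctl line the box needs in addition to the ruleset.
forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Example invocation with the assumed placeholder values.
gen_ruleset 203.0.113.0/24 eth1 eth0 135,139,445
forwarding_sysctl
```

The ISP must route the block to the box's WAN address for this to work; the output is meant to be reviewed and then loaded with `nft -f`.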