Splitting and connecting a small subnet

1

It's been a while since I built out a network so bear with me as I've lost some of the nomenclature.

Given "5" usable static IP addresses from our ISP is it possible to use 3 of them for globally accessible "servers" while then using the remaining 2 addresses to create two additional and independent LANs?

LAN_A would need access to the servers and would perhaps appear on the same 'subnet' with the servers as users on this subnet are relying on some of the servers for filesharing, etc.

LAN_B will be entirely independent and would have no more access to said servers than, say, anyone else on the global internet.

Possible? If so how? I know I could split a 6 ("5" usable) into two distinct 3's (2 usable) but that won't meet our requirements as we need min of 3 for one entity's servers.

The other option would be to get "13" usable static addresses from our ISP.

Point being we have two distinct entities sharing the same physical space and ISP. One has servers that it needs access to (and said servers need globally accessible static IP addresses) and the other entity just needs basic internet access for 10 or so users.

Hope this makes sense. Please let me know if I can provide more information to make this clearer.

Edit:

confirmed: what we have is a /29 subnet (so 5 static IP addresses)

Also, added a diagram of how I think it might look when done:

What I'm having trouble identifying is the 'switch' in the diagram below. Is it a single smart switch (capable of VLAN)? Or, is it 2 switches? Or perhaps a router + switch?

Any help greatly appreciated!

Edit2:

updated network diagram by putting a router between switch and LAN A. Does this make sense?

[image: network diagram]

Meltemi

Posted 2013-04-07T19:31:34.477

Reputation: 5 707

1

Buy a couple routers?

– Ƭᴇcʜιᴇ007 – 2013-04-07T19:36:53.327

well, yeah. but I'm concerned about the 'visibility' between the networks. I'm not familiar with how services like Bonjour, iTunes sharing, and all these other 'auto-discoverable' services work across routers. We want to keep LAN_A isolated from the LAN_B. But there's also this static IP requirement for some servers related to LAN_A. – Meltemi – 2013-04-07T19:40:45.677

1

Routers help route traffic, firewalls help block traffic. Network setups are built from these, that's what they're for. :) Many current, quality firewalls and routers do both. – Ƭᴇcʜιᴇ007 – 2013-04-07T19:43:08.947

so, that's your answer: "buy a couple routers". thanks! anyone else? – Meltemi – 2013-04-07T19:57:44.567

1

Create the two private LANs, multihome your servers. Each server would have one NIC on the appropriate private LAN, and the other with the public IP. – Fred – 2013-04-07T20:24:31.417

Answers

1

The 2 public IP addresses you want to "create LANs for" would need to be part of a NAT/PAT gateway with a designated private address subnet "behind" it. That's the only way to have a single IP address function as a gateway for numerous hosts behind it.

Assuming two subnets:

  • LAN A + servers
  • LAN B

There are many ways to set it up and they heavily depend on what equipment you have and what it is capable of.

Generally, though, your Internet gateway (which may be one device or several) needs to

  • act as a NAT gateway for traffic coming into the IP that's for LAN A
  • act as a NAT gateway for traffic coming into the IP that's for LAN B
  • forward traffic coming in off of each remaining public IP to its respective server

You also want to make sure LAN A and LAN B are on separate switches or VLANs, and that should serve to completely isolate them from one another.

Any computer in subnet A will be able to reach the servers, and vice versa, by virtue of being in the same subnet.

Any computer in subnet B has to go through the default gateway (your Internet router) in order to reach anything in subnet A.

The router must be smart enough to support not having to put all hosts behind a NAT - your servers need not participate in the NAT. I do believe most commercial grade equipment is capable of this.

Further details require intimate knowledge of your setup and equipment. If you don't know what to get you should consult a networking professional.

UPDATE (after your diagram):

First, the router 'within' LAN A is unnecessary if you are OK with any machine on LAN A being able to talk to any server in LAN A. Second, unless your cable modem has routing capability (most don't), you need a router right after the cable modem.

Standard unmanaged switches simply allow any host connected to talk to any other host. Managed switches have VLANs which let you group ports into an isolated 'VLAN' that functions as a separate 'sub-switch'.

As you have it above, the switch needs to support VLANs if you don't want LAN A to talk to LAN B over that switch.

Your router, though, also needs to support and know what's going on. You have a central problem where traffic that is destined for two separate subnets is coming in over one gateway, your cable modem.

Conceptually your router needs the ability to tag traffic coming in on specific IPs with one VLAN and tag traffic coming in on other specific IPs with another VLAN. I don't have a lot of experience with this type of hardware so I'm unable to point you to the name of a specific device.

LawrenceC

Posted 2013-04-07T19:31:34.477

Reputation: 63 487

Appreciate your insight. I've taken what you've said and worked it into a simple network diagram, to the best of my understanding. Trying to identify what's required of that 'switch' (maybe it's a router...or something else?). Again, LAN A is one big happy family. LAN B should have no more access to LAN A than they would any other machine from the 'cloud'. – Meltemi – 2013-04-11T16:24:00.370
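As an added example that is not part of LawrenceC's answer or any other post in this thread: an nftables ruleset for a Linux box acting as the single router right after the cable modem, implementing the three gateway roles listed in the answer (NAT for LAN A on one public IP, NAT for LAN B on another, 1:1 forwarding of the remaining three public IPs to the servers) plus the LAN B isolation. Every address, interface name (wan0, vlan10, vlan20) and port below is a constructed assumption, not the asker's real values.

```nft
#!/usr/sbin/nft -f
# Constructed addressing (documentation range, not the asker's real values):
#   ISP /29 = 203.0.113.0/29, ISP gateway .1, our five usable .2-.6, all on wan0
#   .2 = PAT for LAN A (vlan10, 10.10.0.0/24); .3 = PAT for LAN B (vlan20, 10.20.0.0/24)
#   .4 .5 .6 = forwarded 1:1 to servers 10.10.0.4/.5/.6 that live inside LAN A
# Also needed outside this file: net.ipv4.ip_forward=1 and the five public
# addresses configured on wan0 so the router answers ARP for them.
flush ruleset

define WAN   = "wan0"
define LAN_A = "vlan10"
define LAN_B = "vlan20"

table ip nat {
    map server_dnat {            # public -> private, for inbound connections
        type ipv4_addr : ipv4_addr
        elements = { 203.0.113.4 : 10.10.0.4, 203.0.113.5 : 10.10.0.5,
                     203.0.113.6 : 10.10.0.6 }
    }
    map server_snat {            # private -> public, for connections the servers open
        type ipv4_addr : ipv4_addr
        elements = { 10.10.0.4 : 203.0.113.4, 10.10.0.5 : 203.0.113.5,
                     10.10.0.6 : 203.0.113.6 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # "forward traffic coming in off each remaining public IP to its server"
        iifname $WAN dnat to ip daddr map @server_dnat
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname $WAN snat to ip saddr map @server_snat          # servers stay out of the shared NAT
        oifname $WAN ip saddr 10.10.0.0/24 snat to 203.0.113.2   # NAT gateway for LAN A
        oifname $WAN ip saddr 10.20.0.0/24 snat to 203.0.113.3   # NAT gateway for LAN B
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $LAN_B oifname $LAN_A drop       # LAN B never reaches LAN A or its servers
        iifname $LAN_B oifname $WAN accept
        iifname $LAN_A oifname $WAN accept
        # Internet -> published servers: open only the ports you actually expose
        iifname $WAN oifname $LAN_A ip daddr { 10.10.0.4, 10.10.0.5, 10.10.0.6 } tcp dport { 80, 443 } accept
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`; LAN B users reaching the servers by their public addresses would additionally need a hairpin DNAT rule, which is deliberately not included so that LAN B gets exactly the access any Internet host has.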

1

If that's an actual Airport base station, it's a router: hosts behind it will be isolated, and will belong to a different RFC1918 network, and broadcast traffic made by WiFi clients will not be propagated. Then, depending on how the MSO is going to route the /29 to you:

A) you can perhaps eliminate the switch, since you'll need the router to accept traffic and act as a gateway for the /29 which you'll configure on its LAN interface (and the MSO shall have a static route to send the /29 to your router's WAN interface, which will necessarily not be part of the /29)

B) the MSO will have the gateway for your /29 configured either on your cable modem, or on its cable router, and as such, all devices in the /29 would have to be connected to the cable modem without a router in between.

In either case, however, you're probably paying a premium for this service, which must include the time of a network administrator or engineer to set that /29 up, and to handle ongoing support of your network. So it might be rather counterproductive to consult with us instead of them: We're just guessing. They must know in order to provide connectivity to you.

Nevin Williams

Posted 2013-04-07T19:31:34.477

Reputation: 3 725