achim87 -> RE: Configure Cable Modem with Multiple IP address block (1.Aug.2014 2:51:46 PM)
This is a pretty simple routing scenario actually, what you need is a border router.
I am posting this for the benefit of others in the future because many people seem confused about how a traditional or "real router" works, which is 100% different than what your Linksys or D-Link does; those are more of "translators" than "routers".
This can be done using free software, or in Windows Server RRAS or a hardware Cisco Router. Cisco routers are pretty cheap nowadays; you can probably pick a decent one up for under $150 on eBay. The 1800 series would be a good fit for your needs.
What you will need to do is to configure two interfaces, they both would be public and will NOT USE NAT/PAT!
[ISP]-----[Modem]--S1--[Cisco Router]--S2--[Customer IP Block]---[ISA Server/Firewall]--S3--[NAT/PAT PRIVATE Addresses]
S1 (Segment 1) is the network where the single static IP assigned to you from your ISP will go. Let's call this interface "eth0".
S2 (Segment 2) is the network of your additional IP block.
S3 (Segment 3) is the internal network behind your TMG/ISA Firewall with Private RFC1918 Addresses, ALL Natting / PATting will be between Segments 2 and 3, the border router only does "real routing", 100% public addresses no NAT/PAT at all.
***This is where the confusion comes in because home user/consumer routers are not really routers, they are merely nat/pat "translators"***
Configuration of the Border Router would be something like this:
eth0: 184.108.40.206 255.255.255.0 (which is a /24)
eth1: 220.127.116.11 255.255.255.248 (which is a /29)
ip route 0.0.0.0 0.0.0.0 18.104.22.168 (which is a static route pointing to the default gateway of the ISP on Segment 1 or eth0)
(The ISP will have a static route on their router pointing to you, so on THEIR end they will have this statement pointing to the IP Address on your Segment1 eth0 interface IP: ip route 22.214.171.124 255.255.255.248 126.96.36.199)
Now on your firewall or any other device you will assign the external interface to anything in the range of: 188.8.131.52 - 184.108.40.206, in our example:
Gw: 220.127.116.11 (Yes! We are hosting our OWN external default gateway, most consumers would assume the first hop will be the ISP, but not in this case!)
You may then add 18.104.22.168 to 22.214.171.124 to a 1:1 NAT IP Pool or assign other devices to those IPs as necessary. You may even run your own DHCP Server on eth1 assigning out public routable addresses, as if you are running your own ISP!
Here is what a traceroute from a client BEHIND/INSIDE your Firewall would look like:
1. 10.0.0.254 <<--- ISA Server [Segment 3]
2. 126.96.36.199 <<--- Your Border Router [Segment 2] **Your cable modem sits between hops 2 and 3**
3. 188.8.131.52 <<--- Your ISP's Gateway [Segment 1]
4. <Whatever Path to your destination>
A Traceroute from the internet to your routed subnet:
x. <ISP and Internet Cloud> **Your cable modem sits between hops x and 2**
2. 184.108.40.206 <<--- Your Border Router [Segment 1]
3. 220.127.116.11 <<--- A device on your routed subnet i.e. Firewall [Segment 2]
4. 10.0.0.123 <<--- A host/server on your internal network behind your FW [Segment 3]
A routed subnet allows flexibility of porting IP Addresses. In fact, as in the example above, you can even set private addresses on additional routers (although not recommended but regularly practiced by many ISPs due to the shortfall of IPv4 Addresses anyways) between hops 2 and 3, perhaps a VPN tunnel, which will allow your IPs to be ported to and used at another location, even as far as in another country halfway around the world!
Hope this clears things up!!
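
The addressing plan described in the post above can be sanity-checked before anything is configured. This is an added example, not part of the original post: the function names are hypothetical, and the addresses are constructed from the RFC 5737 documentation ranges rather than taken from the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (RFC 5737 documentation addresses, not real assignments).
PLAN = {
    "wan_if": "192.0.2.10/24",    # border router eth0, Segment 1
    "lan_if": "198.51.100.1/29",  # border router eth1, Segment 2 (routed block)
    "isp_gw": "192.0.2.1",        # next hop of the border router's default route
    "fw_ip": "198.51.100.2",      # firewall external interface
    "fw_gw": "198.51.100.1",      # firewall default gateway
}

def isp_static_route(wan_if, lan_if):
    """Route the ISP needs: the routed block via the router's Segment 1 address."""
    wan, lan = ipaddress.ip_interface(wan_if), ipaddress.ip_interface(lan_if)
    return f"ip route {lan.network.network_address} {lan.network.netmask} {wan.ip}"

def nat_pool(lan_if, fw_ip):
    """Hosts left in the routed block once the router and firewall have theirs."""
    lan = ipaddress.ip_interface(lan_if)
    taken = {lan.ip, ipaddress.ip_address(fw_ip)}
    return [str(h) for h in lan.network.hosts() if h not in taken]

def check_plan(wan_if, lan_if, isp_gw, fw_ip, fw_gw):
    """Return a list of problems; an empty list means the plan is consistent."""
    wan, lan = ipaddress.ip_interface(wan_if), ipaddress.ip_interface(lan_if)
    isp_gw, fw_ip, fw_gw = (ipaddress.ip_address(a) for a in (isp_gw, fw_ip, fw_gw))
    problems = []
    if wan.network.overlaps(lan.network):
        problems.append("Segment 1 and Segment 2 overlap, so nothing is routed between them")
    if any(lan.network.overlaps(n) for n in RFC1918):
        problems.append("Segment 2 is RFC 1918 space and would need NAT on the border router")
    if isp_gw not in wan.network or isp_gw == wan.ip:
        problems.append("default route next hop is not a neighbour on Segment 1")
    if fw_ip not in list(lan.network.hosts()) or fw_ip == lan.ip:
        problems.append("firewall external address is not a free host in the routed block")
    if fw_gw != lan.ip:
        problems.append("firewall gateway must be the border router's eth1 address")
    return problems

if __name__ == "__main__":
    print(check_plan(**PLAN) or "plan is consistent")
    print("ISP side:", isp_static_route(PLAN["wan_if"], PLAN["lan_if"]))
    print("free for 1:1 NAT:", nat_pool(PLAN["lan_if"], PLAN["fw_ip"]))
```
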