Beginner questions

Started by goose, May 26, 2020, 12:05:56 PM

Hi! I'm hosting a few machines in local co-location and have a few questions regarding how to set things up correctly.
-I have a /29 block of IPv4 addresses; I want to provide one IP address per machine.
-The machines should get an address via DHCP from the router but still be behind the firewall.
-The user of the machine should not be able to connect with a static IP and mess with the settings.

I was thinking the easiest would be to set up 1:1 NAT on the physical interfaces of the router. There aren't enough ports on my router, though, so the alternative would be to use VLANs and tie the external addresses to the VLANs.

I've got very limited experience setting up routers and firewalls, so my question is: does this make sense? Any details I might forget regarding setup/security would be highly appreciated.

If the users are unable to access the switch (i.e. plugging their machines in a different port) then VLAN separation provides good security.

Set a reservation for each machine in the DHCP for their VLAN and configure a 1:1 NAT to the reserved IP address.

Bart...

May 26, 2020, 01:17:50 PM #2 Last Edit: May 26, 2020, 01:23:47 PM by goose
Hi Bart,

Thanks for the confirmation!

I'm assuming VPS providers do this the same way and set the needed configuration via router & switch APIs?
I've rented machines where the IP was obtained via DHCP, others have the IP set statically.

I don't understand how it would be safe to set the (external) IPv4 statically on the machine, couldn't the user set another IP when renting a bare metal instance? If necessary by spoofing the MAC address?

VLAN separation prevents that since the network choice is made by the switch at layer 2. Clients can do what they like, but they cannot escape their broadcast domain. Spoofing the MAC or IP address will not change their location on the network.

You're right in saying that SDN can automate all this stuff, and many cloud implementations do exactly that (e.g. OpenStack).

Bart...
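Added example, not code from this thread or from any router/switch product: a small Python model of the design Bart recommends (one VLAN per machine, a DHCP reservation per machine, a 1:1 NAT from one public address to the reserved address) together with his point that a host cannot leave its VLAN by changing its MAC or IP. The public block 203.0.113.8/29, the router's WAN address, the VLAN numbers, the 10.0.<vlan>.0/24 scheme and the MAC addresses are all constructed for the example. Two details a practitioner wants to see: a /29 has six host addresses and the router's own WAN address takes one, so at most five machines get a 1:1 mapping; and the 1:1 NAT is keyed on the reserved address, so a tenant that sets some other static address in its VLAN gets no translation (the matching firewall rule restricts the VLAN's permitted source to the reservation). The access-port model below drops host-supplied 802.1Q tags; real switches differ in how they treat tagged frames on access ports, so check the switch you actually use.

```python
"""Model of the per-VLAN colocation design: one VLAN per machine, a DHCP
reservation for that machine, and a 1:1 NAT between one public address from
the /29 and the reserved address.  Added example, not code from the thread;
the block, VLAN numbers and MAC addresses are constructed (203.0.113.0/24 is
a documentation range)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.8/29")   # constructed /29
ROUTER_WAN = ipaddress.ip_address("203.0.113.9")        # router's own address


@dataclass(frozen=True)
class Tenant:
    name: str
    mac: str   # MAC the DHCP reservation is keyed on
    vlan: int  # access VLAN (PVID) of the tenant's switch port


@dataclass(frozen=True)
class Slot:
    public: ipaddress.IPv4Address    # 1:1 NAT external address
    subnet: ipaddress.IPv4Network    # VLAN subnet
    gateway: ipaddress.IPv4Address   # firewall's address inside the VLAN
    reserved: ipaddress.IPv4Address  # DHCP reservation for the tenant's MAC


# Constructed tenants: one access port and one VLAN each.
TENANTS: List[Tenant] = [
    Tenant(f"srv{i}", f"02:00:00:00:00:{i:02x}", 100 + i) for i in range(1, 6)
]


def nat_addresses(block: ipaddress.IPv4Network,
                  router_wan: ipaddress.IPv4Address) -> List[ipaddress.IPv4Address]:
    """Addresses usable for 1:1 NAT: the block minus network, broadcast and
    the router's own WAN address.  A /29 therefore yields five."""
    return [h for h in block.hosts() if h != router_wan]


def build_plan(block: ipaddress.IPv4Network,
               router_wan: ipaddress.IPv4Address,
               tenants: List[Tenant]) -> Dict[int, Slot]:
    """Map each tenant VLAN to a Slot.  Raises if the block is too small."""
    free = nat_addresses(block, router_wan)
    if len(tenants) > len(free):
        raise ValueError(f"{len(tenants)} machines but only {len(free)} NAT addresses")
    plan: Dict[int, Slot] = {}
    for tenant, public in zip(tenants, free):
        if tenant.vlan in plan or not 1 <= tenant.vlan <= 255:
            raise ValueError(f"bad or duplicate VLAN {tenant.vlan}")
        subnet = ipaddress.ip_network(f"10.0.{tenant.vlan}.0/24")  # constructed scheme
        plan[tenant.vlan] = Slot(
            public=public,
            subnet=subnet,
            gateway=subnet.network_address + 1,
            reserved=subnet.network_address + 10,
        )
    return plan


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dot1q_tag: Optional[int] = None  # tag the host itself put on the wire


def switch_ingress_vlan(port_pvid: int, frame: Frame) -> Optional[int]:
    """Untagged access port: the switch assigns the port's PVID regardless of
    the source MAC or IP in the frame.  A host-supplied 802.1Q tag is dropped
    in this model (the port is not a trunk); nothing the host sends moves it
    to another VLAN."""
    if frame.dot1q_tag is not None:
        return None
    return port_pvid


def translate_outbound(plan: Dict[int, Slot], vlan: int, src_ip: str) -> Optional[str]:
    """Outbound 1:1 NAT keyed on the reserved address.  A tenant that sets a
    different static address inside its VLAN gets no translation; the paired
    firewall rule only allows the reserved address as source on that VLAN."""
    slot = plan.get(vlan)
    if slot is None or ipaddress.ip_address(src_ip) != slot.reserved:
        return None
    return str(slot.public)


def translate_inbound(plan: Dict[int, Slot], dst_public: str) -> Optional[Tuple[int, str]]:
    """Inbound 1:1 NAT: public address -> (vlan, reserved address)."""
    target = ipaddress.ip_address(dst_public)
    for vlan, slot in plan.items():
        if slot.public == target:
            return vlan, str(slot.reserved)
    return None


if __name__ == "__main__":
    plan = build_plan(PUBLIC_BLOCK, ROUTER_WAN, TENANTS)
    for vlan, slot in sorted(plan.items()):
        print(f"VLAN {vlan}: {slot.public} <-> {slot.reserved} ({slot.subnet})")
    honest = Frame("02:00:00:00:00:01", "10.0.101.10")
    hopping = Frame("02:00:00:00:00:02", "10.0.102.10", dot1q_tag=102)
    print(switch_ingress_vlan(101, honest), switch_ingress_vlan(101, hopping))
```

The DHCP reservation is what ties a MAC to the reserved address, but it is the access port's PVID that decides which VLAN the machine lands in, so a spoofed MAC only earns the tenant a different (or no) lease inside the same VLAN, and a hand-set static address that is not the reservation never matches the 1:1 NAT.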