I have a generic question regarding DSL lines with multiple leased IP addresses. We have a DSL line with 5 IP addresses leased. Every computer and the windows server is connected from the modem to a switch (no router) and has its own WAN IP address. The computers basically use a customized program and use the server's WAN IP address.

There is also an HP Laserjet printer connected with an external Jetdirect 300x print server. The computers print to the device directly to the IP via TCP/IP.

My question is, how is this possible? Can't any computer on the WAN (ie. Internet) print to this device. There is no firewall as far as I know. I have a feeling the answer is that they are connected since they are all on the same subnet. (I can't check since I won't be at the office any time soon). I know the IPs were sequential but didn't look at the subnet mask. If this guess is true, why can't any other external address on the WAN's subnet connect into this printer? Either way, I plan to make a reugular LAN behind a router for all the workstations and printers and keep the servers on their own WAN IPs. Would this be the recommended network architecture?

Thanks

Still too many unknowns. It could be that your printer is exposed to the wan.

A common way to use WAN IP's is to NAT/PAT them to private ip ranges. Block any and all traffic such as jetdirect from and to lan.

Contact the admin for more detailed topology and sofware.

I read it wrong and answer it wrong too. So get off my case you peanut.

Well I absolutely know for sure there are no private IPs in the network. No router, no additional network card on the servers, and every device has a public IP. Perhaps you mean this is the most common method, which I agree with.

I'm still looking for any answer to how this setup is working. Thanks.

"Every computer and the windows server is connected from the modem to a switch (no router) and has its own WAN IP address}

That is not a common setup and negates standard protections when exposed to the internet. No server should ever be directly exposed to the internet. This is why routers, firewalls and things like port forwarding exist.

If the printers ip is a wan ip then yes technially speaking ANYONE on the internet, who knew the printers ip could print to your printer.

Sure hope you password protected the 300x print server.

Concerning:
"The computers basically use a customized program and use the server's WAN IP address."

If you are speaking about the programs licensing was based on the wan ip address that was a mistake. You will need to talk to the software vendor about how to change the ip in the registration.

You do NOT want your servers on wan ips. You need a wan ip on a router with everything behind the router which would put them on the lan.

Otherwise you would need a router between the servers and the lan.

What is the point of protecting your workstations if you aren't protecting your servers?

What are you using now to protect your mail server from hackers/spam/virus's? And on the app server?

Are you ready for where Microsoft wants you to go today?

Well I ran a port scanner from outside the network and the ports are correctly blocked. Some ports are open for the services that are running. But I don't know where the firewall is. It is either in the DSL modem somehow (never heard of that) or the ISP does it somehow. I'll have to call the ISP to learn more.

You definately need to know where the firewall(s) is. Check on each individual server/PC connected to the WAN, are they running firewalls locally?

While not the normal arrangement, yours isn't unheard of. Where I work we have a block of class B IP's (XXX.XXX.0.0/16) which we use throughout our network. We do use some private IP's (for our "guest" wireless and DHCP for example) in our network, but all staff PC's, servers and switches are within our Class B range of IP's.

We have multiple firewalls in our topology to protect us and our network is subdivided with "rings" with ring 0 being the externally available resources in the DMZ and ring 4 the "inner sanctum" and the most protected (the server, firewall and management network).

Each ring (layer) of our network is divided by a router or routers. Needless to say, we have a lot of routers and one person who's specific job it is to manage them all (they're all OpenBSD based teamed servers).

This requires a lot of resources and manpower to setup, monitor and maintain and is not a setup I would recommend for a small operation. In that case, I would highly recommend creating an internal LAN on private IP's and only have outward facing resources (web server/email etc) on the WAN (non-private) IP's. This would allow you to have any/all printers on the LAN and available to all clients within the LAN and ease your management load. You would put all internal resources behind a single firewall (I'd wager now you have firewalls running on everything) and your external resources would be available in the DMZ.

Curt R - Thanks for a great response! That is exactly one of the network configuration I am thinking about in my mind, however I am concerned that the LAN will not talk to the two servers sitting directly on the WAN fluently. Windows file sharing, print sharing, etc. This is the safest way since I can guarantee the servers are setup identically to how they are now.

The other alternative is to stick the servers behind the router as well on a private IP and forward all ports and such through the router/firewall. The only downside of this is that I'm not 100% of the application and what ports need to be configured.

I would like to do the first configuration as you described. Do you know if the LAN and WAN will be able to communicate (ie. file sharing). I think I might need to define some static routes in the router which I am a little intimitated to do since I'm not too familiar with that.