Buying public IP range

networking

I'm starting to host a few websites, and someone told me to buy a public IP range.

Is there any good reason to do this? I'm actually havinf 10 websites running behind my public IP with a reverse proxy, and it's working fine.

I'm also questioning myself about the "how does it works"? How can a few IP be binded to my router MAC address?


To host websites you need to have at least one public IP address, which doesn't change often. For about 20 years (since protocol HTTP/1.1, RFC2616 - 1999) there is no need for every virtual web server to have a separate IP address. The same applies for HTTPS (but only since SNI, RFC3546 - 2003, but the adoption server and client was much slower in the wild).

If you can't have a public address for your web server (is it what you mean by "buying a public IP range"?), there are at least two options:

  1. portforwarding of ports needed (usually only tcp/80 - HTTP and tcp/443 - HTTPS) from a public IP address of your router to your web server. Almost every router/firewall can do it well,

  2. reverse proxy for specific protocols (HTTP and HTTPS once again) on your router/firewall.

If you request a network/range of IP addresses from your ISP, there are also at least two options:

  1. The new network is "routed to" your existing public IP address (WAN of your router). You create another network on the other side of your router (some people call it DMZ, but it had a different meaning originally) - not your home network but the third one. You can then put more publicly available server there (if your network has enough of IP addresses available), it's your own piece of public Internet. That's the "proper way".

  2. The new addresses are just additional addresses on the same network as your router's WAN interface is. You can use them to port-forward ports needed (the only advantage is that you have a space for more than a few tens of thousands of connection shared with other traffic on your router), or you can make a "1:1 NAT" to your web server.


When you have a single IP address, that is normally assigned to the public interface of your router or firewall, which performs NAT for your network.

When you buy a range of IP addresses, there are two possible setups:

  • You keep using a single router/firewall, with multiple IP addresses bound to its public interface; you manage NAT and port forwarding and use them to publish your internal services.
  • Your ISP gives you a public subnet and a router which uses one of the address in the subnet; you can connect anything you want to that subnet (including servers or firewalls) and assign them public IP addresses in the subnet range; they will use the ISP's router as their default gateway.

Related

How can I test a SMTP server?
Can't create certificate for puppet agent
kubectl logs error: You must be logged in to the server (the server has asked for the client to provide credentials
Ubuntu iptables logs not going to any log file
Ansible - delete all partitions on a given list of disks
RAID 5 array not working after disk replacement?
Why am I seeing unicast packets from a machine on another VLAN?
Why OCSP stapling on NGINX for "buypass" DV certs fails without explicit root declaration?
CloudFormation: How to get a list of key pairs in a given region
Nginx Redirect regex
Traefik SSL for a service that runs on non-standard port
I have an internal PKI with a shared root CA, and multiple intermediate CAs, how do I make anything issued by any intermediate CA to trust everything?