Can an ISP provide two static IPs over a single cable?

Can an ISP provide my home or a business with two static IPs over a single cable connection so that they may be used simultaneously? If so, can someone point me in the right direction to understand how this works?

I understand that a router would be pivotal in directing traffic, but as a matter of security, how do I keep the two streams of data completely separate?

For example, how does a landlord provide a completely separate IP to a tenant?


Solution 1:

It's certainly possible, but it depends on the type of modem/router that they provide you. The modems that my ISP provides only allow one client, so only one WAN IP at a time and you must go buy your own router.

Many ISPs offer hardware and service that can support it.

Most ISPs only do multiple WAN IPs for businesses, but if you ask I'm sure they'll be glad to inform you whether or not they are available for consumers in your area.

Solution 2:

Can an ISP provide my home or a business with two static IPs over a single cable connection so that they may be used simultaneously?

Yep. This is substantially more likely with business accounts than residential accounts. You would need a modem that supports this; I'm not sure of specific hardware that does, though ISP-provided hardware would always work.

I understand that a router would be pivotal in directing traffic, but as a matter of security, how do I keep the two streams of data completely separate?

Depends on what you mean by separate.

If you mean absolutely physically separate, you need a router that has 1 WAN interface and 2 LAN interfaces, and which will look at the destination IPs of your traffic and forward traffic to a different LAN interface depending on the destination IP.

This is completely possible if you have a PC with 3 network cards running Linux and iptables. I am unsure of Comcast or other third-party hardware that does this natively, but I'm sure it's out there or they provide it.

You can achieve much the same thing with a single physical LAN interface on the router if the LAN interface, as well as the rest of your network, supports VLANs.

For example, how does a landlord provide a completely separate IP to a tenant?

Wireless hardware (even consumer-level wireless hardware) typically has an "AP Isolation" mode that prevents clients from seeing each other on the network. With business-class switching hardware it's possible to do this - your typical 4-port or 8-port unmanaged switch won't have this capability. One solution is to assign each switch port to its own VLAN, thereby isolating it completely.

It's also possible the landlord doesn't know what they are doing and has actually placed all tenants on a private subnet, and that they can indeed reach each other.

Solution 3:

There are multiple solutions to this problem. The "most elegant" one is relatively wasteful, but very common, and uses 9 IP addresses to do it. This is the way most professional ISPs would handle it.

You get an IP address for your router (same as most regular accounts) - this IP address is associated with the WAN interface of your router. [You could use an RFC1918 IP here if agreed with your ISP, but this probably stuffs things up for their neat systems.]

You then ask your ISP for a "/29". This means you are asking for a block of 8 IP addresses (including the 2 unusable ones associated with the routing protocol; simplifying a bit, the first and last IP address of a block is considered to be "unusable"). The ISP then routes these IP addresses down to your router as a single block. They like doing this because it simplifies their accounting and routing table, and is very standard.

You then further divide this block of 8 IPs into 2 blocks of 4 IPs. This gives you 2 blocks of 2 usable addresses. You bind 1 of the 2 usable addresses to each interface / VLAN on your router and provide the other IP address to the client.

Thus you might have something which looks as follows:

ISP (1.1.2.254) -----> (1.1.2.253) router (1.1.1.1) ------ 1.1.1.2 (PC on network 1)
                                       |
                                       +-- (1.1.1.5) ----- 1.1.1.6 (PC on network 2)

In the example above, the ISP has assigned your router 1.1.2.253. Your router [which needs 3 interfaces/virtual interfaces] has the default network configured to point back to 1.1.2.254, so unknown traffic goes to your ISP.

On the router, the first LAN port is configured as 1.1.1.1 with a netmask of 255.255.255.252. The second LAN port is configured as 1.1.1.5 with a netmask of 255.255.255.252.

The first PC is configured with an IP of 1.1.1.2, a netmask of 255.255.255.252 and a default gateway of 1.1.1.1.

The second PC is configured with an IP of 1.1.1.6, a netmask of 255.255.255.252 and a default gateway of 1.1.1.5.

IPs 1.1.1.0 and 1.1.1.4 are called "Network" IPs and are not used for traffic. IPs 1.1.1.3 and 1.1.1.7 are called "Broadcast" IPs and are not used for traffic. The router requires 2 IPs on the LAN interface.

An alternative, similar but less elegant method would be to get your ISP to route a /30 across your connection - this requires a total of 5 IPs for your network, and 2 are wasted. You would need to use private IPs (like 192.168.1.x) for each of your LAN interfaces and then use NAT to translate these to real world providers.

FOR THOSE WHO WANT TO SHOOT ME DOWN FOR THE USE OF IPS - CHECK WITH YOUR NETWORK PROFESSIONAL FIRST - MOST "point to point" connections are configured using 4 IPs as I've made extensive use of above.
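
An added example, not part of any answer above, that works through Solution 3's /29 split together with the Linux/iptables router from Solution 2: it derives each /30 segment, checks a PC's settings against the plan, and builds forwarding rules under which each LAN can reach only the WAN. The interface names eth0, eth1 and eth2 are assumptions; the addresses are the ones used in Solution 3.

```python
import ipaddress

def plan(block, lan_ifaces):
    """Split a routed block into one /30 per LAN interface (Solution 3)."""
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=30))
    if len(lan_ifaces) > len(subnets):
        raise ValueError("block too small for that many /30 segments")
    segments = []
    for iface, sub in zip(lan_ifaces, subnets):
        router_ip, client_ip = sub.hosts()  # a /30 has exactly two usable hosts
        segments.append({
            "iface": iface, "subnet": sub, "netmask": str(sub.netmask),
            "network": str(sub.network_address),
            "broadcast": str(sub.broadcast_address),
            "router": str(router_ip), "client": str(client_ip),
        })
    return segments

def validate_host(segments, ip, netmask, gateway):
    """Return the LAN interface a PC's settings belong to, or raise ValueError."""
    host = ipaddress.ip_interface(f"{ip}/{netmask}")
    for s in segments:
        if host.network == s["subnet"]:
            if ip in (s["network"], s["broadcast"]):
                raise ValueError(f"{ip} is a network or broadcast address")
            if gateway != s["router"]:
                raise ValueError(f"gateway {gateway} is not the router on {s['iface']}")
            return s["iface"]
    raise ValueError(f"{ip}/{netmask} matches no planned segment")

def isolation_rules(segments, wan_iface):
    """iptables commands: default-deny forwarding, each LAN may talk only to the WAN."""
    rules = ["iptables -P FORWARD DROP"]  # nothing permits LAN-to-LAN forwarding
    for s in segments:
        # Outbound: the source must be inside the segment's own /30 (anti-spoofing).
        rules.append(f"iptables -A FORWARD -i {s['iface']} -o {wan_iface} -s {s['subnet']} -j ACCEPT")
        # Inbound: only traffic addressed to that segment's /30 is forwarded to it.
        rules.append(f"iptables -A FORWARD -i {wan_iface} -o {s['iface']} -d {s['subnet']} -j ACCEPT")
    return rules

if __name__ == "__main__":
    # Addresses from Solution 3; eth0 (WAN), eth1 and eth2 (LANs) are assumed names.
    segs = plan("1.1.1.0/29", ["eth1", "eth2"])
    for s in segs:
        print(s["iface"], s["subnet"], "router", s["router"], "client", s["client"])
    print(validate_host(segs, "1.1.1.6", "255.255.255.252", "1.1.1.5"))
    print("\n".join(isolation_rules(segs, "eth0")))
```

Because each tenant sits in its own /30, traffic between 1.1.1.2 and 1.1.1.6 has to cross the router, where the default DROP policy stops it; inbound traffic from the WAN to each public address is forwarded unfiltered here and can be tightened per segment.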