Can only some machines on a network have public IP addresses?

IPv6 has plenty of IPs and so everything will have a public IPv6 address, so I take it you are talking about IPv4. IPv4 allows a type of routing called Network Address Translation (NAT), which allows multiple private IP devices to use the public internet with a single public IPv4 address on the router.

You don't need any fancy switches, a simple switch will be fine. The router is what is deciding which MAC address to send packets to and if NAT routing needs to be performed.

If using public IP addresses on any of your servers, then on one or both of your load balancing servers you need to have two IP addresses, the public one and the internal one, preferably on a separate NIC each. It/they can run Squid in reverse proxy load balancing mode and they will talk with the actual web servers, which have private IP addresses, to obtain and serve content.

That being said, you don't even need to have public IP addresses on any of your servers, just your router, and it can decide which of your private IP addresses to send the packets to, and it can provide NAT routing for all of your internal IP address servers so they can use the internet.

Edit: every HTTP/HTTPS request, and for that matter every TCP packet, includes the source IP and source port of the request. Every HTTP/HTTPS request includes the website name being requested as well. Based on that info the load balancer has in its config a list of IP addresses it can contact to fulfil the request. Based on the IP address of the machine it is trying to talk to, the OS routing table will determine which NIC will be contacted.
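To make the last point concrete, here is an added illustration (not code from the answer above) of how a routing table picks the interface and the next hop: longest prefix wins, then the lowest metric. The topology is the dual-homed load balancer the answer describes, with the public address on eth0 and the internal one on eth1; all addresses, interface names and routes are constructed from documentation ranges.

```python
"""Longest-prefix-match route lookup: how the OS decides which NIC (and which
next-hop MAC address) carries a packet. Constructed example; addresses are
from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 10.0.0.0/24)."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None
    metric: int = 0


def parse_route(line: str) -> Route:
    """Parse a simplified `ip route`-style line, e.g.
    'default via 203.0.113.1 dev eth0 metric 100' or '10.0.0.0/24 dev eth1'."""
    tokens = line.split()
    target = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    prefix = ipaddress.ip_network(target, strict=False)
    dev, gateway, metric = None, None, 0
    i = 1
    while i + 1 < len(tokens):
        if tokens[i] == "via":
            gateway = ipaddress.ip_address(tokens[i + 1])
        elif tokens[i] == "dev":
            dev = tokens[i + 1]
        elif tokens[i] == "metric":
            metric = int(tokens[i + 1])
        i += 2
    if dev is None:
        raise ValueError(f"route has no interface: {line!r}")
    return Route(prefix, dev, gateway, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching route: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(interface, IP whose MAC address the frame is sent to).
    On-link destinations are reached directly; anything else goes via the gateway."""
    route = lookup(table, dst)
    if route is None:
        return None
    hop = str(route.gateway) if route.gateway is not None else dst
    return route.dev, hop


# Constructed routing table of the load balancer: eth0 = public, eth1 = internal.
LB_ROUTES = [parse_route(line) for line in (
    "203.0.113.0/28 dev eth0",
    "10.0.0.0/24 dev eth1",
    "default via 203.0.113.1 dev eth0 metric 100",
)]

if __name__ == "__main__":
    for dst in ("10.0.0.20", "203.0.113.5", "198.51.100.7"):
        print(dst, "->", next_hop(LB_ROUTES, dst))
```

The backend web server 10.0.0.20 matches the /24 on eth1 and is sent to directly, a neighbour in the public /28 goes straight out of eth0, and an arbitrary internet client only matches the default route, so the frame is addressed to the provider gateway's MAC on eth0.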


Yes, it's possible.

There are a few approaches.

  1. If your provider offers IPv6, make the servers that need to be publicly accessible dual stack and make the servers that don't need to be publicly accessible IPv6 only. If the non-public servers need to access IPv4-only resources on the internet then you will need to use NAT64/DNS64 to provide access to the IPv4 internet; if your provider is especially forward looking they may provide this for you, or you may have to run it yourself.

  2. Have a public subnet and a private subnet and have the existing gateway router for the network perform routing between the two subnets and NAT between the private subnet and the internet. This requires that the existing router has sufficiently flexible NAT support (Linux can do it, not sure about other implementations).

  3. Have a public subnet and a private subnet and use one of your own machines to provide NAT so the private machines can access the internet. Either set up routing so the public and private machines can see each other or give the public machines IPs on both subnets.
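For option 1, an added illustration (not from the answer) of the address mechanics behind NAT64/DNS64: the DNS64 resolver hands an IPv6-only host a synthetic AAAA record built by embedding the IPv4 address in a /96 prefix, and the NAT64 gateway recovers the IPv4 destination from that address. It uses the RFC 6052 well-known prefix 64:ff9b::/96; the DNS records are constructed sample data.

```python
"""NAT64/DNS64 address synthesis with the RFC 6052 well-known prefix.
Constructed example; the DNS zone data below is made up."""
import ipaddress
from typing import Dict, List, Optional

WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def nat64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """What the NAT64 gateway does on the wire: recover the IPv4 destination,
    or None when the packet is ordinary IPv6 traffic that should be routed as-is."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_lookup(name: str, zone: Dict[str, Dict[str, List[str]]],
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[str]:
    """DNS64 behaviour for an AAAA query: real AAAA records win; for IPv4-only
    names the A records are translated into synthetic AAAA answers."""
    entry = zone.get(name, {})
    if entry.get("AAAA"):
        return list(entry["AAAA"])
    return [nat64_synthesize(a, prefix) for a in entry.get("A", [])]


# Constructed zone data: one IPv4-only name, one dual-stack name.
SAMPLE_ZONE = {
    "v4only.example": {"A": ["192.0.2.33"]},
    "dual.example": {"A": ["192.0.2.34"], "AAAA": ["2001:db8::34"]},
}

if __name__ == "__main__":
    for name in ("v4only.example", "dual.example"):
        answers = dns64_lookup(name, SAMPLE_ZONE)
        print(name, "AAAA ->", answers, "| gateway sees", [nat64_extract(a) for a in answers])
```

The dual-stack name is left alone (a real AAAA exists), and only the IPv4-only name gets a synthesized address that the gateway can map back; native IPv6 destinations outside the prefix are not touched by the translator.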


If you are running some publicly available website with some database backend, I would recommend at a minimum you use a dedicated firewall. The basic setup is where to start, and can be built upon as needed:

  • Set up the firewall as the only access point to the internet. Give it the first IP in your block of 12 IPs. Initial setup is similar to how a home router would be set up... All computers on the internal LAN can access the internet. If they go to whatismyip.com, the result is the firewall's external IP. All internal machines are protected by the firewall.
  • Set up the load balancers with public IPs: Configure the load balancers with an IP address on your internal network. Use the NAT feature in the firewall to map loadbalancerA's internal IP to your second public IP, and loadbalancerB's internal IP to the third public IP. (You will also have to set firewall rules to allow the incoming requests.)

You would also need a switch to accommodate the physical connections of all the servers... Basically, plug the Internet into the firewall's external interface, the firewall's internal interface into the switch, then all servers into the switch.
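An added simulation (not the answer's own code) of the firewall behaviour this setup relies on, with constructed addresses: the firewall's external address is 203.0.113.1 (first IP of the block), loadbalancerA 10.0.0.2 is mapped 1:1 to 203.0.113.2 and loadbalancerB 10.0.0.3 to 203.0.113.3, the rest of 10.0.0.0/24 shares 203.0.113.1 through masquerading, and only ports 80 and 443 are allowed in to the load balancers. It shows both translation directions, the connection-tracking entries that let replies find the right internal host, and what gets dropped.

```python
"""Stateful NAT firewall simulation for the firewall + two load balancer layout.
Constructed example; all addresses are from documentation ranges."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, external_ip: str, static_map: Dict[str, str],
                 inbound_allow: Dict[str, Set[int]]):
        self.external_ip = external_ip
        self.dnat = dict(static_map)                               # public -> internal (1:1)
        self.snat = {inner: pub for pub, inner in static_map.items()}
        self.inbound_allow = inbound_allow                         # public IP -> allowed ports
        # masquerade state: (external_ip, public_port) -> (internal_ip, internal_port)
        self.conntrack: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int], int] = {}
        self.next_port = 40000

    def _allocate_port(self, wanted: int) -> int:
        """Keep the host's own source port when it is free, otherwise pick an unused one
        (two internal hosts using the same source port must not collide)."""
        if (self.external_ip, wanted) not in self.conntrack:
            return wanted
        while (self.external_ip, self.next_port) in self.conntrack:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet. Statically mapped hosts keep their dedicated public IP;
        everything else is rewritten to the firewall's external IP (masquerade)."""
        if pkt.src in self.snat:
            return replace(pkt, src=self.snat[pkt.src])
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            port = self._allocate_port(pkt.sport)
            self.reverse[key] = port
            self.conntrack[(self.external_ip, port)] = key
        return replace(pkt, src=self.external_ip, sport=self.reverse[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> external interface. Returns the translated packet, or None if dropped.
        Replies to tracked connections pass; otherwise only the explicitly allowed
        ports on the load balancers' public IPs are forwarded."""
        entry = self.conntrack.get((pkt.dst, pkt.dport))
        if entry is not None:
            return replace(pkt, dst=entry[0], dport=entry[1])
        if pkt.dst in self.dnat and pkt.dport in self.inbound_allow.get(pkt.dst, set()):
            return replace(pkt, dst=self.dnat[pkt.dst])
        return None


def build_example_firewall() -> NatFirewall:
    """Constructed instance of the layout described in the answer."""
    return NatFirewall(
        external_ip="203.0.113.1",
        static_map={"203.0.113.2": "10.0.0.2", "203.0.113.3": "10.0.0.3"},
        inbound_allow={"203.0.113.2": {80, 443}, "203.0.113.3": {80, 443}},
    )


if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.outbound(Packet("10.0.0.20", 50000, "198.51.100.7", 443)))
    print(fw.inbound(Packet("198.51.100.7", 40001, "203.0.113.2", 443)))
    print(fw.inbound(Packet("198.51.100.7", 40002, "203.0.113.2", 22)))
```

An internal machine checking whatismyip.com appears as 203.0.113.1, a client hitting 203.0.113.2:443 is delivered to loadbalancerA, and a connection to an unlisted port on the same public IP (or any unsolicited packet to the firewall's own IP) is dropped, which is the "firewall rules to allow the incoming requests" step.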