Possible to have multiple default gateways?

Yes, my ISP has offered me Public IP addresses that are not in a range, which should obviously prevent any suspicion.

Can you suggest any enterprise-level routers that would be suitable? To start, a router that will enable 10 default gateways would suffice, but possibly in future I would like something that would be scalable and allow for more default gateways.

If I were buying 10 NICs, what format would these come in? The only NICs that I have experience of are the PCI cards that fit into the motherboard of a standard computer. With my VMs housed in a server, is it possible to buy a server case that would cater for 10 PCI cards, or do NICs come in another more suitable physical format for this situation?
 
Yes, my ISP has offered me Public IP addresses that are not in a range, which should obviously prevent any suspicion.

Can you suggest any enterprise-level routers that would be suitable? To start, a router that will enable 10 default gateways would suffice, but possibly in future I would like something that would be scalable and allow for more default gateways.
You would be spending a good deal of money on a layer 2 or 3 switch.
Also, to inform you, the correct terminology for what you want is subnets, or in your case VPNs. VPN because you want each virtual machine to be in its own network, not viewable to the others. AFAIK there are no cheaper consumer "routers" that would allow this. You would need a router to provide DHCP (or in this case act as layer 3) to a layer 2 switch (because it's cheaper) and VPN each individual port.

There may be an easier way or cheaper way of doing this so wait to see if somebody will chime in but I'm 99% positive that is the way you have to do it without going into multiple routers which would all be on the same subnet anyways.

If I were buying 10 NICs, what format would these come in? The only NICs that I have experience of are the PCI cards that fit into the motherboard of a standard computer. With my VMs housed in a server, is it possible to buy a server case that would cater for 10 PCI cards, or do NICs come in another more suitable physical format for this situation?
There are some boards that offer 4 or more NICs integrated and you can add the rest via the ports. There are also some PCI-E NICs that have 2 or more ports on a single card that can be used individually or bonded. These can be slightly pricey though.
The cheapest solution would be to use a standard motherboard/case setup and use dual NIC cards on PCI or PCI-E (whatever slots can be allocated).
 
There may be an easier way or cheaper way of doing this so wait to see if somebody will chime in but I'm 99% positive that is the way you have to do it without going into multiple routers which would all be on the same subnet anyways.

Probably the best way of doing it would be VLANs through a managed switch into a router. Each VM connected to the switch would be assigned its own VLAN. The VLAN would serve as the default gateway for the VM and each VM will be on its own network. If the router doesn't have 10 inside interfaces then you could trunk all the VLANs through one port. Configure static NATs on the router and each VM will have its own public IP with no overlap between subnets - provided that everything is properly configured. This would be the kind of thing that I would advise getting a networking professional for. It's entirely possible to do it through internet tutorials and tech support boards, but it won't be fun.

As mentioned, the router and switch will not be cheap, even if you find some on eBay or something. Any Cisco small business router and switch will work, but even the cheap ones aren't cheap.

Can you suggest any enterprise-level routers that would be suitable? To start, a router that will enable 10 default gateways would suffice, but possibly in future I would like something that would be scalable and allow for more default gateways.
I think your best bet is to get a managed switch and connect that to the router. Each switchport can be a default gateway and you can always stack switches if you need scalability. Cisco 1900 series routers and 300 series switches would have everything you need but that would probably run you over a grand. There are cheaper models but those are about to be end-of-sale so you won't be able to count on having any support for it for too long. Depending on your needs, that might be an option.
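As an added worked example (not from any poster on this thread, and not a tested config from any vendor), here is what the design described in the post above, one VLAN per VM, a managed switch trunked into a router-on-a-stick, and a static NAT per VM, looks like in Cisco IOS syntax for the first two VMs. The VLAN numbers, interface names, the 10.0.x.0/24 private subnets, the 203.0.113.x public addresses and the 198.51.100.2 WAN address are all placeholder assumptions (IANA documentation ranges), and exact commands vary by platform and IOS version:

```cisco
! ===== Managed switch (Catalyst-style IOS) =====
! One VLAN per VM; each VM's NIC goes into an access port in its own VLAN.
vlan 101
 name VM01
vlan 102
 name VM02
!
interface GigabitEthernet1/0/1
 description VM01 NIC
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description VM02 NIC
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
!
! Single trunk carrying all ten VLANs to the router (the "trunk all the
! VLANs through one port" option from the post above).
interface GigabitEthernet1/0/24
 description trunk to router
 switchport trunk encapsulation dot1q   ! only on platforms that also do ISL
 switchport mode trunk
 switchport trunk allowed vlan 101-110
!
! ===== Router (ISR-style IOS), router-on-a-stick =====
interface GigabitEthernet0/0
 description WAN to ISP (assumed 198.51.100.0/30 link, ISP side .1)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/1
 description trunk to switch
 no ip address
 no shutdown
!
! One 802.1Q subinterface per VLAN: this private .1 address is the only
! "default gateway" the VM ever sees.
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.0.101.1 255.255.255.0
 ip nat inside
 ip access-group NO-INTERVLAN in
!
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 10.0.102.1 255.255.255.0
 ip nat inside
 ip access-group NO-INTERVLAN in
!
! Stop the router from forwarding between the per-VM subnets, so a
! compromised VM cannot reach its neighbours via the gateway.
! (This also blocks a VM pinging 10.0.x.1; permit that first if you need it.)
ip access-list extended NO-INTERVLAN
 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
 permit ip any any
!
! 1:1 static NAT: each VM gets its own public address in both directions.
ip nat inside source static 10.0.101.2 203.0.113.11
ip nat inside source static 10.0.102.2 203.0.113.12
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Repeat the vlan, access-port, subinterface and static-NAT stanzas for VMs 3 to 10 (VLANs 103-110, 10.0.103.0/24 onwards, 203.0.113.13 onwards). Two things this config cannot fix on its own: the ISP has to actually route the public block to the router's WAN address (or place those addresses on the WAN subnet) for the static NATs to receive any traffic, and all ten public addresses are still reached through the same WAN hop, so a traceroute to any of them ends via 198.51.100.2.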
 
It seems like the problem would be more related to the software. If you are using a public IP based on that VM, the software should not locate another VM as it would be the only one on that network.

If the ISP is providing you a business line with 10 different IPs in different subnets, they should be providing you a router capable of routing all that traffic.

Addition:
If I were trying to hack into your system and was able to access one VM, I would be able to determine if I am on a VM or a physical PC, but there is no direct way to locate or access the other VMs unless they are on the same network, and having them on different IPs would cover the tracks.
 
Probably the best way of doing it would be VLANs through a managed switch into a router. Each VM connected to the switch would be assigned its own VLAN. The VLAN would serve as the default gateway for the VM and each VM will be on its own network. If the router doesn't have 10 inside interfaces then you could trunk all the VLANs through one port. Configure static NATs on the router and each VM will have its own public IP with no overlap between subnets - provided that everything is properly configured. This would be the kind of thing that I would advise getting a networking professional for. It's entirely possible to do it through internet tutorials and tech support boards, but it won't be fun.

As mentioned, the router and switch will not be cheap, even if you find some on ebay, or something. Any Cisco small business router and switch will work but even the cheap ones aren't cheap.

I think your best bet is to get a managed switch and connect that to the router. Each switchport can be a default gateway and you can always stack switches if you need scalability. Cisco 1900 series routers and 300 series switches would have everything you need but that would probably run you over a grand. There are cheaper models but those are about to be end-of-sale so you won't be able to count on having any support for it for too long. Depending on your needs, that might be an option.
VLANs is exactly what I meant by VPN. VLAN totally didn't cross my mind.

It seems like the problem would be more related to the software. If you are using a public IP based on that VM, the software should not locate another VM as it would be the only one on that network.

If the ISP is providing you a business line with 10 different IPs in different subnets, they should be providing you a router capable of routing all that traffic.

Addition:
If I were trying to hack into your system and was able to access one VM, I would be able to determine if I am on a VM or a physical PC, but there is no direct way to locate or access the other VMs unless they are on the same network, and having them on different IPs would cover the tracks.
What he is trying to avoid is them seeing each other in any possible way because they have to all go through the same end piece to reach the outside world.

To the OP, that's correct right? If so, just turn network discovery off lol.


To the OP, this is what you're looking at getting. This is my EOL 24-port Fastiron. You will need a smaller one obviously for cost reasons, but you're going to need a managed switch to do what you want.

 
PP Mguire, my fundamental requirement is:

-That for each VM, the outside world should be able to read the public IP address, ISP and all the usual info that can be understood about a computer, but it would not link them to any of the other VMs on my server. (If, when network discovery is turned off, it prevents the outside world reading the public IP address etc. of each VM, then that might cause problems. This would be best left visible.)
-They need to appear as separate, unrelated computers/virtual machines, not seen to be linked by physical location or network.

I've taken all your suggestions into account and contacted a few Cisco Partners to see if they can provide me with the hardware and set everything up for me. I've had a few negative responses so far, here is one:

CISCO PARTNER:
"Dan,

Thanks for the update.

Sorry if I was misleading and I do appreciate your design. It is a completely
reasonable and normal set-up. The virtual servers will all be allocated a static
IP which is publicly routable and therefore will appear as though they are
separate.

Unfortunately it is very, very difficult to prevent someone knowing they are
on the same LAN. The reason is that you have one broadband connection and
router. For obvious reasons this means that you can physically have only one
actual presence on the internet (inside your ISP). If I were to perform a
traceroute to each of the virtual servers then each listing would show the
IP address of the router connected to your broadband as the last hop. The IP
addresses of the VMs will all appear in the same range as well."

ME:
"Have you read the forum thread that I started? In this thread people who appear to be very knowledgeable about networking are suggesting that it would be possible to achieve this. If you have a few minutes, could you have a look at the thread? The main solution suggestions are on the 2nd page of the thread. Thanks."

CISCO PARTNER:
"Dan,

I am a little swamped at present, but will try and review it in more detail
later. Of course there may be better placed people than I to answer this
question as I do not have that level of arrogance yet.

In overview, even if the ISP allocates you public IPs that are actually separate
networks the solutions still cannot work. Effort can be placed on achieving the
default route and network segregation of VMs, but to what avail. This is not
a significant challenge, but the fundamentals do change. You are using one
connection to your ISP and the outside interface of that router is going to be
assigned an IP by the ISP no matter what it is. All other IPs (traffic) will be
routed via this IP otherwise they will not get to you. Anyone worth their salt
will be able to determine that the routed IPs are on the other side of
this IP.

I have refrained from asking what your intent is, because to large extent it is
irrelevant. However, it might help to understand this and suggest alternate
designs."


He seems to be suggesting it can't be done with 1 router - can anyone give an opinion on his thoughts? Thanks.

Dan
 
It can be done with the way we are suggesting. Network discovery doesn't hide any IPs, it hides the presence of other computers on the local network, as well as hides your presence to other computers on local networks.

Thing is, he's right in one regard which is what we were trying to say, but with making each individual setup a VLAN with their own unshared NICs they shouldn't be able to see each other through the local network. If the ISP somehow manages to route each VM their own external IP then the VMs shouldn't be able to see each other locally, or over a WAN unless you specifically set it up for them to be seen. I think the biggest issue at hand here is the fact that you want so many on such a small non-enterprise network.

Think of it this way, and you can relay this to your contact there. How else do several hosted servers communicate through the same large provided ISP pipe but yet can't see each other on the backend? Only the network admins can because they are on their own private local networks. Simple subnetting at QuakeCon (a 3,000-person LAN party) makes it so people on different tables (switches) can't see each other. It just takes proper networking knowledge to do it and the equipment available.
 
I am still not 100% certain I am understanding things properly, so I have drawn up a diagram of my proposed server setup and router requirements to make sure we are talking about the same thing. (I've attached the diagram to this post.) Note the Public IPs and gateway example/scenario that the router should be able to allocate to each VM.

You say that with regards to the VMs, "making each individual setup a VLAN with their own unshared NICs they shouldn't be able to see each other through the local network."

I am not too worried about my VMs seeing each other at the moment; the main problem to solve is preventing other computers on the internet (not belonging to me) seeing that my 10 VMs are behind the same router, or same phone line, or same building.

A bit more about the software I am running - I have 10 accounts with the company who own the software. Each account runs off 1 VM and has the software installed on it. The company, I assume, are reading the following details about my VMs:
-Public IP Address (definitely)
-Machine ID (definitely)
-Default Gateway (probably)

and possibly any other defining details that can be read about a computer. This software won't run if being used by 2 or more accounts on the same Public IP Address even if they are on a different computer or VM. With my current setup of 1 Public IP Address and 1 gateway, I can only run one account at a time. The software is free, so it's not a licensing issue.

If I can allocate each of my VMs its own Public IP Address and, ideally, Default Gateway, and this is the first thing the software vendor sees for each VM, rather than the Public IP Address and Default Gateway of the router, then my problem is solved.

Sorry in advance, if what you have suggested does solve my problem and I am just getting confused - I just wanted to clarify.
 

Attachment: ServerDiagram_b.jpg (the server diagram referred to above)
Ironically your situation has nothing to do with the gateway now that you've explained it.

Take into consideration that most people using the software will either have a router giving off a 192.168.1.1 or 192.168.0.1 gateway. If all of your VMs have the same gateway, that's fine. I'm going to say with 99% certainty that the company in question here checks out the external IP (one of the 10 being given to you by your ISP) and to see if their software/VM is running on the same network. By creating a VLAN for each individual VM they won't see each other, nor will they appear to be on the same network. The only thing that matters here is if each individual VM has their own external IP. In other words, the address people use to connect to your residence all has to be different in order for the company in question to think they are all at separate addresses.

Also one more thing to worry about and it's something that can't really be solved. If that router has one MAC address then that same MAC will be seen by each VM regardless of how the network is setup on the front or back end. Sorry I didn't mention this before, I just thought of it.
A MAC address is a "serial number" or "NIC code" if you will for each individual piece of networking equipment. That goes for wireless/wired NICs, routers, modems, switches, LAN phones, or anything that has some form of network.
 
The company, I assume are reading the following details about my VM's:
-Public IP Address (definitely)
-Machine ID (definitely)
-Default Gateway (probably)

It all depends on what the software is looking at. I couldn't tell you for sure without knowing more about it. As mentioned, it wouldn't be able to determine anything by looking at a default gateway that has a private IP. If it looks at routing information (which is what that email you posted was talking about) then that is a different story. If it is just looking at public IP addresses then all you need is to be able to assign static NAT.
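The last two posts raise what a program running inside one of the VMs could actually learn about the router: its default gateway (a private 10.0.x.1 address, which on its own says nothing about where the machine is) and, via the ARP/neighbour table, the gateway's MAC address. The following Python script is an added example, not code from any poster on this thread or from the software vendor being discussed. It parses constructed `ip route show` and `ip neigh show` output (the addresses and MAC are made up) from two Linux VMs sitting in separate VLANs behind one router-on-a-stick, reports what each VM sees, and groups the VMs by the gateway MAC they observe. The shared MAC reflects the default behaviour on Cisco IOS and Linux, where 802.1Q subinterfaces inherit the physical port's address unless one is set explicitly; whether the vendor's software collects this value at all is not known from the thread:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample output, as `ip route show` and `ip neigh show` would print
# on two Linux VMs that each sit alone in their own VLAN behind one router.
# Addresses and the MAC are illustrative assumptions, not taken from the thread.
VM_SAMPLES = {
    "vm01": (
        "default via 10.0.101.1 dev eth0 proto static\n"
        "10.0.101.0/24 dev eth0 proto kernel scope link src 10.0.101.2\n",
        "10.0.101.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE\n",
    ),
    "vm02": (
        "default via 10.0.102.1 dev eth0 proto static\n"
        "10.0.102.0/24 dev eth0 proto kernel scope link src 10.0.102.2\n",
        "10.0.102.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE\n",
    ),
}

# "default via <gateway> dev <iface> ..." line of the routing table
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.M)
# "<ip> dev <iface> lladdr <mac> <state>" lines of the neighbour table
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.M | re.I)


def observe(route_text, neigh_text):
    """Return what a program running *inside* the VM can learn about its gateway."""
    m = DEFAULT_RE.search(route_text)
    if not m:
        raise ValueError("no default route in routing table")
    gw_ip, dev = m.group(1), m.group(2)
    macs = {ip: mac.lower() for ip, mac in NEIGH_RE.findall(neigh_text)}
    return {
        "gateway": gw_ip,
        "dev": dev,
        # RFC 1918 gateway: reveals nothing about the site on its own
        "gateway_is_private": ipaddress.ip_address(gw_ip).is_private,
        # layer-2 identity of the router port answering ARP for the gateway
        "gateway_mac": macs.get(gw_ip),
    }


def correlate(samples):
    """Group VM names by the gateway MAC they observe.

    Only groups with more than one member are returned: those are the VMs
    that anything collecting the gateway MAC could tie to the same router.
    """
    groups = defaultdict(list)
    for name, (route_text, neigh_text) in samples.items():
        groups[observe(route_text, neigh_text)["gateway_mac"]].append(name)
    return {mac: sorted(vms) for mac, vms in groups.items() if len(vms) > 1}


if __name__ == "__main__":
    for name, (route_text, neigh_text) in VM_SAMPLES.items():
        print(name, observe(route_text, neigh_text))
    print("VMs sharing a gateway MAC:", correlate(VM_SAMPLES))
```

On a real VM you would feed `observe()` the output of the two `ip` commands for that host. If the result shows every VM with a private gateway but the same gateway MAC, the network part of the thread's design is doing its job and the remaining question is purely what the vendor's client reports, which only the vendor, or traffic capture of that client, can answer.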
 