
Business Phone Systems

Page 2 of 3 1 2 3
Joined: Dec 2007
Posts: 65
Member
OP Offline
One other comment. I'm using Watchguard System Manager 8.2, which does not allow me to add multiple subnets to one Ethernet port on the firewall. I could try upgrading the Watchguard System Manager to the latest version, which I think is 9.1 now. That updates the firmware on the firewall and might allow adding multiple external subnets.


Joined: Jun 2006
Posts: 318
Member
Offline
Not sure about the Watchguard, but most newer firewalls should support Port Address Translation. If yours does, you could assign different ports for RDP access on each system you wanted to manage. Then tell the firewall to forward requests to different servers based on the port number, even though you're connecting to a single external IP address. Same with other services.


Sometimes you carpe diem, sometimes your diem gets carped.
Joined: Dec 2007
Posts: 65
Member
OP Offline
Yes, the Watchguard does Port Address Translation. I don't like having to change the RDP port numbers on the servers. Plus I have 32 public IP Addresses on the /27 subnet that are available to me.

Joined: Oct 2007
Posts: 62
Member
Offline
This doesn't sound good, using RDP across the public web, unless you know the source IP you will always be coming from; then you allow only that. Have you looked into a browser-based VPN like SSL Explorer, for example? With this you go to a web site using port 443 and once you authenticate to it you can RDP to anything you want on your trusted segment.


Adrian
Joined: Sep 2006
Posts: 329
Member
Offline
You have lost me completely.

Joined: Sep 2006
Posts: 329
Member
Offline
Why do you have two different ranges of IP addresses? Are these coming from different internet service providers?

Joined: Dec 2007
Posts: 65
Member
OP Offline
It's the same service provider. The number of IP addresses on a /29 subnet is 8. So I can't be allocated any more IP addresses on that same network. When I requested more IP addresses, the provider gave me a range on the /27 subnet, which has 32 IP addresses. This link explains everything: https://www.akadia.com/services/ip_routing_on_subnets.html

Joined: Sep 2006
Posts: 329
Member
Offline
I know what the /29 means. It means your subnet mask equals 11111111111111111111111111111000 binary (29 ones) or FFFFFFF8 hex or 255.255.255.248 in standard IP notation. I just never heard of a situation like this where the internet service provider gives you two different IP address ranges on a single link.

So why don't you just use the /27 subnet which contains 32 IP addresses? Is there never enough?

While you have 8 IP addresses in a /29 subnet, you have only 6 that are assignable to an interface. The first address is the network address and the last address is the broadcast address.

So if you have 3 of those addresses already assigned to routers, you only have 8 minus 3 minus 2 left.

Why do you have three routers connected to one internet connection? Is this just for experimentation? Maybe you could draw us a diagram.

Joined: Jun 2005
Posts: 261
Member
Offline
I agree that naked RDP across the public internet is a BAD idea.

I normally use a Unix box as a firewall, and tunnel RDP or VNC via SSH. You need an SSH client on the remote host, and some simple configuration.

You port forward one or more local ports to one or more remote ip:port pairs via the tunnel. You can set up multiple tunnels under a single ssh session, and not have to make any configuration changes within your network.
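
The multi-forward tunnel described in the post above, as an added example that is not part of the original thread: a shell helper that assembles one ssh command carrying several local forwards and rejects malformed targets. The gateway name, internal addresses and local port numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: one ssh session, several RDP/VNC forwards (dry run only).
# Every host name, address and port below is a constructed placeholder.

# valid_target HOST:PORT -> 0 if HOST uses only [A-Za-z0-9.-], does not start
# with '-', and PORT is an integer 1-65535. Keeps stray text out of the command.
valid_target() {
    case $1 in *:*) ;; *) return 1 ;; esac
    host=${1%:*}; port=${1##*:}
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $host in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    return 0
}

# build_tunnel_cmd USER@GATEWAY FIRST_LOCAL_PORT TARGET...
# Prints an ssh command with one -L per target. Each listener is bound to
# 127.0.0.1 so other machines on the client's network cannot use the tunnel.
#   -N                          no remote shell, forwarding only
#   -o ExitOnForwardFailure=yes abort if any listener cannot be set up
build_tunnel_cmd() {
    gateway=$1; lport=$2
    [ $# -ge 3 ] || { echo "usage: gateway first_port target..." >&2; return 1; }
    shift 2
    case $gateway in ''|-*|*[!A-Za-z0-9@._-]*) echo "bad gateway" >&2; return 1 ;; esac
    case $lport in ''|*[!0-9]*) echo "bad local port" >&2; return 1 ;; esac
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for target in "$@"; do
        valid_target "$target" || { echo "bad target: $target" >&2; return 1; }
        cmd="$cmd -L 127.0.0.1:$lport:$target"
        lport=$((lport + 1))
    done
    printf '%s %s\n' "$cmd" "$gateway"
}

# Dry run: two Windows servers (RDP, 3389) and one VNC host (5900) behind
# the Unix firewall; only SSH on the gateway needs to be reachable from outside.
build_tunnel_cmd admin@gw.example.net 13389 \
    10.0.0.11:3389 10.0.0.12:3389 10.0.0.20:5900
```

With the tunnel up, the RDP client connects to `127.0.0.1:13389` for the first server and `127.0.0.1:13390` for the second, so no RDP port is exposed on the public addresses.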

Joined: Dec 2007
Posts: 65
Member
OP Offline
Yes, naked RDP is not secure. I have a static IP address at home and the firewall was only going to allow that IP address into the RDP session. I am strictly setting this up to work on the servers remotely, if something was to happen outside of normal business hours, and also to perform Windows updates. If I was not at home, it would be nice to have a solution where I could access the servers securely from any computer that had internet access. I'm getting some good ideas here. Does anyone have any other options? So far we've got RDP over SSH and browser-based VPN.

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024