Colocation Networking


altano

I’m moving a bunch of homelab hardware into a colocation rack. Some of it will be exposed to the public internet but most of it (storage server, IPMI interfaces, etc.) will be private. My understanding is that the colo gives you a public IP prefix and you bring your own networking equipment, and they have a web control panel for doing firewall configuration, but I’m having trouble understanding the specifics and how to set things up.

For starters, should I try to replicate my home setup by having a router at the perimeter instead of just a switch, to keep things private by default and then open things up as needed? And if I do that, how do I pass through the public IP addresses I’m given to select public devices, e.g. Proxmox VMs, that should be on the public internet?

Or should I be relying on the colo’s firewall to create my private network somehow?
 

zunder1990

Yes, set up your own firewall, request a /30 IP to be used on the WAN interface of your firewall, then request a /29 or /28 to be routed to your WAN IP. This range will be used behind your firewall. Do the same thing for v6.
 

altano

Thanks for replying.

At home I have a router which creates a private network with RFC 1918 addresses. It handles NAT, DHCP, firewall, etc. You’re saying I only need a firewall and not a full router.

So I’d give everything a public IP but have a firewall at the perimeter. And only if I needed more addresses than I have allocated would I need a router and NAT.

And for private devices that need to be on a separate internal network, e.g. IPMI NICs, I would use VLANs to secure those from even other internal devices.

Is that all correct?
 

zunder1990

In this case the router and firewall are the same device. Behind the firewall you would have a VLAN for your public IPs and then other VLANs for RFC 1918 IPs.
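
The layout described in this thread (a /30 on the firewall's WAN side, a routed /29 on a public VLAN, RFC 1918 VLANs for storage and IPMI), written as an added example that is not part of any post: a small Python check that an IPv4 addressing plan is consistent before anything is cabled. The plan format, the key names (`transit`, `routed`, `fw_wan_ip`, `vlans`) and all addresses are assumptions made for illustration; the addresses are documentation prefixes, not real allocations.

```python
import ipaddress as ip
from itertools import combinations

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable(net, addr):
    """True if addr is an assignable host address inside net."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)

def device_addresses(subnet):
    """Addresses left for devices after network, broadcast and gateway."""
    return ip.ip_network(subnet).num_addresses - 3

def check_plan(plan):
    """Return a list of problems in the plan; an empty list means it is consistent."""
    problems = []
    transit, routed = ip.ip_network(plan["transit"]), ip.ip_network(plan["routed"])
    if not usable(transit, ip.ip_address(plan["fw_wan_ip"])):
        problems.append("firewall WAN IP is not a host address in the transit /30")
    if transit.overlaps(routed):
        problems.append("routed prefix overlaps the transit network")
    nets = {}
    for name, v in plan["vlans"].items():
        net = nets[name] = ip.ip_network(v["subnet"])
        if not usable(net, ip.ip_address(v["gateway"])):
            problems.append(f"{name}: gateway outside subnet")
        if v["public"] and not net.subnet_of(routed):
            problems.append(f"{name}: public VLAN is not inside the routed prefix")
        if not v["public"] and not any(net.subnet_of(b) for b in RFC1918):
            problems.append(f"{name}: private VLAN is not RFC 1918")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} and {b}: subnets overlap")
    return problems

# Constructed sample plan using documentation prefixes (not real allocations).
PLAN = {
    "transit": "198.51.100.0/30", "fw_wan_ip": "198.51.100.2",
    "routed": "203.0.113.8/29",
    "vlans": {
        "public":  {"subnet": "203.0.113.8/29", "gateway": "203.0.113.9", "public": True},
        "storage": {"subnet": "10.20.0.0/24",   "gateway": "10.20.0.1",   "public": False},
        "ipmi":    {"subnet": "10.30.0.0/24",   "gateway": "10.30.0.1",   "public": False},
    },
}

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK", "-", device_addresses(PLAN["routed"]), "public device addresses")
```

The RFC 1918 test uses an explicit block list because Python's `is_private` also returns true for documentation and other special-purpose ranges.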