You can purchase additional IP addresses off SoYouStart (SYS); however, they work a little differently to the norm. I think the best way to describe it is that they use static ARP to associate a public IP with a MAC address, and drop any traffic from a public IP unless it's originating from the same MAC that was statically mapped. Because of this, the gateway isn't in the same subnet as the public IP range.
Before it was decommissioned, I was using the server as a VM host, and to mimic a 'real' setup I wanted a virtualised router / firewall between the internet and the virtual machines. Those of you that follow my blog will know I am a MikroTik fanboy, so I decided to use the MikroTik CHR (Cloud Hosted Router) as it was cheap and flexible.
To get this working I purchased an additional /32 for the router's 'external' interface and a /28 for the router's 'internal' interface. You also need to reconfigure the SYS server's network configuration to use a bridge rather than having its IP directly on the interface.
Disclaimer: This is not a full guide, and should be considered "inspiration".
Server

First of all, edit the interfaces file:
And make sure it looks something like the example below. You should copy your configuration from eth0, only changing what's necessary. Be warned: this is the riskiest part of the operation, and messing it up could lock you out of the server.
Edit the iptables rules:
Add your rules, using the following for inspiration:
Edit the iptables rules for IPv6:
Add your rules, using the following for inspiration. Note I'm dropping all IPv6 with the exception of ICMP, because I'm a terrible person that doesn't support IPv6:
Router

Add the IP that was issued as the /32 onto the WAN interface of the router. This should be connected to br0 of the physical host. For RouterOS, this command looks like this:
Add the IPs issued as the /28 onto the DMZ interface of the router. This should be connected to br1 of the physical host. For RouterOS, this command looks like this:
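An added example, not the author's own commands, of how the /32, the off-subnet gateway and the /28 described above could be configured on RouterOS. The interface names ether1 and ether2, the documentation-range addresses, the gateway address and the choice of the first usable /28 address for the router are all assumptions; substitute the values SYS issued to you.

```routeros
# Constructed placeholder values (RFC 5737 documentation ranges):
#   203.0.113.10     the additional /32 bought for the router's WAN side
#   198.51.100.254   the provider gateway, which is NOT in the /32's subnet
#   192.0.2.0/28     the additional /28 routed to the DMZ side
#
# The hypervisor must present the WAN vNIC (attached to br0) with the MAC
# address that the provider mapped to the /32; traffic sourced from the /32
# with any other MAC is dropped upstream.

# WAN: a /32 has no on-link neighbours, so set network= to the gateway
# address. RouterOS then treats the gateway as directly reachable on ether1.
/ip address add address=203.0.113.10/32 network=198.51.100.254 \
    interface=ether1 comment="WAN /32 (br0 on the host)"

# Default route via the off-subnet gateway made reachable above.
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.254 \
    comment="default via provider gateway"

# DMZ: the router takes the first usable address of the /28 and acts as the
# gateway for the virtual machines attached to br1.
/ip address add address=192.0.2.1/28 interface=ether2 \
    comment="DMZ /28 (br1 on the host)"

# Verify: the WAN address should list 198.51.100.254 as its network, and the
# default route should be active.
/ip address print
/ip route print where dst-address=0.0.0.0/0
```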