Ask HN: Can I own an IP address and take it with me across providers?
48 points by Gasp0de on Nov 29, 2022 | hide | past | favorite | 59 comments
We are providing a service to businesses whose customers are all running a firewall. The customers need to manually allow our service's IP address in their firewall, which is something we want them to do only once upon onboarding. How can I get the most stable IP address for our reverse proxy that I will hopefully never have to give up?


As someone who recently did this: it's much easier (and cheaper) for IPv6.

All you need is a PI subnet (PI = Provider Independent). There are providers that give you for example up to 5 such subnets (each a /48) for free. I use route48.org (not affiliated) but there are others.

Next, you need an ASN. You can't get these as an individual directly, but only through a sponsoring LIR (Local Internet Registry). You can find LIRs through RIPE's homepage (e.g. https://www.ripe.net/participate/member-support/list-of-memb...), I simply checked them out one after another to find out how/when/if they would sell ASN registrations to individuals. I settled with a nonprofit (IN-BERLIN e.V) that I joined, and who offer ASN registrations for a flat 50€.

Then you need a peering, usually your LIR also offers that (ask them), but you'd probably need to host your hardware in their datacenter for that to work (additional costs/month). Then there are providers like the aforementioned route48.org who allow you to peer from anywhere through a WireGuard (or GRE) tunnel, which means you can host your BGP router at home if you want (mine runs on a RaspberryPi 1st gen and has the full BGP table, which, admittedly, is a bit smaller for IPv6 than it would be for IPv4).

So yes, it's doable even for an individual, but my suggestion is to use IPv6.


Could you provide more details about IN-BERLIN? I've taken a look at the website, it's confusing, and they ask for registration via post/fax, explicitly saying they do not accept e-mail. Which form have you used? (Probably my issue is with the DE translation.)

Is there any other sponsoring LIR recommended? Thank you.


IN BERLIN is probably best suited for people in Germany. It is a "Verein" ("registered association", something that I don't think exists in many other countries) which is run by dozens of volunteers (hence the "non-profit" part). So basically you join the "Verein" for a (small) monthly fee and are expected to participate in the activities of the Verein. This is probably also why they require you to join via mail (running a "Verein" is serious business in Germany, you have to have a charter, appoint a treasurer, hold regular meetings/votes for board members, have someone type a protocol of these meetings, etc.)... If you want them to register anything with RIPE they will also require you to send them a scan/copy of a valid ID (although that can be done via E-Mail) but that is because of RIPE policies as I understand it.

Joining gives you (in this case) also access to some "old-school" things like webspace, shell access, nntp, ftp, ... (similar to what for example SDF.org offers). They were originally there to help people get access to the internet and build a website (think 90's internet), but they also do housing for individuals nowadays, and help educate people (locally in Berlin) on how the internet works, etc.

I have checked some other LIRs but they often only provide RIPE registration to their "customers" (what that means depends on the LIR but usually you have to have some hosting with them or have an ongoing project that they do for you, or something like that), so for individuals, I think non-profits or "Vereine" are probably the easiest to join.

PS: yes, the website was a bit confusing for me too, basically you choose the cheapest offering ("IN BERLIN S" for 5€/month) and use the "Antrag für IN-Berlin S/M/L" from https://in-berlin.de/provider/antrag.html... However, as I understand it, they also require you to provide a "SEPA mandate" so that they can collect the fees directly from your bank account, and I think if you don't live in Germany that might prove difficult.


The minimum announceable IP space is a /24. So you could either rent or buy a /24. Renting a /24 is currently at around $100-200/month while buying is around $10-15k. You can take that subnet to a provider with a "BYOIP" service.


Adding to this for completeness' sake, this /24 or bigger must remain in the same country. Take U.S. allocated space to the E.U. and ARIN will start sending emails threatening to pull the allocation. Same with RIPE and others.


If you only need a single IP from that /24, you can always sub-lease the other 252 usable addresses to other people in the same position as you.

For example, you could set up a company to hold the actual /24 and then have 253 shares in the company, and each shareholder gets traffic forwarded for one IP address.

I'd buy a share or two.


The minimum usable subnet is /29 (4 addresses), and the minimum subnet that can be announced using BGP is /24.


Are you saying the GP is effectively correct that /24 is the minimum because of the BGP restriction?


If all of the users share the same /24 they can use all 254 IP Addresses.


Yes, but how would you move the remaining addresses elsewhere? With a tunnel?


Yeah. Effectively set up a VPN/tunnel service and give credentials to each 'ip-holder'.

With more cost and complexity, that /24 could be anycasted to avoid it being single-homed too.


So you'd basically be running a static IP VPN service, where users would have to pay upfront for the IP, and then pay a monthly fee.

How is this going to be competitive? You can get an Elastic IP from AWS for $3.50 per month when not in use, $0 when in use, and the cheapest EC2 instance is $3/month. And there'd be no $50 upfront cost per IP.


If you route the addresses as /32s, you can use all 256. But you should probably give a discount to the .0 and .255 customers because there are some dumb devices out there that will drop traffic to addresses with a last byte of all zeros or all ones (a misguided attempt to stop smurfing).
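The two constraints discussed in this sub-thread (a /24 is the smallest block the global table accepts, and a shared /24 can be carved into per-member /32 host routes whose .0 and .255 slots need a caveat) are easy to get wrong when planning. The script below is an added illustration, not code from any commenter; it uses Python's standard `ipaddress` module, a documentation range (203.0.113.0/24, 2001:db8::/48) as constructed sample input, and assumes /48 as the IPv6 equivalent of the /24 floor, which matches the PI /48s mentioned earlier in the thread but is an assumption here.

```python
from ipaddress import ip_network

# Longest prefix the global routing table generally accepts: /24 for IPv4
# (as stated in the thread) and, by common practice (assumed here), /48 for IPv6.
MAX_ANNOUNCED_PREFIXLEN = {4: 24, 6: 48}


def is_announceable(prefix: str) -> bool:
    """True if a BGP announcement of this prefix would normally be accepted."""
    net = ip_network(prefix, strict=True)
    return net.prefixlen <= MAX_ANNOUNCED_PREFIXLEN[net.version]


def check_announcement_plan(prefixes):
    """Split prefixes into those that can stand alone in BGP and those that
    are too small (a /25 or /32 has to ride inside a covering /24 announced
    by whoever terminates the tunnel)."""
    ok, too_small = [], []
    for p in prefixes:
        (ok if is_announceable(p) else too_small).append(p)
    return {"announceable": ok, "too_small": too_small}


def allocate_slots(block: str):
    """Enumerate every /32 in an IPv4 block so each can go to one member,
    marking the .0 and .255 addresses that some middleboxes drop."""
    net = ip_network(block, strict=True)
    if net.version != 4:
        raise ValueError("slot allocation here is for IPv4 blocks")
    slots = []
    for host in net:  # iterating the network yields all addresses, .0 and .255 included
        last_octet = int(host) & 0xFF
        slots.append({"address": f"{host}/32", "caveat": last_octet in (0, 255)})
    return slots


def slot_summary(block: str):
    """Counts a tunnel operator would quote: total slots, and which ones carry the caveat."""
    slots = allocate_slots(block)
    flagged = [s["address"] for s in slots if s["caveat"]]
    return {"total": len(slots), "flagged": flagged, "clean": len(slots) - len(flagged)}


if __name__ == "__main__":
    # Constructed sample prefixes from documentation ranges.
    print(check_announcement_plan(
        ["203.0.113.0/24", "203.0.113.128/25", "2001:db8::/48", "2001:db8::/56"]))
    print(slot_summary("203.0.113.0/24"))
```

Run it and the /25 and /56 land in `too_small`, while the /24 yields 256 slots of which exactly two (`.0` and `.255`) are flagged.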


Sure, if you share identical routing with every member of the /24


Or you can blockchain the other 253 addresses!

Perfect scenario for a blockchain


The more secure solution is to become a LIR ("internet provider") yourself and use one of your own addresses (which is yours as long as you pay the fee to the RIR (registry)).

But that is a very expensive solution. Think thousands of dollars up front and thousands of dollars a year.

In practice the best possible way is likely to get a stable IP somewhere (local provider VPS or cloud "elastic IP") and host a VPN router there yourself, that forwards traffic to the real server (this does not work very well if your service is high bandwidth).


>and thousands of dollars a year.

If you own a single /24 it is only $250 per year to ARIN.

A /24 is going to cost $11-12k, but it will have good resale value so it isn't a huge deal.


I am in Europe, and RIPE only has one fee regardless of your (ip-range) size... so YMMV...


It's still wrong. The regular RIPE fee is 1.400 EUR per year. They redistribute excess earnings though, so the invoices for me were never above 1.000 EUR per year.


Okay, one-ish thousand dollars per year then...

And, I for one do not expect the generous redistributions to continue, due to both general price increases of ~10% per annum and a stop in the explosive growth of LIRs (i.e. the oversized budget contribution of signup fees) due to the new /24 rules...


There is also the AS fee, also around $250 a year, if I remember correctly.


The annual ASN fee is waived if you have IPv4 or IPv6 resources: https://www.arin.net/resources/fees/fee_schedule/#autonomous...

(Not to sound harsh, but why comment if you didn't know and couldn't be bothered to look up the correct answer? It's literally the first hit for [arin fees]. The HN guidelines discourage "low effort" comments.)


I usually pay less than 1.000 € / year for my RIPE membership and associated /22. RIPE actually gives back money they don't need to members, so in some years I get back a significant part of my base fee. And I get two free tickets to the RIPE conference, which is an excellent event and alone worth the price of membership.


Yes, you can get provider independent IP addresses, and then use a 'Bring Your Own IP'-type service at your infrastructure provider. Most cloud providers support this:

https://aws.amazon.com/vpc/faqs/#Bring_Your_Own_IP

https://www.ovhcloud.com/en/network/byoip/

https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/...

https://www.alibabacloud.com/solutions/bring-your-own-ip-add...

https://cloud.google.com/vpc/docs/bring-your-own-ip

It's definitely not going to be as simple, flexible and cheap as getting a domain name though.

Using hard coded IP addresses for this kind of use case is almost certainly going to be giving you unexpected issues in the long run. Is there any chance you can use a hostname instead of an IP address to provide to your customers?


Using a hostname will be an improvement, but not perfect. It's going to depend on the firewall implementation whether it resolves the hostname to IP address one time and remembers it forever, or periodically refreshes the mapping. I've been particularly burned recently where the firewalls were on the other side of the country and geolocation came into play. The client machines resolved a hostname to A.A.A.A, but the firewalls resolved it to B.B.B.B, thus it looked right at first glance but still blocked the traffic.
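The failure modes described in this comment (a firewall that resolves a hostname once and never again, versus one that refreshes, and a geo-DNS split where the clients and the firewall get different answers) can be modelled without touching the network. The script below is an added illustration and is not any commenter's code; the `HostnameRule` class, the `simulate_ip_move` and `vantage_mismatch` helpers, the `proxy.example.test` hostname and the documentation-range addresses are all constructed for the example. The resolver and clock are injected so the behaviour is deterministic offline.

```python
import time
from typing import Callable, Dict, Optional, Set

Resolver = Callable[[str], Set[str]]


class HostnameRule:
    """An allow-rule keyed by hostname, as some firewalls support.

    mode="once"    resolves when the rule is created and never again
    mode="refresh" re-resolves once the cached answer is older than ttl seconds
    """

    def __init__(self, hostname: str, resolver: Resolver, mode: str = "refresh",
                 ttl: float = 300.0, clock: Callable[[], float] = time.monotonic):
        if mode not in ("once", "refresh"):
            raise ValueError("mode must be 'once' or 'refresh'")
        self.hostname = hostname
        self._resolver = resolver
        self._mode = mode
        self._ttl = ttl
        self._clock = clock
        self._cached: Optional[Set[str]] = None
        self._resolved_at = 0.0

    def allowed_ips(self) -> Set[str]:
        now = self._clock()
        stale = self._mode == "refresh" and now - self._resolved_at >= self._ttl
        if self._cached is None or stale:
            self._cached = set(self._resolver(self.hostname))
            self._resolved_at = now
        return self._cached

    def permits(self, dst_ip: str) -> bool:
        return dst_ip in self.allowed_ips()


def vantage_mismatch(hostname: str, client_resolver: Resolver,
                     firewall_resolver: Resolver) -> Set[str]:
    """Addresses the clients will connect to that the firewall would not allow,
    e.g. when geo-DNS answers the two vantage points differently."""
    return set(client_resolver(hostname)) - set(firewall_resolver(hostname))


def simulate_ip_move(mode: str) -> Dict[str, bool]:
    """Constructed scenario: the service is re-IPed ten minutes after the rule was created."""
    zone = {"proxy.example.test": {"192.0.2.10"}}      # constructed zone data
    clock = {"t": 0.0}                                 # fake monotonic clock
    rule = HostnameRule("proxy.example.test", lambda name: zone[name],
                        mode=mode, ttl=300.0, clock=lambda: clock["t"])
    before = rule.permits("192.0.2.10")
    zone["proxy.example.test"] = {"192.0.2.11"}         # provider moves the service
    clock["t"] = 600.0                                  # ten minutes later
    return {"before_move": before,
            "old_ip_after": rule.permits("192.0.2.10"),
            "new_ip_after": rule.permits("192.0.2.11")}


# Constructed geo-DNS views: clients in one region and the firewall in another get different answers.
ZONE_VIEWS = {
    "client-east": {"proxy.example.test": {"192.0.2.10"}},
    "firewall-west": {"proxy.example.test": {"198.51.100.10"}},
}


def resolver_for(view: str) -> Resolver:
    def resolve(name: str) -> Set[str]:
        return set(ZONE_VIEWS[view].get(name, set()))
    return resolve


if __name__ == "__main__":
    print("once:   ", simulate_ip_move("once"))
    print("refresh:", simulate_ip_move("refresh"))
    print("blocked by geo split:",
          vantage_mismatch("proxy.example.test",
                           resolver_for("client-east"), resolver_for("firewall-west")))
```

The "once" rule keeps permitting the old address and blocks the new one after the move; the "refresh" rule flips once its TTL has expired. The geo-DNS check returns the client-side address the firewall never learned about, which is the situation the comment describes.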


We are using a domain name, but customer firewalls use fixed IP addresses.


I love this question.

I worked for a company that provided (private) hosted contact centre solutions and ended up getting into providing MS Teams Calling.

One DC in Melbourne AU, one DC in Sydney AU.

We needed to be able to fail over between Melbourne and Sydney and handle traffic on multiple ISPs and on IXs (IXs are small communities that ISPs create amongst themselves to send traffic between each other at little/no cost).

We created an account with APNIC, requested a /24 IP block (you can get less than 255 IPv4 addresses - a /24 block), paid about $1,500AUD and got setup (they gave us an ASN and an IPv6 block too)

That cost is each year.

You then go to an ISP and tell them to use your IP addresses and ASN.

You might need to peer (as others are saying), or they might just send the whole IP range to your firewall and you do whatever you want with it.

One thing to be aware of: if you start using more than one ISP in different locations, you may receive traffic from ISP1 and return it back via ISP2.. Be aware of this when dealing with firewalls (either your firewalls or your customers)


Short answer is: nope. About 20 years ago, I had a /24, but no ISP I've ever had would let me use it. Even if I paid the insane price for a "public static IP" they'd not let me use addresses from my own block.

You more or less need to be an ISP to do it.


That is what I found, you have to get your ISP to BGP peer with you, and they usually want around a thousand dollars a month for that sort of connection.


You can buy a /24, get an ASN, and then peer with someone else to advertise the route to your servers.


To be able to port around an IP address, you need to be able to change the Autonomous System (AS) which advertises it. The minimum IPv4 range which can be advertised is a /24 (256 IPs), so you will need one of those for full portability.

You can purchase a /24 IP range from a broker [1]. It used to be possible to get a "free" /24 from RIPE, but the waiting list is very long these days [2]. RIPE also run a listing service, but it is unwieldy and you would need to manage the escrow yourself, which might be a bit risky given that you'll be paying ~13k Euros for the block.

To complete the purchase you either need to be a RIPE Local Internet Registry (LIR) yourself [3], or you need to find a local LIR [4] to sponsor your resource. (They will likely charge you a fee for this, but it will cost less than becoming an LIR.)

To use the IP block, you can get your own AS Number from RIPE (again via your own LIR or a sponsoring LIR) and advertise it from your own router via a provider who speaks BGP [5] or by plugging in to an Internet Exchange Point (IXP). This probably also means co-locating your equipment in a datacenter where peers are already present.

Alternatively, you can find a provider who will let you advertise your IP block from their AS. There are several providers who will do this including the large players like AWS [6] and smaller operations like Vultr [7]. If you started off by using your IP range with someone else's AS, there should be no reason you couldn't move it to your own AS later.

[1] https://auctions.ipv4.global/ (there are others, I have personally used this one)

[2] https://www.ripe.net/manage-ips-and-asns/ipv4/ipv4-waiting-l...

[3] https://www.ripe.net/participate/member-support/become-a-mem...

[4] https://www.ripe.net/membership/indices/DE.html

[5] e.g. Deutsche Telekom, Lumen, Telia, Cogent, Zayo, Hurricane Electric ...

[6] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoi...

[7] https://www.vultr.com/features/bgp/


Thank you so much for the detailed answer! I will propose this as a possible solution, but seeing the costs and effort I assume a different solution than actually owning any IP addresses will be chosen.


No worries: it took me far too long to work the process out on my own, so I'm pleased to write it down in one place for others.

If you're looking for a more cost effective solution and are willing to accept a little bit of dependency risk, then "get a reserved IP address on AWS EC2 and don't ever change it" is probably a decent answer.


Sort of:

You have to get an AS number. Then you can buy an IP block; go for IPv6 here as IPv4 is getting a bit expensive. IANA fees will be about 500 dollars a year.

Now for the hard part: you have to convince your ISP to BGP peer with you. A lot of times this is known as a direct internet connection. It is relatively easy to find in a data center but usually will cost you a couple thousand bucks a month if you want it on your doorstep, but hey, at least it usually comes with a service level agreement.



How does one get onto this list?


In Europe, by becoming a RIPE member (€1000 initiation fee + €1400 annual fee) and requesting an IPv4 allocation. (max one /24 per LIR)


Consider whether routing everything across HTTPS / websockets would fix this problem.

In my experience, you only have to prostrate yourself before the firewall bureaucracy if you want to use something other than port 443. And if they do restrict port 443 they'll use some form of proxy or SNI whitelisting, granting access by domain name instead of IP address.


We do have a solution like this for Chinese customers, using stunnel and tinyproxy. However, it adds quite a bit of complexity to the customer side config which I would like to circumvent if possible.

Also, this is in an industrial setting, so a random machine in a factory would also not be allowed to use port 443 normally.


Yes. You can become a LIR and get yourself assigned an IPv6 block. As a LIR you have the right to create an Autonomous System, which almost does what you want if you run BGP. You can still do manual peering though, and learning BGP is a whole other level of pain and patience. I'm on my way to becoming such an operator to fiddle around with Calico with IPv6.


Aside from what others already said about pricy IPv4 addresses, it's much cheaper for IPv6.


How about you get a server with hetzner.com? I'd ask support whether they ever needed to change IP addresses of an existing customer.

Alternatively how about using port 80/443 or any other commonly used network ports to circumvent the firewall?


We are already a customer at hetzner.com, so this might be one way to go. I am wondering what product will give me a more stable IP though, a floating IP or a dedicated server which I exclusively use as a reverse proxy.


I've been renting the same IPs from my colo for the last 20 years. This still doesn't prevent the risk of having to change providers, though.



This is a great list of the practical caveats - at least a /24, many registrations required, etc.


Good reason to go IPv6. /40 of IPv6 can be had for $10 a year.


Whatever solution you choose, remember that your customers will (should) be concerned that the IP address is not shared outside your organisation.


Another solution you can consider, I think, is to create a proxy server at a hosting/cloud provider. All your customers will point to the IP of the proxy, and then your proxy finds your original server by hostname (DNS).

edit: typo


You can't take it. You must get an IP range and move it.


Why not use a domain?


Because firewalls filter at the IP/port level, not at the DNS level.


There are firewalls with those features.


Depending on what you want to do it's not applicable. You can only easily guess the domain from HTTP connections and maybe from other TCP stuff if you have TLS + SNI in front.

For example, you can't guess the target domain for an SSH connection.


But some routers will let you set a rule on a domain name. They will then resolve that domain name to an IP and use that internally, and do periodic lookups to refresh the IP they're referring to.


Thing is, if you're sharing that IP with several different domains, then you can't route properly :(


Use one domain.


No. They do a DNS lookup and allow the IP addresses returned.


The DNS server should return the IP.



