On Oct 20, 2017, at 14:39, Bill Hurne <email@example.com> wrote:
> We are considering switching our office/studio ISP from 6 DSL lines to Bonded T1 service. 6 DSL lines are currently needed to provide the necessary bandwidth. It would be nice to have fiber service, but this isn’t available at our location. We tried a couple of wireless services that didn’t work out well, too many dropouts, etc.
> With our current 6 DSL lines, we have 6 static IPs and 6 modem/routers. If we change to Bonded T1 service, would it be desirable to continue with several static IPs, or set up a large number of ports on a single static IP?
> We have multiple outgoing audio streams for online listening as well as several streams for back-up audio to remote transmitter sites.
Responding in reverse order:
Outgoing streams should be pushed to the servers, not pulled from your location. Sure, it's possible to set up a pull in some cases, but why bother opening up any ports? The safer way is to originate the streams inside and push them out the door with no inbound ports open.
Unless you're running servers that listen for inbound connections (e.g. web server, local mail server for your domain name, etc.) there's usually very little need for inbound ports to be opened. The fewer inbound ports that are open, the better and more secure your facility will be, and these days that is something very important to consider.
If you really *do* need inbound access for remote control/monitoring (e.g. for engineering diagnostic/control purposes when the engineer is offsite and something happens), it's far better to only open up a single port for a VPN server. Then, a remote VPN client connects to the server, authenticates (ideally using a multi-factor combination of authentication mechanisms, i.e. *NOT* just a password), and then the client has access to internal resources (whatever the VPN server and network infrastructure allows that specific VPN client) without the open vulnerabilities of insecure IoT devices, etc.
Now, to respond to your "single IP/multiple ports" vs. "multiple IPs/single port per IP" question:
Generally, if you actually *do* need inbound services at your facility, you should be able to do most of what you need behind a single IP by using inbound Network Address Translation (NAT) to remap services as needed. There are reasons for multiple IP addresses (such as having a reserve IP address in case one public IP gets blacklisted because an infected PC on your LAN is spewing out bogus emails, resulting in your normal public IP getting blacklisted as a "known spammer"), but they're usually the edge cases. Most public-facing services can be virtualized and/or combined behind appropriate DNS entries and other helps/tricks to avoid burning up a bunch of public IPv4 addresses.
Drop me a private message if you need further help talking or working through this.
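The policy described in the reply above (push the streams out, open exactly one inbound port for a VPN, and remap any unavoidable inbound services behind a single public address with inbound NAT) is shown below as an nftables ruleset. This is an added illustration, not the list poster's own configuration or anything from the original thread: the interface names, the addresses (all from documentation ranges), the choice of WireGuard on UDP 51820 as the VPN, the Icecast-style source port 8000, the RTP port 5004 for the backup audio link, and the two web hosts behind the DNAT rules are all assumptions made for the example.

```nftables
#!/usr/sbin/nft -f
# Hypothetical studio edge-router policy (added example, not from the original
# post). Every name, address and port below is an assumption for illustration.
flush ruleset

define WAN          = eth0              # bonded-T1 side
define LAN          = eth1              # studio network
define VPN          = wg0               # WireGuard interface (assumed)
define PUB_IP       = 203.0.113.10      # the single static public IPv4 address
define VPN_PORT     = 51820             # the ONLY port reachable from the Internet
define ENCODER      = 192.168.10.20     # stream encoder that pushes outbound
define STREAM_RELAY = 198.51.100.7      # hosted streaming server (assumed)
define STL_RX       = 198.51.100.40     # backup-audio receiver at transmitter site (assumed)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Single inbound listener on the WAN: the VPN endpoint. Per-peer access
        # is decided in the VPN configuration and the forward chain, not here.
        iifname $WAN udp dport $VPN_PORT accept
        # Router management only from the LAN or over the VPN, never from the WAN.
        iifname { $LAN, $VPN } tcp dport 22 accept
        # Everything else arriving on the WAN (incl. any IoT device listeners) is dropped.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound pushes: the encoder originates the stream, so no inbound port
        # is needed for the public listeners or the transmitter-site backup.
        ip saddr $ENCODER ip daddr $STREAM_RELAY tcp dport 8000 accept
        ip saddr $ENCODER ip daddr $STL_RX        udp dport 5004 accept
        # General LAN egress (tighten per host if the site wants stricter control).
        iifname $LAN oifname $WAN accept
        # Remote engineer over the VPN may reach the LAN; restrict by peer
        # address here if only some peers should see some hosts.
        iifname $VPN oifname $LAN accept
        # Only connections the nat table rewrote below are allowed in from the WAN.
        iifname $WAN oifname $LAN ct status dnat accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Optional inbound services remapped behind the one public address.
        # Two internal web hosts share $PUB_IP on different public ports.
        iifname $WAN ip daddr $PUB_IP tcp dport 443  dnat to 192.168.10.30:443
        iifname $WAN ip daddr $PUB_IP tcp dport 8443 dnat to 192.168.10.31:443
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source-NAT all LAN egress (including the stream pushes) to the public IP.
        oifname $WAN snat to $PUB_IP
    }
}
```

Load it with `nft -f` on the router and review the result with `nft list ruleset`. The point to check is the input chain: the only `accept` keyed on `iifname $WAN` is the VPN port, so adding a service later means adding a DNAT line (and a matching destination in the forward chain), not opening another listener on the router itself.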