You cannot use STATIC. You must use RESERVED. There’s a huge difference. STATIC is assigned ON THE DEVICE that has the IP address.
RESERVED is where you set it on the DHCP server.
If your router can’t allow you to configure reserved or persistent IP addresses then you can’t assign Tablo a specific address.
To be clear - static is assigned on the endpoint, not the router. Static is where you configure the device itself to declare the address it’s going to use. With static you can get into IP address conflicts if you assign the same address on multiple devices.
With persistent, which is what folks are really talking about here, this can’t happen because the DHCP server still assigns the address but it assigns it based on or according to MAC addresses.
I live this daily at work and if you talk static then you have to assign that address within the computing device. You can’t assign static in a router, only persistent or reserved addresses.
Now with DNS you can set up static mapping. You say this is the device name, this is a static address and then if something uses DNS to find a device the DNS server responds with the static address and no other device can spoof that device or poison your DNS since the device has a static address mapped in DNS.
Most of us don’t worry about a DNS server at home as we use web-based DNS services or servers. But at work I go into our DNS servers and configure our server addresses as static. That way no other device can say “this is MY address” and map that same address to its name instead. DNS will not allow it.
So ideally you have a router where you can go in and either choose a MAC address already in the DHCP table and assign it an IP address, or you can type in a MAC and assign that MAC an IP address (and most decent routers allow this, but some simpler or cheaper ones do not).
I’m not sure what protocols are used by Tablo but keep in mind that not all protocols are routable in the Internet sense. Some can’t cross subnet boundaries. We have some scanners that must be configured by a PC on the same subnet as the protocols used won’t cross subnets, they can’t be routed directly.
By the way - I followed what a lot of security folks are now doing on port forwarding. Juniper even has big documents on using that for the same purposes I am using it for. You restrict the ports, restrict where the traffic can go to, you firewall all else, drop any other packets. You also do packet inspection to ensure it’s not traffic you don’t want regardless of port or protocol. There’s a whole lot of this going on now and it’s very accepted. There’s a lot of stuff happening that’s not in a DMZ if all you want is very specific traffic and to a very specific address. Further, the server that’s receiving said traffic also inspects the traffic and will accept calls only from very specific devices. I can restrict by MAC as well.
I can play “what-if” with the Cisco ASAs and traffic that’s not wanted simply disappears. We have IPS at the boundary as well as on each server so traffic is inspected using packet inspection. I’ve also written some custom IPS rules. I can block by pattern or key words or strings inside of packets. We’re safe, we’ve been tested, been at this game a lot of years. I’m working with a pretty well-known and respected German company on this project and they are fine with it.
The Europeans take security more seriously than Americans ever will, I’m afraid.
I also have the Juniper core switches set up for security and they will pass traffic that meets only specific criteria based on LAN, switch port, etc. - the config in the Junipers here gets rather complex I’m afraid. I had Juniper support help with that, at least in testing it; I had the basics set up already.
So, if they get into a Tablo, what will they be able to do?
If it’s in a REAL DMZ how will you access it?
If your Tablo is in a TRUE DMZ then even YOU can’t get into it unless you go out to the web and back in!
DMZ means that it’s isolated from your LAN. That means that you can’t get to it from any device on your LAN. That’s DMZ - isolation from anything that is on your LAN even though it’s “on your LAN”. You can’t ping it, you can’t detect it, you can’t connect to it.
Port forwarding exists in the best Juniper and Cisco gear because it’s ok to use. It’s safe if done correctly and with the proper precautions. We’re fine. It was security pros who suggested the very setup I am using. I work with the best companies.
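The static-versus-reserved distinction from the start of this thread, as an added example that is not part of the original posts and not code from Tablo or any router vendor: a toy DHCP allocator that hands out reserved addresses by MAC and keeps those addresses out of the dynamic pool, plus a check that classifies a device which has configured its own address on the endpoint. All MACs, addresses and the pool range are constructed for the example; the class and function names are hypothetical.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional


class DhcpServer:
    """Minimal lease allocator: reservations are keyed by MAC, dynamic leases come from the pool.

    Added example with constructed data; it models the behaviour described in the thread
    (reserved/persistent addresses are decided on the DHCP server, keyed by MAC).
    """

    def __init__(self, pool_start: str, pool_end: str, reservations: Dict[str, str]):
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool = [IPv4Address(n) for n in range(first, last + 1)]
        # Normalise MAC spelling so "AA:BB:..." and "aa:bb:..." refer to the same device
        self.reservations = {m.lower(): IPv4Address(ip) for m, ip in reservations.items()}
        self.leases: Dict[str, IPv4Address] = {}

    def offer(self, mac: str) -> IPv4Address:
        mac = mac.lower()
        if mac in self.reservations:  # reserved/persistent: the server decides, by MAC
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:  # a renewal keeps the existing dynamic lease
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.reservations.values())
        for ip in self.pool:  # reserved addresses are never handed out dynamically
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        raise RuntimeError("DHCP pool exhausted")

    def holder(self, ip: IPv4Address) -> Optional[str]:
        """Return the MAC the server currently associates with this address, if any."""
        for mac, assigned in {**self.reservations, **self.leases}.items():
            if assigned == ip:
                return mac
        return None


def check_static_host(server: DhcpServer, mac: str, ip: str) -> str:
    """Classify a device that configured its own (static) address on the endpoint.

    "conflict": the server already gave this address to a different MAC.
    "at_risk":  nobody holds it yet, but it sits inside the dynamic pool, so the
                server may hand it to someone else later.
    "ok":       outside the pool, or it matches this device's own reservation.
    """
    addr = IPv4Address(ip)
    owner = server.holder(addr)
    if owner is None:
        return "at_risk" if addr in server.pool else "ok"
    return "ok" if owner == mac.lower() else "conflict"


if __name__ == "__main__":
    # Constructed network: dynamic pool .100-.110, one reservation for a hypothetical Tablo MAC
    srv = DhcpServer("192.168.1.100", "192.168.1.110",
                     {"AA:BB:CC:00:00:01": "192.168.1.105"})
    print("tablo  ->", srv.offer("aa:bb:cc:00:00:01"))
    for i in range(6):
        print("client ->", srv.offer(f"de:ad:be:ef:00:{i:02x}"))  # .105 is skipped
    print(check_static_host(srv, "00:11:22:33:44:55", "192.168.1.100"))  # conflict
    print(check_static_host(srv, "00:11:22:33:44:55", "192.168.1.108"))  # at_risk
    print(check_static_host(srv, "00:11:22:33:44:55", "192.168.1.20"))   # ok
```

The point the allocator makes concrete is that a reservation cannot collide: the address is removed from the dynamic range before any other client asks for one. A static address set on the device bypasses the server entirely, so the only protection it has is whatever the administrator remembers, which is what `check_static_host` flags as a conflict or an at-risk assignment.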