Single static public IP from any WAN source

I’m sorry if this has been asked and answered when asked in another fashion but is it possible to someone get a static public IP address, regardless as to the WAN connection? I have a MAX BR1 that connects via either Verizon or AT&T’s cellular network, a satellite modem, or any WiFi hotspot I can connect. I need to create a sub-network that will have extremely tight security (for law enforcement purposes) whereas the primary network will have rather lax security, similar to many home networks. This will be in a mobile vehicle. The secured network router will reside under the primary LAN created by the MAX BR1, but in order to set up a secured VPN, we must have a static IP address to reach the primary secured network, the VPN software does not allow for a “roadwarrior” setup. I am assuming that provided I get a single, static IP address, regardless of source to the BR1, I can do port-forwarding to pass appropriate ports to the secured router.

The vehicle is a mobile communications truck for a volunteer sheriff’s search and rescue organization. Those of us volunteers need to have flexibility in acquiring our network source and adding software to all of our machines. In order for law enforcement to use our network, it must be locked down tighter than a drum, preventing the volunteers from making changes to what WiFi hotspot we connect to or choosing to disable one cellular network if it is giving us problems in a particular location. Having our primary network locked down would also prevent us from making ANY change to our computers for adding or trying software because it will ALWAYS require that a paid and approved county IT professional make any changes. This does NOT work when we may be called out at any time or day and may be in the middle of a forest somewhere. I am needing to find a way to allow us to both co-exist. I understand their need for extremely tight security, but we volunteers need to be in a relative sandbox.

This kind of requirement comes up quite regularly and everyone will have their own approach depending on the politics and technical/compliance requirements but this is what I would do.

  1. Set the default LAN on the BR1 as the volunteer network. Let them connect via its wifi AP or plug in a switch to LAN1 for any volunteer wired device connectivity. They can do what they want on this network pretty much (within the bounds of available bandwidth).
  2. Create a new VLAN, assign it to the LAN2 port disable inter VLAN routing and plug the managed secure network VPN router into that Port. (the volunteer network users can’t even ping to this network using this configuration, but even if they could, the only thing that can access is the WAN of the secure router which will be locked down tight as a drum).
  3. Create a PepVPN tunnel between the BR1 and either a Cloud Hosted FusionHub (option 1) or a Balance device in the secure HQ/DC (option 2). Set the secure router to send all of its traffic over the PepVPN.
  4. Using either option 1 or 2 presents traffic from the WAN of the secure router from a known static IP (the Fusionhubs public IP or the Balance LAN IP in the DMZ). Which stays the same no matter how the BR1 is actually connected to the internet.
  5. Since the secure router has a static IP it can now create its own secure VPN connection over the existing PepVPN connection. All secure devices can be plugged into the LAN of the secure router onboard the vehicle and only these devices can communicate with the central secure network.
  6. The volunteers can then have full control of the BR1 and manage how it connects to the internet. They can connect to any public wifi hotspot, use cellular or wifi WAN or plug direct into a landline network connection (if one was available). Once they have connected the BR1 to the internet, the PepVPN connection will come up, then the secure router onboard can create its IPSEC tunnel and secure traffic will flow.
  7. If it was me, I would then physically isolate the onboard secure router. Likely in a lockable cabinet/comms rack or peli style case with a padlock so that no one can accidentally (or otherwise) plugin a volunteer device into the secure router. The onboard secure network is then logically and physically isolated from everything else.
  8. I would also consider a bigger MAX device that supports SpeedFusion Bonding so that I could enable WAN smoothing and use multiple WAN links at the same time to guarantee the delivery of the IPSEC VPN traffic.

Did that answer your question @RonRN18 ? Any follow up?