skiddy89 asked:

Assigning two separate IP ranges

Hey all,

We have hit a potential issue - we're running out of IP Addresses in the externally assigned range. We've spoken to Time Warner Cable who provide us with our ethernet connection and they've said they can assign us an additional range, but it will not be sequential from the current range.

All fine with that, we don't really care - we just need more IPs.

Problem being, the Time Warner ethernet connection plugs directly into one of the ethernet ports on our Sonicwall (Sonicwall 3060 - assume latest firmware, if it's not we can update it without issue). From what I can see, there is no way of assigning two external IP ranges to the same port on SonicOS.

My question would be, what would we need to purchase / do to allow the Sonicwall to use the two separate ranges, even though they're being delivered on the same media - note that if this involves buying a router or such to sit between the Sonicwall and the provider, then that's fine.

A thought that's just come to me: would it be as simple as hooking the delivered ethernet connection into a hub (taking layer 3 out of the equation) and then two ports from the hub into two interfaces on the Sonicwall and assigning their separate address ranges?

oalva

Call Time Warner and tell them you want a routed block; they can assign you a /30 and route both of your blocks through that IP address, or you can ask them to route the new block through your current block using the address of your Sonic firewall as the default gateway.

skiddy89

ASKER

I don't think the issue is getting Time Warner to assign the addresses - they've already said that they can assign the addresses without issue at their end.

The problem I'm having a tough time getting my head around is where on the Sonicwall I can assign the additional range details, or at least how I can work around this. At the moment, an external IP is assigned to the Sonicwall and let's say a /29 is set as being the subnet mask. If the ranges aren't consecutive ranges, and I can't set two subnets as being assigned to one interface, how do we get around the "address is not in range" error that will inevitably appear when I try and add address objects based on the new range?

Sorry, I don't know enough about the Sonic firewall to answer that part; it's different with ASAs.

Hi,

I understand that you have internet from a single ISP, i.e. TW Cable, and are using a pool of LAN IP addresses. Now this IP pool is exhausted, so you are going for another pool of IPs (different range!). How to use this new pool? TW Cable is directly terminated on the Sonicwall device.

Answer:
My advice is to go for a standard network design for scalability, as below:

      WAN Link > Internet router/L3 Device > Firewall > LAN

As per your budget, you may plan for a Cisco router/L3 switch for termination of the WAN link (internet).

Any additional IP pool range you get from the ISP can be used in the LAN by assigning the gateway IP address to the router's LAN interface.
Additional WAN links can also be terminated on the router for failover and high availability without many network changes.

--
Does this answer your query? Any more info required?

You just need a simple router like Ken suggests.

Then you can assign multiple IP addresses to the WAN interface.

You also may be able to get your ISP to assign your current router inside your firewall as the next hop for getting to the new IP network.

Then you set up the routing at your end.

So say you have a current IP range of 192.168.0.1/24 and your router is 192.168.0.254.

You get a new range, 192.168.10/24.

Your ISP then assigns a route on their router that borders you of

192.168.10.0 255.255.255.0 192.168.0.254

So all traffic coming on to your site is still going to the original IP address range.

Your internal router then deals with splitting it off to its own network.

Now I am not sure if they will set this up for you, but if they did you could achieve what you want without any changes to hardware, as long as you have some routing capabilities within your network that they can direct the traffic to.

So, in this scenario, we'd have a router which would have two separate ranges assigned to one interface. The internal interface on the router would plug directly into the currently used interface on the Sonicwall.

But we still have no way of assigning the two ranges to the Sonicwall as it only allows one range to be entered per interface, thus when we try to enter a mapping on the Sonicwall for one of the external IPs it'll just tell me that the address is not within the allocated range.

I know what you're both saying above, I appreciate that - what I don't see a solution to is how to get the two ranges to be recognised by the sonicwall.

Ahh, get you.

Mmmm, that may be more difficult. It will really depend on whether the firewall is built to deal with two ranges.

The only other way to get around this would be to "supernet" the two ranges into one. Now I understand that they will not be continuous, but if they are quite close you could then simply refilter out any of the range that does not belong to you?

Yeah, that's what I'd thought - the range hasn't been assigned yet, so we're not sure what it will be - this "issue" was brought up before we ordered the additional range and we all sat around for a while scratching our heads wondering how we were going to do it.

It's a class C range that we currently have, and we're currently assigned x IPs - I know TWC have already stated that they cannot give us continuous addresses as the next range up and down are both allocated already. Let's say that their currently assigned range is /29 and they give us the new range on the same scope - I've no problem setting my subnet mask on the Sonicwall to be /24 (!) if needed and setting static routes to the provider gateway to addresses that I've carpet bombed in my subnet allocation.

ASKER CERTIFIED SOLUTION
Aaron Street

This solution is only available to members.

Agreed, that's definitely something we'll have to look at.

In terms of a firewall that can handle multiple ranges, any suggestions on one of those? I fear that knowing Murphy's Law pretty intimately, we'll end up getting an additional range which is all kinds of different from our current one.

Two networks are not possible on a single interface with Sonicwall, and also with Cisco firewall devices.
Supernetting can help you if your ISP can provide a contiguous range of IP pool for you.
I feel the below options exist:
1. Supernetting of both IP ranges using the existing Sonicwall config.
2. Using PATting to manage with the preset IP range.
3. Use additional Interface on your Sonicwall device to terminate your
http://www.sonicwall.com/us/products/PRO_Series.html
I see that with enhanced SonicOS up to 6 interfaces are available for use.
4. A Linux firewall with multiple interfaces can also be used for managing economics.
5. If the need for more IPs is growing, it's time for moving to ARIN/RIPE/APNIC IPs, whatever is applicable to your country.
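
The supernetting workaround raised in this thread, worked through as an added example (not part of any participant's post): it finds the smallest single prefix that covers two non-contiguous ranges and lists the blocks inside it that belong to someone else. The two /29 ranges are constructed from the 203.0.113.0/24 documentation block, and the function names are hypothetical.

```python
import ipaddress


def covering_supernet(a, b):
    """Smallest single prefix that contains both networks."""
    net = ipaddress.ip_network(a)
    other = ipaddress.ip_network(b)
    while not other.subnet_of(net):
        net = net.supernet()          # widen the mask one bit at a time
    return net


def foreign_blocks(supernet, owned):
    """Minimal CIDR list of space inside the supernet that is NOT assigned to us."""
    remaining = [supernet]
    for o in (ipaddress.ip_network(x) for x in owned):
        nxt = []
        for r in remaining:
            if o.subnet_of(r):
                nxt.extend(r.address_exclude(o))   # carve our block out
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed sample ranges (documentation address space, not real allocations).
    current, new = "203.0.113.8/29", "203.0.113.200/29"
    sup = covering_supernet(current, new)
    foreign = foreign_blocks(sup, [current, new])
    print("interface mask would have to be:", sup)
    print("addresses in supernet:", sup.num_addresses)
    print("addresses not ours:", sum(n.num_addresses for n in foreign))
    for n in foreign:
        # Each of these would look on-link to the firewall, so it needs a
        # static route to the provider gateway or a filter rule.
        print("  foreign block:", n)
```

With these sample ranges the interface would need a /24 mask to cover 16 assigned addresses, leaving 240 addresses in 8 blocks that the firewall would treat as directly attached even though they belong to other customers.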