Incoming Public IP Addresses and A Records

We have an AT&T DSL Modem with 5 public IPs (let's just use 1.1.1.1 to 5), a SonicWall TZ 170 and several physical servers on a gigabit switch.  The SonicWall is the only device plugged into the DSL Modem with a WAN Port Address of 1.1.1.2.  Our domain has an A record for www to 1.1.1.2 (Web), mail to 1.1.1.3 (OWA/OA) and smtp to 1.1.1.4 (Mail Gateway) and everything is working.

So how does incoming traffic -- other than 1.1.1.2 -- get to the individual servers on the internal, NATted LAN (192.168.0.1/24) if the SonicWall's WAN Port address is 1.1.1.2?  I don't see any Access Rules specifying any of the other public IPs but I do see respective Ports being forward to the appropriate, physical server on the LAN side.  I accessed the Netopia DSL Modem's configuration but don't see any configuration settings that's doing it.
Wade_ChestnutAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Cas KristConnect With a Mentor Commented:
Hi there. yeah sure the DSL modem routes the traffic to a device with a matching ip. With the one-to-one NAT you instruct the sonicwall to have another public ip and listen for traffic for it.
The DSL-modem finds the extra public ip's through ARP (maybe google "how arp works"??). The discovery show what ip's have been found on what mac-addresses.
A lot of technical stuff, but rest assured, when you plug in a new modem, the modem will figure it out by itself.
0
 
savoneCommented:
If your servers interfaces are not set up for the public IP addresses then they are just answering on the private IP addresses.

If you have port 80 (for www) forwarded to the internal IP address of the server, the server will respond accordingly.  The setup you have now is only using 1 of the public IP addresses.

0
 
shauncroucherCommented:
this can be done with NAT overload where one public can be used for multiple private ip access, cluding port forward to private ip.

shaun
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
nappy_dCommented:
I would:

- Connect a separate switch for a DMZ
- set your OPT to be work in transparent mode
- configure the appropriate public IP to each server
- connect the severs to the switch
- connect the swtich to the OPT port
- create firewall rules for the OPT port for each device
0
 
Wade_ChestnutAuthor Commented:
Thanks for the input so far.  Maybe I didn't ask the question correctly so I'll try to simplify it and rephrase.  I'm trying to understand how it's working as configured -- not necessarily make any changes yet.
How is the public traffic from 1.1.1.3 and 1.1.1.4 reaching the SonicWall if the SonicWall's WAN port IP address is 1.1.1.2?  I'm guessing the AT&T DSL Modem is doing something but I didn't see anything like forwarding in its configuration.
0
 
nappy_dCommented:
Well, IP 1.1.1.3 and 1.1.1.4 cannot reach your LAN if you do not have them forwarded from 1.1.1.2 in a rule.  Also your ISP is performing other routing which allows your modem to receive those IP addresses.
0
 
Wade_ChestnutAuthor Commented:
So it has to be the AT&T DSL Modem that's transferring 1.1.1.3 and 1.1.1.4 to the SonicWall's 1.1.1.2 WAN address?  I guess I'll have to contact them to see where that's configured.
0
 
Wade_ChestnutAuthor Commented:
UPDATE: In the Netopia DSL Modem (Model# 3347-02-1002), I found this in the Troubleshooting section:
LAN Host Discovery Table:
Host-Name        IP               MAC               Interface State
1.1.1.2      1.1.1.2      00-06-b1-3e-2e-b2 Eth 100BT online
1.1.1.3      1.1.1.3      00-06-b1-3e-2e-b2 Eth 100BT online
1.1.1.4      1.1.1.4      00-06-b1-3e-2e-b2 Eth 100BT online
1.1.1.5      1.1.1.5      00-1e-58-f4-1c-86 Eth 100BT online
I substituted the real IPs for the one I've been using here.  To me, this is now making some sense where the incoming traffic from 1.1.1.3 and 4 are being routed to the SonicWall's MAC address (00-06-b1-3e-2e-b2) -- but how did this table get created?  There are no static ARP entries in the configuration.  FYI - the 5th entry is a Wireless Access Point we use to provide free Internet service.
I talked to 3 Techs at AT&T and 2 at Netopia and none of them could help explain how this "Discovery" table is created.  I need to know in case the modem fails and I need to re-configure a new one.
Thanks in advance for everyone's help on this so far!
0
 
nappy_dCommented:
You will probably never get answer from your service provider.  If this device is provided by them and they support it, all you should concern yourself with it documenting your IP address info for your servers etc.

The techs you speak with are just 1st level and really have no in depth knowledge of the network and device configurations beyond maybe reboot or ping.
0
 
Wade_ChestnutAuthor Commented:
3 out of the 5 I spoke to were Level 2 and a Level 2 Supervisor and they still couldn't explain it, which is why I'm back here. : )
If the modem dies and I have to reconfigure another one, I need to know how -- and quickly.  Otherwise, if I install a new one and it doesn't do this forwarding that I need, the only thing I know how to do is get 2 more firewall/routers and assign them with the other 2 public addresses on the WAN side.
Would I be correct in assuming if it doesn't do this "Discovery" correctly, that all I would need to do is add a static ARP entry for each public IP address and point it to the SonicWall's MAC address?
0
 
nappy_dCommented:
Why do you have to configure another ADSL modem?  Usually this task and IP address provisioning is performed by the ISP.  They simply dropship you are replacement and their systems and techs do the rest.
0
 
Cas KristCommented:
I think the public IP's are NATted to the servers with NAT Policies in the SonicWall. Are you running SonicOS Enhanced or SonicOS Standard?
0
 
nappy_dCommented:
caskrist, I think the author points out in his post; http:#29109614 that he sees the config on the netopia for DSL modem.  This is where his ISP takes over.  I don't think that he should be messing with this routing.
0
 
Cas KristCommented:
I'm only answering his question:
"How is the public traffic from 1.1.1.3 and 1.1.1.4 reaching the SonicWall if the SonicWall's WAN port IP address is 1.1.1.2?"

I don't tell him to mess with it.
0
 
Wade_ChestnutAuthor Commented:
We have SonicOS Standard 3.1.2.6-97s and are about to upgrade to the latest 3.1.6.3-4s.  But something has to be going on before the SonicWall so the traffic from the other 2 IPs can even reach the IP on the WAN port.  
AT&T claims they aren't doing any kind of special routing for us. And, again, I noticed that ARP table that seems to be doing the magic without static entries via discovery.  But how does the discovery process work?
If the modem was new and the first packet came in to 1.1.1.3, for example, how does it automatically go to 1.1.1.2?  Or am I just missing something?
0
 
nappy_dCommented:
Were the person who setup the Sonicwall for your company?

Do you have admin access to the Sonicwall WebUI?

If so, can you open it up and take a look at your rules?
0
 
Wade_ChestnutAuthor Commented:
Yes, I have access and have already reviewed the SonicWall's Access Rules -- and scary enough, I'm a Certified SonicWall Security Administrator.  The Access Rules are  forwarding packets by IP Port numbers (Services) from the WAN interface with no Source (Client) IPs specified.  But, again, the question is not what happens WHEN the packet gets to the SonicWall's WAN port, it's how does the packet get TO the interface from the DSL Modem?
If we had 2 other SonicWalls on the DSL Modem with WAN port IPs 1.1.1.3 and 1.1.1.4, that would make sense.  But there' sonly 1 WAN device attached to the DSL Modem with only 1 WAN IP address.  One Netopia Engineer believed the SonicWall had the ability to be assigned multiple WAN IPs to the physical port which would also make sense, but this model does not have that feature.
0
 
nappy_dCommented:
Please post your rules...
0
 
Cas KristCommented:
Probably because the sonicwall is instructed also to accept/forward traffic for the 1.1.1.3 address too. This can be done with a one-to-one NAT rule. In the screenshot you can see that an public ip is NATted to 192.168.102.10. The public ip in the screenshot is not the sonicwall WAN ip. Next to that there are firewall rules in place to filter the traffic.
ono-to-one-nat.png
0
 
Wade_ChestnutAuthor Commented:
Attached Access Rules
SonicWall-Access-Rules.jpg
0
 
nappy_dCommented:
This is what I was getting at. According to your rules, you are passing traffic from anywhere(*) to your internal servers.

This means that your ISP is controlling how those IP addresses are routing data.
0
 
Wade_ChestnutAuthor Commented:
caskrist, VOILA!  That's part of the answer I've been looking for!  The One-to-One NAT Translation lists the exact 2 public IPs I've been asking about.
So, then I'm assuming the DSL Modem automaticlly fowards all incoming traffic to the SonicWall's WAN IP as a "catch-all" or something?

SonicWall-One-to-One-NAT-Transla.jpg
0
 
Cas KristCommented:
Are there One-to-One NAT rules in place? This is the only way to make a sonicwall listen for other public IP's! Post them.
0
 
Cas KristCommented:
Sorry my last post was too late.
Somehow ARP finds the ip's and the DSL-modem knows where to deliver the traffic.
0
 
Wade_ChestnutAuthor Commented:
nappy_d, how is the ISP controlling the routing?  AT&T claimed they don't do that on their end.
The (*) in the Access Rules represents from any "Source" IP address, i.e. the public IP of the client computer - not our public IP, correct?  Or do I have that backwards?
0
 
Wade_ChestnutAuthor Commented:
caskrist, so the One-to-One NAT settings allow the SonicWall's WAN port to "listen" for other public IPs?  Interesting.  I thought the DSL Modem actually routed traffic to a device matching the public IP.
Now this is starting to make some sense.  I'm thinking the DSL Modem "broadcasts" IP addresses to all attached devices.  The One-to-ONE NAT entries allow the SonicWall to respond to other IPs in addition to the one on it's WAN port?
Then maybe the DSL Modem gets notified (i.e. "Discovery") by the SonicWall that it can accept traffic from other public IPs and put that into its ARP table for future routing?
0
 
Wade_ChestnutAuthor Commented:
BTW, THANK YOU GUYS for helping me understand what's going on.  My fear was the modem blows up, we replace it and all of the sudden we're not receiving any incoming e-mail traffic.  Now I know the SonicWall's One-to-One NAT settings are responsible and we're backing the config in case it blows up.
0
 
Wade_ChestnutAuthor Commented:
(One-to-Ine NAT in addition to the Firewall's Access Rules, that is)
0
 
Wade_ChestnutAuthor Commented:
Fantastic... thanks, caskrist!
0
 
Cas KristCommented:
Youre welcome, glad to be of help!
0
All Courses

From novice to tech pro — start learning today.