OLLIE2783


Publicly Routable IP addresses

Hi,

We were using a Cisco with 1 IP address. We are now going to use a Zyxel and a WatchGuard.
We have asked the ISP for a range of public IPs to use: 1 IP for WAN of router, 1 IP for LAN of router and 1 IP for WAN of firewall.

Now they have provided our internet address, which they say to put on the WAN interface of the router, example 88.215.70.124 /29.
Now they have provided a completely different IP range: 1 to go on LAN of the router, example 177.66.75.78, and one for WAN of firewall, 177.66.75.75. I have said to them I do not want to use NAT on the router, only NAT on the firewall, and they have said I do not need NAT on the router. I do not see how traffic from the internet will route into my network without NAT on the router, or the router set in bridge mode, or in the same address range as LAN of router and WAN of firewall. All our A records point at the IP on the WAN interface of the router.

Am I missing something? Will what the ISP say work, and if so, how will the router know to pass the traffic?

Thanks
SOLUTION
Matt V
This solution is only available to members.
Paul MacDonald
The router will simply accept packets for 88.215.70.124 /29 and pass them back to the firewall, where all the NATing will take place.
OLLIE2783

ASKER

So no NATting or routing needs to be put on the router? It will just pass traffic from 88.215.70.124 to 177.66.75.78, then firewall can NAT to internal IP? So let's say A record pointing at external of router IP, A = remote.mydomain.com/owa = 88.215.70.124, will pass to firewall 177.66.75.75, then firewall can NAT to internal. Will that just work?
No, your A record needs to point to the 177.66.75.78 IP, which is then NAT'd on the firewall to your internal server
This isn't what I asked the ISP to do. I asked them for same range so we didn't have to change all A records.
"Will that just work?"
Yes.
Sorry @fmarshall, we must have been typing at the same time, didn't mean to 'stomp' on your post!

OLLIE2783 - did you have a different public IP in the beginning? Was it just 1 IP?
When you say - 'I asked them for same range so we didn't have to change all A records' - not sure what you mean by this?

Note the WAN IP is irrelevant in your case, just ignore it, it's the 177.x.x.x range that is your public range
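
The forwarding decision described in the replies above, modelled as an added example that is not part of the original thread. The thread gives a prefix length only for the WAN address, so the /29 on the LAN side and the ISP gateway address are assumptions made for illustration.

```python
import ipaddress

# Router interfaces as described in the thread. The /29 on the LAN side is an
# ASSUMPTION: the thread gives a prefix length only for the WAN address.
INTERFACES = {
    "wan": ipaddress.ip_interface("88.215.70.124/29"),
    "lan": ipaddress.ip_interface("177.66.75.78/29"),
}
# Hypothetical ISP gateway inside the WAN /29 (not stated in the thread).
DEFAULT_GATEWAY = ipaddress.ip_address("88.215.70.121")


def forward(dst: str) -> dict:
    """Return the router's forwarding decision for a destination address.

    No address is rewritten anywhere in this function: a routed hop only
    picks an egress interface, which is why NAT is not needed on it.
    """
    ip = ipaddress.ip_address(dst)
    # 1. Addressed to one of the router's own interfaces: delivered locally.
    for name, iface in INTERFACES.items():
        if ip == iface.ip:
            return {"action": "local", "interface": name, "dst": str(ip)}
    # 2. Longest-prefix match over the directly connected networks.
    matches = [(iface.network.prefixlen, name)
               for name, iface in INTERFACES.items() if ip in iface.network]
    if matches:
        _, name = max(matches)
        return {"action": "forward", "interface": name, "dst": str(ip)}
    # 3. Everything else follows the default route towards the ISP.
    return {"action": "forward", "interface": "wan",
            "via": str(DEFAULT_GATEWAY), "dst": str(ip)}


if __name__ == "__main__":
    # Constructed destinations: firewall WAN, router WAN, an internet host.
    for dst in ("177.66.75.75", "88.215.70.124", "203.0.113.10"):
        print(dst, "->", forward(dst))
```

A packet for 177.66.75.75 leaves the LAN interface with its destination unchanged, while a packet for 88.215.70.124 terminates on the router itself, which is why published services need an address in the routed range.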
Thanks guys really helpful feedback.

So am I going to have to change our A records to WAN address of the firewall? A records currently point at our 1 IP address on our Cisco, which is going to be put on router WAN interface.
smckeown777

OLLIE2783 - did you have a different public IP in the beginning? Was it just 1 IP?
When you say - 'I asked them for same range so we didn't have to change all A records' - not sure what you mean by this?
No, same main internet IP, which ISP have now said to put on WAN interface of the router. Yes, we had 1 IP address on a Cisco 837, then used NAT.

Note the WAN IP is irrelevant in your case, just ignore it, it's the 177.x.x.x range that is your public range. Yeah, so going to have to change A records, never mind.

Thanks
Hi Guys,

Set it up as above and can get internet directly on the Zyxel router, though can't get it to pass traffic from WAN to LAN. Turned firewall and NAT off on the router. We can ping WAN of router though not LAN of the router. Does that mean the ISP haven't made the addresses routable?
Just refresh what your config currently is, can you confirm the following...

1) WAN of router = 88.215.70.124
2) LAN of router = 177.66.75.78
3) WAN of firewall = 177.66.75.75
4) Firewall doing NAT to internal clients

Is this correct?

The ISP doesn't need to make the addresses routable - they are already routable (since they are public IP addresses)

The pinging could be due to ICMP traffic being blocked on router
Do you have internet access from clients behind firewall at this point?
That's correct.

I've allowed ICMP ping both LAN and WAN. Externally I can ping WAN of router but not LAN.

No, no internet behind firewall. On the WatchGuard set up firewall policies to NAT, 80, 443, 53 from internal to external. Could you think of anything else on the WatchGuard that would need configuring? Saw SNAT, though think firewall policies cover what is needed for internet access.
There's no NAT on firewall for internal clients?
What IP range are they on?
Are they not on a private range internally?

From the firewall can you ping WAN IP of router? (Not familiar with the Watchguard models, is there a section within it to allow you to ping hosts?)

What device is doing DHCP on this network? What IP is it if not firewall or router?
There's no NAT on firewall for internal clients? Yes, included in firewall policies.
What IP range are they on? An internal 10.10.10.0.
Are they not on a private range internally? Yes, they are.

From the firewall can you ping WAN IP of router? (Not familiar with the Watchguard models, is there a section within it to allow you to ping hosts?) I'll have a look.

What device is doing DHCP on this network? The domain controller. What IP is it if not firewall or router? A 10 address.

Thanks