
Publically Routable IP addresses

OLLIE2783
Hi,

We were using a Cisco with 1 IP address. We are now going to use a Zyxel and a WatchGuard.
We have asked the ISP for a range of public IPs to use: 1 IP for the WAN of the router, 1 IP for the LAN of the router and 1 IP for the WAN of the firewall.

Now they have provided our internet address, which they say to put on the WAN interface of the router, for example
88.215.70.124 /29
Now they have provided a completely different IP range, one to go on the LAN of the router, for example
177.66.75.78, and one for the WAN of the firewall, 177.66.75.75. I have said to them I do not want to use NAT on the router, only NAT on the firewall, and they have said I do not need NAT on the router. I do not see how traffic from the internet will route into my network without NAT on the router, or the router set in bridge mode, or in the same address range as the LAN of the router and the WAN of the firewall. All our A records point at the IP on the WAN interface of the router.

Am I missing something? Will what the ISP says work, and if so, how will the router know to pass the traffic?

Thanks
Commented:
You can either put a static route in your firewall that points to the IP you give the router,
or you can do a static NAT of that same IP to a non-routable IP assigned to the outside interface on the router.

The ISP has already pushed a route to the Internet that says those IPs are reachable at 88.215.70.124, so the device with that IP just needs to complete the routing to your other hosts.
Paul MacDonald, Director, Information Systems

Commented:
The router will simply accept packets for 88.215.70.124 /29 and pass them back to the firewall, where all the NATing will take place.

Author

Commented:
So no NATting or routing needs to be put on the router? It will just pass traffic from 88.215.70.124 to 177.66.75.78, then the firewall can NAT to an internal IP? So let's say an A record pointing at the external IP of the router, A = remote.mydomain.com/owa = 88.215.70.124, will pass to the firewall 177.66.75.75, then the firewall can NAT to internal. Will that just work?
Top Expert 2012

Commented:
No, your A record needs to point to the 177.66.75.78 IP, which is then NAT'd on the firewall to your internal server.

Author

Commented:
This isn't what I asked the ISP to do. I asked them for the same range so we didn't have to change all the A records.

Commented:
Yes. It's called "router mode" in some devices - as distinct from "gateway mode". That's what they call no NAT.

A router need not provide NAT. It simply routes.
Whereas with NAT there can be one-to-many addressing, such as from a single public IP to an entire private subnet.

In the case of a plain router, packets arrive and show up at the proper ports with no address translation.

I'm using an RV042 as an ISP interface that's set up exactly like this in "router" mode.
We have multiple public IPs available in a subnet behind it. It takes up one of those addresses on the LAN side and an entirely different public IP on the WAN side.
Same thing with ADSL modems where a public subnet is provided.
In both cases, the device in question is followed by a switch where the publicly-addressed devices plug in. Think of this node as an extension of the internet, as it *is* in the public address space.

Then anything can plug in: VPN devices, LAN firewalls, etc., set up with their respective public addresses.
Paul MacDonald, Director, Information Systems

Commented:
"Will that just work?"
Yes.
Top Expert 2012
Commented:
How many IPs have they provided you with?
The way this works is they provide you with an IP block; the WAN IP isn't part of that block (at least not in all cases).

We have a block of 8 public IPs - 81.138.x.x/29.
So we have 3 servers which we NAT on our firewall - 81.138.x.1 - 192.168.1.1, for example.
Now our WAN IP isn't in that same subnet; it's 88.39.x.x - a totally different IP subnet.

That's just the way some ISPs provide IP blocks...
Top Expert 2012

Commented:
Sorry @fmarshall, we must have been typing at the same time; didn't mean to 'stomp' on your post!

OLLIE2783 - did you have a different public IP in the beginning? Was it just 1 IP?
When you say 'I asked them for same range so we didn't have to change all A records' - not sure what you mean by this?

Note the WAN IP is irrelevant in your case; just ignore it. It's the 177.x.x.x range that is your public range.

Author

Commented:
Thanks guys really helpful feedback.

So am I going to have to change our A records to the WAN address of the firewall? A records currently point at our 1 IP address on our Cisco, which is going to be put on the router WAN interface.

Author

Commented:
smckeown777

"OLLIE2783 - did you have a different public IP in the beginning? Was it just 1 IP?
When you say - 'I asked them for same range so we didn't have to change all A records' - not sure what you mean by this?"

No, same main internet IP, which the ISP have now said to put on the WAN interface of the router. Yes, we had 1 IP address on a Cisco 837, then used NAT.

"Note the WAN IP is irrelevant in your case, just ignore it, its the 177.x.x.x range that is your public range"

Yeah, so going to have to change A records. Never mind.

Thanks

Author

Commented:
Hi Guys,

Set it up as above and can get internet directly on the Zyxel router, though can't get it to pass traffic from WAN to LAN. Turned firewall and NAT off on the router. We can ping the WAN of the router though not the LAN of the router; does that mean the ISP haven't made the addresses routable?
Top Expert 2012

Commented:
Just to refresh what your config currently is, can you confirm the following...

1) WAN of router = 88.215.70.124
2) LAN of router = 177.66.75.78
3) WAN of firewall = 177.66.75.75
4) Firewall doing NAT to internal clients

Is this correct?

The ISP doesn't need to make the addresses routable - they are already routable (since they are public IP addresses).

The pinging could be due to ICMP traffic being blocked on the router.
Do you have internet access from clients behind the firewall at this point?
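To make fmarshall's point ("a router need not provide NAT, it simply routes") and smckeown777's four-point config check concrete, here is an added Python simulation, not from the thread or from Zyxel/WatchGuard. It assumes the /29 boundaries 88.215.70.120/29 and 177.66.75.72/29, an ISP edge address 88.215.70.121 and an internal OWA host 10.10.10.5; the device names are made up.

```python
import ipaddress as ipa

# Constructed model of the thread's topology (added example, not from the post).
# Assumed /29 boundaries: 88.215.70.120/29 (ISP link) and 177.66.75.72/29 (public LAN).
# Each device has its own addresses, a table of (prefix, next_hop) where next_hop
# None means directly connected, and an optional static-NAT map (inbound DNAT).
N, A = ipa.ip_network, ipa.ip_address
DEVICES = {
    "isp": {"addrs": {A("88.215.70.121")},            # ISP edge, assumed address
            "table": [(N("88.215.70.120/29"), None),
                      (N("177.66.75.72/29"), A("88.215.70.124"))],  # block routed to router WAN
            "dnat": {}},
    "router": {"addrs": {A("88.215.70.124"), A("177.66.75.78")},
               "table": [(N("88.215.70.120/29"), None), (N("177.66.75.72/29"), None)],
               "dnat": {}},                             # no NAT on the Zyxel: it only routes
    "firewall": {"addrs": {A("177.66.75.75"), A("10.10.10.1")},
                 "table": [(N("177.66.75.72/29"), None), (N("10.10.10.0/24"), None)],
                 "dnat": {A("177.66.75.75"): A("10.10.10.5")}},  # WatchGuard static NAT to OWA
    "owa": {"addrs": {A("10.10.10.5")}, "table": [], "dnat": {}},  # assumed internal server
}

def lookup(table, dst):
    """Longest-prefix match over a forwarding table."""
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def owner(addr):
    """Which device holds this address (the next hop on a connected segment)."""
    return next((n for n, d in DEVICES.items() if addr in d["addrs"]), None)

def trace(start, dst, max_hops=8):
    """Forward a packet hop by hop from device `start`; returns (path, final_dst)."""
    here, path = start, []
    for _ in range(max_hops):
        dev = DEVICES[here]
        if dst in dev["dnat"]:                      # firewall rewrites public -> private
            dst = dev["dnat"][dst]
            path.append(f"{here}: DNAT to {dst}")
        if dst in dev["addrs"]:
            path.append(f"{here}: delivered locally")
            return path, dst
        route = lookup(dev["table"], dst)
        nxt = owner(dst if route[1] is None else route[1]) if route else None
        if nxt is None:
            path.append(f"{here}: no route or no host for {dst}, dropped")
            return path, None
        via = "connected" if route[1] is None else route[1]
        path.append(f"{here}: forward via {via} to {nxt}")
        here = nxt
    return path, None
```

Tracing 177.66.75.75 from the ISP crosses the router on its connected route with no translation and is DNAT'd only at the firewall, while a packet for the old 88.215.70.124 address terminates on the router itself, which is why the A records have to move to the 177 range.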

Author

Commented:
That's correct.

I've allowed ICMP ping on both LAN and WAN. Externally I can ping the WAN of the router but not the LAN.

No, no internet behind the firewall. On the WatchGuard, set up firewall policies to NAT 80, 443, 53 from internal to external. Could you think of anything else on the WatchGuard that would need configuring? Saw SNAT, though think firewall policies cover what is needed for internet access.
Top Expert 2012

Commented:
There's no NAT on firewall for internal clients?
What IP range are they on?
Are they not on a private range internally?

From the firewall can you ping the WAN IP of the router? (Not familiar with the WatchGuard models; is there a section within it to allow you to ping hosts?)

What device is doing DHCP on this network? What IP is it if not firewall or router?

Author

Commented:
"There's no NAT on firewall for internal clients?" Yes, included in firewall policies.
"What IP range are they on?" An internal 10.10.10.0.
"Are they not on a private range internally?" Yes they are.

"From the firewall can you ping WAN IP of router? (Not familiar with the Watchguard models, is there a section within it to allow you to ping hosts?)" I'll have a look.

"What device is doing DHCP on this network?" The domain controller. "What IP is it if not firewall or router?" A 10 address.

Thanks