DLeaver (United Kingdom) asked:

WatchGuard XTM with two external IP subnets on single interface

Afternoon

I am after some clarification here as WatchGuard support are about as useful as a chocolate fireguard!

I have a customer who has a Fortigate 110C which is connecting them to their BT Fibre (50/100).

Due to issues with their client VPN, and because it is our preferred firewall/router option, we are looking to replace this device with a WatchGuard XTM 330. I have done this a lot in the past few years for companies of all shapes and sizes, so it should have been straightforward.

However, just before the changeover I noticed that the Fortigate had a VDOM interface with an external IP range on it, but its physical interface on the device had an external IP on a different range. Now I know this is fairly typical of BT: you have an IP for internet access but your range of IPs is delivered on a different subnet, and all of the NATed services are on the second subnet range.

So I adjusted the external IP settings on the WatchGuard so that the primary interface was the external IP on the physical interface of the WatchGuard, and put the secondary range of IP addresses on the secondary tab of the same interface. Now, despite them being listed here, the internet works on the WatchGuard but none of the IPs on the secondary tab are accessible.

In a nutshell, I believe the only way I am going to get this working is to stick another router in front of the WatchGuard and then set the secondary range on the WatchGuard external interface - not ideal, as I only have a Draytek to hand. The Fortigate didn't need it because the VDOM feature allows the creation of a router within a router, eliminating the need for another physical routing device.

So, the question is: has anyone actually had a second public IP range assigned by an ISP (on a different subnet from the current range) and got it working just by assigning it to the secondary tab of the WatchGuard (without another router involved, directly connected to the BT kit)?

Does the BT kit allow the route to be added to it to remove the need to add your own router?

Thanks
Steve (United Kingdom) replied:

Yes, I have had this working several times.

To confirm:

The external interface has a valid external IP/subnet/gateway listed.
The external interface also has additional external IPs/subnets listed on the 'secondary' tab.

What element of this doesn't work? If you try to set up a rule for one of the secondary IPs, what happens? Is it outbound or inbound traffic that's an issue?
Typically we create secondary networks as you have already done, but the routing part has to be done by the ISP, BT in this case.
They must send all traffic for the secondary IP subnet to the WG; please check with them if this is not happening.

You can open Traffic Monitor and send some junk traffic to random TCP ports on the secondary IP subnet and you should see some entries; if there are none, BT is to blame.
Once you see the entries we can configure firewall policies and relevant NAT policies to get the traffic in.

Thank you.
DLeaver (asker):

So, to clarify further:

The service is on a BT 21CN appliance, 50/100 Mb fibre.

The "External Router Pair" is 212.1.1.68/31 (212.1.1.69 is the WAN IP of the current Fortigate).

The "Network range" is 212.1.2.240/28

I stuck a Draytek in front of the WatchGuard this morning with the external pair on the WAN interface and the IPs from the network range on the LAN. The WatchGuard used IPs from the network range. Again I got internet access but nothing from the network range. When I went to www.whatismyip.com I got the external interface IP of the Draytek!

If you had an unmanaged fibre line service from BT and a WatchGuard router, what is the proper configuration?
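A worked, offline version of the check Steve describes above (send junk traffic at the secondary range and see whether anything at all shows up in Traffic Monitor), applied to the /31 router pair and /28 network range given in the clarification, plus the check for the ISP gateway's ping that the thread eventually ends on. This is an added example, not code from the thread or from WatchGuard: the log-line shape is a constructed stand-in for Traffic Monitor output, the interface name 0-External is assumed, and the assumption that the ISP holds the lower address of the /31 is mine (it matches .69 sitting on the customer WAN).

```python
"""Offline check of the advice in this thread: does traffic for each public
subnet actually reach the firewall's external interface, and can the ISP's
gateway probe that interface?  Added example, not WatchGuard code and not the
thread's own; the log line shape is a constructed stand-in for Traffic Monitor."""
import ipaddress
import re
from collections import Counter, namedtuple

# Subnets as given in the thread.
ROUTER_PAIR = ipaddress.ip_network("212.1.1.68/31")    # "External Router Pair"
NETWORK_RANGE = ipaddress.ip_network("212.1.2.240/28")  # "Network range"
OUR_SUBNETS = [ROUTER_PAIR, NETWORK_RANGE]
EXTERNAL_IF = "0-External"  # assumed name of the WAN interface in the log

Record = namedtuple("Record", "action src_if dst_if proto src dst dport")

# Constructed sample lines: "<action> <in-iface> <out-iface> <proto> <src>[:port] -> <dst>[:port]".
# Before the ISP fix: nothing for the /28 arrives and the gateway's ping is dropped.
LOG_BEFORE = """\
Deny  0-External Firebox    tcp  198.51.100.7:51522 -> 212.1.1.69:23
Deny  0-External Firebox    tcp  198.51.100.7:51523 -> 212.1.1.69:5555
Allow 0-External Firebox    tcp  203.0.113.9:40001 -> 212.1.1.69:443
Allow 1-Trusted  0-External tcp  192.168.1.20:33333 -> 93.184.216.34:80
Deny  0-External Firebox    icmp 212.1.1.68 -> 212.1.1.69 type 8
"""
# After: the gateway is allowed to ping and a probe to the /28 shows up
# (a Deny is still proof that the ISP delivered the packet).
LOG_AFTER = """\
Allow 0-External Firebox    tcp  203.0.113.9:40001 -> 212.1.1.69:443
Allow 0-External Firebox    icmp 212.1.1.68 -> 212.1.1.69 type 8
Deny  0-External 1-Trusted  udp  203.0.113.9:40002 -> 212.1.2.250:53
"""

LINE_RE = re.compile(
    r"(?P<action>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<proto>tcp|udp|icmp)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_lines(log_text):
    """Parse the constructed log into Records; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        yield Record(m["action"], m["src_if"], m["dst_if"], m["proto"],
                     ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                     int(m["dport"]) if m["dport"] else None)

def inbound_hits(log_text, subnets, external_if=EXTERNAL_IF):
    """Count packets that arrived on the external interface addressed to each
    public subnet.  Allow and Deny both count: delivery first, policy later."""
    hits = Counter({net: 0 for net in subnets})
    for rec in parse_lines(log_text):
        if rec.src_if != external_if:
            continue  # outbound traffic says nothing about what the ISP routes to us
        for net in subnets:
            if rec.dst in net:
                hits[net] += 1
    return hits

def diagnose(log_text, subnets):
    """Verdict per subnet: zero arrivals for a range the ISP should route to us
    points at the ISP (routing/SLA) rather than at firewall policy or NAT."""
    hits = inbound_hits(log_text, subnets)
    return {str(net): "traffic arriving" if hits[net] else "nothing arriving: check ISP routing"
            for net in subnets}

def wan_pair(net):
    """Split the /31 router pair into (isp_gateway, our_wan_ip).  Assumption,
    matching the thread (.69 on the customer WAN): the ISP holds the lower address."""
    addrs = list(net)
    if len(addrs) != 2:
        raise ValueError("expected a /31 point-to-point pair")
    return str(addrs[0]), str(addrs[1])

def gateway_probe_denied(log_text, gateway_ip, wan_ip):
    """True if the ISP gateway's ICMP probes to our WAN address are being dropped,
    which is what the thread finally found: the ISP's IP SLA could not ping the
    external interface, so the secondary range stopped being routed."""
    gw, wan = ipaddress.ip_address(gateway_ip), ipaddress.ip_address(wan_ip)
    return any(r.action == "Deny" and r.proto == "icmp" and r.src == gw and r.dst == wan
               for r in parse_lines(log_text))

def usable_public_ips(net):
    """Addresses that can go on the secondary tab or be used as static NAT targets."""
    return [str(h) for h in net.hosts()]

def snat_target_ok(public_ip, net=NETWORK_RANGE):
    """A static/1:1 NAT public address must be a usable host inside the routed range."""
    ip = ipaddress.ip_address(public_ip)
    return ip in net and ip not in (net.network_address, net.broadcast_address)

if __name__ == "__main__":
    gw, wan = wan_pair(ROUTER_PAIR)
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, diagnose(log, OUR_SUBNETS),
              "gateway ping denied:", gateway_probe_denied(log, gw, wan))
```

In practice you would filter Traffic Monitor on the secondary range while someone outside hits a few random ports on it; the point of counting Deny entries as well as Allow is that a dropped packet still proves the ISP is forwarding the range to you, whereas silence means the problem is upstream before any policy or NAT work on the firewall matters. The ICMP check is the other half of the same idea: if the ISP's SLA probe to the external address is being dropped, the ISP may stop routing the secondary range regardless of what the secondary tab says.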
ASKER CERTIFIED SOLUTION
Steve (United Kingdom)

(This solution is only available to Experts Exchange members; its text is not included on this page.)
DLeaver (asker):

Hi

Thanks for the response. I understand what you are saying; given that the ISP is TalkTalk, I wanted to implement a workaround for now. Plus, as it's classed as an unmanaged solution, they might take longer sorting it.

I have attached a diagram outlining the setup; the IPs are made up but the subnet masks apply.

So my workaround is to drop a Draytek into the mix to route the IP range to the WAN block. Can you see any reason why this wouldn't work? It's effectively what the Fortigate is doing.
(Attachment: Router-issue.PNG)
Steve:

Bit confused, mate. Don't you already have the IP/subnet and gateway? Why put a workaround in? Just set it up as it should be and drop the Draytek.

Yeah, the example in the diagram should work, but the Draytek shouldn't be necessary.
DLeaver (asker):

Time, really; I don't have direct access to the ISP, so waiting on confirmation is taking ages.

When I tried with the Draytek I had the same issue. Although it's just a workaround, I wanted to confirm my logic was good.
DLeaver (asker):

It dawned on me that the incoming route must already be in place for the public IP through to the WAN block, otherwise the current router wouldn't work.

Rebooting the ISP kit (the BT 21CN) will clear out its ARP cache and resolve the issue. So adding the secondary IP range on the external interface should be all that is needed to get the incoming SNATs to work.

Onsite tomorrow to carry this out, so I will confirm for completeness.
DLeaver (asker):

Well, the solution, for completeness: because the ISP couldn't ping the external interface of the WG, it affected their IP SLAs, and this affects the routing of the secondary subnet.

So simple... so frustrating!