Solved

Configure ZyWALL Firewall/Router to work with Cox CIDR and WAN IP

Posted on 2014-11-25
12
380 Views
Last Modified: 2015-02-19
I have a small business network (~20 workstations and a few dozen VM-based servers) that is served by Cox Business.  All machines on our LAN have private IP addresses (192.168.1.xx) although some have a 1:1 NAT mapping to static public IPs.  Historically, we have paid Cox to provide us with a small number (~10) static IPs and configuring the network was a no-brainer.  Having now moved to a new office however, Cox initially provided us with five (5) static IPs but has now informed us that they are taking away four (4) of the five (5) static IPs and replacing them with a CIDR block (in an entirely different subnet).  I have read postings from others (both here on EE and elsewhere) who, like me, were confused as to how to configure their hardware to work with CIDR, but their specific cases were slightly different than mine and they used different hardware.  While I am happy that Cox has assigned me what appears to be a much larger pool of usable public addresses (29), I am unsure how to take advantage of them!

My particulars are as follows (IPs changed slightly from actuals):

Router/Firewall: ZyXEL ZyWALL 110 (part of the ZyWALL 100/200/300 family)
WAN Address: 28.175.185.216
WAN Network Mask: 255.255.255.240
WAN Gateway: 28.175.185.209
DNS1: 68.105.28.16
DNS2: 68.105.29.16

Customer Network: 174.80.25.128/27
Suggested Default Gateway: 174.80.25.129
Customer Netmask: 255.255.255.224
Usable CIDR IPs: 174.80.25.130 - 174.80.25.158
Broadcast IP: 174.80.25.159

I would like to keep all of my machines on the same private network and, where necessary, provide either 1:1 NATing or port mapping as needed.

Can someone please:

1. Explain the difference between my old approach (with dedicated static IPs, all in the same subnet) and the new CIDR approach with a block of IPs (in a different subnet from the assigned WAN IP).

2. Educate me on how best to configure my specific firewall/router to work with this new approach.

Thanks in advance for any-and-all assistance!
0
Question by:Lloyd Charlier
12 Comments
 
LVL 39

Expert Comment

by:noci
ID: 40466352
Just add the CIDR range to the WAN interface as a secondary range.
Select the right WAN interface (f.e. wan1), then create a virtual interface on it
(you will then get: wan1:1 ..) and fill out the fields with IP address & netmask.

Also adjust the firewall rules accordingly (in case an interface is mentioned: f.e. wan1 is not equal to wan1:1).
Then use those addresses for NAT.
0
 

Author Comment

by:Lloyd Charlier
ID: 40466986
noci:

Thanks for the quick reply.  Your directions sound simple enough however I don't see any place to specify a range/block in the ZyWALL configuration screens:

ZyWALL 110 - Create Virtual Interface
In addition to the ZyXEL forums, I have searched the ZyWALL 110 User's Guide and Application Note docs but cannot find any reference to "secondary range" or "CIDR".  Perhaps they call it something else?  Do I have to create Virtual Interfaces for each-and-every IP address in the CIDR block instead?  Also where would I specify the CIDR default gateway and broadcast IP params?
0
 
LVL 39

Expert Comment

by:noci
ID: 40468202
ok you have the IP address & netmask field.
CIDR is a different netmask spec.

/32 = 255.255.255.255
/30 = 255.255.255.252   252 = (128 + 64 + 32 + 16 + 8 + 4)
/28 = 255.255.255.240   240 = (128 + 64 + 32 + 16)
/26 = 255.255.255.192   192 = (128 + 64)
/24 = 255.255.255.0
/16 = 255.255.0.0
/8  = 255.0.0.0
/0  = 0.0.0.0
0
 

Author Comment

by:Lloyd Charlier
ID: 40473733
noci:

Again, much appreciate the reply.

Per your last response, I understand how a netmask is derived.  That said, it is still unclear to me where I can enter the CIDR information (in its entirety) as it was supplied to me by Cox:

The range of CIDR addresses: 174.80.25.128/27
The default gateway associated with the above CIDR block: 174.80.25.129
The netmask associated with the above CIDR block: 255.255.255.224
The broadcast IP associated with the above CIDR block: 174.80.25.159

Does the ZyWALL 110 device even have a facility for specifying a range?  If so, I don't see it.  If not, if I want to take advantage of all of the available usable IPs in the CIDR block (174.80.25.130 - 174.80.25.158), do I need to explicitly define a Virtual Interface for each-and-every IP (i.e. 29 Virtual Interfaces - wan1:1 - wan1:29)?

FWIW, I tried creating a Virtual Interface for one of the IPs (174.80.25.130) but it didn't appear to work (could not ping machine 1:1 NATed to IP):
Virtual Interface - wan1:1
Sorry if I'm being dense.  Please feel free to point out my stupidity... <grin>  Thanks.
0
 
LVL 39

Expert Comment

by:noci
ID: 40474018
Now did you get the block as a replacement for the current address or in addition to the one WAN address...
(What happens is that your provider has set up your entire block as being routed over the original WAN link.)

(Additional CIDR Block)
If you have 1 address on WAN and a 2nd CIDR block on a virtual interface, then normally only the WAN default gateway applies for ALL routes. In some cases you can also use the Broadcast & Base address as an address.

If it is a replacement then the old addresses apparently are dropped, then you don't need the virtual interface, but modify the WAN. (BTW, this is not what I read from your original Q).

Virtual addresses should not be created per address.
A NAT routing entry should be created for that. (And obviously a Firewall rule to allow the traffic to that address on the WAN). Also a WAN -> Zywall rule would be needed including that CIDR address range to respond to Ping.
And you may need specific routing rules specifying outgoing NAT settings for traffic. (A 1:1 NAT rule would do that for you).
0
 

Author Comment

by:Lloyd Charlier
ID: 40474066
noci:

Per your question, our ISP is routing the CIDR block over the original WAN IP.  That said, from your last posting, it appears that we need to create one Virtual Interface on WAN1.  Not to beat this to death, but the Virtual Interface dialog doesn't appear to accept IP address ranges - just discrete IPs (see image from previous post).  How do I specify the CIDR range?  In your post, you state "In some cases you can also use the Broadcast & Base address as an address".  In lieu of specifying the CIDR range, are you suggesting I try using one of these two address in the Virtual Interface instead?  I'll give it a try...

With respect to the ping testing, I already created firewall/routing rules to enable pinging a public IP and having it return an echo if the corresponding 1:1 mapped private IP is up-and-running.  I was already doing this without problems when I was using plain old static IPs in the same subnet as my WAN IP.

I will try re-configuring the Virtual Interface again using either the broadcast IP or base address and see if this fixes things.

Thanks again!
0

 
LVL 39

Expert Comment

by:noci
ID: 40474352
Ip address = 174.80.25.128
Netmask = 255.255.255.224
The description that this is the X/Y/Z Address range provided by... [ if you want to ]
And possibly bandwidth settings.

(the first two define the range from 174.80.25.128 - 174.80.25.159 [ inclusive ]. )
nothing else.
0
 

Author Comment

by:Lloyd Charlier
ID: 40605654
Sorry for the long delay in responding.  I have been dealing with a major health issue that arose in December of last year...

Per your last post, I was never able to configure my specific firewall device (ZyWALL 110) according to your recommendations and get it to work.  I reached out multiple times to ZyXEL (via voice-mails, CSR ticket submissions and forum postings - no response).  Needless to say, I am less than impressed with their customer service... <grrr>
0
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
ID: 40606680
In general their documentation is quite good, but these oversights are easy to get bogged down into.
What often can help is drawing the network picture exactly from the info in the router..., not as you meant it to be but literally what you see. If you then reach a diagram that is not what you intended then you will also know where it fails. If you do this often you will get a feeling for IP addresses & netmasks and make the image more quickly mentally, and more or less see immediately what is "wrong".

And I agree that ZyXEL often is less than helpful. AFAIK they sell rather cheap because they expect the resellers to do the support.
0
 

Author Comment

by:Lloyd Charlier
ID: 40617539
noci:

While I still cannot find any place in the 110's UI or their documentation that addresses specifying a CIDR block range, you have bent over backwards trying to help me and I won't string you along any further.  I finally made contact with ZyXEL Support asking them the same questions posed here and they seem to be just as much in the dark as I am (not very reassuring).  Regardless, I will continue to bang on them until they figure it out.

Thanks again for sticking with the thread as long as you did!
0
 
LVL 39

Expert Comment

by:noci
ID: 40617718
Well CIDR ranges need to be transposed to their netmask equivalences...

/1 = 128.0.0.0
/2 = 192.0.0.0
/3 = 224.0.0.0
/4 = 240.0.0.0
/5 = 248.0.0.0
/6 = 252.0.0.0
/7 = 254.0.0.0
/8 = 255.0.0.0
/16 = 255.255.0.0
/24 = 255.255.255.0
/32 = 255.255.255.255
0
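The netmask tables in noci's two posts above and the "IP address + netmask defines the range 174.80.25.128 - 174.80.25.159" remark are all the same arithmetic. The script below is an added example (not part of this thread, not ZyXEL's software) that does that arithmetic with Python's standard `ipaddress` module: it transposes a prefix length to the dotted netmask the virtual-interface dialog expects and back, derives the network, broadcast, suggested gateway and usable range from the block as Cox stated it, checks whether an address is on the WAN link (which is why only the WAN default gateway applies for the routed block), and sanity-checks a list of 1:1 NAT mappings against the block, since ZyXEL's answer was to enter each address under 1:1 NAT. The NAT mapping list and the 192.168.1.x private addresses in it are constructed sample data.

```python
import ipaddress


def prefix_to_netmask(prefix):
    """Transpose a CIDR prefix length (27) into the dotted netmask
    (255.255.255.224) that a netmask field expects."""
    return str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)


def netmask_to_prefix(netmask):
    """Inverse transposition: dotted netmask back to the prefix length."""
    return ipaddress.IPv4Network("0.0.0.0/%s" % netmask).prefixlen


def describe_block(cidr, gateway=None):
    """Network, netmask, broadcast, gateway and usable range of a block.
    The gateway defaults to the first host address, which is what the ISP
    in this thread suggested; it is excluded from the usable range."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    hosts = list(net.hosts())
    gw = ipaddress.IPv4Address(gateway) if gateway else hosts[0]
    usable = [h for h in hosts if h != gw]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "suggested_gateway": str(gw),
        "first_usable": str(usable[0]),
        "last_usable": str(usable[-1]),
        "usable_count": len(usable),
    }


def is_on_link(ip, iface_ip, iface_netmask):
    """True when `ip` lies in the subnet of the interface (iface_ip/mask).
    A routed block that is NOT on-link is reached via the WAN gateway only."""
    link = ipaddress.IPv4Network("%s/%s" % (iface_ip, iface_netmask), strict=False)
    return ipaddress.IPv4Address(ip) in link


def check_nat_mappings(cidr, gateway, mappings):
    """Validate (public, private) 1:1 NAT pairs against the block: every public
    address must be inside it, must not be the network, broadcast or gateway
    address, and must not be mapped twice. Returns a list of problem strings."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    reserved = {net.network_address, net.broadcast_address,
                ipaddress.IPv4Address(gateway)}
    problems, seen = [], set()
    for public, private in mappings:
        pub = ipaddress.IPv4Address(public)
        if pub not in net:
            problems.append("%s -> %s: outside block %s" % (public, private, net))
        elif pub in reserved:
            problems.append("%s -> %s: network/broadcast/gateway address" % (public, private))
        if pub in seen:
            problems.append("%s: mapped more than once" % public)
        seen.add(pub)
    return problems


# Constructed sample 1:1 NAT table (private side is made up): one good entry,
# one that uses the gateway address, one that is not in the block at all.
SAMPLE_MAPPINGS = [
    ("174.80.25.130", "192.168.1.10"),
    ("174.80.25.129", "192.168.1.11"),
    ("174.80.25.200", "192.168.1.12"),
]

if __name__ == "__main__":
    print("/27 ->", prefix_to_netmask(27), "| 255.255.255.240 -> /%d" % netmask_to_prefix("255.255.255.240"))
    for k, v in describe_block("174.80.25.128/27", "174.80.25.129").items():
        print("%-18s %s" % (k, v))
    print("WAN gateway on-link:", is_on_link("28.175.185.209", "28.175.185.216", "255.255.255.240"))
    print("CIDR gateway on-link:", is_on_link("174.80.25.129", "28.175.185.216", "255.255.255.240"))
    for p in check_nat_mappings("174.80.25.128/27", "174.80.25.129", SAMPLE_MAPPINGS):
        print("NAT problem:", p)
```

Running it reproduces the values Cox supplied (netmask 255.255.255.224, broadcast 174.80.25.159, usable 174.80.25.130 - 174.80.25.158, 29 addresses) and shows that the WAN gateway 28.175.185.209 is on the 28.175.185.208/28 link while the block's gateway is not, so traffic for the block can only leave via the WAN default gateway, as noci noted.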
 

Author Comment

by:Lloyd Charlier
ID: 40619977
FWIW, this is the response I just received from ZyXEL (sounds like they're admitting that the ZyWALL 110 does not natively support CIDR block addressing):

Hello,

Unfortunately our devices are limited and we cannot accommodate the addresses with their suggested gateway. You would have to input each address under 1:1 NAT so you can map them to internal devices.

Please call our support center to better assist you at:

1-800-255-4101 Opt. 5
0
