ISP forwarding WAN IP
Hello Everyone,
I hope that everyone's doing well.
I'm having some issues with the way the ISP is giving my client their WAN IP.
We've a Tz 370 connecting the X1 (WAN) to their device, for this connection to work, I need to use some IPs that they gave me, lets say that these IPs are:
For my sonicwall: 10.0.0.1
Their device: 10.0.0.2
And then they're forwarding our WAN IP to 10.0.0.1 which is the IP that we've configured on our WAN port.
The issue with this is that we've IPSec connections, and our WAN port should have the outside WAN IP, not the 10.0.0.1.
To work this out, what I did was:
On the X1 port I've configured the WAN IP
After that, I went to the ARP table and created on the X1 port the IP 10.0.0.1 and ticked "publised".
Also, I added the 10.0.0.2 IP with the MAC address from my ISP device to the X1 port in the ARP table.
After all this, I went to the routing page, and created a route:
This works ok for a while, after some time, and it really depends, can be 1 hour to 4 hours or even 6 hours.
The connection to the internet stops working.
I used the packet capture, and the ARP requests from 10.0.0.2 (ISP device) are being dropped.
Any one can help me with this one?
Update 1: If I go to the advanced DIAG page of the sonicwall and I do a "Send System ARP" the connection comes back up.
Note: I opened this same post on SSL VPN, but it was a mistake, I'm sorry for that...
Answers
Update 2: Packet monitor
Gives me this:
ARP TYPE: ARP Response
Sender MAC Address: Mac of ISP device
Sender IP Address: 10.0.0.1
Target MAC Address: Sonicwall MAC address
Target IP Address: 10.0.0.1
Value:[0]
DROPPED, Drop Code: 54(Arp reply ignored.)
Unless your ISP can directly hand off your Public WAN IP address you'll need another device in front of the Sonicwall. Whether you obtain it or have the ISP provide it (they usually call them 'managed routers') is up to you. Or you can find another ISP.
Personally I dislike ISPs that route Public IPs through a private IP subnet visible to the client.
So there's really no other way around it?
It is odd, I've done this same configuration for another of my clients, the only difference is that this client was using a ASA5506X, but I did the exact same configuration as I did in the SONICWALL, and it keeps working like a charm...
It must be because SONICWALL has more security probably.
We can take another look at it...
"Also, I added the 10.0.0.2 IP with the MAC address from my ISP device to the X1 port in the ARP table." Can you explain this further or provide a screenshot? I'm not sure why or what you are doing.
What are you using as the default gateway on the WAN interface? What is the PT_Gateway IP addres syou are using in the route?
" Sender MAC Address: Mac of ISP device; Sender IP Address: 10.0.0.1
Target MAC Address: Sonicwall MAC address; Target IP Address: 10.0.0.1"
Is this a typo 10.0.0.1 for both sender and target?
Hello TKWITS, no its not a type.
When I do use the packet monitor it gives me that, and as soon as I get that one the connection stops working...
I have to get into the hidden DIAG page, and do a "Send system arp" for it to start working again, but after a while same thing happens.
You have failed to answer my other questions...
Hi @CÉSAR_S,
As per the packet detail given by you, both the source and destination IP addresses are same. I'm unsure how can the ISP device generate an ARP reply packet with its MAC as source and SonicWall's WAN IP address as Source and Destination IP addresses. This packet drop may be a valid drop.
As per your initial comment on this post, I understand that you have configured both the public IP address and 10.0.0.1 on the SonicWall WAN interface. The public IP address is configured directly whereas the private IP address 10.0.0.1 is published to WAN interface. This arrangement is done on the SonicWall for you to utilize IPsec VPN. If this is right, could you please explain me why would there be a necessity to use the private IP address 10.0.0.1 on the WAN interface of SonicWall when you have configured a public IP address directly?
Possibly I can make some progress on your question.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Sorry...
" Can you explain this further or provide a screenshot? I'm not sure why or what you are doing."
On my X1 interface (WAN) What I did was adding the Public IP.
To get my SONICWALL to respond to ARP requests I've added the IP 10.0.0.1 to the ARP table, picked X1 interface and Published it.
Also, I've added to the ARP table the 10.0.0.2 and the MAC address from the ISP device.
After that I've created the routing to the 10.0.0.2 Gateway.
"What are you using as the default gateway on the WAN interface? What is the PT_Gateway IP address you are using in the route?"
The PT_GATEWAY is the 10.0.0.2 IP, the ISP device IP.
Sorry I can't get screenshots, I had to remove the SONICWALL and leave the old firewall plugged in, the client wasn't happy though...
Hello Saravanan,
Ok so what the ISP did was:
They gave me both 10.0.0.1 IP that would be configured on my WAN interface and 10.0.0.2 that would be configured as the Default gateway of the WAN interface, this would be for my SONICWALL to communicate with the ISP device.
Then they route the Public IP to the 10.0.0.1 IP.
But I can't have it like this, because of the IPSec tunnels.
So I configured the Public IP on my WAN interface, without any default gateway configured on it.
I published the 10.0.0.1 IP on the ARP table and also added the 10.0.0.2 to the ARP table with the ISP MAC address.
On the packet monitor, I filtered by ARP.
Could it be that its also detecting an IP Spoof and its dropping it?
I would love to see the working config from your cisco device... I have no idea how you managed to get anything working.
What information did the ISP give you? Two sets of ip addresses, two subnets masks, two gateway addresses?
Hi @CÉSAR_S,
Thanks for explaining the scenario better.
I believe there are only two suggestions to get this working on SonicWall. The dropped packet is because the private IP address 10.0.0.1 is not configured directly on the physical interface or on the virtual interface and it just acts a virtual IP.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hello Saravanan, the mask of the public IP is a 255.255.255.255 mask.
The ISP are forwarding the Public IP to the 10.0.0.1 IP already.
I noticed that there's a new thing available on the WAN port configurations, on the advanced settings, there is a new option called "Secondary subnet", what is this? And what should it be used for?
Is it something like an IP Alias?
I read somewhere that on ASA5506, you could use the ARP table to get two devices communicating.
They basically gave me 1 Subnet with the mask 255.255.255.252, the IP and the default gateway for my device.
And then they have the public ip that is being forwarded to the IP that is configured on my ASA.
Hi @César_S,
The Secondary Subnets if enabled on the diag page and configured under the WAN interfaces, makes the SonicWall to enable ARP Responses for Secondary Subnets on WAN interfaces. You may give this a shot once and see if it helps. This option does similar job as publish ARP entry.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thank you again Saravanan.
And what IP do you think that I should configure there?
The Public IP or the 10.0.0.1 IP?
@César_S - Try the IP 10.0.0.1.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Will do.
But can only do it on 5 of August...the client are closed until 5 of august, summer holidays...
Sure @César_S. please keep us posted.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I am being literal. I would like to see a copy of the working config from the ASA. If you aren't comfortable posting I understand.
Hello Saravanan,
I was able to teste it, didn't work.
I've had a chat with the ISP, I think that we'll be able to sort it.
I hope so.
Great @César_S.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services