/32 WAN IP
Hi All,
Our new provider has given us what they call a 'consolidated' IPv4 address.
For the WAN interface they have asked us to configure 10.10.1.x/30 and then set up a WAN alias.
The actual WAN IP is 80.x.x.x/32
The interface IP is easy, but for Alias, how do I create the outbound NAT rule? And do I need to publish a static ARP entry?
Am I correct in assuming that for the outbound NAT rule, I create the rule as LAN to WAN, translated to the /32 WAN IP?
The provider only has guides for MikroTik and DrayTek.
Cheers
Best Answer
BWC Cybersecurity Overlord ✭✭✭
@loyaltyorkide you were right with your assumption, a static ARP and a NAT rule (outbound) should do the trick, you might need additional NAT rules for inbound traffic, but this was not mentioned in the Mikrotik PDF. You might check with the Packet-Monitor if inbound packets arrive at X1.
This KB-article covers the steps for Gen6 and Gen7, if you need further information just drop a note.
--Michael@BWC
Answers
@loyaltyorkide if you can provide the information for Mikrotik I could tell you what the steps are on SNWL. But I think NATing to the 80.x.x.x/32 is the way to go.
--Michael@BWC
Thank you Michael, I have attached as PDF
Thank you for confirming what I had thought.
And because I have to publish the ARP entry, I then have to manually create inbound NAT for management and any other ports that need to be open.
@loyaltyorkide yes, you need the Inbound Rules, just make sure that you mark your Access Rules as Management Traffic if you need to access the Web-Interface for example. I'm not certain if VPN will work properly, you might need to tinker with the default rules for that.
There is a setting in the Internal Settings section which needs to be enabled to have full control over default NAT and Access Rules.
--Michael@BWC
Hmm, I guess that could present a problem with SSL VPN. I was thinking I could NAT the public IP for SSL VPN to the X1 interface (WAN) and disable the default rule.
@loyaltyorkide did you try to enable "Secondary Subnets" in the internal settings? This might offer a solution for that. The secondary IP can then be bound on X1 in the Advanced tab.
I can't test it at the moment and never used it before, but it must be there for a reason :)
--Michael@BWC
This only works for forwarding a secondary subnet on the WAN instead of using the Static ARP method. You will still have the issue with the VPN termination, as it doesn't add the IP to the default WAN Interface IP address object group, which is needed for the VPN and SSL VPNs (I have put in an R.F.E about this and the secondary subnets with SonicWall).
One thing you could try is assigning the secondary subnet to a VLAN on the MikroTik, then creating a subinterface on the SonicWall WAN interface. We have customers doing it this way with MikroTiks and SonicWalls. This way the subinterface on the SonicWall would be another WAN interface, with no need to do any static ARP etc., and the VPN would work as expected. Just don't forget to add it to the WLB group.