Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SonicWall TZ670 Static Public IP with PPPoE

Hello,

I have a sonicwall TZ670 on which i am trying to configure receiving a static public IP assigned by the ISP and the authentication mode is PPPoE.

What the ISP told me so far, is that once i requested a public IP, they moved my account from residential to corporate account which received dynamic public IPs, and in order to receive my specific public IP i need to do some further configurations that requires RIP V2 protocol, disable NAT, add 0.0.0.0 etc...

Firstly, I could not figure out on the general method / way of how the entire process needs to be planned.

Second, i had some plans that i wanted to test, i could not figure out how to apply it in sonic OS.

Below is what the ISP sent me as text after switching my account:

When fixed public IP is required, the ONT (fiber modem) must then be placed in bridge mode, and the PPPoE is handled by your separate Ethernet-only router behind the modem. The router must support the required interface/ protocols: default route, enable RIP V2, disable NAT, etc.. you need to add 0.0.0.0/0 to your routing table. It could be a Cisco, Cyberoam, FortiGate, Juniper, Mikrotik, or any router you’d choose to use but works in such implementation.

When you request a Fix IP, Ogero moves your PPPoE account from residential category to the pool of corporate users that provides a Dynamic Static IP. Once you use RIP V2 on your firewall/router, the provided IP will be advertised using RIP and your connection will initiate through the provided subnet.


Can anyone please assist in figuring the exact way that the entire process should be implemented.

And then, assist in actually implementing it in SonicOS?


Thank you for your time!

Category: Entry Level Firewalls
Reply

Answers

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @avoakrabian ,

    Option-1

    You must configure your ISP modem to the bridge mode. then you would have to configure your Firewall X1 interface as PPPoE and enter the credentials which you received from your ISP and check whether you are getting the internet connection and the public IP.

    Option-2

    Request t o your ISP to provide you the public IP which they are going to reserve for your connection / the corresponding the user PPPoE credentials. Once you receive the Public IP, Configure the ISP modem as bridge mode and configure your Firewall WAN interface as static IP and enter the Public Ip information which you received from the ISP.

    The recommendation from the ISP for the back end modem which is required to configure as Bridge Mode. Where you need to stop the NAT etc.

    NB: in default RIP is disabled in all interface in Sonicwall.

  • avoakrabianavoakrabian Newbie ✭

    Thank you for the input.

    Maybe I forgot to add the part that, the modem is already set in bridged mode.

    Firewall connected to the modem, Wan being setup in pppoe mode and is getting online, but the issue is with a random public IP.


    As the isp mentioned, my pppoe account has been added to a pool where I receive random public IPs each time.

    And in order to get my specific public ip, I need to configure further above this point, using rip v2, disable nat etc...

    That's my problem, I am having difficulties figuring out how exactly.


    And regarding option 2, I doubt the isp will set the specific public ip on my account. This is the only option available.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @avoakrabian,

    As the isp mentioned, my pppoe account has been added to a pool where I receive random public IPs each time. --> Inform the ISP to reserve /Bind one of the Public IP with your WAN interface MAC address.

    The above step I did for one of the Lebanon based client and its worked well.

  • avoakrabianavoakrabian Newbie ✭

    I've thought about that as well, but I mean if they could've done that, they would've done it already without going into the hassle of sending every public IP client with the same instructions.

    I will however inquire, if they can do that, and maybe wait a week for a proper response (average quality of service).

    But my question still remains, what if they can't and the only way if to use rip v2 alongside all other configurations needed.

    How do I proceed?

  • ArkwrightArkwright Community Legend ✭✭✭✭✭
    edited April 2023

    You don't necessarily need to disable NAT, your requirements would determine that, not them.

    There is not enough information in your post for us to tell you exactly how to configure your firewall. What we have is an overview, mentioning some protocols and concepts, but without specifics.

    I think you should ask them for a configuration example, and if they don't have one for SonicOS, paste in here what they have for Mikrotik or Cisco and someone can then hopefully translate that in to what needs to be done on a Sonicwall.

  • avoakrabianavoakrabian Newbie ✭
    edited April 2023

    I will copy paste the concept / solution that some users with the same ISP as me had, the main difference between me and them is that they had a Mikrotik as a router.


    Hopefully it can give you an idea of what the ISP expects me to do, and perhaps assist me in implementing it in SonicWall.

    Appreciate your help!

    ----------------------------------------------------------------------------------------------------------

    ---now i have created pppoe connection and the rip settings as stated above but the problem the real ip i got is not mine and its dynamic and changes every time i connect----

    That's a misunderstanding. The address provided to you using PPPoE (in this run, 94.187.28.154) is used only for the inteconnection, so it can be any address, public or private, except the one(s) assigned to you. So it is not important what it is and that it changes.


    The whole idea is that you manually assign "your" public address(es) to one of the interfaces of your Mikrotik (other than the PPPoE one!), and you use RIP to inform the router behind the PPPoE channel that this address is accessible via that channel.


    The background is that while you only have got a single static public IP, e.g. the OP has got a whole subnet, and a subnet cannot be assigned using PPPoE as the name suggests. But on the other hand, PPPoE is the only way how to use commodity ADSL modems. So the ISP has everything based on PPPoE.


    -----the only information they give is disable NAT, enable ripv2 and use loopback-----

    Almost correct.

    • "Disable NAT" should have actually read "disable NAT on the PPPoE interface" because otherwise packets sent from your static public address would be NATed to the dynamically changing one assigned to the PPPoE. But you may want to NAT everything to your static public IP, and it is possible of course.
    • "enable ripv2" means that you will inform the neigbour (the PPPoE server) that your static public address can be routed to via your PPPoE client address. The PPPoE server will update its routing tables accordingly.
    • "use loopback" is there because they don't know you use Mikrotik (and don't care either), so what they actually tell you is that you have to assign the static public address to some other interface than the PPPoE one, and if you don't have any (which can be the case where a PC has a single Ethernet port connected to the modem), you should use the virtual interface called loopback or lo on unix-like systems. So in your case, you have to create an /interface bridge name=my-public-ip-holder protocol-mode=none and assign your static public address to it (/ip address add address=your.static.public.ip/32 interface=my-public-ip-holder). Do not make any other interfaces member ports of that bridge.


    ----another question how do i disable NAT on my pppoe connection ?-----

    I assume you use the default firewall and in /ip firewall nat, the is a rule saying chain=srcnat action=masquerade out-interface=pppoe-out1 (or maybe out-interface-list=WAN).

    By removing (or disabling) that rule, you disable the NAT.

    To NAT packets from your LAN subnet to your static public IP while preserving the RIPv2 packets from getting modified, you have to replace that rule by

    chain=srcnat action=src-nat src-address=your.lan.subnet/mask to-addresses=your.static.public.ip out-interface=pppoe-out1

    If it doesn't work, follow the suggestion in my automatic signature.

  • XeroXero Newbie ✭

    I'm a bit new here but keen to offer some input on this one as this is exactly how I've configured every Sonicwall I've used in the last 15 years.

    Say you have a bank of 8 IP's issued: 6 usable. Use the first (usable)for the Sonicwall WAN interface and the Last (usable) for the Router. eg...

    x.x.x.1 Unusable

    x.x.x.2 Sonicwall WAN interface (set the Gateway as x.x.x.7 see below) with the proper subnet Mask as given by the ISP

    x.x.x.3 Will be routed to Sonicwall WAN

    x.x.x.4 Will be routed to Sonicwall WAN

    x.x.x.5 Will be routed to Sonicwall WAN

    x.x.x.6 Will be routed to Sonicwall WAN

    x.x.x.7 This will be the static address of your Router again with the proper subnet.

    x.x.x.8 Unusable

    Indeed turn off absolutely everything on the router and just have it using the Username and Password to connect to the ISP.

    Use any LAN port on the router and this goes into the nominated WAN interface of the Sonicwall.

  • avoakrabianavoakrabian Newbie ✭

    Forgot to mention that my assigned subnet is a /30 subnet, which gives me one gateway and one usable IP.

    Your input is much appreciated.

    However at this point, with all the given info so far, I need someone to guide me through the entire setup and configuration of the firewall.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    I think Xero failed to clarify they are using a separate ROUTER device AS WELL AS the Sonicwall.

    From the info you provided:

    "The whole idea is that you manually assign "your" public address(es) to one of the interfaces of your Mikrotik (other than the PPPoE one!), and you use RIP to inform the router behind the PPPoE channel that this address is accessible via that channel."

    "you use RIP to inform the ROUTER BEHIND THE PPPOE CHANNEL that this address is accessible...." emphasis mine.

    To me this is implying two devices.

    Now, I dont have much experience with PPPoE connections cause not many corporate ISPs around me use it. But I did have ADSL at home for a long time and I always used the provided 'modem' as the PPPoE device (not as a router /firewall, it was in bridge mode) in front of my home router/firewall.

    I dont think the Sonicwall will do what you want in one device.

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    I think in this instance the "loopback" interface on the Sonicwall could be substituted by means of a NAT policy. This is what I do with routed subnets where no IP in that subnet actually lives on an interface of the Sonicwall - there are simply some inbound and outbound NAT policies referencing an IP from the subnet. The outside world doesn't know or care that's how it's set up, and the Sonicwall just NATs the traffic as appropriate. Happy days.

    I am not sure about the RIP part of this, however. I have never set up RIP on SonicOS. If RIP requires that IPs be present on an interface in order to be announced, you might struggle. You maybe could put them on a VLAN to get around this.

    You might find that it's easiest just to buy a Routerboard to do the RIP/PPP part to give the Sonicwall a "normal" IP address to work with [IMO if you can afford a Sonicwall then you can definitely afford a Routerboard!]. A bit frustrating to have to stick in another box when the Sonicwall can do 99% of the job.

Sign In or Register to comment.