How to set up multiple public static IPs via a PPPoE connection!
Hi all,
I am from Vietnam and would like to seek your help on the following matter of configuring public static IP access to an NSA 5600 via PPPoE with a dynamic IP:
Background:
VNPT (local ISP) provided us a block of 8 public static IPs (113.160.164.1-8) via a PPPoE connection with a dynamic IP address.
We run some servers inside the firewall with a subnet of 10.86.19.x. To provide services to the outside world via those public IPs we did the following:
- Create ARP for those public IPs
- Create a network address group for those IPs
- Create an access rule for that address group to allow WAN-to-LAN connections
- Create a 1:1 NAT for each of those public IPs to the inside LAN servers
The above settings worked well for almost a year with web, mail, SSH and other services. However, recently, some clients provided with static public IPs in the range 113.160.164.x cannot access our system (not stable; sometimes they can access our web, sometimes they fail). VNPT complained that we did the configuration wrongly and that we need to have a modem/router in between the firewall and the media converter to handle the PPPoE connection, and that the secondary LAN port shall be set up with the 113.160.164.1 address and act as a gateway for the entire network.
Question:
Logically, we believe VNPT has a problem with the routing setting at their (ISP) side. The option of having a router in between is good, but the NSA 5600 firewall supports PPPoE and others, so we would like to know whether we can do things properly without an additional modem or router?
We only want the system to be accessible to all, as this is a public service tool for our community in the province, so we don't mind stopping the argument with them.
If anyone has experience with this, please be so kind as to help us do the configuration properly.
Dang Dinh Ngoc - Vietnam
Best Answers
Saravanan Moderator
Hi @PAULSTEIGEL,
Thanks for the confirmation.
It seems like you are using a secondary WAN subnet offered by your ISP to access your internal servers from the external network. We need some configuration on the firewall to instruct the firewall to accept connections on the secondary WAN subnet, which is already in place as per your description. Just referencing the KB article below pointing to the same scenario.
In such scenarios, intermittent access issues to resources behind the SonicWall could be because the ARP cache is getting cleared very often on the upstream ISP device. When access is not happening at all, it could again be an ARP issue between the ISP and the SonicWall.
We may need to perform a packet monitor for ARP in the SonicWall to understand if the ISP device sends and responds to ARP packets. Moreover, this has to be done during the issue time. In case the issue is with the ISP device losing the ARP cache details of the SonicWall's configured secondary WAN subnet range 113.160.164.1- 113.160.164.8, then a diag page option in the SonicWall might help. But again, this works on the assumption that the ISP device does proper routing on its end.
The diag page option is "Periodically broadcast system ARPs every minutes". You can enable this check box and set the value to a lesser value, let's say 5 minutes.
If tweaking the ARP broadcast value doesn't help at all after finding it to be an ARP issue, then it means the ISP doesn't route the traffic. Such a situation demands that you follow the ISP's procedures and suggestions, since the solution resides on the ISP side.
Hope this clarifies and gives you some idea.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Saravanan Moderator
Hi @PAULSTEIGEL,
I would recommend you perform a packet capture on the SonicWall when the issue happens to identify if the packet loss is at their end or the SonicWall end, if they claim to be right on their side. This packet capture will be evidence to pinpoint the issue and can act as proof. To be precise, I'm afraid I'm unsure about the additional router that they are asking you to put in, since I'm not quite sure about their side's routing and the devices that handle routing. As I have suggested above, if this is an ARP issue, an option on the SonicWall's diag page might help you. But if it's all on the ISP side, then I would recommend you follow their advice, as this would be out of SonicWall's scope.
Let me know if any questions and how it goes.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Answers
Hi @PAULSTEIGEL,
Thank you for contacting SonicWall Community.
Appreciate your efforts in drafting a well briefed description.
I presume the current WAN IP address on your SonicWall is configured with one of the IP addresses in the range 113.160.164.1- 113.160.164.8. If this is right, could you please confirm if both the SonicWall and the upstream router are in bridge mode? If they are in bridge mode, we get the flexibility to use public IP addresses directly on our firewall interfaces.
Please confirm your response to this and we can help you isolate and identify the possibilities to solve it.
Have a good day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Dear Mr. SARAVANAN,
Thank you very much for your quick response to my question. Please find my response as below:
I presume the current WAN IP address on your SonicWall is configured with one of the IP addresses in the range 113.160.164.1- 113.160.164.8. If this is right, could you please confirm if both the SonicWall and the upstream router are in bridge mode? If they are in bridge mode, we get the flexibility to use public IP addresses directly on our firewall interfaces.
The current WAN IP address on the SonicWall is dynamically provided by the ISP, as the current firewall is directly connected to the media converter via the X4 interface.
The ISP is offering us to have a router in between the media converter and our firewall. However, we are not so excited about this option and would like to seek help for a proper configuration for our requirement, keeping the NSA directly connected to the media converter and running its own PPPoE connection.
Thank you very much for your attention
Ngoc - Vietnam
@PAULSTEIGEL - Thanks for the response.
Could you please confirm the IP address on the WAN interface? I wanted to understand if the SonicWall's WAN is assigned an IP address in the range 113.160.164.1- 113.160.164.8 or on a different subnet. Please specify.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi SARAVANAN
Could you please confirm the IP address on the WAN interface? I wanted to understand if the SonicWall's WAN is assigned an IP address in the range 113.160.164.1- 113.160.164.8 or on a different subnet. Please specify.
The WAN interface was provided with a different IP, 14.226.41.x (dynamically changed via the PPPoE connection), not one in the provided block!
Thank you very much for your attention.
Ngoc
Dear Mr. SARAVANAN,
I told VNPT (the ISP) that they have done things wrongly, but they refused. Please see my description below:
I created a virtual interface with IP 113.160.164.1 (ping enabled) and did the tracert (the last blocked bit is hidden):
I changed 113.160.164.1 to 113.160.164.2 and ping worked well, with tracert as below:
Please note that VNPT provides static IP addresses in 02 forms:
Option 1: Only 02 public static IPs: they assign the public IP directly to the WAN PPPoE connection;
Option 2: a /29 block with 08 addresses (our case) via the WAN PPPoE connection (with a different, dynamic IP, as confirmed previously).
VNPT said that any other client provided with a static IP of 113.160.164.x will not be able to access our system. Today, I made a test from our neighboring office and discovered that system access is still OK, no interruption at all; ping works well.
But yesterday, most other customers with that IP range 113.110.164.x could not access our system.
Today I told VNPT that the gateways for those two options are wrongly configured:
+ the 37.77 (router for the 02 static IP option) and the 6.22 (router for the 08 IP option) cannot talk to each other;
+ 37.77 was not informed of the correct route to the 6.22 and, finally, to the IP block provided.
Please advise me then. (Generally, my configuration is correct; I am now thinking about having a router in between, and I am sure it will not work as well.)
Thank you very much for your attention.
Dang Dinh Ngoc
Yes Mr. SARAVANAN,
I will try to see things!
Many thanks for your support!
Ngoc - Vietnam
Hi Mr. SARAVANAN,
Following are the monitoring results on ARP packet generation on the SonicWall.
Please advise me, with thanks.
Here are the full details of the packet:
Ethernet Header
Ether Type: ARP(0x806), Src=[c0:ea:e4:b2:c2:d9], Dst=[ff:ff:ff:ff:ff:ff]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: c0:ea:e4:b2:c2:d9
Sender IP Address: 10.86.2.252
Target MAC Address: ff:ff:ff:ff:ff:ff
Target IP Address: 0.0.0.0
Value:[0]
Generated (Sent Out) 0:0)
Please advise.
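Saravanan's suggestion earlier in the thread was to run the packet monitor for ARP during the issue window and see whether the ISP device sends ARP requests for the secondary WAN addresses and whether the firewall answers them. The script below is an added example, not part of the thread and not SonicWall code: it parses packet-monitor text in the same layout as the record Ngoc pasted above and summarizes, per address of the block, how many requests asked for it and how many replies claimed it. It assumes the block is 113.160.164.0/29 (the thread writes it as 113.160.164.1-8 and calls it a /29), and the second and third records in the sample, with the upstream MAC 00:11:22:33:44:55 and IP 14.226.41.254, are constructed so that the request/reply path is visible; only the first record is the one from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed block: the thread gives 113.160.164.1-8 and calls it a /29, so
# 113.160.164.0/29 is used here as a labelled assumption.
SECONDARY_WAN = ipaddress.ip_network("113.160.164.0/29")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample in the layout of the SonicWall packet-monitor text quoted
# in the thread. Record 1 is the thread's; records 2 and 3 are made up
# (hypothetical upstream MAC/IP) to show a request/reply pair for .3.
SAMPLE_DUMP = """\
Ethernet Header
Ether Type: ARP(0x806), Src=[c0:ea:e4:b2:c2:d9], Dst=[ff:ff:ff:ff:ff:ff]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: c0:ea:e4:b2:c2:d9
Sender IP Address: 10.86.2.252
Target MAC Address: ff:ff:ff:ff:ff:ff
Target IP Address: 0.0.0.0
Value:[0]
Ethernet Header
Ether Type: ARP(0x806), Src=[00:11:22:33:44:55], Dst=[ff:ff:ff:ff:ff:ff]
ARP Packet:
ARP TYPE: ARP Request
Sender MAC Address: 00:11:22:33:44:55
Sender IP Address: 14.226.41.254
Target MAC Address: 00:00:00:00:00:00
Target IP Address: 113.160.164.3
Ethernet Header
Ether Type: ARP(0x806), Src=[c0:ea:e4:b2:c2:d9], Dst=[00:11:22:33:44:55]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: c0:ea:e4:b2:c2:d9
Sender IP Address: 113.160.164.3
Target MAC Address: 00:11:22:33:44:55
Target IP Address: 14.226.41.254
"""

_ETH = re.compile(r"Src=\[([0-9A-Fa-f:]+)\],\s*Dst=\[([0-9A-Fa-f:]+)\]")
_FIELD = re.compile(r"^(ARP TYPE|Sender MAC Address|Sender IP Address|"
                    r"Target MAC Address|Target IP Address):\s*(.+?)\s*$", re.M)


@dataclass
class ArpRecord:
    kind: str            # "request" or "reply"
    dst_mac: str         # Ethernet destination (broadcast or unicast)
    sender_mac: str
    sender_ip: ipaddress.IPv4Address
    target_ip: ipaddress.IPv4Address

    @property
    def broadcast(self) -> bool:
        return self.dst_mac == BROADCAST_MAC


def parse_dump(text: str) -> List[ArpRecord]:
    """Split a packet-monitor dump into ARP records; skip non-ARP or truncated ones."""
    records = []
    for chunk in text.split("Ethernet Header")[1:]:
        eth = _ETH.search(chunk)
        fields = dict(_FIELD.findall(chunk))
        if "ARP(0x806)" not in chunk or eth is None or len(fields) < 5:
            continue  # not ARP, or cut off like an incomplete capture
        kind = "reply" if re.search(r"Response|Reply", fields["ARP TYPE"]) else "request"
        records.append(ArpRecord(kind, eth.group(2).lower(),
                                 fields["Sender MAC Address"].lower(),
                                 ipaddress.ip_address(fields["Sender IP Address"]),
                                 ipaddress.ip_address(fields["Target IP Address"])))
    return records


def secondary_wan_summary(records: List[ArpRecord], network=SECONDARY_WAN) -> Dict[str, dict]:
    """Per block address: requests asking for it, replies claiming it, MACs that claimed it."""
    summary = defaultdict(lambda: {"requests_for": 0, "replies_from": 0, "macs": set()})
    for r in records:
        if r.kind == "request" and r.target_ip in network:
            summary[str(r.target_ip)]["requests_for"] += 1
        elif r.kind == "reply" and r.sender_ip in network:
            summary[str(r.sender_ip)]["replies_from"] += 1
            summary[str(r.sender_ip)]["macs"].add(r.sender_mac)
    return {ip: {**v, "macs": sorted(v["macs"])} for ip, v in summary.items()}


def never_asked(summary: Dict[str, dict], network=SECONDARY_WAN) -> List[str]:
    """Block addresses the upstream never ARPed for: the ISP side is not trying to reach them."""
    return [str(ip) for ip in network.hosts() if summary.get(str(ip), {}).get("requests_for", 0) == 0]


def unanswered(summary: Dict[str, dict]) -> List[str]:
    """Block addresses that were asked for but never answered: the published ARP is not working."""
    return sorted(ip for ip, v in summary.items() if v["requests_for"] and not v["replies_from"])


if __name__ == "__main__":
    s = secondary_wan_summary(parse_dump(SAMPLE_DUMP))
    print(s, never_asked(s), unanswered(s))
```

Reading the two lists is the point of the exercise: addresses in `never_asked` were never requested by the upstream device during the capture, which is the "ISP does not route or has dropped its ARP cache" case Saravanan described, while addresses in `unanswered` were requested but the firewall never replied for them, which would be a problem with the firewall's own published ARP entries. A single MAC across all replies (as Ngoc notes for the static ARP entries) is expected when one firewall interface answers for the whole block.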
@PAULSTEIGEL - Looks like the capture is incomplete. This may need real-time assistance for better results. Please call our support team on the number referenced in the web-link below for assistance on this.
Have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Another point to note is that my static ARP entries for all IPs have a similar MAC address.