Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

How to utilize provided 8 public IP addresses with NSA 5600 via a PPOE connection

Hi all.

I am very glad to be here and would like to ask a question on how to implement network settings on the NSA 5600 system.

Background:

VNPT (ISP) provided us a block 8 static public ip of 113.160.164.y/29 via a PPOE connection (FTTH) with dynamic ip address.

We have set up the system as following:

+ Get WAN connected via X4;

+ Set up Arp for 8 public IP addresses

+ Set up Rules to allow connection via those 8 ip address to our internal network (10.86.19.x/24)

+ Set up NAT 1:1 from those ip to internal server 10.86.19.11-18

The system work fine, connections can be done successfully from outside to those server insides without any problem.

Problems:

Recently, there are few organisations provided with static ip address of the same 113.160.164.xx can not access our servers being NAT via 113.160.164.1-8 to the internal 10.86.19.11-18 (for Web, monitor, mail...ssh..etc)

Simply, if we create a virtual interface at X4, Vlan 19 for the PPOE connection, allows pinging. Computer from other 113.160.164.xx addresses can not even ping to the interface.

VNPT (ISP) said that we configured wrongly and they inquired us to set up a modem/router in between to do the PPOE connection and the secondary LAN of the Modem/router set up with the first Public IP (113.160.164.1) will be connected to the NSA firewall as WAN connection for the entire network.

From our view, we double VNPT has problem with their owned routing but they refused such claims.

Questions: Please help to guide us on how to set up such requirements properly

Thank you very much for your support.

From Vietnam

Category: Entry Level Firewalls
Reply

Best Answer

Answers

  • prestonpreston Enthusiast ✭✭

    Hi, you shouldn't need to do the Static ARP entries if the allocated X4 WAN IP is in the same Subnet,

    if it is not you can enable the Enable Secondary Subnets option in the Diag page.


    Then select the 1st useable IP one in Edit X4 Interface/Advanced/Secondary IP Address section giving it a subnet mask as below (you can then use these IP addresses for NATs etc.. with the static ARP also.


    If the X4 IP is in the Same subnet, have you tried changing the PPPoE subnet mask in the Diag page to 255.255.255.248 ?


  • paulsteigelpaulsteigel Newbie ✭
    edited July 2020

    Hi Preston,

    Even this have been discussed on the other topic (this one was created earlier and I didn't realized that it was saved and posted as I navigated away from editing screen) but provided solution was not solved accordingly. So allow me to continue the discussion here!

    I tried changing the Net mask to /29 already but it did not work. That why I posted the question here. Logically, I doubt the ISP has done thing wrong on routing as there are 02 services provided by them:

    1. The other clients with 113.160.164.x are using option 1 service with static public IP assigned directly to the PPOE connection. This option 1 connect to a different router.
    2. We are using option 2 service with 8 public static ip in the range 113.160.164.x/29 and get connected via PPOE (X4) and X4 IP was dynamically assigned and different from the 8 ip block.
    3. The connection from clients with option 1 static ip to our system is not stable, sometime work, sometime totally interrupted (can not ping and event access to web/mail service on our system). ISP has done the allocation of IP under option 1 service to 113.160.163.x and it works for now but this is not a long term solution at all as they will have to use the 113.160.164.x in near future.

    I will try with your previous response on setting the enable secondary subnet and will inform you on the result.

    Thank you very much for your attention.

    Ngoc - Vietnam

    ======================YOUR GUIDANCE

    I tried to change IP to the first ip as you said with /29 net mask but it failed and reported

    Invalid IP Address - Choose an address within the subnet

    Please help!

  • prestonpreston Enthusiast ✭✭

    in that case use the secondary subnet option and set the PPPoE Subnet mask back to 255.255.255.255 in the diag page, just use the 255.255.255.248 on the X4 Interface/Advanced/ Secondary IP address section, we come across this a lot with ISPs in the UK when they are using multiple public IPs with BT and using PPPoE they always get allocated a dynamic IP not in the same range as the routed subnet or for other scenarios where they have given you more routed IPs but in a different block.

  • paulsteigelpaulsteigel Newbie ✭
    edited July 2020

    Hi Preston,

    I changed the subnet mask to 255.255.255.255 as your guidance, secondary subnet is 113.160.164.1/255.255.255.248

    but failed in pinging the interface!

    For security issues, the ip provided on this discussion is not the real but they are in similar scenario for disscussion!

  • paulsteigelpaulsteigel Newbie ✭

    Hi Preston,

    As I have discussed with ISP guy, they, finally, the problem is routing issue on their side. Our system set up was corrected implemented without the need for enabling Secondary subnet but with following:

    1. Add static arp for public ip addresses;
    2. Add rule to allow WAN>LAN connection to internal servers
    3. Implement NAT (1:1) for mapping to internal servers

    Then all works. If ping needed, I just created a virtual interface with designed public ip via X4 and VLAN, allow ping and it is pingable.

    Also make a full NAT to inside servers with ping enable would also work.

    The only issue remain that I dont know how to do is to set up VPN to work on 1 of the provided public ip (IP A) but not the PPOE ip (Dynamic).

    Please help if you have some time to deal with. I made a question on this but no one answer.

    Thank you very much for your attention.

    Ngoc

  • prestonpreston Enthusiast ✭✭

    What is the model of the Modem router you are using?

  • paulsteigelpaulsteigel Newbie ✭

    Hi Preston,

    I used the x4 interface to dial ppoe directly without any modem in between! It was provided with a dynamic ip /32 (IP A) of a sub net that is different from the 8 ip block provided by the isp.

    I have VPN set up successfully with ip A. As Ip A changed often so I want the VPN to be bound to one IP in the block of 8 ip. I tried quite some efforts but failed!

    Thanks for your attention

    Ngoc

  • prestonpreston Enthusiast ✭✭

    So what does X4 plug into ? what is that device or is it just a cable you have been presented with?

    if that is the case the best option would be to use something like in front of the SonicWall that can do the PPPoE and utilise a No Nat Configuration,

    so you let the Modem/Router do the PPPoE connection then turn NAT off on its LAN Interface and give it the 1st IP in your block(make sure you use the correct Subnet mask and turn off DHCP) then the Sonicwall X4 has the Second IP with the 1st IP as the Gateway, like below for the Router setup

    you lose one of the Public IP addresses to the Modem router but this is the only alternative,

    I presume you have already tried the specify IP on the SonicWall X4 PPPoe as one of the IP addresses rather than letting it use the Dynamic?

  • paulsteigelpaulsteigel Newbie ✭
    Hi Preston,
    X4 connected to a media converter and hooks up to the internet by ppoe cinnection. I actually do not want a modem so decided to use the built in X4 of the firewall. Anyway, i used dyndns for the dynamic ip X4 and things worked fine. Logiccally i think there should be a way to route wan to wan for the firewall so vpn request to the provided public ip can be forwarded to ppoe ip address wherr vpn host at the firewall. But no way found yet.
    I tried to set up a vpn server behind Nat and it worked also.
    Many thanks for your consulting.
    Ngoc
Sign In or Register to comment.