How to utilize the 8 provided public IP addresses with NSA 5600 via a PPPoE connection
Hi all.
I am very glad to be here and would like to ask a question on how to implement network settings on the NSA 5600 system.
Background:
VNPT (ISP) provided us a block of 8 static public IPs, 113.160.164.y/29, via a PPPoE connection (FTTH) with a dynamic IP address.
We have set up the system as follows:
+ Get WAN connected via X4;
+ Set up ARP for the 8 public IP addresses
+ Set up rules to allow connections via those 8 IP addresses to our internal network (10.86.19.x/24)
+ Set up 1:1 NAT from those IPs to the internal servers 10.86.19.11-18
The system works fine; connections can be made successfully from outside to those servers inside without any problem.
Problems:
Recently, a few organisations provided with static IP addresses in the same 113.160.164.xx range cannot access our servers that are NATed via 113.160.164.1-8 to the internal 10.86.19.11-18 (for web, monitor, mail, SSH, etc.).
Simply, if we create a virtual interface at X4, VLAN 19, for the PPPoE connection that allows pinging, computers from other 113.160.164.xx addresses cannot even ping the interface.
VNPT (ISP) said that we configured it wrongly and asked us to set up a modem/router in between to do the PPPoE connection; the secondary LAN of the modem/router, set up with the first public IP (113.160.164.1), would be connected to the NSA firewall as the WAN connection for the entire network.
From our view, we suspect VNPT has a problem with their own routing, but they refused such claims.
Questions: Please help to guide us on how to set up such requirements properly.
Thank you very much for your support.
From Vietnam
Best Answer
preston
Are you trying to ping the IP in the same subnet as your message? I don't think this works as there is no rule for it, as it is not classed as X4 IP (it just enables you to utilise the range for port forwarding). I have already suggested to my SE for this to be able to show up included in the X4 IP (WAN) address object group so it could be utilised for IPSec, SSLVPN etc.
Currently the only way to be able to ping or manage would be to utilise this rule mentioned in the link below; you could create one for ping also (just make sure you tick the box for Enable Management).
Answers
Hi, you shouldn't need to do the static ARP entries if the allocated X4 WAN IP is in the same subnet;
if it is not, you can enable the Enable Secondary Subnets option in the Diag page.
Then select the 1st usable IP in the Edit X4 Interface/Advanced/Secondary IP Address section, giving it a subnet mask as below (you can then use these IP addresses for NATs etc. with the static ARP also).
If the X4 IP is in the same subnet, have you tried changing the PPPoE subnet mask in the Diag page to 255.255.255.248?
Hi Preston,
Even though this has been discussed in the other topic (this one was created earlier and I didn't realize that it was saved and posted as I navigated away from the editing screen), the provided solution did not solve it accordingly. So allow me to continue the discussion here!
I tried changing the netmask to /29 already but it did not work. That is why I posted the question here. Logically, I doubt the ISP has done something wrong on routing as there are 02 services provided by them:
I will try your previous response on enabling the secondary subnet and will inform you of the result.
Thank you very much for your attention.
Ngoc - Vietnam
======================YOUR GUIDANCE
I tried to change the IP to the first IP as you said, with a /29 netmask, but it failed and reported:
Invalid IP Address - Choose an address within the subnet
Please help!
In that case use the secondary subnet option and set the PPPoE subnet mask back to 255.255.255.255 in the Diag page; just use 255.255.255.248 in the X4 Interface/Advanced/Secondary IP Address section. We come across this a lot with ISPs in the UK: when they are using multiple public IPs with BT and using PPPoE, they always get allocated a dynamic IP not in the same range as the routed subnet, or for other scenarios where they have given you more routed IPs but in a different block.
Hi Preston,
I changed the subnet mask to 255.255.255.255 as per your guidance; the secondary subnet is 113.160.164.1/255.255.255.248,
but pinging the interface failed!
For security reasons, the IPs provided in this discussion are not the real ones, but they are in a similar scenario for discussion!
Hi Preston,
As I have discussed with the ISP guy, finally, the problem is a routing issue on their side. Our system setup was correctly implemented without the need for enabling the secondary subnet, but with the following:
Then all works. If ping is needed, I just created a virtual interface with designed public IP via X4 and VLAN, allowed ping, and it is pingable.
Also, making a full NAT to the inside servers with ping enabled would also work.
The only issue remaining, which I don't know how to do, is to set up VPN to work on 1 of the provided public IPs (IP A) but not the PPPoE IP (dynamic).
Please help if you have some time to deal with it. I posted a question on this but no one answered.
Thank you very much for your attention.
Ngoc
What is the model of the Modem router you are using?
Hi Preston,
I used the X4 interface to dial PPPoE directly without any modem in between! It was provided with a dynamic IP /32 (IP A) of a subnet that is different from the 8-IP block provided by the ISP.
I have VPN set up successfully with IP A. As IP A changes often, I want the VPN to be bound to one IP in the block of 8 IPs. I made quite some effort but failed!
Thanks for your attention
Ngoc
So what does X4 plug into? What is that device, or is it just a cable you have been presented with?
If that is the case, the best option would be to use something like in front of the SonicWall that can do the PPPoE and utilise a No NAT configuration,
so you let the modem/router do the PPPoE connection, then turn NAT off on its LAN interface and give it the 1st IP in your block (make sure you use the correct subnet mask and turn off DHCP); then the SonicWall X4 has the second IP with the 1st IP as the gateway, like below for the router setup.
You lose one of the public IP addresses to the modem router, but this is the only alternative.
I presume you have already tried specifying the IP on the SonicWall X4 PPPoE as one of the IP addresses rather than letting it use the dynamic one?
X4 is connected to a media converter and hooks up to the internet by a PPPoE connection. I actually do not want a modem, so I decided to use the built-in X4 of the firewall. Anyway, I used DynDNS for the dynamic IP on X4 and things worked fine. Logically, I think there should be a way to route WAN to WAN on the firewall so a VPN request to the provided public IP can be forwarded to the PPPoE IP address where the VPN is hosted at the firewall. But no way found yet.
I tried to set up a VPN server behind NAT and it worked also.
Many thanks for your consulting.
Ngoc