two public WAN IPs on two interfaces

Security Gateway Discussions
saras
Posts: 2
Joined: 14 Jan 2018, 18:51

two public WAN IPs on two interfaces

Post by saras » 19 Jan 2018, 19:21

Hello,

I have a problem configuring our firewall W20 with two public static IPs from our ISP. We would like to use both IPs on two interfaces,
e.g.
G2 WAN: X.X.X.2 -> dhcp client=yes, this IP is for Exchange Server mail in and out, it works without problems
G3 WAN: X.X.X.3 -> dhcp client=yes, here I can see "discovery" as the interface state and the info "ip collision"?

Would like to use G2 for Exchange Server and G3 for Sharepoint Server.

Both IPs have the same gateway and net from the ISP.

I have core 12.0.6 firmware on W20

What can I do? Does it work with both IPs?

Peter
Posts: 636
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: two public WAN IPs on two interfaces

Post by Peter » 14 Feb 2018, 12:00

Hello.

It is possible to configure it like that, yes, but you need to use either Virtual Routing or Policy Based Routing to make sure the traffic flow goes the way you want it and to make sure you do not end up with a routing problem.

But I am unsure what you mean when you say you have static IPs from the ISP but further down you say you need to use the DHCP client. Or is it that you have statically set IP addresses from your ISP but you need to use DHCP to get them?

Usually when they are static corporate IP addresses they get routed to you directly; then you simply add another IP address to the external interface using e.g. ARP publish.

But if DHCP is required it becomes more problematic as we can only fetch one IP lease from the ISP and assign that to an interface. There is the possibility of pre-fetching a large number of IP addresses from a DHCP server using IP pools but that functionality is only possible to use on IP CFG Mode objects.

So I guess the easiest way to solve it would be to use VR, something like this:

<Main Routing table>
Route G2 all-nets Gateway=ISP_GW (Dhcp object)
Route G2 g2net <dhcp object> Gateway=ISP_GW (dhcp object)
Route Lan Lannet
Route Dmz Dmznet
<Secondary Routing table, ordering Only>
Route G3 all-nets Gateway=ISP_GW (Dhcp object)
Route G3 g2net <dhcp object> Gateway=ISP_GW (dhcp object)
Route Lan Lannet
Route Dmz Dmznet

Where you make the G3 interface a specific member of the Secondary routing table (the Virtual Routing tab). The routes created by both G2 and G3 will be automatically created if you leave the DHCP/interface settings at their default, so you should not have to bother with manually creating those.

Ordering only is easier to configure and understand as basically anything that enters this routing table can only use this routing table to find the target source or destination hosts. All other interfaces are a member of all routing tables, meaning we can duplicate the routes without any problems, and it is something we need to do if for instance you want to SAT traffic coming in to G3 towards a server in DMZ or if you want to NAT traffic from Lan to the G3 interface (although that would require a PBR rule that tells cOS Core that it should not use the default main routing table for that).

The G2 and G3 interfaces should be locked down to be in their specific routing tables though (although it is only the G3 interface that MUST be a specific member of the secondary table).

This way you should be able to fetch two leases from the ISP using two different physical interfaces.

Best regards
/Peter

saras
Posts: 2
Joined: 14 Jan 2018, 18:51

Re: two public WAN IPs on two interfaces

Post by saras » 29 May 2018, 18:03

a little late.... :)

but thank you very much...

DelmarB
Posts: 1
Joined: 08 Jun 2018, 12:24

Re: two public WAN IPs on two interfaces

Post by DelmarB » 15 Jun 2018, 14:32

Hi Peter, can you go with even more than two interfaces with this approach? I'm just curious.

Peter
Posts: 636
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: two public WAN IPs on two interfaces

Post by Peter » 16 Aug 2018, 14:08

It should be no problem to duplicate it as long as you have free interfaces and don't hit the "Max PBR Tables" limit in the license.

So one PBR table per lease. It's a bit cumbersome though as you lock physical interfaces, but maybe with VLANs it would be less "restrictive".

Best regards
/Peter

Peter
Posts: 636
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: two public WAN IPs on two interfaces

Post by Peter » 28 Jan 2019, 09:38

A potential problem with this scenario that was brought to my attention is that cOS Core does a route lookup for the lease offer from the ISP. In case there is a matching route, the lease is not accepted and is reported as an "ip conflict". Having the "ISP" interfaces separated in different routing tables does not help either.

Two potential workarounds to this problem:
  • Restart the firewall so both interfaces are requesting a DHCP lease at the same time, before the DHCP-enabled interface routes are added, or remove the conflicting route.
  • Change the following two settings to "False".
    DHCPDisallowIPConflicts=False
    DHCPDisallowNetConflicts=False

    In newer versions (10.x) they are called "Do not allow IP collisions with static routes." and "Do not allow network collisions with static routes." and can be found on the interfaces you activated the DHCP client on.

Best regards
/Peter

P.s. Developer ID for an enhancement in this area is COP-10671.
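A constructed Python model of the collision check Peter describes above (an added example, not cOS Core's own code): the offered lease is looked up against the routes already present in every routing table, and a hit is reported as a collision unless the two DHCPDisallow*Conflicts settings are False. The exact matching rules, the table names and the 203.0.113.0/24 addresses are assumptions.

```python
from ipaddress import ip_interface, ip_network

# Constructed model of the lease-acceptance check described in the thread.
# Every routing table is searched, which is why separating the ISP
# interfaces into different tables does not avoid the collision.
# Not cOS Core's implementation; matching rules are assumptions.

def lease_conflicts(routes, iface, offered_ip, prefixlen,
                    disallow_ip_conflicts=True, disallow_net_conflicts=True):
    """Return [(kind, route), ...] for every route the offer collides with.

    routes: list of (table, interface, network) tuples.
    """
    offered = ip_interface(f"{offered_ip}/{prefixlen}")
    found = []
    for table, r_iface, net in routes:
        network = ip_network(net)
        if r_iface == iface or network.prefixlen == 0:
            # The requesting interface's own routes and all-nets default
            # routes are not treated as collisions in this model.
            continue
        if disallow_ip_conflicts and offered.ip in network:
            found.append(("ip", (table, r_iface, net)))
        elif disallow_net_conflicts and network.overlaps(offered.network):
            found.append(("net", (table, r_iface, net)))
    return found

def workaround_remove_route(routes, iface):
    """First workaround from the post: drop the conflicting interface routes."""
    return [r for r in routes if r[1] != iface]

# Constructed state after G2 has obtained its lease: the auto-created G2
# network route is present in both the main and the secondary table.
ROUTES = [
    ("main", "G2", "203.0.113.0/24"), ("main", "Lan", "192.168.1.0/24"),
    ("main", "Dmz", "10.10.10.0/24"),
    ("secondary", "G2", "203.0.113.0/24"), ("secondary", "Lan", "192.168.1.0/24"),
]

if __name__ == "__main__":
    # G3 is offered X.X.X.3 in the same /24: rejected with the defaults,
    # accepted once both settings are False.
    print(lease_conflicts(ROUTES, "G3", "203.0.113.3", 24))
    print(lease_conflicts(ROUTES, "G3", "203.0.113.3", 24, False, False))
```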
