two public WAN IP-Subnets on one interface

stebill
Posts: 6
Joined: 14 Mar 2019, 03:26

two public WAN IP-Subnets on one interface

Post by stebill » 25 Mar 2019, 08:55

Hello,

I have a problem configuring a Clavister E10.

I got two static subnets from my ISP. I want to have them both on one interface.

Subnet one: x.x.1.x/29 GW: x.x.1.1
Subnet two: y.y.2.y/29 GW: y.y.2.1

The first one is no problem, but how do I set up the second one?

I have core 12.0.6 firmware.
Any help will be great. :D
Last edited by stebill on 02 Apr 2019, 22:51, edited 1 time in total.

Peter
Posts: 648
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: two public WAN IP-Subnets on one interface

Post by Peter » 29 Mar 2019, 10:16

Hello.

This can be a little tricky, as it depends on how the ISP has set up the routing on their side.

Let's assume your current setup looks something like this:
Route Wan 198.51.100.0/29
Route Wan all-nets GW=198.51.100.1
Then you got another IP range that is e.g.: 203.0.113.0/29

The easiest way to configure this would be by simply adding another route that looks either like this:
Route Wan 203.0.113.0/29
or
Route Wan 203.0.113.0/29 LocalIP=203.0.113.2
The second one is the most likely one to use. What Local IP does here is use this IP as the sender when making ARP queries towards this network, instead of the interface IP (the interface IP is e.g. 198.51.100.2). But unless there is a machine in the /29 network you want to reach, it is only needed for the default gateway (which should be 198.51.100.1, depending on how the ISP has configured things).

But as I said, this depends on how the ISP has configured things on their side. The ISP should "reasonably" just add another route for the new network towards the Firewall and still allow you to use the gateway in the first IP range as the default gateway for internet access.

However, if the ISP requires you to specifically use the default gateway for each network segment based on the sender IP range, then it becomes more problematic. Then you need to involve Policy Based routing in order to create a new routing table where the default route (all-nets) is using a different gateway. I will not go into details about that solution as it should "hopefully" not be needed.

Best regards
/Peter
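
The source-based table selection described in the reply above, as a small model added here (it is not part of the thread and is not Clavister configuration syntax). It reuses the documentation ranges from the post; the second gateway 203.0.113.1, the destination 192.0.2.10 and all table and function names are assumptions.

```python
import ipaddress

# Constructed addressing, reusing the documentation ranges from the post.
NET_A = ipaddress.ip_network("198.51.100.0/29")
NET_B = ipaddress.ip_network("203.0.113.0/29")
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")

# A table is a list of (destination network, gateway); None means on-link.
MAIN_TABLE = [
    (NET_A, None),
    (NET_B, None),
    (ALL_NETS, "198.51.100.1"),
]
# Hypothetical alternate table: same on-link routes, different default gateway
# (203.0.113.1 is an assumed gateway address for the second range).
ALT_TABLE = [
    (NET_A, None),
    (NET_B, None),
    (ALL_NETS, "203.0.113.1"),
]

# Policy rules, evaluated top-down: (source network, table). First match wins.
RULES = [(NET_B, ALT_TABLE)]


def select_table(src):
    """Pick the routing table from the packet's source IP."""
    src_ip = ipaddress.ip_address(src)
    for src_net, table in RULES:
        if src_ip in src_net:
            return table
    return MAIN_TABLE


def lookup(table, dst):
    """Longest-prefix match; returns the next-hop IP, or None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst_ip in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw if gw is not None else str(dst_ip)  # on-link: deliver directly


def next_hop(src, dst):
    """Next hop for a packet, after source-based table selection."""
    return lookup(select_table(src), dst)
```

With only the main table, traffic sourced from 203.0.113.0/29 would leave via 198.51.100.1, which is the case an ISP enforcing per-subnet gateways would reject.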

stebill
Posts: 6
Joined: 14 Mar 2019, 03:26

Re: two public WAN IP-Subnets on one interface

Post by stebill » 29 Mar 2019, 10:53

Hello Peter,

thanks for the reply.
> However, if the ISP requires you to specifically use the default gateway for each network segment based on the sender IP range, then it becomes more problematic. Then you need to involve Policy Based routing in order to create a new routing table where the default route (all-nets) is using a different gateway. I will not go into details about that solution as it should "hopefully" not be needed.

Unfortunately this is exactly what I need. I have two /29 Networks with two different gateways.

Best regards

Stephan

Peter
Posts: 648
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: two public WAN IP-Subnets on one interface

Post by Peter » 03 Apr 2019, 08:26

Hello.
> Unfortunately this is exactly what I need. I have two /29 Networks with two different gateways.

Are you sure the ISP requires you to use the gateway in the second IP range when using the secondary IP range? It should "reasonably" be that it accepts the use of either gateway for internet access no matter your sender/source IP.

Or perhaps you have already tried and it did not work?

Best regards
/Peter

stebill
Posts: 6
Joined: 14 Mar 2019, 03:26

Re: two public WAN IP-Subnets on one interface

Post by stebill » 03 Apr 2019, 09:49

Hello,

I am sure. I can ask the ISP to change this.

Best regards

Stephan

stebill
Posts: 6
Joined: 14 Mar 2019, 03:26

Re: two public WAN IP-Subnets on one interface

Post by stebill » 03 Apr 2019, 09:50

Will it be easier to use two interfaces and to handle this like a second ISP?
