IP Address Routing


Sadly, routing has never been my strong point. I'm planning a network change for a client and need to know if the following is possible:

1. The client uses routable ip addresses internally so NAT is not being performed. The customer ip address block is 64.28.42.0/24. This has been subnetted by another consulting firm as detailed in item number 2.

2. 2 subnets are in use. The 2 subnets are: 64.28.42.64/26 and 64.28.42.128/25.

3. The client has a Watchguard firewall configured in Drop-In mode. Currently only the External and Trusted interfaces are in use. Both interfaces use the same ip address (per Drop-In mode). That ip address is 64.28.42.226/25. An external address is configured on the firewall and assigned to the upstream router. That ip address is 64.28.42.252/25. The Watchguard uses this ip address as its DG.

The /26 subnet is used for a TS NLB cluster. The /25 subnet is used for everything else. Traffic to the /26 subnet is routed by the Watchguard to a layer 3 switch with ip address 64.28.42.65.

I want to configure the Watchguard in Routed mode and drop the layer 3 switch from the configuration. My plan is as follows:

A. Configure the Trusted interface with ip address 64.28.42.226/25. This interface would be connected to VLAN1 on a single switch. All non-NLB hosts would be plugged into this VLAN and would continue to use this ip address as their DG.

B. Configure the Optional interface with ip address 64.28.42.65/26. This interface would be connected to VLAN2 on the same switch as item A. All NLB hosts would be plugged into this VLAN and would continue to use this ip address as their DG.

C. Have the client ISP allocate a different ip address for the External interface (64.28.35.2). This interface would be connected to the ISP router and the DG of the Watchguard would be set to the router's corresponding ip address (64.28.35.1).

So the question is, can traffic for any 64.28.42.0/24 ip address (which would include the /25 and /26 subnets) be routed to 64.28.35.2 and would the Watchguard forward the traffic internally without the use of NAT? What I don't want to do is to acquire the 64.28.35.0/24 ip address block and then perform NAT at the firewall for the 64.28.42.0/24 ip addresses. I also don't want to re-address the internal hosts with RFC 1918 ip addresses in order to continue to use the 64.28.42.0/24 ip addresses that all of the public DNS records resolve to. I also don't want to have to change all of the public DNS records that currently resolve to the 64.28.42.0/24 ip addresses.

EDIT:

Alternately, I can simply change the subnet mask of all devices to /24 and continue to use Drop-In mode. In this configuration the Watchguard should "discover" which ip addresses are reachable via each interface. Does anyone have any experience with this? Does it work reliably?

Last edited by joeqwerty; 6th September 2013, 02:42.

#2
Re: IP Address Routing

I've always used Watchguards in routed mode so I can't speak to the drop in question.

What you've described in steps A - C should allow things to flow correctly. The default NAT rules only apply to the private addresses. You can put in any NAT rules you like of course but if you don't then the Watchguard should route the traffic without an issue.

Regards,
Jeremy

Network Consultant/Engineer
Baltimore - Washington area and beyond
www.gma-cpa.com


#3

With the goal of making as few changes to the internal network as possible, here's another idea:

External interface: 64.28.42.2/26 - DG: 64.28.42.1/26 (upstream router)

Trusted interface: 64.28.42.226/25

Optional interface: 64.28.42.65/26

I know that the firewall will route traffic correctly for the Optional interface but will it route traffic correctly for the Trusted interface?


#4

It should... but what model/firmware you running?

Regards,
Jeremy


#5

Firebox X1000

WatchGuard, Copyright (C) 1996-2007 WGTI
Firebox Release: pandora
Driver version: 7.5.0.B167687
Daemon version: 7.5.0.B167687
Sys_B Version: 7.1.B1405
BIOS Version: 3ffa79aaf0e040ee4d58706abee5a76d Sicily


#6

Oh my... I can't say for sure. That is a pretty old box. They looking to upgrade soon? The XTM 3 or 5 series would be leaps and bounds better.

Regards,
Jeremy


#7

Unfortunately, they're not in a position to spend any money.

I'm thinking it should work as long as none of the addresses behind the Trusted interface fall between .0 and .127, which they don't.

.0 - .63 fall behind (in front of) the External interface

.64 - .127 fall behind the Optional interface

.128 - .255 fall behind the Trusted interface

So it should route traffic correctly... I think?


#8

Correct, you basically have 60 addresses being unused on the subnet that the ISP router and the Watchguard communicate on. As long as the ISP router (64.28.42.1) has routes on it that tell it to send traffic to the Watchguard for subnets 64.28.42.64/26 and 64.28.42.128/25 then you'll be fine.

You could make the ISP router <-> Watchguard ext int subnet a /30 and then you would have other addresses to use in the future if you needed.

Regards,
Jeremy
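The layout proposed in #3 and the address-range table in #7 come down to longest-prefix matching over three connected subnets, and #8 adds the requirement that the ISP router carry routes for the two internal blocks via the Watchguard. The following Python is an added example, not code from the thread or from WatchGuard: it builds both forwarding tables from the addresses in the thread, resolves sample destinations, checks that no two connected subnets overlap, and checks that every static route's next hop sits inside a connected subnet. The interface name `customer-link` on the ISP router and the omission of the ISP's own upstream default route are assumptions made for the example.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match forwarding table.

    Each route is (prefix, interface, next_hop); next_hop is None for a
    directly connected subnet.  Constructed for this example, not WatchGuard code.
    """

    def __init__(self):
        self.routes = []

    def add(self, prefix, interface, next_hop=None):
        net = ipaddress.ip_network(str(prefix), strict=True)
        nh = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((net, interface, nh))
        return self

    def lookup(self, dst):
        """Return the most specific matching (prefix, interface, next_hop), or None."""
        ip = ipaddress.ip_address(dst)
        best = None
        for route in self.routes:
            if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
                best = route
        return best

    def connected_overlaps(self):
        """Pairs of interfaces whose connected subnets overlap (ambiguous egress)."""
        conn = [(n, i) for n, i, nh in self.routes if nh is None]
        return [(a[1], b[1]) for k, a in enumerate(conn)
                for b in conn[k + 1:] if a[0].overlaps(b[0])]

    def unresolvable_next_hops(self):
        """Static routes whose next hop is not inside one of this table's connected subnets."""
        bad = []
        for net, _iface, nh in self.routes:
            if nh is not None:
                hit = self.lookup(nh)
                if hit is None or hit[2] is not None:
                    bad.append(str(net))
        return bad


def watchguard_table():
    """Post #3's layout: External .2/26, Trusted .226/25, Optional .65/26, default via the ISP router."""
    t = RoutingTable()
    for iface, addr in (("External", "64.28.42.2/26"),
                        ("Trusted", "64.28.42.226/25"),
                        ("Optional", "64.28.42.65/26")):
        t.add(ipaddress.ip_interface(addr).network, iface)  # connected route per interface
    return t.add("0.0.0.0/0", "External", next_hop="64.28.42.1")


def isp_router_table(with_static_routes=True):
    """The upstream router's view.  Interface name is assumed; the ISP's own default route is omitted."""
    t = RoutingTable().add("64.28.42.0/26", "customer-link")
    if with_static_routes:  # the routes post #8 says the ISP router must carry
        t.add("64.28.42.64/26", "customer-link", next_hop="64.28.42.2")
        t.add("64.28.42.128/25", "customer-link", next_hop="64.28.42.2")
    return t


def owner_by_last_octet(table, base="64.28.42."):
    """Post #7's table: which interface each host in the /24 falls behind."""
    return {o: table.lookup(f"{base}{o}")[1] for o in range(256)}


def unused_hosts(prefix, used):
    """Usable host addresses in prefix not in `used` (post #8's '60 addresses unused')."""
    net = ipaddress.ip_network(prefix)
    taken = {ipaddress.ip_address(u) for u in used}
    return [h for h in net.hosts() if h not in taken]


def split_link_subnet(prefix="64.28.42.0/26", link_prefixlen=30):
    """Post #8's alternative: one /30 for the ISP link, the remaining /30s kept spare."""
    subs = list(ipaddress.ip_network(prefix).subnets(new_prefix=link_prefixlen))
    return subs[0], subs[1:]


if __name__ == "__main__":
    wg = watchguard_table()
    print("overlapping connected subnets:", wg.connected_overlaps())
    print("unresolvable next hops:", wg.unresolvable_next_hops())
    owners = owner_by_last_octet(wg)
    for lo, hi in ((0, 63), (64, 127), (128, 255)):
        print(f".{lo}-.{hi} ->", {owners[o] for o in range(lo, hi + 1)})
    print("ISP without statics, 64.28.42.200 ->",
          isp_router_table(with_static_routes=False).lookup("64.28.42.200"))
    print("ISP with statics, 64.28.42.200 ->", isp_router_table().lookup("64.28.42.200"))
    print(len(unused_hosts("64.28.42.0/26", ["64.28.42.1", "64.28.42.2"])),
          "spare addresses on the ISP link")
    link, spare = split_link_subnet()
    print("link subnet", link, "with", len(spare), "spare /30s")
```

Running it shows why the design in #3 works: the Trusted /25 and the two /26s do not overlap, so every address in 64.28.42.0/24 resolves to exactly one interface, and without the two static routes the ISP router has no match at all for anything above .63, which is the failure #8 warns about.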


#9

That's what I thought. The unused ip addresses in the External interface subnet are in use at a remote office that used to have a connection to this network, so they're unused in the Trusted/Optional networks with no plans for using them in the future.

Thanks much for your input.


#10

Originally posted by joeqwerty:
    The unused ip addresses in the External interface subnet are in use at a remote office that used to have a connection to this network, so they're unused in the Trusted/Optional networks with no plans for using them in the future.

This is not a good idea if the subnet is in use elsewhere. You should either further subnet the range or get another IP block from the ISP and use that for the ISP/Watchguard subnet.

Regards,
Jeremy


#11

That subnet is in use internally at a remote office, but it's behind a NAT'ed block of ip addresses. For all intents and purposes that subnet is internal/private and those ip addresses are never routed externally.


#12

OK as long as you know what you're getting into. If you ever want that other site to access resources in this site then you'll have to do some fancy NATing or you'll need to reassign IP addresses.

Regards,
Jeremy


#13

Understood. Thanks much for your help.