
Our ISP assigned us 16 public IP addresses that we want to assign to hosts behind a Watchguard firebox x750e.

The IP addresses are: x.x.x.176/28 of which x.x.x.177 is the gateway.

The hosts will be running software that needs to be directly assigned the public IP address so 1:1 NAT is not an option.

I found this document that gives examples on how to assign public IP addresses to hosts behind the firewall, using an optional interface: http://www.watchguard.com/help/configuration-examples/public_IP_behind_XTM_configuration_example_(en-US).pdf

However, I can't implement scenario 1 as it won't allow me to use the same subnet on both interfaces. As for scenario 2, splitting the address range into 2 subnets will decrease the usable hosts on the optional interface to 5 (8 - network - broadcast - optional interface ip).

I'm convinced that there must be a better way to address this problem and maximize the number of usable IP addresses but I'm not very familiar with this specific firewall.

Are there any suggestions on how to keep the hosts behind the firewall with public IP addresses while maximizing the usable IP addresses?

thanks

lbarbosa
  • Are you in Drop-In mode or Routed mode? Drop-In mode may be what you are looking for. http://www.watchguard.com/help/WSM/82/getstar8.htm more recent link: http://www.watchguard.com/help/docs/wsm/11/en-US/index_Left.html#CSHID=en-US%2Finstallation%2Fdropin_config_c.html|StartTopic=Content%2Fen-US%2Finstallation%2Fdropin_config_c.html|SkinName=WSM (en-US) – Nate Oct 21 '13 at 21:33
  • I'm in routed mode. One of the other interfaces is being used to serve another group of hosts that don't require public IP addresses. I don't think I could keep this separation in drop-in mode – lbarbosa Oct 21 '13 at 22:13
  • I am going to look into this to see if I can keep the 10.0.1.* addresses of the trusted interface in drop-in mode without any side-effects. thanks – lbarbosa Oct 21 '13 at 22:27
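The address arithmetic behind the question (scenario 2 leaves 5 usable hosts on the optional interface, while keeping the whole /28 on one segment leaves 12) is easy to get wrong by hand, so here is an added worked example, not part of the original question or the WatchGuard documentation. It uses a TEST-NET-3 block as a stand-in for x.x.x.176/28 and assumes the two designs reserve addresses as follows: in the routed split, the Firebox takes the first free address in the external /29 and the first address in the optional /29; in a drop-in or bridged design, the Firebox takes one address from the shared /28 and the ISP gateway keeps x.x.x.177. Everything else is assignable to hosts.

```python
import ipaddress

# Constructed stand-ins for the question's x.x.x.176/28 and x.x.x.177 (RFC 5737 TEST-NET-3).
ISP_BLOCK = ipaddress.ip_network("203.0.113.176/28")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.177")


def routed_split_plan(block, isp_gw):
    """Scenario 2 from the question: split the block into two halves.

    The half containing the ISP gateway becomes the external subnet, the other
    half the optional subnet. Each half loses its network and broadcast address
    plus one Firebox interface address (assumption: first free address in each half).
    """
    halves = list(block.subnets(prefixlen_diff=1))
    ext = next((h for h in halves if isp_gw in h), None)
    if ext is None:
        raise ValueError("ISP gateway is not inside the assigned block")
    opt = next(h for h in halves if h != ext)

    ext_hosts = [h for h in ext.hosts() if h != isp_gw]
    fw_external = ext_hosts[0]            # Firebox external interface IP
    opt_hosts = list(opt.hosts())
    fw_optional = opt_hosts[0]            # Firebox optional interface IP (hosts' default gateway)
    usable = [h for h in opt_hosts if h != fw_optional]
    return {
        "external_net": ext,
        "optional_net": opt,
        "fw_external": fw_external,
        "fw_optional": fw_optional,
        "host_addresses": usable,
    }


def shared_block_plan(block, isp_gw):
    """Drop-in (or bridged) design: the whole block lives on one L2 segment.

    Only the ISP gateway and one Firebox address are taken out of the host range
    (assumption: the Firebox uses a single public IP, the first free one).
    """
    hosts = [h for h in block.hosts() if h != isp_gw]
    fw_ip = hosts[0]
    usable = hosts[1:]
    return {
        "network": block,
        "fw_ip": fw_ip,
        "host_addresses": usable,
    }


def compare(block=ISP_BLOCK, isp_gw=ISP_GATEWAY):
    """Return usable host counts for both designs, so the trade-off is explicit."""
    split = routed_split_plan(block, isp_gw)
    shared = shared_block_plan(block, isp_gw)
    return {
        "routed_split_hosts": len(split["host_addresses"]),
        "shared_block_hosts": len(shared["host_addresses"]),
    }


if __name__ == "__main__":
    split = routed_split_plan(ISP_BLOCK, ISP_GATEWAY)
    shared = shared_block_plan(ISP_BLOCK, ISP_GATEWAY)
    print("Routed split:", split["external_net"], "/", split["optional_net"])
    print("  Firebox external:", split["fw_external"], " optional:", split["fw_optional"])
    print("  Assignable hosts:", ", ".join(map(str, split["host_addresses"])))
    print("Shared block:", shared["network"], " Firebox:", shared["fw_ip"])
    print("  Assignable hosts:", ", ".join(map(str, shared["host_addresses"])))
    print(compare())
```

Swap in the real block and gateway to get the concrete address plan; the count difference (5 versus 12) is what makes the split in scenario 2 unattractive, and the function raises if the ISP gateway does not fall inside the block you pass, which catches a typo before it reaches the firewall.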

2 Answers


You should be able to use Drop-In mode and Secondary Networks to allow your public and private IP addresses to both be used on each of the interfaces. You can then do any NAT that's needed for the private IP addresses and no NAT for the public IP addresses. The private IP address you configure for each Firebox interface will become the DG for privately addressed hosts connected off of that interface. The public IP address configured on the Interfaces tab will become the DG for publicly addressed hosts on each Firebox interface. Drop-In mode will allow you to use the same public address space on each interface without needing to subnet the address block.

joeqwerty
  • The firewall is old and had a few crashes so I lost confidence in it and decided to consider a different solution. Nevertheless, I'm confident that this was the correct answer to my issue. Thanks – lbarbosa Oct 29 '13 at 16:12

I can't speak for the possibility of this on a Firebox running the native firmware but I have a similar setup on an x750e converted to pfSense.

I have created a bridge between the WAN interface and the interface that the devices with WAN IPs are connected to. This has the advantage that traffic is forced through the firewall to access these servers. You can set the gateway of those devices to the IP of the WAN interface to achieve this.

It's important to remember that the WAN side and the devices side must be separately switched or, at least, on separate VLANs on the same switch, or else traffic may not be forced through the firewall.

phil-lavin