
My routing knowledge is a little rusty. I have a fibre internet connection hooked up like this: [diagram: existing network]

The managed switch breaks out VLANS for transparent lan service that is also through the ISP's box. I think that's mostly irrelevant for this problem, so I've left it out of the diagrams.

I have two /29 subnets (using example addresses from RFC5735):

  • 192.0.2.144/29 (.144-151) - the main one. Our gateway is 192.0.2.145, and the firewall's main address is 192.0.2.146.
  • 203.0.113.88/29 (.88-.95) - second subnet that has no gateway and is routed by the ISP to the first one (I think, this is the part where I get confused).

The firewall has all the usable IP addresses of both subnets added to its WAN interface, and does NAT to various servers.

Now I want to add a separate network with its own firewall, outside of our firewall, and it needs its own public IP address, like this: [diagram: proposed network]

I am not using 203.0.113.94 yet, so I was going to remove it from the additional addresses on the existing firewall and give it to the new firewall...but that won't work will it? It has no gateway on its subnet.

Or I could rearrange things and give it one of the 192.0.2.144/29 addresses. Would that work properly and let both networks function properly? Is there a better way to do this?

I could attach the new firewall to the existing one if it could still get a real public IP, not NAT - but I don't know if there is any way to do that with the Watchguard firewall. It would probably require further subnetting, and I'm almost out of IP addresses already.

The new network is to be our test lab (so I can finally stop testing things in production!). I don't want the two networks to ever be able to speak to each other because it will have the same internal subnet and clones of production machines. I need the new firewall to have a public IP address, without any NAT.

Grant
  • You are actively using IPs on both of the /29 ranges right? In your current Watchguard do you have two gateways defined or just the one? – Tim Brigham Mar 29 '16 at 20:40
  • @TimBrigham using IPs from both, and they all work through the Watchguard box doing NAT to various services. Only one gateway - 192.0.2.145. – Grant Mar 29 '16 at 20:58
  • The more I think about it I'm not sure how your existing firewall is able to use that second range. There has to be a route directing the traffic. – Tim Brigham Mar 29 '16 at 22:44
  • @TimBrigham yeah, that's where I get confused too...but I know it's a common thing on business DSL/cable connections to give a single address then somehow route another small subnet to it. ISP level routing wizardry isn't something I have enough experience with yet. – Grant Mar 30 '16 at 00:24
  • It sounds like you're going to have to talk to your ISP and double-check what the gateway on that second subnet needs to be in this use case. There must be some kind of wizardry being done we can't readily see. – Tim Brigham Mar 31 '16 at 21:33
  • Won't you still need NAT on the new firewall to be able to translate your test servers to some public IP? Will you be accessing the test servers from the internet or just from within the LAN? – Tedwin Mar 31 '16 at 23:13
  • @tedwin The new firewall will do NAT. It just needs 1 public IP on the firewall to do it. Test servers will need to be internet-accessible for some of the stuff we are working on. – Grant Mar 31 '16 at 23:16
  • How many interfaces, if any, are free on the existing Watchguard? Are you open to using it if possible? – Tedwin Mar 31 '16 at 23:18
  • @Tedwin I have a few interfaces free on the Watchguard box. I would prefer to have it completely separate from the existing firewall, but I'm open to using it if there is a good reason to. – Grant Apr 01 '16 at 00:34
  • As Ron says in comments below, you can achieve two completely separate networks on the same box without even trying most likely. In other words, let's say you have ge4 and ge8 free (I have no idea what WG calls their interfaces.) Make ge4 your "test LAN" port and make ge8 your "test wan" port. Now you test to be sure no traffic can pass between ge4 and your other LAN port(s), but by default I would assume there's a rule that prevents those LAN ports from talking. Sometimes it's called something like "block intra zone" or "block intra subnet." – Tedwin Apr 02 '16 at 02:38
  • Of course you can use the separate box too. It's just one more thing humming along in the rack and using up electricity. And you'll have two different appliances to manage instead of one. But if it feels easier to use the physically distinct box then go for it. Use one of the 192.0.2.144/29 addresses that you mention having the ability to utilize - you already know the gateway. Be sure to remove the public IP from the production box first, and you should be up and running! Does this help at all or do you still have questions? – Tedwin Apr 02 '16 at 02:42
  • I'm curious to know what the end result was. Care to share? – pat o. Apr 07 '16 at 13:35
  • @pato. Had to schedule some downtime on the weekend for other reasons, so decided to just try it. Rearranging things so I could use one of the 192.0.2.144/29 addresses on the new firewall worked. I still don't understand how the other subnet actually gets routed to me, but I have what I need for now. – Grant Apr 07 '16 at 13:51

5 Answers


I think your best bet is going to be to contact your ISP and clarify exactly what they are giving you with the 203.0.113.88/29 block. There is no reason for things to be complicated by the uncertainty about these IP addresses.

The most ideal scenario is for you to connect a second firewall to that switch and give it one of the IPs on the 203.0.113.88/29 network with a default gateway on the same network.

pat o.

How can your ISP route the 203.0.113.88/29 within your network? Somehow I doubt that's the case.

If you are not fully using your 192.0.2.144/29 (or the 203.0.113.88/29) network, you should be able to put an interface on your switch with one of the IP addresses in that range. I would recommend using 2 IP addresses (if available). So, for example:

Switch1:

Interface FaX/X (your new firewall connects here)

Ip address 192.0.2.147 255.255.255.252 !

Then on your new firewall you would put

Interface X/X 192.0.2.148 255.255.255.252

This would clarify your need for a default gateway. You could also put the /29 mask on it and use the same gateway that is currently in use on your switch.

So, for example (let's say you are using VLAN 20 on your switch):

Vlan 20 ip address 192.0.2.145 255.255.255.248

interface FaX/X (your new firewall connects here) switchport access vlan 20

On your new firewall:

ip address 192.0.2.147 255.255.255.248

Regarding the no-communication rule, you would either need a separate subnet or an ACL on your switch.

Hope this helps

AceCoop
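An added example, not from the question or any answer: a Python check built on the standard-library ipaddress module that applies the two rules at issue in this thread to each addressing plan discussed so far. A firewall's WAN address must not be the network or broadcast address of its subnet, and its default gateway must lie inside that subnet or the firewall has no way to ARP for it. The plan list and labels are constructed for illustration using the same documentation ranges the question uses.

```python
"""Sanity-check a proposed public addressing plan before touching a firewall.
Constructed example; the plans are the ones discussed in this thread."""
import ipaddress
from typing import List, NamedTuple


class Plan(NamedTuple):
    label: str
    address: str   # firewall WAN address with prefix length, e.g. "192.0.2.147/29"
    gateway: str   # default gateway the firewall would be configured with


def check_plan(plan: Plan) -> List[str]:
    """Return problem codes for the plan; an empty list means it passes."""
    iface = ipaddress.ip_interface(plan.address)
    net = iface.network
    gw = ipaddress.ip_address(plan.gateway)
    problems: List[str] = []
    # A host cannot use the all-zeros or all-ones address of its own subnet.
    if iface.ip == net.network_address:
        problems.append("address-is-network")
    if iface.ip == net.broadcast_address:
        problems.append("address-is-broadcast")
    # The default gateway must be on-link (inside the same subnet); otherwise
    # the firewall cannot resolve it with ARP and the route is useless.
    if gw not in net:
        problems.append("gateway-off-subnet")
    elif gw == iface.ip:
        problems.append("gateway-is-self")
    return problems


# Constructed plan list mirroring the thread (RFC 5737 documentation ranges).
PLANS = [
    Plan("OP's first idea: .94 from the second /29, existing gateway", "203.0.113.94/29", "192.0.2.145"),
    Plan("a /30 carved out of 192.0.2.144/29 for the lab firewall", "192.0.2.147/30", "192.0.2.145"),
    Plan("the other side of that /30 carve-out", "192.0.2.148/30", "192.0.2.145"),
    Plan("what the OP ended up doing: a free 192.0.2.144/29 address", "192.0.2.147/29", "192.0.2.145"),
    Plan("lab host behind a firewall sub-interface that owns 203.0.113.89", "203.0.113.90/29", "203.0.113.89"),
]

if __name__ == "__main__":
    for plan in PLANS:
        verdict = ", ".join(check_plan(plan)) or "ok"
        print(f"{plan.address:>18} via {plan.gateway:<14} {verdict:<38} # {plan.label}")
```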

Assigning the lab firewall an address within 192.0.2.144/29 or 203.0.113.88/29 wouldn't work unless it's behind whatever device acts as the gateway for that address space, because whatever device has that broadcast address is going to respond to ARP requests.

You would want to assign the address upstream of your Watchguard firewall or, rather than have the Watchguard advertise the /29 network, you can break that /29 up into /30's. Assign a /30 to one firewall and another /30 to the new lab firewall if you don't need all 8 host addresses within the /29 on one firewall.


I don't know the specifics of your firewall, but this is how I would do it with just about any business-grade firewall, two firewalls being unnecessary:

Put the 203.0.113.88/29 network on your first firewall, on a separate interface (or sub-interface if you can use VLANs), and have the firewall protect the networks from each other. Just assign the firewall interface an address from the network block, and that will be the gateway for the network. You will need a default route from the network to the WAN interface of the firewall (or the ISP router address), and you are done.

NAT really has nothing to do with firewalls; firewalls are usually just a convenient place to NAT. You don't need to NAT on the network if you don't want to, and I wouldn't with public addresses.

Ron Maupin
  • One of his defined goals is to have a completely separate network and firewall, so this answer doesn't really fit. – pat o. Apr 01 '16 at 13:24
  • @pato, my point, that you seem to have missed, is that a separate network, with its own firewall, can be achieved on the single box. The single firewall box can have a separate firewall, within it, for multiple separate networks. – Ron Maupin Apr 01 '16 at 13:46
  • The OP states "I don't want the two network to ever be able to speak to each other because it will have the **same internal subnet** and clones of production machines." Can one accomplish this using the same physical firewall? – pat o. Apr 01 '16 at 13:52
  • @pato., correct, and you can do that as I described. There is nothing special about what the OP asks for. – Ron Maupin Apr 01 '16 at 13:54
  • @pato., in fact, we get questions on NE about why two networks, on different interfaces of the same firewall box, can't talk to each other. A business-grade firewall should, by default, prevent that, and you must take steps to allow it, if that is what you want to do. – Ron Maupin Apr 01 '16 at 14:28
  • I am curious: if both internal networks have the same subnet, could you configure the firewall to differentiate the traffic coming from each physical network and route it out the appropriate WAN link accordingly? – pat o. Apr 01 '16 at 14:37
  • @pato., if you read the question, the public networks, which will touch the firewall, are different. They can have duplicate networks inside those public networks. – Ron Maupin Apr 01 '16 at 14:54
  • I did read the question but I guess we must be interpreting something differently. I'll leave it at that. :) – pat o. Apr 01 '16 at 14:57
  • @pato., this is what I'm seeing: "_I am not using 203.0.113.94 yet, so I was going to remove it from the additional addresses on the existing firewall and give it to the new firewall...but that won't work will it? It has no gateway on its subnet._" By moving this to a separate interface, it will work as described. – Ron Maupin Apr 01 '16 at 15:03

If your ISP is routing both of those scopes to your current firewall, you should be able to set up your desired config with no additional software, depending on your Watchguard model. Watchguard is really good at handling these sorts of issues. It sounds like you may have a bad configuration with regard to the 192 or 203 network, at least in terms of using it as a public network. You should have at least one year of support on the appliance, and if not, pay for another; it is well worth their guidance in setting up this config for you. But first get them to confirm that your current model firewall can handle the config and the traffic load you may expect from both networks.

Regarding your ISP, it sounds like they are just dumping the second network scope on top of the first. Whoever provisioned the service probably was not able at that time to configure both endpoints at your facility and left it as it is now. Getting that cleared up with them would help a lot. It would help you to discuss your config with Watchguard. I personally would use just one firewall, for a number of reasons: electrical load for one, but service contracts and other recurring costs and support needs are another reason. Unless you truly have another issue, like if your development projects require resets of the unit for some reason, i.e. developing network management software. Or if the current unit is undersized for the job of supporting the load of both networks. Take these issues into consideration.

htm11h