
I have a VyOS router. VyOS is an OSS fork of Vyatta pre-Brocade/pre-Ubiquiti EdgeRouter. It has a DMZ fronting several servers that face the public and a private zone fronting our private WiFi and ethernet networks.

We have previously been working off of DSL with one static IP address. The DSL modem was simply in bridge mode, and the static IP address was assigned to the VyOS router's WAN interface. DSL (and a single IP address) became unsustainable.

We're getting Comcast Business Class Internet configured (5 static IP addresses). With it, you must use the Comcast Business IP Gateway (a fancy DOCSIS 3.0 modem, in this case a Cisco type-BWG model-DPC3939B) if you want to have static IP addresses (your own equipment is only allowed with a dynamic IP address). Additionally, if you want to have static IP addresses, you cannot put the IP Gateway in bridge mode. It will revert to dynamic addressing if you do so. Static addressing is only available in router mode, though Comcast stresses that you can disable all the router features (DHCP, NAT, WiFi, firewall, etc.) and use your own equipment (our VyOS router) behind the modem. And this is where things are weird.

The 5 static IP addresses come from a /29: In our case, this is *.168 through *.175, with *.168 and *.175 reserved/unusable, and *.174 assigned to the IP Gateway, leaving us with *.169, *.170, *.171, *.172, and *.173 to use for our equipment. *.174 is the "default gateway," the address through which all outbound traffic goes.

I'm able to set up a simple configuration whereby VyOS has one static IP address (*.169) on its WAN and all traffic goes in and out of that through the IP Gateway. It works fine. But I'm not sure how / the best way to use all five. I've surmised that I can assign all five addresses to the WAN and use 1:1 NAT (DNAT+SNAT) to handle mapping incoming traffic to those public IP addresses to private IP addresses on the DMZ, and reverse, but I wanted to avoid this setup. (I know I have to use SNAT for my private DHCP/WiFi/ethernet networks; I need no help with that.)

I was hoping that I could assign just one public IP (*.169) to the VyOS WAN, and then assign *.170 through *.173 directly to the hosts in my DMZ, set up VyOS to route traffic to those public IPs in the DMZ, and set up the IP Gateway to send all *.169 - *.173 traffic to *.169 for further routing. Is this possible? Or is the above NAT approach the best / only solution?

Nick Williams
  • 153
  • 1
  • 7
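Added example, not part of the question or of any answer: the 1:1 NAT layout the question describes (all five public addresses on the WAN interface, DNAT plus SNAT per DMZ host), written as VyOS 1.1-style configuration commands. Everything concrete here is an assumption: the documentation prefix 203.0.113.0/24 stands in for the real /29 (so .169 through .174 correspond to the asker's *.169 through *.174), eth0 is taken as the WAN and eth1 as the DMZ, the DMZ is assumed to be 10.10.10.0/24, and the two DMZ hosts are invented.

```vyos
# WAN: the router owns every usable public address itself, so it answers ARP
# for each one and nothing special is required of the Comcast IP Gateway.
# (203.0.113.0/24 is a documentation prefix standing in for the real /29.)
set interfaces ethernet eth0 description 'WAN - Comcast IP Gateway'
set interfaces ethernet eth0 address '203.0.113.169/29'
set interfaces ethernet eth0 address '203.0.113.170/29'
set interfaces ethernet eth0 address '203.0.113.171/29'

# DMZ on eth1 with private addressing (assumed 10.10.10.0/24)
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 address '10.10.10.1/24'

# All outbound traffic leaves through the IP Gateway at .174
set protocols static route 0.0.0.0/0 next-hop '203.0.113.174'

# 1:1 NAT for an assumed DMZ web server: public .170 <-> private 10.10.10.10
# DNAT: packets arriving on eth0 for the public address go to the DMZ host
set nat destination rule 10 description 'public .170 -> DMZ web'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '203.0.113.170'
set nat destination rule 10 translation address '10.10.10.10'
# SNAT: traffic the host originates leaves as .170, not as the router's .169
set nat source rule 10 description 'DMZ web -> public .170'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.10.10.10'
set nat source rule 10 translation address '203.0.113.170'

# Same pattern for a second assumed host on .171
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 destination address '203.0.113.171'
set nat destination rule 20 translation address '10.10.10.11'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.10.10.11'
set nat source rule 20 translation address '203.0.113.171'

# DNAT only rewrites the destination; the firewall still decides what is allowed.
# Forwarded packets are filtered after DNAT, so match on the private address.
set firewall name WAN_DMZ default-action 'drop'
set firewall name WAN_DMZ rule 10 action 'accept'
set firewall name WAN_DMZ rule 10 state established 'enable'
set firewall name WAN_DMZ rule 10 state related 'enable'
set firewall name WAN_DMZ rule 20 action 'accept'
set firewall name WAN_DMZ rule 20 protocol 'tcp'
set firewall name WAN_DMZ rule 20 destination address '10.10.10.10'
set firewall name WAN_DMZ rule 20 destination port '80,443'
set interfaces ethernet eth0 firewall in name 'WAN_DMZ'

commit
save
```

Rule 20 admits only the ports the DMZ host actually serves, and the established/related rule covers return traffic for connections the DMZ and the SNAT'd private networks initiate; a second DMZ host gets its own accept rule rather than a blanket allow to the translated range. In operational mode, `show nat destination rules`, `show nat source rules` and `show firewall name WAN_DMZ` confirm what was installed. If the router uses zone-policy instead of per-interface assignment, the final `firewall in name` line is replaced by attaching WAN_DMZ to the WAN-to-DMZ zone pair.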

2 Answers


In general the tool you want/need here is proxy ARP. Your router responds to ARP requests as if it were the host in question and can then route the traffic onwards to your original network.

I have no idea if vyos supports this though.

Peter Green
  • 4,056
  • 10
  • 29
  • VyOS does support Proxy ARP, but I'd have to learn how to configure it. Is there an advantage to using Proxy ARP over 1:1 NAT for this, or an advantage to using 1:1 NAT over Proxy ARP? Would I also need to configure something in the Cisco IP Gateway? – Nick Williams Jan 11 '18 at 04:20
  • One to one NAT as you call it (static NAT) will allow you to use all five addresses on your LAN, whereas with proxy ARP you would need one IP for your router, so only four LAN devices. Also, you can share that subnet with other non-Internet devices. However, proxy ARP is a "cleaner" solution if those are not considerations. – marctxk Jan 11 '18 at 14:31
  • I went with 1:1 NAT. It was just a far simpler configuration, and gave me an extra address, plus I had little confidence in Comcast's modem handling the Proxy ARP properly. – Nick Williams Jan 16 '18 at 06:15
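Added example, not from Peter Green's answer, the comments, or the VyOS project: the proxy-ARP layout the answer suggests, with the DMZ hosts carrying their public addresses directly and only one address on the router, in VyOS 1.1-style commands. As before, every concrete value is an assumption: 203.0.113.0/24 is a documentation prefix standing in for the real /29, eth0 is taken as the WAN and eth1 as the DMZ, the two DMZ hosts on .170 and .171 are invented, and the private address on eth1 is there only so the router has an address of its own on that segment.

```vyos
# Only .169 lives on the router; the DMZ hosts hold .170-.173 themselves,
# which is why this approach leaves four usable addresses rather than five.
set interfaces ethernet eth0 description 'WAN - Comcast IP Gateway'
set interfaces ethernet eth0 address '203.0.113.169/29'
set protocols static route 0.0.0.0/0 next-hop '203.0.113.174'

# The /29 cannot be configured on two interfaces, so eth1 gets a private
# address (assumed) and per-host routes say which public hosts sit behind it.
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 address '10.10.10.1/24'
set protocols static interface-route 203.0.113.170/32 next-hop-interface eth1
set protocols static interface-route 203.0.113.171/32 next-hop-interface eth1

# Proxy ARP on both sides:
#  - on eth0 the router answers the IP Gateway's ARP requests for .170/.171,
#    because it holds a route to them via a different interface;
#  - on eth1 it answers the DMZ hosts' ARP requests for their gateway .174,
#    which it reaches via eth0.
set interfaces ethernet eth0 ip enable-proxy-arp
set interfaces ethernet eth1 ip enable-proxy-arp

# The DMZ hosts themselves are configured as 203.0.113.170/29 (resp. .171/29)
# with default gateway 203.0.113.174, as if plugged straight into the IP Gateway.

# No translation happens, so the firewall matches the real public address.
set firewall name WAN_DMZ default-action 'drop'
set firewall name WAN_DMZ rule 10 action 'accept'
set firewall name WAN_DMZ rule 10 state established 'enable'
set firewall name WAN_DMZ rule 10 state related 'enable'
set firewall name WAN_DMZ rule 20 action 'accept'
set firewall name WAN_DMZ rule 20 protocol 'tcp'
set firewall name WAN_DMZ rule 20 destination address '203.0.113.170'
set firewall name WAN_DMZ rule 20 destination port '80,443'
set interfaces ethernet eth0 firewall in name 'WAN_DMZ'

commit
save
```

The trade-off marctxk describes is visible in the first two blocks: .169 is spent on the router, and the DMZ hosts appear on the Internet with their own addresses with no NAT state to keep. The dependency the asker was wary of is the ARP side: the IP Gateway has to accept the router's MAC as the answer for .170 and .171, and `show arp` on the router (operational mode) is the quickest way to see whether the gateway is learning those entries. Newer VyOS releases express the per-host routes as `set protocols static route <prefix> interface <name>` instead of `interface-route`; the proxy-ARP and firewall commands are unchanged.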

All you need to do is buy 4 more routers. Any Netgear will do; then make the WAN address be one of the static IP addresses. The gateway address will be one on the Comcast router but will not be one of the 5; it will probably be one number higher than your highest number in the 5. Each of the new routers you buy will be a full router and can be configured any way you want. I have this setup and it works fine.

gregp
  • 1