Assigning external IP and routing back

First, let me describe my setup. I'm running a small ISP serving a handful of customers. 

 

Upstream Fiber

- Assigned: w.w.w.210

- Gateway is w.w.w.209

- WAN IPs /39, x.x.x.136

- Additional routed /24

 

I have an Office LAN, and my Tower LAN. 

- Office LAN will have 3 devices (these should be routed via the /39); the DHCP server currently assigns the office 192.168.100.0/24

- Tower will be for customer use, (should be routed to the /24)

 

 

Questions:

  1. I was able to give my first office device (192.168.100.39) an external static IP of x.x.x.138 by creating a static mapping for that device in the DHCP server and then adding a source NAT rule that translates it to that external IP. This works, but it feels a bit hacky. Is there a better way to set this up?
  2. So far, I've been unable to figure out how to get outside traffic destined for x.x.x.138 routed back to the internal IP of that office device (192.168.100.39). How do I set this up?
  3. When I set up my tower, I want each user to be dynamically assigned one of the external /24 IPs, with all traffic automatically forwarded back to their private IP. How should I go about this?
  4. Can my DHCP servers be configured to assign an external IP instead of using a private IP? Any drawbacks to this?

 

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* NOTE(review): martian logging is off; enabling it gives visibility into spoofed-source packets arriving on the WAN ports */
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 80 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth6
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* NOTE(review): default-action accept, and the only drop rule (20) is disabled, so this ruleset currently permits all unsolicited inbound traffic from both WAN interfaces; the usual hardening is default-action drop with rule 10 accepting established/related and rule 20 enabled */
    name WAN_IN {
        default-action accept
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            disable
            log disable
            state {
                invalid enable
            }
        }
    }
    /* NOTE(review): both rules are disabled and default-action is accept, so every packet addressed to the router itself is accepted from WAN; with ssh on 22 and the GUI on 80/443 below, the management plane is reachable from the Internet on eth0 and eth6 */
    name WAN_LOCAL {
        default-action accept
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            disable
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            disable
            log disable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path (source address) validation is off; enabling it drops packets whose source is not routable back out the ingress interface */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN_Failover_Fybercom
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.100.1/24
        description "eth2 - Office LAN"
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        address w.w.w.210/30
        description "eth6 - WAN Upstream Fiber"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* NOTE(review): the customer-facing Tower LAN has no firewall attached and no DHCP subnet defined yet; customer hosts on this segment will need their own ruleset before the /24 is routed to them */
    ethernet eth7 {
        address 10.0.0.1/24
        description "eth7 - Tower LAN"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
            failover-only
        }
        interface eth6 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop w.w.w.209 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Office_DHCP_ETH2 {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server x.x.x.65
                dns-server x.x.2.65
                lease 86400
                start 192.168.100.20 {
                    stop 192.168.100.240
                }
                static-mapping Ryan_Router {
                    ip-address 192.168.100.39
                    mac-address xx:xx:xx:xx:6a:30
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    /* NOTE(review): plaintext HTTP on 80 and older-ciphers enable weaken the management UI; combined with WAN_LOCAL accepting everything, this is exposed to the WAN side */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN 2"
            outbound-interface eth0
            type masquerade
        }
        /* NOTE(review): this is source NAT only (outbound); inbound traffic to x.x.x.138 also needs a matching destination NAT rule on eth6, which is the piece the thread resolves to */
        rule 5012 {
            description "Translate Upstream for Office, Static IP"
            log disable
            outbound-interface eth6
            outside-address {
                address x.x.x.138
            }
            protocol all
            source {
                address 192.168.100.39
            }
            type source
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }    
}

 


Re: Assigning external IP and routing back

Did you read this? Do you have a /30 as the point-to-point link, plus a /29 and a /24 as public networks?

Cheers,

jonatha



Re: Assigning external IP and routing back

Did you read this? Do you have a /30 as the point-to-point link, plus a /29 and a /24 as public networks?

Cheers,

jonatha

Re: Assigning external IP and routing back

Thanks for the tip; I had NOT read that article yet. It looks like the piece I was missing was the destination NAT rule. Up and running now, thanks!