topic Re: I've bought 1 more public IP range but cannot use it in General Topics

I've bought 1 more public IP range but cannot use it

Hongson — Sun, 25 Mar 2018 02:09:22 GMT

Dear all,

I've 2 internet lines connected to 2 different ISP: ISP-1 and ISP-2. Default route to internet is the connection to ISP-2

I just bought 1 more public IP range from ISP-1 that belong to a different subnet with my current ISP-1 public IP range.

Now I want to NAT my server using an IP in the new public IP range, but server cannot connect to internet. I've checked logs and see no problem (NAT is successfull, securitiy rules is allowed).

I've no problem if I NAT using current old public IP range. So is there any configuration I have to do before using the new IP range for NAT?

Re: I've bought 1 more public IP range but cannot use it

Raido_Rattameister — Sat, 24 Mar 2018 23:17:56 GMT

Do you have only default gateway in your virtual router or have also configured policy based forwarding policies?

Re: I've bought 1 more public IP range but cannot use it

Hongson — Sun, 25 Mar 2018 01:46:44 GMT

Thank you Raido for your reply.

I use pbf also, because by default traffics from my server go outside via ISP-2 so I created a pbf rule redirect traffic to ISP-1.

I also add an IP in the new IP range to ISP-1 interface.

I've no ploblem when NAT using the old IP range, but when using the new IP range, connection failed.

Re: I've bought 1 more public IP range but cannot use it

SARowe_NZ — Sun, 25 Mar 2018 20:43:37 GMT

If you traceroute and look at the associated session, can you see it egressing on the ISP1 interface, with the SNAT address of your new IP?

If so, I think it sounds like the Internet does not have a route back to your new IP. Either your ISP will need to advertise this on your behalf, or you are using BGP. If the latter, have you added the new IP into your export statements for BGP and can you confirm it is being advertised (you can see this from the BGP RIP under network > routers)?

Cheers,

Shannon

Re: I've bought 1 more public IP range but cannot use it

reaper — Mon, 26 Mar 2018 08:52:52 GMT

id you add the IP to your ISP-1 external interface?

you'll want to do that to ensure NAT and routing are using the appropriate interface to send packets out of and perform proxy arp

Re: I've bought 1 more public IP range but cannot use it

Hongson — Tue, 27 Mar 2018 05:39:46 GMT

Thank you all for your help,

'Cause the default route is connection to ISP-2 so I've to create a pbf rule redict it to ISP-1. And found out that my pbf rule configuration missed Next hop IP ( I thought that only Egress interface is enough).

Problem has been solved now 🙂