Some background, I am coming from a Sonicwall (which I'm not a big fan of, but I'm familiar with it) and I also have experience with the open-source pfSense system. I'm not super-knowledgeable regarding subnetting, but I have a basic understanding and I get how CIDR works and the correspondence between "slash-notation" and the typical decimal dotted quad system.
We currently have two different /28 blocks from our ISP on the Sonicwall. On their system, you define a primary interface IP and subnetmask, and then you can add additional secondary IPs to use them for either outbound or inbound translation.
The two /28s are noncontiguous so we can't summarize them. The ISP takes one IP out of each block and assigns to their upstream router, and I have default routes for both subnets to those IPs with our Sonicwall. (The network addresses are x.y.z.32/28 and x.y.z.128/28, so the ISP is using .33 and .129 on their router.)
From the research I've done I understand that the PA is smart enough to know that if I put in x.y.z.34/28, it will answer for any address in that block. Very handy. However, how do I tell it not to answer ARP requests for .33 and .129 (as those are remote addresses)? Do I need to specify individual /32s for each address, and if this is the case how can I tell the device to route back to .33 and .129 for the separate subnets given that each IP wouldn't have the correct network mask and thus have no way to know that it is "local" to .33 or to .129?
The suggested configuration is to only put one IP address on the External interface, then use inbound NAT policies to allow a arp response for individual IP addresses. You would set up a one to one static NAT for inbound traffic.
You can add a second IP address to your external IP address, but the real problem is that you can only have one default gateway per Virtual Router. In 3.1.X we add Policy Based Forwarding, which will be what you need to use to work around the routing problem you will have with two Public addresses ranges.
I'm already running 3.1.x so that won't be a problem at least.
However, 1:1 NAT will be. We often "hide" multiple systems behind a single external IP - I will take incoming traffic on port 80 and send it to one server, and traffic on 25 and send it to a different one, so I need to be able to use 1:many inbound NAT. Any suggestions?
My ISP made the suggestion that they could route both blocks to us via private addresses, or requisition another public /30 to do so. Then our virtual router would have a single default gateway and we'd use the other end on our WAN interface. I'd then have all 32 addresses available for our use, and shouldn't have any routing problems, right? Will the device have any problems with routing public IPs out over an RFC1918 network?
You can setup 1:many destination NAT as you're suggesting by specifying multiple rules that use the "Service" field to specify the port you would like to forward.
Public IP - x.y.z.12
Mail Server IP - 10.0.0.1
Web Server IP - 10.0.0.2
|Name||Destination Address||Service||Destination Translation|
The options suggested by your ISP sound reasonable. The firewall won't have any issues routing out of an interface with a private IP address.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!