New here so I hope this is right spot for this question.
I have a router from an ISP that is giving a public /28 subnet out its LAN port (NAT off).
I can't easily replace the device for a couple of reasons.
I wish to run the traffic from this through my PA so I can apply policies to the other devices I will place on this subnet.
A Virtual Wire would work but wouldn't give me any layer 3 control - as I understand it.
I tried an ingress and egress interface in a test virtual router but this can't work because the subnets overlap.
You could put all the devices behind the PAN and NAT them through it. Put all the public IPs on the firewall and use rules for incoming traffic.
Definitely not the only option but it would be a good way of controlling all the traffic. This would require:
* Security Policies
* NAT Policies
* Internal & External Zones
* Private IP subnet (DHCP or no)
Internet <--> Vendor Router <--> PAN <--> Servers/hardware
If done properly there isn't any reason why you wouldn't be able to set up the DHCP to hand out the available public IPs, and then set up a couple of layer 2 interfaces on the PA to actually gain all of the functionality of the firewall. NAT would really be the best solution however, and if you set up a NAT policy properly I've never really had an issue with IPSec tunnels.
I believe when using NAT and IPSec tunnels we needed to do PBFs (Policy Based Forward). That may have been our environment as not everything was in the Virtual Router's default routes (you could probably put everything there?).
It is probably possible to use the firewall as the gateway for the rest of the public IPs (creating rules that way) and just hand them out but I think the return route will be a problem as the ISP gateway is in the same subnet and will want to send return traffic directly to the devices. BPry is probably right about using firewall interfaces (or a switch off of one of the interfaces) and passing the traffic through the firewall and setting up Security Policies based on the IPs. I have not played with this however.