Help setting up routing

Dashrender

I need some assistance understanding in general, and we'll use a ER-X for specifics in the following scenario.

ISP will provide /29 of usable IPs (125.25.25.6/29)
Static assignment 125.25.25.1 - 172.16.16.200.11
Static assignment 125.25.25.2 - 172.16.16.200.12
Static assignment 125.25.25.3 - 172.16.16.200.13
Static assignment 125.25.25.4 - 172.16.16.200.14
Static assignment 125.25.25.5 - 172.16.16.200.15
Static assignment 125.25.25.6 - 172.16.16.200.x (all others)
ISP connection to your router will be over non public routable connection 10.100.100.2/30
ISP Default Gate 10.100.100.1
Internal network will be NATed 172.16.200.x/24

Assuming Port 0 is the WAN port, I assume we'll assign 10.100.100.2/30 to port 0, and the DG as 10.100.100.1.

Assuming Port 1 is LAN port, assign 172.16.200.1/24.

I don't know what to do with the the 125.25.25.6/29 address so my LAN is NAT'ed, and then sent via the 10. network.

Thanks for any insight.

1337

@Dashrender said in Help setting up routing:

Static assignment 125.25.25.1 - 172.16.16.200.11
Static assignment 125.25.25.2 - 172.16.16.200.12
Static assignment 125.25.25.3 - 172.16.16.200.13
Static assignment 125.25.25.4 - 172.16.16.200.14
Static assignment 125.25.25.5 - 172.16.16.200.15
Static assignment 125.25.25.6 - 172.16.16.200.x (all others)

So you mean 1:1 NAT on the first 5 public IPs and 1:many on the .6 IP?

BTW, network is 125.25.25.0/29 and not 125.25.25.6/29.

Dashrender

@Pete-S said in Help setting up routing:

@Dashrender said in Help setting up routing:

Static assignment 125.25.25.1 - 172.16.16.200.11
Static assignment 125.25.25.2 - 172.16.16.200.12
Static assignment 125.25.25.3 - 172.16.16.200.13
Static assignment 125.25.25.4 - 172.16.16.200.14
Static assignment 125.25.25.5 - 172.16.16.200.15
Static assignment 125.25.25.6 - 172.16.16.200.x (all others)

So you mean 1:1 NAT on the first 5 public IPs and 1:many on the .6 IP?

yes

JaredBusch

It is all source and destination NAT rules. This is very basic actual "routing" knowledge.

JaredBusch

First, destination rules to handle the inbound NAT translation.

set service nat rule 4 description 'Allow SMTP from Microsoft'
set service nat rule 4 destination group address-group ATT242
set service nat rule 4 destination port 25
set service nat rule 4 inbound-interface eth0
set service nat rule 4 inside-address address 10.1.1.5
set service nat rule 4 inside-address port 25
set service nat rule 4 log disable
set service nat rule 4 protocol tcp
set service nat rule 4 source group network-group Microsoft_SMTP_Networks
set service nat rule 4 type destination

set service nat rule 6 description 'Inboud PBX traffic'
set service nat rule 6 destination group address-group ATT244
set service nat rule 6 inbound-interface eth0
set service nat rule 6 inside-address address 10.1.1.30
set service nat rule 6 log disable
set service nat rule 6 protocol all
set service nat rule 6 source group
set service nat rule 6 type destination

set service nat rule 7 description 'Inbound Exchange Traffic'
set service nat rule 7 destination group address-group ATT242
set service nat rule 7 destination group port-group Web_Ports
set service nat rule 7 inbound-interface eth0
set service nat rule 7 inside-address address 10.1.1.5
set service nat rule 7 log disable
set service nat rule 7 protocol tcp
set service nat rule 7 source group
set service nat rule 7 type destination

set service nat rule 8 description 'Inbound Proxy Traffic'
set service nat rule 8 destination group address-group ATT245
set service nat rule 8 destination group port-group Web_Ports
set service nat rule 8 inbound-interface eth0
set service nat rule 8 inside-address address 10.1.1.6
set service nat rule 8 log disable
set service nat rule 8 protocol tcp
set service nat rule 8 source group
set service nat rule 8 type destination

set service nat rule 9 description 'Forward SSS to JumpBox'
set service nat rule 9 destination group address-group ATT242
set service nat rule 9 destination port 22
set service nat rule 9 inbound-interface eth0
set service nat rule 9 inside-address address 10.1.1.36
set service nat rule 9 inside-address port 22
set service nat rule 9 log disable
set service nat rule 9 protocol tcp
set service nat rule 9 type destination

JaredBusch

Next source rules for the outbound NAT translation

set service nat rule 5900 description 'PBX Traffic'
set service nat rule 5900 log disable
set service nat rule 5900 outbound-interface eth0
set service nat rule 5900 outside-address address 125.25.25.244
set service nat rule 5900 protocol all
set service nat rule 5900 source group address-group PBX_Inside
set service nat rule 5900 type source

set service nat rule 5997 description LAN
set service nat rule 5997 log disable
set service nat rule 5997 outbound-interface eth0
set service nat rule 5997 outside-address address 125.25.25.242
set service nat rule 5997 protocol all
set service nat rule 5997 source address 10.1.1.0/24
set service nat rule 5997 source group
set service nat rule 5997 type source

set service nat rule 5998 description 'Public WiFI'
set service nat rule 5998 log disable
set service nat rule 5998 outbound-interface eth0
set service nat rule 5998 outside-address address 125.25.25.243
set service nat rule 5998 protocol all
set service nat rule 5998 source address 10.204.5.0/24
set service nat rule 5998 source group
set service nat rule 5998 type source

set service nat rule 5999 description 'Default NAT Masquerade'
set service nat rule 5999 log disable
set service nat rule 5999 outbound-interface eth0
set service nat rule 5999 protocol all
set service nat rule 5999 type masquerade

JaredBusch

Then Firewall rules to allow the types of traffic you want, matching the NAT rules.

Note, the Firewall rules are applied AFTER the inbound NAT translation. SO the rules need to reference the internal IP.

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'Internet to internal networks'

set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Accept Established / Related'
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop Invalid'
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 state invalid enable

set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'Inbound PBX'
set firewall name WAN_IN rule 30 destination group address-group PBX_Inside
set firewall name WAN_IN rule 30 log disable
set firewall name WAN_IN rule 30 protocol all
set firewall name WAN_IN rule 30 state established disable
set firewall name WAN_IN rule 30 state invalid disable
set firewall name WAN_IN rule 30 state new enable
set firewall name WAN_IN rule 30 state related disable

set firewall name WAN_IN rule 40 action accept
set firewall name WAN_IN rule 40 description 'Inbound Exchange HTTP'
set firewall name WAN_IN rule 40 destination group address-group Exchange_Servers
set firewall name WAN_IN rule 40 destination group port-group Web_Ports
set firewall name WAN_IN rule 40 log disable
set firewall name WAN_IN rule 40 protocol tcp
set firewall name WAN_IN rule 40 state established disable
set firewall name WAN_IN rule 40 state invalid disable
set firewall name WAN_IN rule 40 state new enable
set firewall name WAN_IN rule 40 state related disable

set firewall name WAN_IN rule 50 action accept
set firewall name WAN_IN rule 50 description 'Inbound Proxy HTTP'
set firewall name WAN_IN rule 50 destination group address-group Internal_Web
set firewall name WAN_IN rule 50 destination group port-group Web_Ports
set firewall name WAN_IN rule 50 log disable
set firewall name WAN_IN rule 50 protocol tcp
set firewall name WAN_IN rule 50 state established disable
set firewall name WAN_IN rule 50 state invalid disable
set firewall name WAN_IN rule 50 state new enable
set firewall name WAN_IN rule 50 state related disable

set firewall name WAN_IN rule 70 action accept
set firewall name WAN_IN rule 70 description 'Allow SMTP from Microsoft'
set firewall name WAN_IN rule 70 destination group address-group Exchange_Servers
set firewall name WAN_IN rule 70 destination group port-group SMTP_Ports
set firewall name WAN_IN rule 70 log enable
set firewall name WAN_IN rule 70 protocol tcp
set firewall name WAN_IN rule 70 source group network-group Microsoft_SMTP_Networks
set firewall name WAN_IN rule 70 state established disable
set firewall name WAN_IN rule 70 state invalid disable
set firewall name WAN_IN rule 70 state new enable
set firewall name WAN_IN rule 70 state related disable

set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 description 'Allow SSH to JumpBox'
set firewall name WAN_IN rule 100 destination address 10.1.1.36
set firewall name WAN_IN rule 100 destination group
set firewall name WAN_IN rule 100 destination port 22
set firewall name WAN_IN rule 100 log disable
set firewall name WAN_IN rule 100 protocol tcp
set firewall name WAN_IN rule 100 state established disable
set firewall name WAN_IN rule 100 state invalid disable
set firewall name WAN_IN rule 100 state new enable
set firewall name WAN_IN rule 100 state related disable

I make use of firewall groups because I like names instead of IP addresses.

set firewall group address-group ATT242 address 125.25.25.242
set firewall group address-group ATT242 description 'AT&T IP 242 - Exchange'
set firewall group address-group ATT243 address 125.25.25.243
set firewall group address-group ATT243 description 'AT&T IP 243 - Proxy'
set firewall group address-group ATT244 address 125.25.25.244
set firewall group address-group ATT244 description 'AT&T IP 244 - PBX'
set firewall group address-group ATT245 address 125.25.25.245
set firewall group address-group ATT245 description 'AT&T IP 245'
set firewall group address-group ATT246 address 125.25.25.246
set firewall group address-group ATT246 description 'AT&T IP 246'
set firewall group address-group Exchange_Servers address 10.1.1.5
set firewall group address-group Exchange_Servers description 'Exchange Server'
set firewall group address-group Internal_Web address 10.1.1.6
set firewall group address-group Internal_Web description 'Proxy Server'
set firewall group address-group PBX_Inside address 10.1.1.30
set firewall group address-group PBX_Inside description 'Phone System Internal IP'
set firewall group address-group PBX_Outside address 125.25.25.244
set firewall group address-group PBX_Outside description 'Phone System External IP'
set firewall group network-group Microsoft_SMTP_Networks description 'networks used by Microsoft to send email'
set firewall group network-group Microsoft_SMTP_Networks network 40.92.0.0/15
set firewall group network-group Microsoft_SMTP_Networks network 40.107.0.0/16
set firewall group network-group Microsoft_SMTP_Networks network 52.100.0.0/14
set firewall group network-group Microsoft_SMTP_Networks network 104.47.0.0/17
set firewall group network-group Private_LAN description 'Private LAN Networks'
set firewall group network-group Private_LAN network 10.204.0.0/16
set firewall group port-group SMTP_Ports description 'Ports used for SMTP'
set firewall group port-group SMTP_Ports port 25
set firewall group port-group SMTP_Ports port 587
set firewall group port-group Web_Ports description 'Inbound Web Ports'
set firewall group port-group Web_Ports port 80
set firewall group port-group Web_Ports port 443

1337

@JaredBusch said in Help setting up routing:

It is all source and destination NAT rules. This is very basic actual "routing" knowledge.

That's a good description. It doesn't require that you set up any routes as such.

It's the use of a routing network that can be confusing. But it just means that the public IPs end up being routed to the WAN interface over the private routing subnet. Doesn't require any special config to be done in the router.

Dashrender

@JaredBusch said in Help setting up routing:

outbound-interface eth0

@JaredBusch the reference to eth0 in both inbound/outbound - does that simply mean that's the interface where the traffic comes from, but has zero to do with eth0's actual IP?

If that's right, that definitely helps me understand better.

JaredBusch

@Dashrender Yes

pmoncho

@Dashrender said in Help setting up routing:

I need some assistance understanding in general, and we'll use a ER-X for specifics in the following scenario.

ISP will provide /29 of usable IPs (125.25.25.6/29)
Static assignment 125.25.25.1 - 172.16.16.200.11
Static assignment 125.25.25.2 - 172.16.16.200.12
Static assignment 125.25.25.3 - 172.16.16.200.13
Static assignment 125.25.25.4 - 172.16.16.200.14
Static assignment 125.25.25.5 - 172.16.16.200.15
Static assignment 125.25.25.6 - 172.16.16.200.x (all others)
ISP connection to your router will be over non public routable connection 10.100.100.2/30
ISP Default Gate 10.100.100.1
Internal network will be NATed 172.16.200.x/24

Assuming Port 0 is the WAN port, I assume we'll assign 10.100.100.2/30 to port 0, and the DG as 10.100.100.1.

Assuming Port 1 is LAN port, assign 172.16.200.1/24.

I don't know what to do with the the 125.25.25.6/29 address so my LAN is NAT'ed, and then sent via the 10. network.

Thanks for any insight.

I have a question about this setup (just for my general understanding of networking).

Would this be considered a double nat situation? If so, does this create any issues with users on your 172. network?

JaredBusch

@Dashrender said in Help setting up routing:

ISP connection to your router will be over non public routable connection 10.100.100.2/30
ISP Default Gate 10.100.100.1
Internal network will be NATed 172.16.200.x/24
Assuming Port 0 is the WAN port, I assume we'll assign 10.100.100.2/30 to port 0, and the DG as 10.100.100.1.
Assuming Port 1 is LAN port, assign 172.16.200.1/24.
I don't know what to do with the the 125.25.25.6/29 address so my LAN is NAT'ed, and then sent via the 10. network.

It is not a private network, but the NAT examples above are on a router where that /29 is not on any interface.

The only WAN IP is a /30 from AT&T.

JaredBusch

Basically, when I order fiber service from an ISP, I refuse their termination router.

So they drop in fiber, and a router that converts the fiber to ehternet. I hook my router up there.

The Fiber services (from the 3 companies I have used so far) all terminate on a /30. That is what I put on my router as the WAN. See above.

But then I make NAT rules to route all the traffic via the IP that they should show. See config posts above.

The only time I ever use the /30 IP if for VPN connectivity.

Your setup should be identical. Just the ISP provides a 10. instead of a public IP for that part of the routing.

JaredBusch

@pmoncho said in Help setting up routing:

Would this be considered a double nat situation?

It depends on the ISP, but I would assume not in this scenario. it sounds like normal routed traffic.

Dashrender

@pmoncho said in Help setting up routing:

Would this be considered a double nat situation? If so, does this create any issues with users on your 172. network?

As Jared said - no, it's not a double NAT, at least not in my example

scottalanmiller

@JaredBusch said in Help setting up routing:

@pmoncho said in Help setting up routing:

Would this be considered a double nat situation?

It depends on the ISP, but I would assume not in this scenario. it sounds like normal routed traffic.

That was my thinking, I didn't see an extra NAT anywhere.

FATeknollogee

@JaredBusch Just curious, what it the /23 on eth3, is that one of your LAN IP blocks from AT&T?

pmoncho

@Dashrender said in Help setting up routing:

@pmoncho said in Help setting up routing:

Would this be considered a double nat situation? If so, does this create any issues with users on your 172. network?

As Jared said - no, it's not a double NAT, at least not in my example

I was only thinking of double NAT, as the ISP uses private 10.x and you use private 172.16.x and that would create a double NAT. My bad.

JaredBusch

@FATeknollogee said in Help setting up routing:

@JaredBusch Just curious, what it the /23 on eth3, is that one of your LAN IP blocks from AT&T?

No. That is the LAN.

FATeknollogee

@JaredBusch Got it. I now see that it's a 10.202.0.x vs your LAN IP of 10.202.8.x - men, need to put my glasses on!