
Add another external IP address with NO NAT

I'm working on a UTM 220 with multiple Ethernet interfaces, and a /27 subnet from our ISP.

ISP router is at .1

Our UTM WAN port is eth1 at .30.

We are hosting email services and other stuff at a few other external IPs in our block, NATted through to a server on the LAN side; everything works fine once I added an "Additional Addresses" entry for each. Each additional address is set to a subnet mask of /32 per recommendations I've seen around the forums.

Now, I have a VOIP box which cannot be NATted (protocol issue). It needs to have an external IP address. 

Here's what I've tried:

  • Add a new interface eth7 with IP address .7 and /32 subnet, enabled Proxy ARP.
  • Connect the VOIP box to eth7 and configure it with .6 and /27 subnet through its web UI.
  • Enable firewall rules to permit traffic to the .6 address of the VOIP box.

It works for about an hour, then stops!

Any idea?



This thread was automatically locked due to age.
  • My guess is that you have a routing conflict.  What happens if you set the subnet on eth1 to /32? (WebAdmin doesn't require that the default gateway be in the subnet.)

    Cheers - Bob

  • I've done the following now:

    • Updated eth1 to a /32 subnet. It didn't break anything...
    • Added a static route, interface type, to put the VOIP box address on the eth7 interface.
    • Enabled Proxy ARP on both eth1 and eth7.

    Seems to be more stable. Is this the "correct" way to get external IPs into another interface? It's kinda like a DMZ using a slice of our public space instead of NATting.

    Should I create a smaller subnet and put it on eth7 instead? Would that eliminate the need for Proxy ARP and a static route?

  • This way works, and I can tell you've got a solid background in networking, so no reason to change it.  Yes to your last two questions if you aren't tired of fiddling with it. ;)

    With WebAdmin, several long-time contributors here would do this a bit differently where no Proxy ARP is required and WebAdmin automatically creates the routing:

    • Have your ISP route x.y.z.0/27 to x.y.z.30
    • Change subnet on eth1 to not overlap with x.y.z.4/30
    • Create x.y.z.5/30 on eth7
    • Assign x.y.z.6 to the VoIP box with appropriate subnet and DG of x.y.z.5
    • Create appropriate firewall rule(s)

    Cheers - Bob
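
An added example (not written by any poster in this thread) that checks the two addressing plans discussed above: which interfaces have overlapping connected subnets, and whether the VoIP box's address and default gateway are valid inside the /30 on eth7. The 203.0.113.0/27 block is a constructed stand-in for x.y.z.0/27, and eth1 is assumed to keep the /32 mask from the earlier reply.

```python
from ipaddress import ip_address, ip_interface
from itertools import combinations

# Constructed sample plans; 203.0.113.0/27 stands in for the ISP's x.y.z.0/27.
ORIGINAL = {"eth1": "203.0.113.30/27", "eth7": "203.0.113.7/32"}
ROUTED = {"eth1": "203.0.113.30/32", "eth7": "203.0.113.5/30"}


def overlapping(interfaces):
    """Return pairs of interface names whose connected subnets overlap."""
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def host_problems(host, gateway, iface_cidr):
    """List reasons a host cannot sit behind the interface given as iface_cidr."""
    iface = ip_interface(iface_cidr)
    usable = set(iface.network.hosts())  # excludes network and broadcast addresses
    problems = []
    if ip_address(gateway) != iface.ip:
        problems.append(f"default gateway {gateway} is not the interface address")
    if ip_address(host) not in usable:
        problems.append(f"{host} is not a usable host address in {iface.network}")
    elif ip_address(host) == iface.ip:
        problems.append(f"{host} collides with the interface address")
    return problems


if __name__ == "__main__":
    print("original plan overlaps:", overlapping(ORIGINAL))
    print("routed plan overlaps:  ", overlapping(ROUTED))
    # VoIP box at .6 with default gateway .5, as in the list above.
    print("VoIP .6 problems:", host_problems("203.0.113.6", "203.0.113.5", ROUTED["eth7"]))
    # .7 is the broadcast address of the .4/30 subnet, so it cannot be a host.
    print("VoIP .7 problems:", host_problems("203.0.113.7", "203.0.113.5", ROUTED["eth7"]))
```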

  • I don't know if I did it the "right" way, but I had a similar setup at my previous building. 

    I needed public IPs on a gateway for my VOIP system. 

    I just bridged the VOIP eth with the WAN eth and gave the VOIP eth a static inside the range of my external interface. 

    E.g.

    Eth1, Eth2 Bridge = Br0

    Eth 2 - Connected to VOIP box 

    Eth 1 - WAN 

    Br0 - 1.1.1.2/29 DFGW 1.1.1.1

    VOIP Box - 1.1.1.3/29 DFGW 1.1.1.1

    I could still create firewall rules for traffic between 1.1.1.1 and 1.1.1.3 and all traffic flowed correctly. 

  • I want to ask how you made it work to bridge eth1 and eth2.

    My setup is this:

    I have 13 public IPs from my ISP. Now I want to put all those 13 IPs on a single port of a Sophos SG 310 and distribute them to other ports. How can I do that? I need to monitor those IPs and distribute them to my mail server and to my internal network.

  • Hi, Jerry, and welcome to the UTM Community!

    The easiest way is to use Additional Addresses.  Depending on the subscriptions you have, you then can use proxies or DNATs.  I didn't see anything in your description that might indicate that a bridge would be desirable.

    Cheers - Bob

  • Thank you for your response, sir. So if it is based on my subscription, how can I know the limitations of my subscription? Can you guide me? This device was passed on to me without any documents or notes. Thanks.

  • We have an unwritten rule here of "One topic per thread."  Please start a new thread in the General Discussion forum asking this question and include a picture of the Subscriptions from the Dashboard in WebAdmin.

    Cheers - Bob