Static NAT - why can't I use a trusted interface/IP?
This is probably an edge use case and/or I need to convince the client to rearchitect their WAN setup, but I have a setup for which ideally I'd like to do a static NAT against a trusted interface IP address, but https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_static_config_about_c.html says it cannot be done for trusted or custom interfaces.
I guess I am wondering why that is not permitted, and whether this would qualify as an enhancement request.
The setup, interface wise, looks like this (using letters for simplification):
A = an MPLS WAN connection with a /30 IP (there is an Internet connection with a FireboxV on this WAN which inbound connections come through) - this is of type "External" for various reasons.
B = a "trusted" VLAN, which has its /24 subnet routable across the MPLS WAN.
C = a "custom" VLAN, which has a separate /24 subnet but is not routable across the MPLS WAN (and client doesn't want to pay to get it routed at this stage).
The request is to do some port forwards to a device on interface C via the Internet connection reachable from the WAN on interface A.
While I could simply create the static NAT against the interface A IP address and be done with it (I'll have to do this in the interim), there is a high likelihood that there will be multiple devices on interface C I have to make accessible, and changing port numbers breaks the app.
The trusted interface B's subnet has spare IP addresses I can use for this (they also have access to sufficient public IP addresses), but since the interface type is "trusted" I can't use this for static NAT.
Is there a way around getting a larger subnet for the WAN link (interface A), short of an enhancement request to permit static NAT against trusted and custom interfaces?
Comments
How would devices on the Internet get packets routed to the private IP addr on the WAN interface which is in the SNAT?
There exists a static route on the Internet-facing WatchGuard that points to the WAN IP of the second/branch WatchGuard appliance out a particular interface there, and that works currently (the interface A in my example).
A similar route exists for the trusted VLAN (B) which also works, but at the moment I can't get authorisation to get the subnet on interface C routed across the WAN (if I could I wouldn't need to be fiddling with this).
Ultimately I was curious as to why static NATs can't really be made against an interface of type trusted or custom, since I have to set up the static NAT against the WAN interface on the branch appliance.
Presumably it is a design feature because almost all sites can't do what you are doing - allowing routing of private IP addrs from the Internet to a WAN interface.
I figured that to be the case, which is why I suspect what I'm trying to do is an edge case (down the track I may have needed to do a static NAT between two "internal" interfaces, but knowing that the one with NAT applied has to be an external or optional interface type, I'll keep that in mind).
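As an added illustration of the constraints discussed in the question and in the comments (not code from the thread, nor WatchGuard's own tooling), the following Python model encodes the two checks that decide which interface IP can front a static NAT on the branch appliance: the documented rule that the NAT'd interface must be External or Optional, and the routing check that the Internet-facing Firebox must actually have a route to that address. All addresses, the interface names A/B/C and the two devices needing the same port are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's three interfaces (assumed addresses).
INTERFACES = {
    "A": {"type": "External", "ip": "10.0.0.2", "subnet": "10.0.0.0/30"},
    "B": {"type": "Trusted", "ip": "192.168.10.1", "subnet": "192.168.10.0/24"},
    "C": {"type": "Custom", "ip": "192.168.20.1", "subnet": "192.168.20.0/24"},
}

# Static routes on the Internet-facing Firebox that point at the branch (constructed):
# the /30 WAN link and the trusted /24 are routed across the MPLS, the custom /24 is not.
UPSTREAM_ROUTES = [ipaddress.ip_network(n) for n in ("10.0.0.0/30", "192.168.10.0/24")]

# Interface types a static NAT action may be applied to, per the linked WatchGuard help page.
SNAT_ALLOWED_TYPES = {"External", "Optional"}


def routable_from_upstream(ip, routes=UPSTREAM_ROUTES):
    """True if the Internet-facing Firebox has a static route covering this address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in routes)


def evaluate_snat_candidates(interfaces=INTERFACES, routes=UPSTREAM_ROUTES):
    """For each interface, report whether its IP can front a static NAT and why not.

    Both conditions must hold: the interface type is permitted for SNAT, and
    inbound packets for its IP can reach the branch appliance at all.
    """
    verdicts = {}
    for name, iface in interfaces.items():
        if iface["type"] not in SNAT_ALLOWED_TYPES:
            verdicts[name] = (False, f"type {iface['type']} is not permitted for static NAT")
        elif not routable_from_upstream(iface["ip"], routes):
            verdicts[name] = (False, "no upstream route, so inbound traffic never arrives")
        else:
            verdicts[name] = (True, "usable")
    return verdicts


def plan_port_forwards(forwards, usable_ips):
    """Assign (public-facing IP, port) pairs to internal (host, port) targets.

    One external IP:port can map to only one internal target, so a second
    device that must keep the same port needs a second usable IP.
    Returns (plan, unplaced): the mappings made and the targets that did not fit.
    """
    plan = {}
    unplaced = []
    for host, port in forwards:
        for ip in usable_ips:
            if (ip, port) not in plan:
                plan[(ip, port)] = (host, port)
                break
        else:
            unplaced.append((host, port))
    return plan, unplaced


if __name__ == "__main__":
    verdicts = evaluate_snat_candidates()
    for name, (ok, why) in verdicts.items():
        print(f"interface {name}: {'OK' if ok else 'not usable'} - {why}")
    usable = [INTERFACES[n]["ip"] for n, (ok, _) in verdicts.items() if ok]
    # Two devices on interface C that both need the same port (constructed requirement).
    wanted = [("192.168.20.10", 8080), ("192.168.20.11", 8080)]
    plan, unplaced = plan_port_forwards(wanted, usable)
    print("plan:", plan)
    print("unplaced (need another SNAT-capable IP):", unplaced)
```

Running it shows only interface A surviving both checks, and the second device left unplaced because A's single IP is already using that port; adding a second IP that passes both checks (for example a larger /30 on the WAN link, as the question proposes) lets `plan_port_forwards` place every target without renumbering ports.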