Upgrading to Dedicated Circuit - configuration and route(s) questions

Apologies in advance for the long post and my lack of understanding.

We are upgrading to a dedicated circuit from Lumen. Our current setup utilizes an M270 and an Adtran router, which will be going away with the dedicated circuit. They indicate we will need to set up a route to their peer network from the M270 and that it should be doable.

I've been looking into this with the Fireware documentation and I'm unclear on how or if this is possible. Normally with the Adtran we have the typical setup: our public-facing static IP address on the external interface, the gateway and DNS servers, and the internal LAN subnet and VLAN IPs, all of which of course got handed off to the Adtran for external connections, while the M270 handles all internal routing.

Now the connection information I have mentions a Customer and a Lumen VLAN with no IP information, a WAN IP with CIDR that is different from our public static IP, a "LAN IP" that is our old public-facing IPs' network with CIDR, and Customer Peer IP and Lumen Peer IP addresses.

For clarity here is the redacted info I have:
IP Version: IPv4
Edge Device/Port: eXX.XXXX lag XX
Upstream Device/Port: XXXX.XXX2
Customer VLAN:
Lumen (S)VLAN:
Hub VLAN:
WAN IPv4: 4.X.XXX.XXX/30
LAN IPv4: 65.XXX.XXX.0/27-reused IP
Peer IP (IPv4): 4.X.XXX.XX6
Lumen Peer IP (IPv4): 4.X.XXX.XX5

I'm not sure where to go with these values, or if a simple static route will work, since I really didn't see anything tying the route to the external interface.

With a static route, if it is the proper way to handle it, will entries need to be made for every subnet/VLAN we have configured? How will static routes affect the failover/2nd WAN connection - will routes need to be defined for that as well?

Or will I need to set the External interface to the new Peer IPs, with the Lumen Peer IP as the gateway? What do I do for the public IP address? Assign it as a 2nd IP address on the interface?

Or do we need to get a routing device from Lumen to replace the Adtran after all?

Thanks again

Comments

  • james.carson Moderator, WatchGuard Representative

    Hello,

    Insofar as the interface configuration itself, you'll just need to set up an external interface with the IP, subnet, and gateway. If they require a VLAN, configure it as a VLAN and assign it to your desired port (some ISPs are picky about the VLAN #.)

    The Peer IPs are likely for dynamic routing -- if you're just sending all of your external data to Lumen, there's not much of a need to set that up -- just use the static route.

    -James Carson
    WatchGuard Customer Support

  • edited October 2021

    I appreciate the reply. Please bear with me as I try to wrap my head around this.

    So our current config is pretty standard. We have the ISP-assigned public IP assigned to the external interface, with the gateway being the ISP-provided Adtran (I assume that’s the case).

    With the new circuit, Lumen is pulling the Adtran out of the loop. We are supposed to configure the WatchGuard M270 to essentially replace the Adtran while still retaining/using our existing public IP.

    Current WatchGuard config:
    External interface
    static IP: 65.1xx.xxx.2
    gateway: 65.1xx.xxx.1

    The information given from Lumen is:
    WAN IP: 4.7.xxx.xx4/30
    LAN IP: 65.1xx.xxx.0/27-reused IP (these are the current external public IPs that will be migrated)
    Peer IP: 4.7.xxx.xx6
    Lumen Peer IP: 4.7.xxx.xx5

    Maybe I’m overthinking this. Would it be as simple as configuring the external interface with the peer IPs and adding the LAN IP (current public IPs) as secondary IPs on the interface, then adding a static route with 1 hop to route any traffic on those IPs to/from the Lumen Peer IP? Or would you use the other Peer IP (our/customer peer IP)?

    Example using the WG policy manager:
    Route Type: Static Route
    Destination Type: Network IPv4
    Route To: 65.1xx.xxx.0/27
    Gateway: 4.7.xxx.xx5 (or would it be 4.7.xxx.xx6?)

  • Just for clarification:

    You're keeping your current "LAN" IP addresses on the external public address block of 65.x.x.x /27 (you have 32 public IP addresses?). How are these IPs on your LAN if they are public? No 10.x or 172.16.x or 192.168.1.x? Confusing.

    What is this 2nd WAN connection you are referring to?

    The new WAN IP block of 4.x.x.x /30 makes sense for gateway endpoints between routers, and looking at your Peer IP, the FB external interface would be 4.7.x.6 with a gateway of 4.7.x.5, with a static IP for routing between the two endpoints.

    Add your "LAN" IP address block as secondary addresses to the FB external interface and it should automatically create a static route entry from the external interface to that subnet.

    Curious as to why Lumen isn't supplying a gateway device like they did before. I just got a new Zayo fiber connection and was supplied a new router. Oh well, ISPs, go figure.

    It's usually something simple.

  • edited October 2021

    shaazaminator, thanks for replying. Sorry if I wasn't clear. The 65.xxxx addresses are our current public IPs assigned to the Firebox's external interface, which is connected to Lumen's Adtran. Our internal IP LANs/VLANs are 192.168.xxx.xxx subnets.

    The 2nd external interface is a cellular-based ISP connected to a Cradlepoint router. It is set up as a multi-WAN failover external interface in the Firebox as a backup.

    Lumen is migrating our current public IP's to the new circuit.

    If I understand you correctly, by replacing the existing IPs with the Peer IPs on the primary external interface and assigning the existing public IPs that will be migrated as secondary IPs on the interface, the static route will be automatically created, and there is no need to add a route for traffic coming and going from the migrated public IPs?

    Do you know if this would make traffic originating from our internal networks come from the existing/migrated IP, or would it appear to come from the Peer IP? Asking because this could impact some Azure resources that have whitelisted our existing IP.

    As to why they didn't provide a gateway... I wasn't in on the original contract/setup for that. I came in after the fact. But I discussed with them adding one back in. It would a) delay implementation and b) add cost. They wanted to try this first if possible.

  • The outbound traffic from your FB will automatically be NAT'd to the Peer IP of the external interface. In your case I believe that would be 4.7.x.6/30.
    If you want to utilize the secondary IPs for outbound traffic to Azure, just create a Dynamic NAT from the secondary 65.x.x.x address you wish to the external IP address of your Azure instance.

    It's usually something simple.
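An added example, not WatchGuard code or anything posted in this thread: a short Python check of the addressing discussed above (the /30 point-to-point block, the two peer IPs, and the reused /27) that returns the external-interface plan the replies describe, plus a small model of which source IP a destination sees by default versus with a Dynamic NAT rule. All addresses are constructed placeholders for the redacted values.

```python
import ipaddress

# Constructed sample values standing in for the redacted handoff sheet in the thread.
WAN_P2P = "4.7.100.4/30"           # "WAN IPv4": point-to-point block between Firebox and Lumen
CUSTOMER_PEER = "4.7.100.6"        # "Peer IP": the Firebox side of that /30
LUMEN_PEER = "4.7.100.5"           # "Lumen Peer IP": the next hop
REUSED_PUBLIC = "65.100.200.0/27"  # "LAN IPv4": the public block carried over from the old circuit
OLD_EXTERNAL_IP = "65.100.200.2"   # what the Firebox external interface uses today

def plan_cutover(wan_p2p, customer_peer, lumen_peer, reused_public, old_external_ip):
    """Sanity-check the handoff addressing and return the external-interface plan."""
    p2p = ipaddress.ip_network(wan_p2p, strict=False)  # tolerate a host address written with /30
    cust = ipaddress.ip_address(customer_peer)
    lumen = ipaddress.ip_address(lumen_peer)
    pub = ipaddress.ip_network(reused_public, strict=True)
    problems = []
    usable = set(p2p.hosts())  # a /30 has exactly two usable hosts
    if cust not in usable:
        problems.append(f"customer peer {cust} is not a usable host in {p2p}")
    if lumen not in usable:
        problems.append(f"Lumen peer {lumen} is not a usable host in {p2p}")
    if cust == lumen:
        problems.append("customer and Lumen peer IPs are identical")
    if p2p.overlaps(pub):
        problems.append(f"point-to-point block {p2p} overlaps the reused public block {pub}")
    if ipaddress.ip_address(old_external_ip) not in pub:
        problems.append(f"current external IP {old_external_ip} is outside {pub}; it would not migrate")
    return {
        "problems": problems,
        "external_ip": f"{cust}/{p2p.prefixlen}",  # primary address on the external interface
        "gateway": str(lumen),                       # default-route next hop
        "secondary_networks": [str(pub)],            # secondary IPs on the same interface
        "default_snat_source": str(cust),            # what the outside sees without extra NAT rules
    }

def outbound_source(dst, plan, dynamic_nat_rules):
    """Model of the last reply: a (source IP, destination network) Dynamic NAT rule wins;
    otherwise outbound traffic is NATed to the interface's primary (peer) IP."""
    d = ipaddress.ip_address(dst)
    for src_ip, to_net in dynamic_nat_rules:
        if d in ipaddress.ip_network(to_net):
            return src_ip
    return plan["default_snat_source"]

if __name__ == "__main__":
    plan = plan_cutover(WAN_P2P, CUSTOMER_PEER, LUMEN_PEER, REUSED_PUBLIC, OLD_EXTERNAL_IP)
    print(plan)
    azure = [("65.100.200.2", "20.50.0.0/16")]  # constructed range standing in for the Azure resource
    print(outbound_source("20.50.1.10", plan, azure), outbound_source("203.0.113.10", plan, azure))
```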
