Routing help

Hi all,
I'm struggling a bit with how to set up some IP subnetting and routing on our WG.
We have an M370 acting as our main firewall/router.
We get a /26 from our ISP (say 15.232.120.192/26, made up IP), our default gateway for that is 15.232.120.193.
We've always had that simply set up as one WAN interface on our WG.
We're migrating our old PRI to an IP-PRI, and the provider doesn't want us to put it behind NAT, they want an external IP.
Following the WG guide (https://www.watchguard.com/help/configuration-examples/public_IP_behind_Firebox_configuration_example_(en-US).pdf, scenario 2),
we've changed our main WAN interface into 15.232.120.194/27, and have secondary networks .225/28, .241/29, and .249/30 set up on it. We know we lost some IPs doing that but we don't need them all so it wasn't an issue.
I set up an optional interface as 15.232.120.254/30, and have the SIP-PRI's Adtran hooked up to that as .253/30, with gw of .254.
I can ping from the Adtran to the 254 IP on the WG, and the 194 IP as well.
However we can't get further than that. I can see pings from the Adtran trying to go out to say 8.8.8.8, but not getting replies.

I believe I need an IP route to be added to our ISP's router, is this correct?
I'm unclear from the WG guide if I'd want to ask our ISP to add a route for 15.232.120.252/30 to 12.232.120.254, or to point it to the 15.232.120.194?

Thanks in advance for any input.

Comments

  • 15.232.120.194/26 covers 15.232.120.192 - 15.232.120.255.
    This tells the firewall that all of the IP addrs in the range belong on external.

    In order to use part of the /26 subnet on an internal interface, you need to change the external subnet mask from a /26 to a smaller range subnet mask such as /27, which results in a 15.232.120.192 - 15.232.120.223 covered range.

    Then your 15.232.120.254/30 on optional will work.

  • Sorry, typo in my description there, we did change the WAN to a .194/27.
    I'll edit the first post.
    So the question still remains about the route requirement.

  • Not needed.

  • Something isn't working right then. I plugged in a PC to Eth6, where we have the optional network set up for the Adtran (unplugged Adtran) and set it up with static IP of 15.232.120.253, with gw of .254.
    It can ping the .254 of the optional interface, and can ping the .194 IP which is the WAN IP on the WG. But it can't ping out any further than that. Can't ping the .193 from our ISP, or any outside IP.

    Modified the WG Diagram to show how we're setup, see attached.

  • edited April 2022

    Reboot your ISP router.
    It may have an ARP cache entry for the Adtran and the public IP addr.

  • @Bruce_Briggs said:
    Reboot your ISP router.
    It may have an ARP cache entry for the Adtran and the public IP addr.

    We will do that after hours. But why does the WG document say we need to add a route on the ISP router?
    See screengrab.

  • Perhaps I am wrong about the need for a route for the /30 subnet.
    Talk to your ISP about it.

  • It was the route. We had the ISP add a route for 15.232.120.252/30 to 15.232.120.194 and the Adtran is now reachable.
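
The two issues discussed in this thread, as an added example that is not part of any post: the overlap between a /26 external interface and the /30 on optional, and the upstream router's return path for 15.232.120.253 before and after the static route. The function names and the ISP router's table (the whole /26 as a connected network, plus a default route) are assumptions for illustration.

```python
import ipaddress

def overlaps(interfaces):
    """Return pairs of interface subnets that overlap (a Firebox-side config error)."""
    nets = [ipaddress.ip_interface(i).network for i in interfaces]
    return [(str(a), str(b)) for n, a in enumerate(nets)
            for b in nets[n + 1:] if a.overlaps(b)]

def return_path(routes, dst):
    """Longest-prefix match on the upstream router for a reply addressed to dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return "no route"
    net, hop = max(hits, key=lambda h: h[0].prefixlen)
    if hop == "connected":
        return f"ARP for {dst} on the WAN segment"
    return f"forward to {hop}"

# Addresses from the thread (the poster says the block itself is made up).
ORIGINAL = ["15.232.120.194/26", "15.232.120.254/30"]   # external still /26
SPLIT = ["15.232.120.194/27", "15.232.120.225/28", "15.232.120.241/29",
         "15.232.120.249/30", "15.232.120.254/30"]     # last one is optional

# Assumed ISP router table: it still owns the whole /26 as a connected network.
ISP_BEFORE = [("0.0.0.0/0", "upstream"), ("15.232.120.192/26", "connected")]
ISP_AFTER = ISP_BEFORE + [("15.232.120.252/30", "15.232.120.194")]

if __name__ == "__main__":
    print("overlap with /26 external:", overlaps(ORIGINAL))
    print("overlap after the split:  ", overlaps(SPLIT))
    for label, table in (("before", ISP_BEFORE), ("after", ISP_AFTER)):
        print(label, "->", return_path(table, "15.232.120.253"))
```

Under that assumed table, the upstream router ARPs for .253 on the WAN segment, where the host is not present, until the more specific /30 route via .194 takes precedence.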
