Firebox in AWS - secondary external interface/elastic IP

I am writing this post to help out any others who wanted to get this working. Firebox in AWS (I'm assuming Azure as well) does not support more than 1 external interface and this will be eth0. If you need to have multiple external IP addresses attached to 1 firebox cloud instance what you need to do is provision a secondary IPv4 address on the primary eth0 interface. Once you have a secondary private internal IPv4 address on that interface, you can then associate a separate elastic IP to that network interface and private IP address. This will essentially grant the external IPs to route properly and you can access eth0 from two separate public elastic IP addresses. This could help for port conflicts and you can use two external IPs and use static NATs easily, just make sure to match up the inbound on the secondary IPv4 address and it works correctly.
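The two AWS-side steps the post describes (add a secondary private IPv4 to the primary ENI, then associate a separate Elastic IP with that specific private address), written out as AWS CLI calls. This is an added example, not code from the post, WatchGuard or AWS; the ENI id and allocation id are placeholders, the secondary address and region are constructed sample values, and the script only prints the commands unless you run it with DRY_RUN=0 and valid AWS credentials.

```shell
#!/bin/sh
# Added example: provision a second public IP for a Firebox Cloud eth0 in AWS
# without a second ENI. Placeholders/assumptions: ENI_ID is the instance's
# primary (eth0) network interface, SECONDARY_IP is a free address in eth0's
# subnet, AWS_REGION is where the instance lives.
set -eu

ENI_ID="${ENI_ID:-eni-PLACEHOLDER}"        # placeholder: eth0 ENI of the Firebox instance
SECONDARY_IP="${SECONDARY_IP:-10.0.1.20}"  # constructed sample private IP in eth0's subnet
AWS_REGION="${AWS_REGION:-us-east-1}"      # assumed region
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands only, 0 = execute them

# run: echo the exact command, and execute it unless DRY_RUN=1
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# is_ipv4: reject anything that is not a dotted quad with octets 0-255,
# so a typo never reaches the API (the API would accept any RFC1918-looking string
# in the subnet, but a malformed one just fails late with a confusing error)
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Step 1: add a secondary private IPv4 address to eth0's ENI.
assign_secondary_private_ip() {
  is_ipv4 "$SECONDARY_IP" || { echo "bad SECONDARY_IP: $SECONDARY_IP" >&2; return 1; }
  run aws ec2 assign-private-ip-addresses \
    --region "$AWS_REGION" \
    --network-interface-id "$ENI_ID" \
    --private-ip-addresses "$SECONDARY_IP"
}

# Step 2: associate an Elastic IP with that private address (not just the ENI).
# $1 is the AllocationId returned by 'aws ec2 allocate-address --domain vpc'.
associate_elastic_ip() {
  alloc_id="$1"
  run aws ec2 associate-address \
    --region "$AWS_REGION" \
    --allocation-id "$alloc_id" \
    --network-interface-id "$ENI_ID" \
    --private-ip-address "$SECONDARY_IP"
}

# Verification: list every private IP on eth0 with its public (EIP) mapping.
# Both pairs should appear here and under Public IPv4s in Policy Manager.
show_eth0_addresses() {
  run aws ec2 describe-network-interfaces \
    --region "$AWS_REGION" \
    --network-interface-ids "$ENI_ID" \
    --query 'NetworkInterfaces[0].PrivateIpAddresses[*].[PrivateIpAddress,Association.PublicIp]' \
    --output table
}

main() {
  assign_secondary_private_ip
  if [ "$DRY_RUN" = "1" ]; then
    alloc_id="eipalloc-PLACEHOLDER"   # placeholder: real id comes from allocate-address
  else
    alloc_id=$(aws ec2 allocate-address --region "$AWS_REGION" --domain vpc \
      --query AllocationId --output text)
  fi
  associate_elastic_ip "$alloc_id"
  show_eth0_addresses
}

main
```

Run it once with the default DRY_RUN=1 to review the exact calls, then with `DRY_RUN=0 ENI_ID=eni-... SECONDARY_IP=... sh script.sh`. The `--private-ip-address` flag on `associate-address` is the part that matters: without it the EIP attaches to the ENI's primary address and the second public IP never maps to the secondary local IPv4 that the static NAT policy references.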

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Crazyhorse88 I'll send a note to our documentation team to see if we can get a knowledge base or something similar posted for this type of procedure.

    -James Carson
    WatchGuard Customer Support

  • Hi @Crazyhorse88 , Did you have to do anything else after adding the second private ip to eth0 and adding the EIP? We are trying to get static NAT set up as well but it doesn't seem to be working. For your static NAT configuration did you just use "Any-External" for External?

  • Hi Davej,

    In the Policy Manager check Network -> Configuration and on eth0 verify that you see the two public elastic IP addresses under Public IPv4s and you should also have 2 corresponding private local IPv4s as well. These private local IPv4 addresses are what you want to use in the static NAT, the local IPv4s. So in your policy that is using the static NAT, select the local secondary IPv4 address (which should translate to the secondary elastic IP) and then your normal internal IP address for where you want the destination traffic to hit. I have confirmed this worked in our environment where we set a rule using the static NAT to route only to the secondary public address (using the local private IPv4) and it worked. Let me know if I can be of any further help.

    Also note that Watchguard needs to update their AWS instance types as the c4 family has perpetual crash issues. We got burned by Watchguard where we followed their documentation which stated that the c4 family was supported and we locked in a reserved instance for 3 years and then this year all of the c4 instances crash when we upgrade or make a policy change. We then had to upgrade the instance to a c5 family type. Just fair warning when purchasing reserved instances for Watchguard in AWS, just do 1 years in case the instance/family types all of a sudden don't work for your Watchguard appliance/instances.

  • Hello @Crazyhorse88

    I don't seem to have the option for Policy Manager then Network -> Configuration. Is your device set up as Cloud Managed?
