ISP interface thru VLAN internal routing

We have an M270 and are having difficulty setting up a new ISP with the ideal settings. Normally an ISP delivers their dedicated connectivity through a loaned router which is already set up, and we just have to add the provided public IP address and gateway, or connect via PPPoE, and that's it. However, we just hired a new ISP which delivers our link through a switch connected directly to their main router, with the port set to trunk mode and a VLAN. Additionally, the routing is done via an internal IP, so we have to deal with two different subnets and NAT between them.

VLAN ID: 3050
Our Internal IP: ----- removed
ISP Router IP (border): ------ removed (gateway)
Our Public IP Block: ------ removed

We tried a few combinations of settings, but so far none of them gives us fully operational or ideal connectivity.
The only working configuration is: VLAN added on the interface connected to the port of the ISP switch, main IP set to -----removed and gateway to -----removed. On the "Secondary" tab he added the public address -----removed. The routing works with this, but he has to add a Dynamic NAT from our internal network -----removed to the ISP interface with the option "Set source IP" set to -----removed too.

The problem with this configuration is that we don't have an interface with the public IP to work with in the Policy Manager. The "interface" is the VLAN of -----removed, and the main problem is that we can't use "Link Monitor" properly, since in this configuration it can only ping what is reachable from the main IP of the VLAN "interface", which is -----removed, so we can't monitor the real world, like 8.8.8.8 for example.

Can anyone guide us through the right way?

Answers

  • Please edit your post and obfuscate your public IP addr, for security

  • How about a similar dynamic NAT for 172.16.0.10, and set source IP to your public IP addr?

  • FYI - there is no need to hide private IP addrs/subnets - no security risk to you in posting them.
    For obfuscating your public IP addr, I was thinking something like
    xxx.yyy.zzz.10/30

  • @Bruce_Briggs This wasn't necessary, IP was not real.

  • edited July 31

    Good.
    Let us know if my suggestion helped, didn't help or hurt.

  • @Bruce_Briggs It didn't work, apparently Link Monitor doesn't consider Dynamic NAT rules.

  • edited July 31

    Consider opening a support case on this to see if support can provide any other suggestions on how to use Link Monitor successfully in your setup.

  • From a post by James of WG recently:
    "By default the firebox will source traffic that is destined to networks that it doesn't own via the first available IP address from the lowest numbered external interface."

    So, perhaps if you define a 2nd WAN interface, with your current one on a higher interface number than the new one and you assign a public IP addr to the new lower interface number, this would work.
    You can have an IP addr on an external interface which is not from the same subnet as the default gateway.
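The rule quoted from James's post, and the reason the poster's Link Monitor probes fail, can be modelled in a few lines. The example below is added here and is not WatchGuard code or configuration; it encodes the quoted source-selection rule (first address of the lowest-numbered external interface), the observation from the thread that Link Monitor probes are not rewritten by Dynamic NAT, and the fact that a probe sourced from an RFC 1918 address never gets an answer from the Internet. All addresses are constructed (172.16.0.8/30 as the ISP transit subnet, 203.0.113.8/29 as the public block, 10.0.0.0/24 as the trusted LAN), and the interface names and numbers are assumptions.

```python
"""Model of source-IP selection on a multi-WAN firewall (added example, not
WatchGuard code). It shows why a Link Monitor probe sourced from the VLAN's
private primary IP gets no reply, while NATed host traffic does, and what the
quoted rule predicts once a lower-numbered external interface holds a public IP.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network

# RFC 1918 space: nothing on the Internet routes these prefixes back to the
# ISP's edge, so a probe sourced from here is answered by nobody.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Interface:
    number: int        # interface number on the firewall (lower is preferred)
    name: str
    external: bool
    addresses: list    # CIDR strings, primary address first, secondaries after


@dataclass
class NatRule:
    source: IPv4Network        # internal network the Dynamic NAT rule matches
    out_iface: str             # interface the rule applies to
    set_source: IPv4Address    # the "Set source IP" value


@dataclass
class Firewall:
    interfaces: list
    nat_rules: list = field(default_factory=list)

    def originated_source(self) -> IPv4Address:
        """Source for traffic the firewall itself originates, e.g. Link Monitor
        probes: first address of the lowest-numbered external interface
        (the rule quoted in the thread). Dynamic NAT is deliberately not
        consulted here, matching the poster's observation."""
        ext = sorted((i for i in self.interfaces if i.external), key=lambda i: i.number)
        if not ext:
            raise ValueError("no external interface configured")
        return ip_interface(ext[0].addresses[0]).ip

    def forwarded_source(self, host_ip: str, out_iface: str) -> IPv4Address:
        """Source the ISP sees for traffic from an internal host: the Dynamic
        NAT 'set source' address when a rule matches, else the host's own IP."""
        host = ip_address(host_ip)
        for rule in self.nat_rules:
            if host in rule.source and rule.out_iface == out_iface:
                return rule.set_source
        return host


def reply_returns(src: IPv4Address) -> bool:
    """A reply can only come back if the probe's source is publicly routable."""
    return not any(src in net for net in RFC1918)


def build_current() -> Firewall:
    """The poster's working-but-unmonitorable setup (constructed addresses)."""
    lan = Interface(0, "trusted", False, ["10.0.0.1/24"])
    vlan = Interface(1, "vlan3050", True, ["172.16.0.10/30", "203.0.113.10/29"])
    nat = NatRule(ip_network("10.0.0.0/24"), "vlan3050", ip_address("203.0.113.10"))
    return Firewall([lan, vlan], [nat])


def build_proposed() -> Firewall:
    """Bruce's suggestion: a second external interface holding a public IP,
    numbered below the VLAN interface (assumed numbering)."""
    fw = build_current()
    for iface in fw.interfaces:
        if iface.name == "vlan3050":
            iface.number = 3       # push the existing WAN to a higher number
    fw.interfaces.append(Interface(2, "wan2", True, ["203.0.113.11/29"]))
    return fw


def probe_outcome(fw: Firewall) -> tuple:
    """(source address used for a Link Monitor probe, whether a reply returns)."""
    src = fw.originated_source()
    return str(src), reply_returns(src)


if __name__ == "__main__":
    for label, fw in (("current", build_current()), ("proposed", build_proposed())):
        src, ok = probe_outcome(fw)
        print(f"{label}: probe sourced from {src}, reply {'returns' if ok else 'never comes back'}")
    host_src = build_current().forwarded_source("10.0.0.25", "vlan3050")
    print(f"current: host traffic leaves as {host_src}, reply {'returns' if reply_returns(host_src) else 'lost'}")
```

Running it shows the asymmetry the poster hit: host traffic is rewritten to the public secondary by the Dynamic NAT rule and works, while the firewall's own probe leaves as 172.16.0.10 and is never answered. The "proposed" case only shows what the quoted rule predicts for a lower-numbered public external interface; it is a model, not a confirmation that the Firebox behaves that way.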
