No internet on specific subnet 192.85.65.X

Hi,

We have a strange problem with our T70. When I create a LAN on subnet 192.85.65.X/24 I cannot connect to the internet. I can ping the WAN of my firewall but nothing further. Pinging internally is no problem. I have no extra rules and the device has already been reset.

When I change the subnet to 192.168.0.X/24 or 10.0.0.X/24 everything works.

The T70 is on the latest firmware.

Comments

  • Thank you! Problem solved.

  • Your subnet is a public IP range, not private, which is why you had to add your entry. You should NOT be using a public range internally. That is why private ranges were created!

    NetRange: 192.85.0.0 - 192.85.255.255
    CIDR: 192.85.0.0/16
    NetName: ESLAC-EDS
    NetHandle: NET-192-85-0-0-1
    Parent: NET192 (NET-192-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: Enterprise Services Latin America Corporation (ESLAC)
    RegDate: 1991-01-09
    Updated: 2017-06-07
    Ref: https://rdap.arin.net/registry/ip/192.85.0.0

    OrgName: Enterprise Services Latin America Corporation
    OrgId: ESLAC
    Address: 3000 Hanover St
    City: Palo Alto
    StateProv: CA
    PostalCode: 94304
    Country: US
    RegDate: 2018-05-17
    Updated: 2019-01-18
    Ref: https://rdap.arin.net/registry/entity/ESLAC

    OrgAbuseHandle: DSIRCC-ARIN
    OrgAbuseName: DXC Security Incident Response Control Centre
    OrgAbusePhone: +1-703-245-9675
    OrgAbuseEmail: [email protected]
    OrgAbuseRef: https://rdap.arin.net/registry/entity/DSIRCC-ARIN

    OrgTechHandle: ESIPA-ARIN
    OrgTechName: ES IPADDR
    OrgTechPhone: +1-800-524-7638
    OrgTechEmail: [email protected]
    OrgTechRef: https://rdap.arin.net/registry/entity/ESIPA-ARIN

    OrgNOCHandle: ESIPA-ARIN
    OrgNOCName: ES IPADDR
    OrgNOCPhone: +1-800-524-7638
    OrgNOCEmail: [email protected]
    OrgNOCRef: https://rdap.arin.net/registry/entity/ESIPA-ARIN

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • There is nothing inherently wrong with using public IP addrs behind a firewall.
    At my earlier site, we had a class B subnet, and we did use public IP addrs behind the firewall as there was no real need not to since we had plenty of public IP addrs.

    The issue here is that either
1) this public subnet does not belong to this site and thus the site should really be using a private subnet, not this public one
    or
    2) the ISP has not set up their ISP device to forward packets for that public subnet to the firewall external interface IP addr

  • Bruce,

    There are times when just because one CAN do something, one should NOT do it. This is one of those times. Private IP ranges were created for a reason and they work perfectly behind firewalls and cannot cause issues with public networks.

    To each his own, I guess!

    The OP may have other issues, but why NOT start off right? Or, there are pieces of the puzzle I don't know about yet.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Public IP addrs also work perfectly behind firewalls IF the ISP has set up their routes correctly AND the site actually has ownership of the public IP addrs.

    I worked at an EDU site which had early Internet access, and we were assigned a /16 subnet.
Life is totally different now, so most sites need to use private IP addrs behind a firewall or NAT device, only because there are way more devices needing an IP addr than there are public IP addrs for those internal devices.

Should a site have significant public IP addrs, there is no reason why they cannot use real public IP addrs behind their firewall. It really works. And, note that the Dynamic NAT entries are only for the private IP addr ranges - which implies that public IP addrs work just fine from behind a firewall - as has been my experience for many many years.

    If you insist that one should not, please post a link which indicates this. Otherwise, it is just an opinion.

  • Bruce,

    I am not saying that it cannot be done or has not been done. I am saying that it just does not make much sense to do so today.

    Two of your statements pretty much sum up the reasons not to use public IPs on a private LAN in today's world.

1) "Life is totally different now"
    2) "Should a site have significant public IP addrs"

    Yes, when I started 20 years ago, some places had public IPs. I worked at a company that had 16(?), then we ran out. Rather than pay for more, I switched to NAT on private IPs, dropped their multiple public IPs down to one static, and saved them a bunch of money. So, saving money is one benefit, and never having to worry about running out of LAN IPs is a huge benefit.

It makes almost no sense to use public IPs on a LAN today, especially if one does not own those IPs. It just leads to possible future problems. It's kind of like naming one's internal Active Directory domain with a .local suffix. Yes, it can be done, and it worked fine until Macs were introduced to AD domains. I think I read that the .local domain is now being considered to be made a public domain.

    Mathieu wants a 192.85.65.X/24 subnet. He cannot be the owner of that subnet publicly, because the 192.85.0.0/16 belongs to someone else. Why create confusion?

    If the intent is to have those unique second and third octets, a better subnet would be 10.85.65.0/24. That way, he gets the range he needs, he gets those unique second and third octets, and he has ZERO chance of the LAN IPs interfering with any public IP address.

    Gregg

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2
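The thread turns on whether a chosen LAN subnet falls inside the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which is what the firewall's default Dynamic NAT entries cover, and on Gregg's suggestion of keeping the second and third octets by moving to 10.85.65.0/24. The following is an added example, not code from the thread or from WatchGuard: it uses only Python's standard `ipaddress` module to check a candidate subnet against the RFC 1918 blocks and to derive the equivalent 10/8 subnet. The function names and the three sample subnets (taken from the original post) are the example's own.

```python
import ipaddress
from typing import Optional

# RFC 1918 private blocks: the ranges a firewall's default Dynamic NAT entries
# are written for, and the only ones guaranteed never to collide with a public route.
RFC1918_BLOCKS = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)


def is_rfc1918(cidr: str) -> bool:
    """True if every address in `cidr` lies inside a single RFC 1918 block."""
    # strict=False also accepts host-style input such as 192.85.65.10/24
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def classify_lan_subnet(cidr: str) -> str:
    """Label a candidate LAN subnet as 'private' (RFC 1918) or 'public'."""
    # Anything outside RFC 1918 is either allocated public space (as the ARIN
    # record above shows for 192.85.0.0/16) or a special-purpose range; neither
    # belongs on a NATed LAN.
    return "private" if is_rfc1918(cidr) else "public"


def private_equivalent(cidr: str) -> Optional[str]:
    """Suggest a 10.0.0.0/8 subnet that keeps the 2nd-4th octets of `cidr`.

    Mirrors the advice in the thread: 192.85.65.0/24 -> 10.85.65.0/24.
    A subnet that is already RFC 1918 is returned unchanged; prefixes shorter
    than /8 have no 10/8 equivalent and yield None.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen < 8:
        return None
    if is_rfc1918(cidr):
        return str(net)
    octets = str(net.network_address).split(".")
    octets[0] = "10"  # swap the first octet; host bits stay zero because prefix >= 8
    return str(ipaddress.ip_network(".".join(octets) + f"/{net.prefixlen}"))


if __name__ == "__main__":
    # The three subnets mentioned in the original post.
    for cidr in ("192.85.65.0/24", "192.168.0.0/24", "10.0.0.0/24"):
        kind = classify_lan_subnet(cidr)
        note = "" if kind == "private" else f" -> use {private_equivalent(cidr)} instead"
        print(f"{cidr}: {kind}{note}")
```

Running it flags 192.85.65.0/24 as public and proposes 10.85.65.0/24, while the two subnets that worked for the original poster are reported as private.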
