Adding a second external IP

Hi all,

I've got a T80 firebox handling traffic in/out of the building. I have two external IPs given to me by my ISP.

Current setup:

External interface on firebox has x.x.x.132
Internal (trusted) interface has 192.168.100.1 <------- this connects to a 48-port switch and then on to the inside of the network.

One of my servers has an internal and external NIC. Its current configuration is:
Inside NIC is 192.168.100.5 and works fine on the internal side.
The outside NIC is as follows: 192.168.13.51 ----> (router) 192.168.13.1 ----> x.x.x.133

I want to put that x.x.x.133 on the T80 firebox and remove the router completely. I've tried several configs and have come close, but something is still not right.

Would I add the .133 address as a secondary network on the existing external of .132?
If so, how would I route traffic from the outside NIC of the server (192.168.13.51) in/out through the x.x.x.133 external interface correctly?

Appreciate any help,
Atomic in VA

Comments

  • @Atomicweight said:
    Hi all,

    I've got a T80 firebox handling traffic in/out of the building. I have two external IPs given to me by my ISP.

    Current setup:

    External interface on firebox has x.x.x.132
    Internal (trusted) interface has 192.168.100.1 <------- this connects to a 48-port switch and then on to the inside of the network.

    One of my servers has an internal and external NIC. Its current configuration is:
    Inside NIC is 192.168.100.5 and works fine on the internal side.
    The outside NIC is as follows: 192.168.13.51 ----> (router) 192.168.13.1 ----> x.x.x.133

    I want to put that x.x.x.133 on the T80 firebox and remove the router completely. I've tried several configs and have come close, but something is still not right.

    Would I add the .133 address as a secondary network on the existing external of .132?
    If so, how would I route traffic from the outside NIC of the server (192.168.13.51) in/out through the x.x.x.133 external interface correctly?

    Appreciate any help,
    Atomic in VA

    Which one of the 192.168.x.x subnets corresponds to the majority of the network - the 192.168.13.x or 192.168.100.x?

    If say the 192.168.100.x subnet is the primary one used internally (which it sounds like), then the server needs to have 192.168.100.1 set as its default gateway, remove the 192.168.13.x one (or at least disable it while testing) - if 192.168.13.x has to coexist for anything else, add it as a secondary address on the internal network for the time being.
    Add the required subnet/s to the dynamic NAT table if you have modified it from defaults (which normally allows all RFC1918 [private] addresses).

    Yes, the additional x.x.x.133 address would be added as an additional IP on the external interface if that's how the ISP routes that address to the Firebox.

  • Best practice - dual-homed devices are strongly discouraged.

    Disconnect the server trusted NIC and make all traffic to/from it go via a single connection to the firewall, as a DMZ.
    Set an unused firewall interface to 192.168.13.1 & connect the server external interface to that.

    Set up the desired policies to allow access from the Internet to the server and to/from the server from Trusted.

  • You can associate 192.168.13.51 with x.x.x.133 using a 1-to-1 NAT setup.

    About 1-to-1 NAT
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/one_to_one_nat_c.html

  • Thanks all. Agree on dual homed being discouraged - certainly understand. That said, I'll see which way to go with this as per what you have responded with.

    The 192.168.100.1 is the primary internal. The 192.168.13.51 & 192.168.13.1 are only used between the outside server NIC and the inside of the router and then out to the world on x.x.x.133.

    Just getting to this and I'll let you know how it goes.

    Take care!
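The replies above distinguish two NAT behaviours: the default dynamic NAT (many private sources share the primary external address, outbound only) and 1-to-1 NAT (one private host is mapped to one public address in both directions, which is what makes the server reachable on .133 and makes its outbound traffic leave as .133). The model below is an added example written for this thread, not WatchGuard or Fireware code; it uses 203.0.113.132 and 203.0.113.133 (a documentation range) as constructed stand-ins for the x.x.x.132 and x.x.x.133 addresses in the post, and the mapping table, packet type and `translate` function are all assumptions made here to illustrate the two behaviours.

```python
"""Model of dynamic NAT vs. 1-to-1 NAT as discussed in the thread.

Added example, not Fireware code. Public addresses are constructed
stand-ins from the 203.0.113.0/24 documentation range.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Assumed addressing, mirroring the thread (public ones are placeholders).
EXTERNAL_PRIMARY = ipaddress.ip_address("203.0.113.132")    # stands in for x.x.x.132
EXTERNAL_SECONDARY = ipaddress.ip_address("203.0.113.133")  # stands in for x.x.x.133
SERVER_DMZ_IP = ipaddress.ip_address("192.168.13.51")       # server's outside NIC

# Default dynamic NAT covers the RFC 1918 private ranges, as the reply notes.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical 1-to-1 NAT table: private host <-> public address.
ONE_TO_ONE = {SERVER_DMZ_IP: EXTERNAL_SECONDARY}
ONE_TO_ONE_REVERSE = {pub: priv for priv, pub in ONE_TO_ONE.items()}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    direction: str  # "outbound" (trusted/DMZ -> Internet) or "inbound"


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls in any RFC 1918 private range."""
    return any(addr in net for net in RFC1918)


def translate(pkt: Packet) -> Optional[Packet]:
    """Apply the firewall's NAT to one packet.

    Returns the translated packet, or None when no mapping exists
    (an inbound packet to an address with no 1-to-1 entry has no
    private destination and is dropped in this model).
    """
    if pkt.direction == "outbound":
        # 1-to-1 NAT wins for its mapped host, so the server egresses as .133.
        if pkt.src in ONE_TO_ONE:
            return replace(pkt, src=ONE_TO_ONE[pkt.src])
        # Everything else private is hidden behind the primary external .132.
        if is_rfc1918(pkt.src):
            return replace(pkt, src=EXTERNAL_PRIMARY)
        return pkt  # already a public source; nothing to rewrite
    if pkt.direction == "inbound":
        # Only 1-to-1 NAT provides an inbound mapping; dynamic NAT does not.
        if pkt.dst in ONE_TO_ONE_REVERSE:
            return replace(pkt, dst=ONE_TO_ONE_REVERSE[pkt.dst])
        return None
    raise ValueError(f"unknown direction {pkt.direction!r}")


def egress_address(src: str) -> str:
    """Public source address a host will be seen as on the Internet."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address("198.51.100.10"), "outbound")
    return str(translate(pkt).src)


def ingress_target(dst: str) -> Optional[str]:
    """Private host that receives traffic sent to a given public address."""
    pkt = Packet(ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address(dst), "inbound")
    out = translate(pkt)
    return None if out is None else str(out.dst)


if __name__ == "__main__":
    print("server   outbound as", egress_address("192.168.13.51"))   # .133 via 1-to-1
    print("trusted  outbound as", egress_address("192.168.100.20"))  # .132 via dynamic
    print("inbound to .133  ->", ingress_target("203.0.113.133"))    # server
    print("inbound to .132  ->", ingress_target("203.0.113.132"))    # None
```

The point the model makes visible: without the 1-to-1 entry, the server's outbound traffic would be dynamically NATed to .132 like every other trusted host, and nothing sent to .133 would have a private destination at all. Whether .133 is reachable on the external interface in the first place still depends on it being added there as a secondary address, as the first reply says.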
