No internet on specific subnet 192.85.65.X
Hi,
We have a strange problem with our T70. When I create a lan on subnet 192.85.65.X/24 I cannot connect to the internet. I can ping my WAN of my firewall but nothing further. Ping internally no problem. I have no extra rules and the device is already reset.
When I change the subnet to 192.168.0.X/24 or 10.0.0.X/24 everything works.
The T70 is on the latest firmware.
Comments
you need to add a new dynamic NAT config:
192.85.65.0/24 – Any External
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_dynamic_firewall_add_c.html
Thank you! Problem solved.
Your subnet is a public IP range, not private, which is why you had to add your entry. You should NOT be using a public range internally. That is why private ranges were created!
NetRange: 192.85.0.0 - 192.85.255.255
CIDR: 192.85.0.0/16
NetName: ESLAC-EDS
NetHandle: NET-192-85-0-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Enterprise Services Latin America Corporation (ESLAC)
RegDate: 1991-01-09
Updated: 2017-06-07
Ref: https://rdap.arin.net/registry/ip/192.85.0.0
OrgName: Enterprise Services Latin America Corporation
OrgId: ESLAC
Address: 3000 Hanover St
City: Palo Alto
StateProv: CA
PostalCode: 94304
Country: US
RegDate: 2018-05-17
Updated: 2019-01-18
Ref: https://rdap.arin.net/registry/entity/ESLAC
OrgAbuseHandle: DSIRCC-ARIN
OrgAbuseName: DXC Security Incident Response Control Centre
OrgAbusePhone: +1-703-245-9675
OrgAbuseEmail: abuse@dxc.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/DSIRCC-ARIN
OrgTechHandle: ESIPA-ARIN
OrgTechName: ES IPADDR
OrgTechPhone: +1-800-524-7638
OrgTechEmail: jpape@dxc.com
OrgTechRef: https://rdap.arin.net/registry/entity/ESIPA-ARIN
OrgNOCHandle: ESIPA-ARIN
OrgNOCName: ES IPADDR
OrgNOCPhone: +1-800-524-7638
OrgNOCEmail: jpape@dxc.com
OrgNOCRef: https://rdap.arin.net/registry/entity/ESIPA-ARIN
Gregg Hill
There is nothing inherently wrong with using public IP addrs behind a firewall.
At my earlier site, we had a class B subnet, and we did use public IP addrs behind the firewall as there was no real need not to since we had plenty of public IP addrs.
The issue here is that either
1) this public subnet does not belong to this site and thus the site should really be using a private subnet, not this public one
or
2) the ISP has not set up their ISP device to forward packets for that public subnet to the firewall external interface IP addr
Bruce,
There are times when just because one CAN do something, one should NOT do it. This is one of those times. Private IP ranges were created for a reason and they work perfectly behind firewalls and cannot cause issues with public networks.
To each his own, I guess!
The OP may have other issues, but why NOT start off right? Or, there are pieces of the puzzle I don't know about yet.
Gregg
Gregg Hill
Public IP addrs also work perfectly behind firewalls IF the ISP has set up their routes correctly AND the site actually has ownership of the public IP addrs.
I worked at an EDU site which had early Internet access, and we were assigned a /16 subnet.
Life is totally different now, so most sites need to use private IP addrs behind a firewall or NAT device, only because there are way more devices needing an IP addr than there are public IP addrs for those internal devices.
Should a site have significant public IP addrs, there is no reason why they cannot use real public IP addrs behind their firewall. It really works. And, note that the Dynamic NAT entries are only for the private IP addr ranges - which implies that public IP addrs work just fine from behind a firewall - as has been my experience for many many years.
If you insist that one should not, please post a link which indicates this. Otherwise, it is just an opinion.
Bruce,
I am not saying that it cannot be done or has not been done. I am saying that it just does not make much sense to do so today.
Two of your statements pretty much sum up the reasons not to use public IPs on a private LAN in today's world.
1) "Life is totally different now"
2) "Should a site have significant public IP addrs"
Yes, when I started 20 years ago, some places had public IPs. I worked at a company that had 16(?), then we ran out. Rather than pay for more, I switched to NAT on private IPs, dropped their multiple public IPs down to one static, and saved them a bunch of money. So, saving money is one benefit, and never having to worry about running out of LAN IPs is a huge benefit.
It makes almost no sense to use public IPs on a LAN today, especially if one does not own those IPs. It just leads to possible future problems. It's kind of like naming one's internal Active Directory domain with a .local suffix. Yes, it can be done, and worked fine until Macs were introduced to AD domains. I think I read that the .local domain is now being considered to be made a public domain.
Mathieu wants a 192.85.65.X/24 subnet. He cannot be the owner of that subnet publicly, because the 192.85.0.0/16 belongs to someone else. Why create confusion?
If the intent is to have those unique second and third octets, a better subnet would be 10.85.65.0/24. That way, he gets the range he needs, he gets those unique second and third octets, and he has ZERO chance of the LAN IPs interfering with any public IP address.
Gregg
Gregg Hill
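The two points the thread turns on, that the default dynamic NAT entries cover only the RFC 1918 ranges (so a 192.85.65.0/24 LAN gets no translation until a rule is added) and that 192.85.65.0/24 is registered public space while 10.85.65.0/24 is not, can be checked with a small model of the firewall's dynamic NAT lookup. The following is an added example written for this thread, not WatchGuard code and not from any poster; it assumes the three RFC 1918 networks as the default dynamic NAT entries (the thread says the defaults are the private ranges; that these are exactly Fireware's defaults is an assumption), uses a constructed WAN address from the 203.0.113.0/24 documentation range, and does no RDAP lookup, so "public" here means only "outside RFC 1918".

```python
import ipaddress
from typing import List, Optional, Tuple

# Dynamic NAT rules as (source network, outgoing interface), checked in order.
# Assumed defaults: the three RFC 1918 ranges -> Any-External.
NatRules = List[Tuple[str, str]]
DEFAULT_DYNAMIC_NAT: NatRules = [
    ("10.0.0.0/8", "Any-External"),
    ("172.16.0.0/12", "Any-External"),
    ("192.168.0.0/16", "Any-External"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed WAN address (documentation range), standing in for the firewall's external IP.
WAN_IP = "203.0.113.10"


def is_rfc1918(subnet: str) -> bool:
    """True if the whole subnet lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def match_dynamic_nat(src_ip: str, rules: NatRules) -> Optional[str]:
    """Return the source network of the first dynamic NAT rule that covers src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for src_net, _iface in rules:
        if ip in ipaddress.ip_network(src_net):
            return src_net
    return None


def egress_source(src_ip: str, rules: NatRules, wan_ip: str = WAN_IP) -> str:
    """Source address a packet carries when it leaves the external interface.

    With no matching rule the packet goes out untranslated; replies are then
    routed to whoever actually announces that prefix, which is the symptom in
    the original post (WAN reachable, nothing beyond it). Whether untranslated
    traffic works at all depends on the ISP routing the prefix back to the
    firewall, which is the point Bruce raises.
    """
    if match_dynamic_nat(src_ip, rules) is None:
        return src_ip
    return wan_ip


def diagnose(subnet: str, rules: NatRules, wan_ip: str = WAN_IP) -> dict:
    """Summarise how the first host of `subnet` is handled on the way out."""
    first_host = str(next(ipaddress.ip_network(subnet, strict=False).hosts()))
    rule = match_dynamic_nat(first_host, rules)
    return {
        "subnet": subnet,
        "rfc1918": is_rfc1918(subnet),
        "nat_rule": rule,
        "egress_source": egress_source(first_host, rules, wan_ip),
        "nat_applied": rule is not None,
    }


if __name__ == "__main__":
    # The three subnets from the original post against the default rules.
    for s in ("192.85.65.0/24", "192.168.0.0/24", "10.0.0.0/24"):
        print(diagnose(s, DEFAULT_DYNAMIC_NAT))
    # The fix from the first reply: an explicit rule for the public subnet.
    fixed = DEFAULT_DYNAMIC_NAT + [("192.85.65.0/24", "Any-External")]
    print(diagnose("192.85.65.0/24", fixed))
    # The alternative suggested later: keep the octets but stay in RFC 1918 space.
    print(diagnose("10.85.65.0/24", DEFAULT_DYNAMIC_NAT))
```

Run as-is, the first line of output shows 192.85.65.0/24 with `nat_rule` of `None` and an untranslated egress source, the 192.168.0.0/24 and 10.0.0.0/24 lines show the default rules matching, the "fixed" line shows the added 192.85.65.0/24 entry taking effect, and the last line shows 10.85.65.0/24 matched by the existing 10.0.0.0/8 entry with no new rule at all.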