Provider-independent Public IP
Hello everyone,
I have a problem with directly setting the source IP in a global DNAT action for users of Any-Trusted, a specified range, or an alias.
eth0 - EXTERNAL - 148.X.X.X/30
eth1 - VLAN100 - OPTIONAL - 195.X.X.X/24 (provider-independent pool, the ISP knows it)
VLAN110 - TRUSTED - 10.X.X.X/24 (my services)
The SNAT action works fine when I declare a secondary IP address for VLAN 100 (then I can use this address directly from the SNAT action), for example:
VLAN110:
195.X.X.254/24 as primary IP
195.X.X.20/32 as secondary IP
Policy:
From: External
To: 195.X.X.20 -> 10.X.X.X
But I can't figure out how to declare global DNAT action.
My target is VLAN110 -> EXTERNAL (195.X.X.13)
I have also been trying a global DNAT action VLAN110 -> 195.X.X.13, but users still have src IP 148.X.X.X.
Only when I use the option "Set source IP" in the policy properties does the src IP for traffic from this policy show 195.X.X.13.
Do you have any ideas how to achieve this (set the source IP in global DNAT as an IP address from the VLAN100 pool)?
Comments
Why have 195.X.X.X/24 defined to VLAN100 instead of to External?
I know it's quite weird.
This is some kind of MPLS. It is a logical point-to-point connection with the owner of the 195.X.X.X/24 pool. A few of the addresses in this pool are direct addresses of a DNS server and a mail server located in the owner's infrastructure.
For example, the mail server policy is
From: Any-External
To: 195.X.X.50
Since 195.X.X.X/24 is not on external, I don't see how to get an IP addr from it using a standard DNAT entry without using Set source IP.
Next question - why do you want to use an IP addr from this pool for outgoing traffic from VLAN110?
I tried:
Any-Trusted -> Any-External (195.X.X.13)
Any-Trusted -> eth0 (195.X.X.13)
Any-Trusted -> 195.X.X.13
It doesn't work. Only when I set 195.X.X.X as the source IP in the policy does it work as intended.
The client demands it. Overall there are about 30 VLANs which should work like that.
At the moment it works like this on Juniper using virtual routers.
Consider opening a support incident to see if this is possible, and if so, how.
I created a support case, but I only got links to the KB.
Thanks for your willingness to help
If the support rep is not being helpful, ask for your case to be escalated.
Maybe support could help you in the meantime, but this is how I do it with PI or PA space:
set 195.X.X.13/24 as a secondary address on VLAN 100 and in NAT - Dynamic NAT add an entry with
From: Any-Trusted
To: Any
[X] Set source IP: 195.x.x.13
and move that rule up in the list to be above the default rules for NATting 10.0.0.0/8
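To make the rule-ordering point concrete, here is an added example (Python, not WatchGuard configuration and not from anyone in this thread) that models a first-match dynamic NAT list with the rules discussed above; the masked X octets are filled with constructed placeholder values.

```python
# Added example: first-match model of a dynamic NAT rule list (not WatchGuard code).
# Constructed stand-ins for the thread's masked addresses (the X octets):
#   VLAN110 = 10.0.110.0/24, eth0 primary = 148.0.0.2, PI pool address = 195.0.0.13
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

EGRESS_IP = "148.0.0.2"  # constructed eth0 address used when no explicit source IP is set


@dataclass(frozen=True)
class DynamicNatRule:
    src: str                      # source match: CIDR or "any"
    dst: str                      # destination match: CIDR or "any"
    set_source_ip: Optional[str]  # the "[X] set source ip" box, or None for the egress IP


def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec.lower() == "any" else spec, strict=False)


def translated_source(rules: List[DynamicNatRule], src_ip: str, dst_ip: str) -> str:
    """Source address the packet leaves with: the first matching rule wins."""
    for rule in rules:
        if ip_address(src_ip) in _net(rule.src) and ip_address(dst_ip) in _net(rule.dst):
            return rule.set_source_ip or EGRESS_IP
    return src_ip  # no dynamic NAT rule matched; address unchanged


# Default rule the thread refers to: NAT everything from 10.0.0.0/8 to the egress IP.
DEFAULT_10_8 = DynamicNatRule("10.0.0.0/8", "any", None)
# The rule from the last post: VLAN110 -> any with the PI address as source.
PI_RULE = DynamicNatRule("10.0.110.0/24", "any", "195.0.0.13")


def source_with_rule_below_default() -> str:
    # PI rule listed after the default: the 10/8 rule matches first and wins.
    return translated_source([DEFAULT_10_8, PI_RULE], "10.0.110.5", "203.0.113.10")


def source_with_rule_above_default() -> str:
    # PI rule moved above the default, as the post recommends.
    return translated_source([PI_RULE, DEFAULT_10_8], "10.0.110.5", "203.0.113.10")


def source_for_other_vlan() -> str:
    # A host outside VLAN110 still falls through to the default rule.
    return translated_source([PI_RULE, DEFAULT_10_8], "10.0.50.5", "203.0.113.10")


if __name__ == "__main__":
    print(source_with_rule_below_default())  # 148.0.0.2
    print(source_with_rule_above_default())  # 195.0.0.13
```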