SRP 500 series

I have a Pre-WiMax 2 Mb link (tagged Ethernet frames) from the service provider on an RJ-45 cable, and the SP gives us a /29 public IP range,

one of them as our default gateway, so I have 5 available real IPs to use in my network.

My objective now is:

Assign one of those real IPs to the WAN port on my router and make this port support tagged Ethernet by assigning an 802.1q tag to this interface (or sub-interface)

Use DHCP for users on the wireless and wired LAN interfaces

Use NAT to convert from the DHCP private range IPs to the public IP assigned to the WAN interface

The rest of my public IP range, if possible, give them to any internal server to make them public and routable (can be accessed from anywhere)

I chose the SRP521W as my first choice; if not applicable I will go with the SRP541W. Is this applicable?

And what is the difference between the SRP521W and SRP521W-U versions?

Thanks in advance

Accepted Solutions

Andrew Hickman
Cisco Employee

Hi Mahmoud,

Last question first - SRP521-U has more memory than the SRP521 and is able to run the latest 1.2.x firmware.  The SRP521 can only run release 1.1 firmware.  For your application here, I would recommend the SRP521-U (or the SRP541).

First question - has your SP provided you with just a /29 subnet for use in your private network, or a /29 for use behind the modem?  Put another way, does your WAN IP address have to come from this pool, or is it separately assigned?  The answer to this will define the most appropriate solution for you.

If you just have that block of /29 addresses to use, then I would recommend you use the hardware DMZ option.  This allows you to use one of the /29 as the WAN IP for the router (used for NAT for the private clients) and the others for your DMZ hosts that must be connected via LAN port 4.

If you have a separate address for the WAN and you can use the whole /29 internally, then you could create a separate local VLAN for this subnet and use the NAT bypass feature.

To terminate your tagged frames from the SP, just add a new sub interface on the WAN port using the appropriate tag index and address this interface appropriately for the SP connection.  You can leave the address on the main interface (VLAN 0) in the default DHCP mode.  If you are concerned about the DHCP requests it will send (untagged) towards the SP, you can set a static IP address that doesn't conflict with your addressing.  You can't delete the main interface.

Having created that WAN sub interface, either enable the hardware DMZ and create public IP address mappings for the /29, or create a new VLAN and NAT bypass rule for it.  If you would like to control the traffic that can access the publicly addressed hosts in this VLAN, then you may use the advanced firewall rules to do this.

All of your hosts in the default private subnets will use NAT by default and will be able to communicate with the public hosts via the SRP WAN interface.

All of the above is detailed in the SRP500 Administrators Guide.

Hope that helps,

Andy
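
The /29 arithmetic behind the hardware DMZ option above, as an added example (not part of the original thread and not Cisco code): a small Python check that a proposed address plan uses only usable host addresses and assigns none of them twice. The 203.0.113.8/29 block (a documentation range), the role names and the function name `plan_slash29` are assumptions made for illustration.

```python
import ipaddress


def plan_slash29(block, sp_gateway, wan_ip, dmz_hosts):
    """Validate a /29 plan: SP gateway, router WAN IP, hardware-DMZ hosts."""
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set
    if net.prefixlen != 29:
        raise ValueError(f"{net} is not a /29")
    usable = set(net.hosts())  # 6 addresses: network/broadcast excluded
    roles = {"sp_gateway": [sp_gateway], "wan": [wan_ip],
             "dmz": list(dmz_hosts)}
    assigned, errors = {}, []
    for role, addrs in roles.items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if ip not in usable:
                errors.append(f"{ip} ({role}) is not a usable host in {net}")
            elif ip in assigned:
                errors.append(
                    f"{ip} assigned to both {assigned[ip]} and {role}")
            else:
                assigned[ip] = role
    free = sorted(usable - set(assigned))
    return {
        "assigned": {str(ip): role for ip, role in assigned.items()},
        "free": [str(ip) for ip in free],
        # DMZ hosts are directly reachable from the Internet: review these.
        "exposed": sorted(str(ip) for ip, r in assigned.items() if r == "dmz"),
        "errors": errors,
    }


# Constructed sample plan: one gateway, one WAN/NAT address, two DMZ servers.
GOOD = plan_slash29("203.0.113.8/29", "203.0.113.9", "203.0.113.10",
                    ["203.0.113.11", "203.0.113.12"])
# Constructed bad plan: a DMZ host reuses the WAN IP, another is the broadcast.
BAD = plan_slash29("203.0.113.8/29", "203.0.113.9", "203.0.113.10",
                   ["203.0.113.10", "203.0.113.15"])

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, plan)
```

The `exposed` list is the set of addresses that end up publicly reachable on the DMZ port, which is the list to check against whatever is actually listening on those servers.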

First of all, thanks for your fast and prompt response.

The answer to the first question is NO; those IPs are static real IPs for the Internet (my WAN IPs are coming from this pool).

I will use one of those real IPs as my Internet IP.

The rest of my public IP range will be assigned to Internet servers.

Kindly check the attached topology.

Thanks again for your help and support

OK - perfect.  You should just use the hardware DMZ feature for this arrangement then.

Regards,

Andy

Hi Andy,

Thanks a lot for your help and support, I really appreciate it.