
Assign an Inside Router connected to the PPPoE a WAN IP Address

TheGoob
VIP

Hi, starting something new here and seem to be having an issue.

My FPR1010 is set in PPPoE Mode and obtains a Static WAN IP as its GW and I also have a block of 8 Static WAN IPs (6 usable). I was trying to assign a DDWRT router to an Interface on the FPR and I have set the FPR Interface to Passive, Switch and tried various NAT/ACLs and assigned the DDWRT WAN Interface the actual x.x.x.178 WAN IP. Nothing I do will work… Am I even able to assign an inside device connected to the main Router a literal WAN IP, or must it be part of a LAN/VLAN Network IP with NAT?

Really wanted to avoid that and simply pass through one of my WAN IPs to the DDWRT. Not sure if I am missing something or if this simply isn’t possible.

8 Replies

Mai Anwar
Level 1

I think this problem is related to the ISP. Call your ISP and ask them whether the 8 Static WAN IPs (6 usable) are routed to the gateway or not.

TheGoob
VIP

My ISP no longer offers Static IP Blocks. They no longer support them. Those who have them are grandfathered in and do with them as you will. There is no help from the ISP side; I can literally hear them scrolling through their paper cue cards as they give me the default responses: "did you reset your modem", "is the Ethernet cable plugged in". I am like, seriously?

Surely in the wide world of Cisco people have a block of static IPs and for whatever reason need to pass through one of those IPs to an inner switch or router connected to the main/internet facing router.

I mean, I suppose I could be the first person who wants to do this..

TheGoob
VIP

Well, it appears it cannot work. I suppose I will make the VPN Router 192.168.4.1 and NAT it to x.x.x.178, then on the VPN Router create a LAN network 10.0.1.0/24 and do it that way.

TheGoob
VIP

So I am bringing this up again as I have had no solution, but also got busy with other things. The one thing I did do was verify I can do anything with the block assigned.

So again I am trying to figure this out. My FPR1010 is the Internet facing Router which uses the .182 as the “main” IP and GW to the Internet (.177 - .182 are usable).
My intention here is to take one of my IPs and “pass through” the FPR1010 to another FPR1010 and do some messing around with and not jeopardize or mess anything up with the main Internet FPR.

I know I can, on the [Main] FPR, create a new Network and attach it to an Interface and do some NAT/ACLs and then just assign the 2nd FPR a, for example, 192.168.10.2 with a 192.168.10.1 GW which would be NAT’d to x.x.x.177 (for example), but I want to bypass all that and simply assign the 2nd FPR x.x.x.177 and its GW would be x.x.x.182. If this is correct so far, on the main would I make its interface passive or routed? Would I still need a form of NAT or ACL? Or is this just not conventional? Or can it be, with some tweaking?

Hello @TheGoob ,

If you want to put the second FTD in parallel with the main FTD, you can work at OSI layer 2:

Have a dedicated DMZ VLAN where you connect the ISP CPE LAN interface and the two FTD outside interfaces.

If you want to put the second FTD downstream of the main FTD, you have to use static NAT to allow for incoming sessions to it.

Edit:

Reviewing the thread: if you are using PPPoE for connecting to the internet, the second FTD has to be placed downstream of the first one, because the ISP may accept only one PPPoE session, so the L2 solution is not suitable for your case.

 

Hope to help

Giuseppe

 

Morning

Yeah, they would not be working in parallel. I just want to give the “downstream” 2nd Firewall an actual WAN IP from/through the 1st/Primary/PPPoE Firewall and have 2nd Firewall WAN IP x.x.x.177 instead of using a LAN IP….

Hello @TheGoob ,

>> I just want to give the “downstream” 2nd Firewall an actual WAN IP from/ through the 1st/Primary/PPPoE Firewall and have 2nd Firewall WAN IP X.x.x.177 instead of using a LAN IP

This is not possible. You can, however, make a static NAT for internal IP address of second FTD to have the public IP address mapped to the internal IP address of the second FTD.

Hope to help

Giuseppe

Morning

 

Alright, I just remembered [wrongly?] that years ago on an 891F and same block of IPs, I was able to plug in a Wireless Router to one of the Interfaces on the 891F and assign it [Wireless Router] an External WAN IP [Not the 891F GW IP] and it would take it and then on the WiFi assign a LAN Network.

I recall the 891 had the Internet as 'no ip address' and 'zone-member security INSIDE' and then an ACL for inside-to-outside and outside-to-inside such as [incoming] 'permit ip host x.x.x.177 any'. Maybe because this was a single use device connecting to the Internet and needed no NAT as it was the only IP, WAN and LAN being the same? I was just assuming I could do the same but ADD NAT for the new Network I'd create on the 2nd FPR.

Either way, I understand your meaning; "make a static NAT for internal IP address of second FTD to have the public IP address mapped to the internal IP address of the second FTD".