10-06-2021 04:42 AM
In a previous company we had the physical interface of our Firewall configured with a /30 subnet to the ISP router.
Quite a standard setup obviously.
There was also a second /29 public subnet assigned to us, and we could assign these as NAT addresses on the same Firewall.
This all worked ok and we could connect to the /29 NAT addresses and subsequent endpoints (usually web services) without a problem.
However, I'm now curious how this actually worked?
There was no other configuration made on the Firewall on our side, no BGP, no reference to the /29, no routing, no physical/logical interface for this subnet anywhere.
The only thing I remember is that (I think) I had to enable Proxy ARP on the Firewall to make it work.
From the ISP side how was this likely working?
Presumably this /29 subnet must have existed as a logical interface on the ISP router?
Was Proxy ARP the reason we were then able to answer to the requests?
Or actually was there no logical interface at all, and BGP had the destination for the /29 routed to our Firewall?
I'd never thought about how it worked in detail until recently as we're currently asking a new ISP to add a /29 to our standard /30 and they are indicating it's problematic.
I know it may be a bit vague - I can draw up a quick diagram if needed.
Many thanks.
Mike
10-06-2021 01:19 PM - edited 10-06-2021 01:20 PM
Yes they would have used one of the IPs as a secondary IP.
If they used a route instead then no it does not need to exist on a physical interface, you can just create NAT statements as before and it will work fine because they are simply routing all traffic to any IPs in that subnet to your firewall.
Not sure I follow the last part about the next hop bit, perhaps you can clarify ?
Jon
10-06-2021 12:34 PM
If you had to enable proxy arp then the ISP would have had an IP from that subnet assigned to an interface on their router.
The other way would be for the ISP to simply add a route on their router for the /29 pointing to the /30 IP at your end.
I prefer the second approach.
Jon
10-06-2021 01:00 PM
10-06-2021 01:34 PM
10-06-2021 01:47 PM - edited 10-06-2021 01:48 PM
Yes all NAT would work fine.
If you mapped an internal IP to one of the /29 IPs then for outbound traffic the firewall translates the internal IP to one of the /29 IPs, consults the routing table for the next hop IP which is the ISP /30 IP and forwards the traffic on.
The inbound traffic gets to the ISP router which then consults its routing table for the next hop IP of the /29 subnet which is your firewall's /30 IP and forwards the traffic to your firewall which then translates the /29 back to the internal IP and forwards it on.
Jon
10-06-2021 02:04 PM
10-07-2021 02:16 AM - edited 10-07-2021 02:18 AM
Yes, if you needed another device in the /29 subnet then you would need to use the secondary IP addressing solution.
Jon
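To make the two approaches in Jon's replies concrete, here is a small Python model added to this thread (it is not configuration or code from any of the posters). It assumes RFC 5737 documentation addresses: the /30 link is 198.51.100.0/30 with the ISP on .1 and the firewall on .2, the extra block is 203.0.113.8/29, and the firewall has one NAT rule mapping internal 10.0.0.5 to 203.0.113.10. The model walks the forwarding steps described above (outbound next hop is the ISP's /30 IP, inbound next hop is the firewall's /30 IP) and the ARP step that decides whether proxy ARP is needed: when the ISP puts a secondary /29 address on its link interface it ARPs for the mapped address itself, so the firewall must proxy-ARP for it; when the ISP routes the /29 to the firewall's /30 IP it ARPs for an address the firewall really owns. It also shows why a second device inside the /29 only works with the secondary-address approach.

```python
"""Model of how an ISP router reaches a NAT address in an extra /29.

Added example for this thread, not a poster's configuration. Addresses are
assumptions from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field

P2P_NET = ipaddress.ip_network("198.51.100.0/30")   # assumed /30 link
ISP_P2P = ipaddress.ip_address("198.51.100.1")      # ISP end of the /30
FW_P2P = ipaddress.ip_address("198.51.100.2")       # firewall end of the /30
NAT_NET = ipaddress.ip_network("203.0.113.8/29")    # assumed extra /29
MAPPED = ipaddress.ip_address("203.0.113.10")       # NAT address for 10.0.0.5
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Node:
    name: str
    connected: list                                 # prefixes configured on the shared link
    routes: dict = field(default_factory=dict)      # prefix -> next-hop address
    addresses: set = field(default_factory=set)     # IPs really configured on the node
    nat_mapped: set = field(default_factory=set)    # outside IPs appearing in NAT rules
    proxy_arp: bool = False

    def next_hop(self, dst):
        """Longest-prefix match; a connected prefix means 'ARP for dst itself'."""
        best_len, best_nh = -1, None
        for net in self.connected:
            if dst in net and net.prefixlen > best_len:
                best_len, best_nh = net.prefixlen, dst
        for net, nh in self.routes.items():
            if dst in net and net.prefixlen > best_len:
                best_len, best_nh = net.prefixlen, nh
        return best_nh

    def answers_arp_for(self, target):
        """Own addresses always; NAT-mapped addresses only when proxy ARP is on."""
        return target in self.addresses or (self.proxy_arp and target in self.nat_mapped)


def who_answers(sender, neighbours, dst):
    """Names of link neighbours that reply to the sender's ARP for dst's next hop."""
    nh = sender.next_hop(dst)
    if nh is None:
        return None                                 # no route at all
    return [n.name for n in neighbours if n.answers_arp_for(nh)]


def firewall(proxy_arp):
    """Firewall with only the /30 on its outside interface and a default route."""
    return Node("firewall", connected=[P2P_NET], routes={DEFAULT: ISP_P2P},
                addresses={FW_P2P}, nat_mapped={MAPPED}, proxy_arp=proxy_arp)


def isp_with_secondary():
    """Approach 1: ISP adds 203.0.113.9/29 as a secondary IP on the link."""
    return Node("isp", connected=[P2P_NET, NAT_NET],
                addresses={ISP_P2P, ipaddress.ip_address("203.0.113.9")})


def isp_with_route():
    """Approach 2: ISP keeps only the /30 and routes the /29 to the firewall."""
    return Node("isp", connected=[P2P_NET], routes={NAT_NET: FW_P2P},
                addresses={ISP_P2P})


def second_device():
    """A hypothetical extra box on the link that really owns 203.0.113.11."""
    return Node("host2", connected=[P2P_NET, NAT_NET],
                addresses={ipaddress.ip_address("203.0.113.11")})


if __name__ == "__main__":
    print("outbound next hop:", firewall(False).next_hop(ipaddress.ip_address("192.0.2.1")))
    print("secondary, no proxy ARP:", who_answers(isp_with_secondary(), [firewall(False)], MAPPED))
    print("secondary, proxy ARP:   ", who_answers(isp_with_secondary(), [firewall(True)], MAPPED))
    print("static route, no proxy: ", who_answers(isp_with_route(), [firewall(False)], MAPPED))
    print("second device via route:", who_answers(isp_with_route(), [firewall(False), second_device()],
                                                  ipaddress.ip_address("203.0.113.11")))
```

The last line is the point of the final reply: with a static route the ISP always hands /29 traffic to the firewall's /30 address, so a second device owning an address in the /29 is never ARPed for and never reached; only the secondary-address approach puts the /29 on the link so that device can answer for itself.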