Solved: BGP / Second Public Subnet / Proxy ARP

Mike D · ‎10-06-2021

In a previous company we had the physical interface of our Firewall configured with a /30 subnet to the ISP router.

Quite a standard setup obviously.

There was also a second /29 public subnet assinged to us, and we could assign these as NAT addresses on the same Firewall.

This all worked ok and we could connect to the /29 NAT addresses and subsequent endpoints (usually web services) without a problem.

However, i'm now curious how this actually worked?

There was no other configuration made on the Firewall on our sde, no BGP, no reference to the /29, no routing, no physical/logical interface for this subnet anywhere.

The only thing I remember is that (I think) I had to enable Proxy ARP on the Firewall to make it work.

From the ISP side how was this likely working?

Presumably this /29 subnet must have existed as a logical interface on the ISP router?

Was Proxy ARP the reason we were then able to answer to the requests?

Or actually was there no logical interface at all, and BGP had the destination for the /29 routed to our Firewall?

I'd never thought about how it worked in detail until recently as we're currently asking a new ISP to add a /29 to our standard /30 and they are indicating it's problematic.

I know it may be a bit vague - I can draw up a quick diagram if needed.

Many thanks.

Mike

Jon Marshall · ‎10-06-2021

Yes they would have used one of the IPs as a secondary IP.

If they used a route instead then no it does not need to exist on a physical interface, you can just create NAT statements as before and it will work fine because they are simply routing all traffic to any IPs in that subnet to your firewall.

Not sure I follow the last part about the next hop bit, perhaps you can clarify ?

Jon

View solution in original post

Jon Marshall · ‎10-06-2021

If you had to enable proxy arp then the ISP would have had an IP from that subnet assigned to an interface on their router.

The other way would be for the ISP to simply add a route on their router for the /29 pointing to the /30 IP at your end.

I prefer the second approach.

Jon

Mike D · ‎10-06-2021

Thanks Jon.
For the Proxy ARP example - if it was working this way then presumably they must have had the /29 as a secondary address on the physical interface we were connecting to?

As I can confirm we only had one physical connection to the ISP router - and sub-interfaces or VLANs were not configured.

In terms of the alternative example you gave where they've instead added a route for the /29 pointed to the /30 on our side.

Would this method then require the /29 subnet to exist on an interface behind the /30 on our device?

If so, then this was not the case. We had no interface or routing config for the /29 anywhere.

Instead we were able to assign NAT addresses - and confirm connectivity - for the /29 within the same interface/network-segment as the /30.

And I assume the NAT addresses would not be accessible within this segment if the routing indicated the subnet existed one further hop along?

... Which maybe leads back to the Proxy ARP theory being correct ...

Mike

Jon Marshall · ‎10-06-2021

Yes they would have used one of the IPs as a secondary IP.

If they used a route instead then no it does not need to exist on a physical interface, you can just create NAT statements as before and it will work fine because they are simply routing all traffic to any IPs in that subnet to your firewall.

Not sure I follow the last part about the next hop bit, perhaps you can clarify ?

Jon

Mike D · ‎10-06-2021

Ok, then in this case perhaps the /29 subnet was actually just routed to our /30 and Firewall.

I can see how inbound connections to the NAT addresses should work correctly - and they did.

However, what I don't understand in this example is would Static 1-1 NAT still work for the /29 addresses? Including the outbound address?

Given the physical interface of the Firewall and default-gateway are within the /30, would the Static NAT for the /29 be presented as the outbound public address?

Thanks again.

Mike

Jon Marshall · ‎10-06-2021

Yes all NAT would work fine.

If you mapped an internal IP to one of the /29 IPs then for outbound traffic the firewall translates the internal IP to one of the /29 IPs, consults the routing table for the next hop IP which is the ISP /30 IP and forwards the traffic on.

The inbound traffic gets to the ISP router which then consults it's routing table for the next hop IP of the /29 subnet which is your firewall's /30 IP and forwards the traffic to your firewall which then translates the /29 back to the internal IP and forwards it on.

Jon

Mike D · ‎10-06-2021

Ok that's explained it for me, thanks for your help Jon.

What I'll do is ask the new ISP we have now, just to route the /29 to our Firewall via the /30 and then I'll test that NAT is accessible.

One final question to complicate matters is that we have a second physical device that ideally also needs to reside within the public subnet - alongside the Firewall.

Obviously as it's a /30 this is not possible. And I presumably can't assign it one of the /29 addresses as they will be routed to the Firewall.

So in this case the only option would be for the ISP to use a secondary address on its interface for the /29? This would be the only way I can then assign a /29 address to this second physical device?

Alternatively I realise I could sit the second physical device behind the Firewall and use Static NAT. However, I'd prefer not to have it behind the Firewall if avoidable.

Mike

Jon Marshall · ‎10-07-2021

Yes, if you needed another device in the /29 subnet then you would need to use the secondary IP addressing solution.

Jon