
Cisco 2811 FE0/0 and 0/1 as transparent bridge ports

stabako64
Level 1

Hello all, first post here on the forums. I was hoping someone more knowledgeable than I might be able to give me some ideas on how to get a setup to work. We have a block of static IPs through CenturyLink. We purchased a 2811 and are looking to use it with a DSL WIC. We have been trying to use FE0/0 and FE0/1 to just pass traffic to two other routers that represent their own networks WITHOUT assigning an IP to the interfaces.

 
We are having problems getting the 2811 to pass traffic to FE0/0 and FE0/1 without assigning the interfaces an IP.  We can't do an IP for each as it will consume IPs in our block that are already assigned.  Basically, see below as to what the end result would look like.
 
 
                          WAN
                           |
                           |
               2811 DSL WIC (x.x.x.174)
                           |
                   Cisco 2811 Router
              |                         |
        FE0/0 (NO IP)             FE0/1 (NO IP)
              |                         |
  Cisco 800 with static IP    SonicWall with static IP
          x.x.x.172                 x.x.x.171
              |                         |
            LAN 1                     LAN 2
 
Is this even possible or are we chasing our tails?
 
21 Replies

Jon Marshall
Hall of Fame

I'm not sure it's possible although bridging etc. is not my strong area so others might comment.

Even if you had the IPs I don't think it would help as you would struggle to assign IPs from the same subnet on different router interfaces.

Can I just ask though, the public IPs on the 800 and the Sonicwall, are these used purely for LAN clients to connect to the internet?

Jon

Those two have static WAN IPs because we have port forwarding for different applications requiring the different networks.  One is for application and email servers, other is for VoIP.

A possible solution is to use private addressing between your 2800 and the 800 and Sonicwall and move all the NAT to the 2800.

You can still do port forwarding, you would just do it on the 2800 instead as well as doing NAT for the internal clients when they access the internet.

As long as the internal LANs are using different IP subnets this could work for you and you don't waste any public IPs.

Jon

Jon,

I thought of that as well.  However, the problem we run into is that our VoIP requires port forwarding on a range of ports that actually overlap those on a couple of our different applications on the other LAN.  So, if we use private IPs after the 2800 WAN port, we run into the VoIP dropping packets, thus causing issues with the phones due to packets coming in the WAN on say, 210.200.200.174:20200 being used for both VoIP and application server (neither of which are configurable), and it won't be able to handle the traffic correctly.

 

We attempted the above in the past and ran into too many problems.  We are leaning towards purchasing and using an EtherSwitch card, as this should work since they act like traditional switches and just forward traffic (correct me if I am wrong).

However, the problem we run into is that our VoIP requires port forwarding on a range of ports that actually overlap those on a couple of our different applications on the other LAN.

I don't follow.

Each LAN gets its own public IP so there should be no overlapping.

Are you saying the two LANs use the same private IPs?

Jon

By overlapping ports I mean application ports. I.e., VoIP requires port forwarding for ports 12k-22k. One of our other applications on the other LAN requires ports 15-17k. That is what I mean by overlapping ports, not the physical interfaces on the router.

Right but each LAN gets its own public IP on the 2800 so there is no overlapping.

You would readdress the outside interfaces of the 800 and the Sonicwall to use private addressing and then use their previous public IPs on the 2800 to do the port forwarding.

The only way this wouldn't work is if the LANs used the same private IP range.

Jon

Can't assign the public IPs to the two ethernet interfaces on the 2800 because they are within the same subnet, a /29 network assigned by the ISP.

I'm not explaining myself very well.

You don't need to assign the public IPs to any interface, you just use them in your NAT statements.

If they are from the same subnet as the outside interface IP the router uses proxy arp to respond to arp requests for those IPs from the upstream device.

This is how routers and firewalls allow you to use public IPs for NAT without assigning them to any physical IPs.

Your LAN interfaces on the 2800 and the 800 and Sonicwall use private addressing.

Jon
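Added example, not part of the thread and not router configuration: a small Python model of the port-forward lookup discussed above, showing that rules for overlapping port ranges only collide when they share the same public IP. The addresses are constructed stand-ins (203.0.113.x for the x.x.x block, 10.0.x.2 for the private side), UDP is an assumed protocol, and `ForwardTable` is a hypothetical name.

```python
# Added illustration: inbound port-forward (destination NAT) lookup on the edge router.
# All addresses are constructed (RFC 5737 / RFC 1918); UDP is an assumption.
from ipaddress import ip_address

class ForwardTable:
    """Port-forward rules keyed on (public IP, protocol, port range)."""

    def __init__(self):
        self.rules = []  # (public_ip, proto, first_port, last_port, inside_ip)

    def add(self, public_ip, proto, first, last, inside_ip):
        pub, ins = ip_address(public_ip), ip_address(inside_ip)
        if not 0 < first <= last <= 65535:
            raise ValueError("bad port range")
        # A conflict exists only if public IP, protocol AND port range all overlap.
        for r_pub, r_proto, r_first, r_last, r_ins in self.rules:
            if r_pub == pub and r_proto == proto and first <= r_last and r_first <= last:
                raise ValueError(f"{pub} {proto} {first}-{last} overlaps {r_first}-{r_last} -> {r_ins}")
        self.rules.append((pub, proto, first, last, ins))

    def translate(self, dst_ip, proto, dst_port):
        """Return the inside host for an inbound packet, or None (no rule, drop)."""
        dst = ip_address(dst_ip)
        for pub, r_proto, first, last, ins in self.rules:
            if pub == dst and r_proto == proto and first <= dst_port <= last:
                return str(ins)
        return None

# Stand-ins for x.x.x.172 (Cisco 800 / PBX side) and x.x.x.171 (SonicWall side).
VOIP_PUBLIC, APPS_PUBLIC = "203.0.113.172", "203.0.113.171"
VOIP_INSIDE, APPS_INSIDE = "10.0.1.2", "10.0.2.2"  # assumed private addresses

def per_lan_public_ips():
    """Each LAN keeps its own public IP in the NAT rules: both ranges are accepted."""
    t = ForwardTable()
    t.add(VOIP_PUBLIC, "udp", 12000, 22000, VOIP_INSIDE)
    t.add(APPS_PUBLIC, "udp", 15000, 17000, APPS_INSIDE)
    return t

def single_public_ip():
    """Both services forwarded from one address: the second rule is rejected."""
    t = ForwardTable()
    t.add("203.0.113.174", "udp", 12000, 22000, VOIP_INSIDE)
    try:
        t.add("203.0.113.174", "udp", 15000, 17000, APPS_INSIDE)
    except ValueError as e:
        return str(e)
    return None
```

Ports outside a rule's range on a given public IP return `None`, which is also the exposure boundary: only the forwarded ranges reach the inside hosts.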

Jon, thanks for the input.  I see what you mean now.  Our initial thoughts were to keep the 2800 for just WAN conversion to ethernet and let the other two routers continue to do what they are currently doing.

In the setup you are proposing, wouldn't that cause double NATing between the 2800 and the secondary router?

You wouldn't need to NAT on the 800 or Sonicwall, just allow the ports through as they will already be translated to the correct IP.

For internal users going to the internet I assume you use the same IP that is currently assigned to the 800 and Sonicwall?

If so this could also be done with the same IPs on the 2800.

In effect all traffic between the 800, Sonicwall and 2800 LAN interfaces is private addressing both ways in terms of the LAN IPs.

That said if you prefer the IRB solution then go with that.

Like I say I don't have much experience with that but I know Rick does so it might work for you.

Rick said he wouldn't normally endorse it so I'd be interested to hear why to be honest but I'm not saying that because I think my solution is better because it might well not be.

Jon

 

Jon, thanks for all the information.  I will definitely have to give it a try. Beyond the 800 is just a PBX server.  Beyond the SonicWall is our corporate network, including a vlan for the VoIP phones.

The whole IRB and bridging was the only thing I found to be able to make the ethernet ports act similar to traditional switch ports.  My co-worker actually just found and ordered a cheap EtherSwitch WIC and we are going to give that a whirl.  Since this is in house we are using it for just as much as a learning experience as to resolve some of our other issues.

If my understanding is correct about the EtherSwitch, it will just passively flow traffic like a traditional switch port, so we will see how that setup works as well.

Do you mean a switch module for the 2800?

If so this wouldn't work as far as I can see.

I think what you are proposing is to connect the 800 and Sonicwall to the switch and then they could be on the same subnet as the WAN interface.

But they wouldn't be because the WAN port is a routed port so the subnet for the public IPs exists between the WAN port on your 2800 and the upstream device.

Jon

Makes sense.  Still trying to get a handle configuring for WAN connections.  I do appreciate your help, Jon.  I will update you when I get a chance to give it a try, or more than likely ask more questions.