01-05-2015 01:28 PM - edited 03-05-2019 12:29 AM
Hi Guys
I am slightly confused about public LAN and WAN IPs. We have a circuit that was installed a few months ago as a backup failover but we now want to start using it, so I phoned my ISP for the public range for that circuit.
Now our internal IP subnet is a 192.168.150.xx
I was expecting the ISP to provide me with one public range, maybe a /30, so I can assign a public IP to my router's external interface and PAT to that address.
The ISP instead gave me a public LAN and WAN address range, both of which are public IPs. Can anyone explain what these are and where in my type of network they will fit in?
Thanks
01-05-2015 01:48 PM
Hello,
I am also not sure what your ISP has on his mind by giving you "LAN" and "WAN" addresses. I would suppose, though, that the "WAN" address range is the one you should be using on the link toward the ISP and perhaps do NAT into this "WAN" range. The "LAN" range can be used inside your internal network if you wanted to. I suppose that the ISP has configured its routers to know that this particular "LAN" range can be reached over your "WAN" address.
If this assumption is correct then you do not actually need to use the "LAN" range as long as you perform NATting of your internal private address spaces into the "WAN" range.
To be certain, however, I would personally suggest talking to your ISP about the recommended usage.
Best regards,
Peter
01-05-2015 02:25 PM
As Peter says it is worth talking to your ISP but LAN addresses are usually simply another public IP block you are free to use however you want.
You don't have to use them and you certainly don't need to allocate them to physical devices on your LAN. The ISP doesn't really care how you use them either, they will simply route traffic to those addresses to your edge device (see below for more details).
They can be useful if you host a lot of servers/applications accessible from the internet for example.
It does depend on the devices you have ie.
LAN -> firewall -> ISP router
in the above you use the WAN addressing for the link between the firewall and the ISP router and then you can just use the LAN address range for NAT on your firewall. None of the LAN IPs need to be actually assigned to any interface.
LAN -> firewall -> router -> ISP router
here you have your own router on the outside of the firewall. The WAN addressing would be used between your router and the ISP router. The LAN addressing would be used for the firewall to your router connection and any spare IPs can be used for NAT (usually done on the firewall).
Note that usually the LAN addressing is a larger subnet than the WAN addressing and as you say the WAN addressing is usually a /30. So the ISP uses one of the IPs from the WAN range and you use the other.
If you have been allocated LAN addresses then the ISP will route traffic to these addresses to the WAN IP you have used so make sure you use the WAN IP on either -
a) in the first example above the outside interface of your firewall
or
b) in the second example above the outside interface of your router, the one connecting to the ISP router.
Hope that makes sense.
Jon
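The two layouts described in the post above, worked through as an added example that is not part of the original thread: it splits a WAN /30 and a routed public LAN block into device roles and shows the route the ISP holds for the LAN block. The ranges are constructed documentation prefixes, and the choice that the ISP takes the first WAN address is an assumption.

```python
import ipaddress

def plan(wan_cidr, lan_cidr, own_router):
    """Addressing plan for a WAN link range plus a routed public LAN block.

    own_router=False: LAN -> firewall -> ISP router
    own_router=True:  LAN -> firewall -> router -> ISP router
    """
    wan = ipaddress.ip_network(wan_cidr)
    lan = ipaddress.ip_network(lan_cidr)
    if wan.overlaps(lan):
        raise ValueError("WAN and LAN ranges must not overlap")
    wan_hosts = list(wan.hosts())
    if len(wan_hosts) < 2:
        raise ValueError("WAN range needs two usable addresses")
    # Assumption: the ISP takes the first usable WAN IP, you take the second.
    isp_side, customer_side = wan_hosts[0], wan_hosts[1]
    lan_hosts = list(lan.hosts())
    result = {
        "isp_router_wan_ip": str(isp_side),
        "edge_device": "router" if own_router else "firewall",
        "edge_outside_ip": str(customer_side),
        # The ISP routes the whole LAN block to the WAN IP you configured.
        "isp_route": f"{lan} via {customer_side}",
    }
    if own_router:
        # LAN block numbers the router <-> firewall segment; the rest is spare.
        if len(lan_hosts) < 3:
            raise ValueError("LAN block too small for a link plus NAT")
        result["router_inside_ip"] = str(lan_hosts[0])
        result["firewall_outside_ip"] = str(lan_hosts[1])
        nat = lan_hosts[2:]
    else:
        # No LAN IP sits on an interface; the firewall just NATs into the block.
        # Network and broadcast addresses are skipped here to stay conservative.
        nat = lan_hosts
    result["nat_pool"] = [str(ip) for ip in nat]
    return result

if __name__ == "__main__":
    # Constructed sample ranges (RFC 5737 documentation prefixes).
    for own_router in (False, True):
        for key, value in plan("192.0.2.0/30", "198.51.100.0/29", own_router).items():
            print(f"{key}: {value}")
        print()
```
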
01-05-2015 02:44 PM
Thanks for the info. I have a firewall, our router, then the ISP router. I was just after a simple /30 but they threw these public WAN and LAN IPs at me, and the issue was they couldn't explain why I have been assigned these ranges. I'll bug them again tomorrow but appreciate the useful info.
Thanks
01-05-2015 02:49 PM
If you have your own router then you may well want to keep the LAN addressing for use as I suggested above.
However as you say this is a backup line it sounds like you already have a working internet connection.
If so is the current connection using the same setup ie. LAN -> firewall -> router -> ISP router
If it is then it sounds like you are doing NAT on the router only and are using a private IP range between the firewall outside interface and your router LAN interface (the one facing the firewall).
Is this the case ?
Jon
01-05-2015 03:12 PM
Hi Jon
Yes, I have a primary side already set up. There I have 2 firewalls set up as an HA pair, then both on their outside connect to a switch, then a single link to our router. But even here we are using a private subnet from the firewalls to the router, then a /28 public range on the outside of the router, but only 2 IPs on this /28 are being used, one for the outside interface on the router and the other is the gateway IP. So I'm not sure why a /28 was used here either.
01-05-2015 03:26 PM
Okay, I just wanted to confirm that you were using private addressing between your firewall(s) and your router.
So in the example I gave where you had your own router if you wanted to use the LAN addressing on your firewall(s) then you would need a route on your router for the LAN IP range pointing to the private virtual IP of the firewall pair.
But I'm not suggesting you need to do this.
It could create more confusion as it sounds at the moment as if your firewalls are not doing any NAT and it is all done on the router.
You could if you wanted use the new range on your router if you needed IPs but it sounds like you already have spare IPs that you don't use.
In effect you have two different setups in terms of IP addressing ie. -
1) your current one where you only have one range and so this has to be used on the router to ISP router link hence the reason for a private IP range to the firewalls
2) the new one where you have two IP ranges where you would usually use the smaller WAN range for the router to ISP router link and then the LAN range between your firewall(s) and your router.
So I'll let you talk to the ISP as I don't want to confuse the issue, and after you've talked to them if you have any more questions please feel free to come back.
Jon
10-13-2020 10:12 AM
Hi, I too came across this; my ISP is providing LAN IP pools and WAN IP pools, where the LAN IP pools happen to be a public IP range.