
RV340: routing WAN traffic to LAN Public IP

I have a static public IP from my ISP, which lives on the RV340 LAN. The RV340 connects to the ISP using DHCP, but the ISP has set up routing protocols such that the internet traffic can be routed to the static IP. I have verified this to work correctly using the ISP-provided router, as well as an RV130. However, these have throughput limitations (I am on 1 Gbps fiber), so I want to use the RV340.

Here's the configuration:

Static IP: 67.xxx.xxx.5

Mask: 255.255.255.252

Gateway: 67.xxx.xxx.6

For the ISP router, I set up a VLAN with net address 67.xxx.xxx.4/30, gateway 67.xxx.xxx.6. The static IP 67.xxx.xxx.5 "lives" behind this router. When the ISP router connects to the internet, all outbound traffic looks like it comes from my 67.xxx.xxx.5 static IP. Inbound traffic to my SMTP, SSH, and IMAP server was routed correctly. Ping and traceroute also worked as expected. My only complaint is that I get 300 Mbps.

I configured the RV130W in a similar fashion, with NAT turned off and achieved the proper results. However, throughput is only 200 Mbps. With NAT turned on, the RV130W provides its maximum 850 Mbps, but my static IP is no longer usable.

So, I upgraded to an RV340, thinking that this would solve the throughput issue. Indeed, in DHCP mode, the RV340 provides 925 Mbps on a routine basis. So I configured VLAN1 to have the network address of 67.xxx.xxx.4/30, with its own address of 67.xxx.xxx.6. There are no private IPs configured, and NAT is disabled. When I connect to an external site via my static IP of 67.xxx.xxx.5 it appears as though the connection is coming from the static IP, just as it should. However, traffic from the external site to the static IP just times out. I cannot connect to my servers, and ping and traceroute just time out at the final hop. It appears as though the RV340 is not routing the WAN traffic to the LAN public IP.

Also note that I have properly configured single port forwarding for all the services I require.

 

So my question is, do I need to make a manual, static route entry? Intuition tells me no... but I could be in error.

Any insight would be greatly appreciated. By the way, the RV340 is running the latest firmware rev.

 

 


Mathias Garcia
Level 1

Hi,

 

I'm having trouble understanding your exact setup.

Could you provide a simple drawing of your environment, with sanitized IPs?

Why are you using VLAN1 for the public/internet side? Normally you would use one of the WAN ports.

Also, you say that you have a static public IP but also that you get an IP via DHCP?

You also say that you have no private IPs configured, but normally you would have a private IP on the inside.

Or some other public IP range on the inside.

 

 


@Mathias Garcia wrote:

Hi,

I'm having trouble understanding your exact setup.

Could you provide a simple drawing of your environment, with sanitized IPs?

Why are you using VLAN1 for the public/internet side? Normally you would use one of the WAN ports.

Also, you say that you have a static public IP but also that you get an IP via DHCP?

You also say that you have no private IPs configured, but normally you would have a private IP on the inside.

Or some other public IP range on the inside.

 

 


Normally, you are correct. However, with Centurylink's latest GPON implementation, static IPs are routed very differently than what was done in the past. Rather than use the aggregator to route the static IPs, CLT has left this to the end user to do. They provide a block of IPs, in my case two, one of which is the actual static IP, the other serves as the router/gateway IP. It forms its own public subnet: xxx.xxx.xxx.4/30. The static IP is xxx.xxx.xxx.5, and the router/gateway IP is xxx.xxx.xxx.6.

My RV340 WAN port (NAT is disabled) is directly connected to the ONT (converts optical to Ethernet). On the other end of the ONT is the aggregator, which CLT calls CBRAS. The aggregator then provides a public IP to the RV340 via DHCP (which is not my static IP). The RV340 then routes the traffic to VLAN1 which has the router/gateway IP, set up to route traffic to xxx.xxx.xxx.4/30, and is assigned the static IP xxx.xxx.xxx.6. Behind the RV340 is an RV134, connected to the RV340 VLAN1, via its WAN port. The RV134 WAN is assigned the static IP of xxx.xxx.xxx.5, my actual static IP. The private IPs are assigned to the RV134 LAN.

The RV340 routes the outbound traffic to the ONT (IPoE) as though it is coming from my public static IP. The aggregator recognizes the MAC address of the ONT and routes the outbound traffic so it looks like it comes from the public IP xxx.xxx.xxx.5, and not the DHCP delivered public IP assigned to the RV340 WAN port. Similarly, CLT's routing tables are set up such that when inbound traffic from the Internet is sent to my public static IP, it properly routes the traffic to the ONT, which is then routed from the ONT to the RV340 and on to the RV134 for proper port forwarding to the private LAN. It is this final step that was not working. Packets would get into the RV340, but fail to route to the static IP.

I have since figured out the issue, with help from Cisco tech support. I was erroneously using port forwarding, when I should have been using only firewall access rules. Once I made this correction, everything worked as it should. But now I need two routers, instead of one... oh well.

Picture attached.

 

Ok, I understand.
Well it's good that you got it working at least.

If you can elaborate fully on the solution it would be appreciated. 

 

I have Centurylink fiber with a static IP and CBRAS and have not been able to get the static IP to work with my RV340. I need to have a working site-to-site VPN.