SRP547W, How to use multiple WAN IPs for port forwarding?

tim.obrien.42
Level 1

Hi folks,

We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...

What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...

Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.

We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:

a.b.c.208     Network Address (/29 subnet)

a.b.c.209     ISP Gateway

a.b.c.210     IP1

a.b.c.211     IP2

a.b.c.212     IP3

a.b.c.213     IP4

a.b.c.214     IP5

a.b.c.215     Broadcast Address

On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1

VLAN ID:               4088 (Uneditable)

Connection Type:       Static IP

Internet IP Address:   a.b.c.210

Subnet Mask:           255.255.255.248

Default Gateway:       a.b.c.209

The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2

VLAN ID:               4000 (Chosen arbitrarily)

Connection Type:       Static IP

Internet IP Address:   a.b.c.211

Subnet Mask:           255.255.255.248

Default Gateway:       a.b.c.209

When we try to do so however we get:

Fail!

Conflict with Ether_WAN2 interface address type

I should mention at this point that we're running on firmware version 1.02.01 (023).

Any suggestions on how we can proceed?

Is there a CLI or other method of configuration that might work if the web interface won't?

Thanks,

Tim.

2 Replies

Andrew Hickman
Cisco Employee

Hi Tim,

Creating a new VLAN interface will form a new broadcast domain hence the reason for the error.  All of your addresses must be managed within the same layer 2 network (i.e. the main WAN interface).

You could try the following:

Go to Network Setup > DMZ > Software DMZ and create public to private addressing mappings for your addresses and servers.  This will forward all traffic to the selected IP addresses to your hosts.  As you probably only wish to allow certain ports through to your hosts, restrict access accordingly using the Advanced Firewall rules.

Regards,

Andy

OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.

As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.

VLAN ID:               4088 (Uneditable)

Connection Type:       Static IP

Internet IP Address:   a.b.c.210

Subnet Mask:           255.255.255.248

Default Gateway:       a.b.c.209

We'd now like to expose a server function on IP2, let's say LAN details for this server are:

VLAN:                  3000

VLAN IP Range:         192.168.1.1/24

Server IP:             192.168.1.10

Server Port:           80

So first we turn on Software DMZ:

Status:                Enabled

Public IP:             a.b.c.211

Private IP:            192.168.1.10

WAN Interface:         Ether_WAN2

My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?

Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.

In Interface (WAN):    All

Out Interface (LAN):   VLAN.3000

Source IP:             0.0.0.0

Source Subnet:         0.0.0.0

Destination IP:        192.168.1.10

Destination Subnet:    255.255.255.255

Protocol:              TCP

Source Port:           Any

Destination Port:      Single:80

Action:                Permit

Schedule:              Everyday

Times:                 24 Hours

Still no dice. What am I missing?

Cheers,

Tim.
