@ltechnology said in Dedicated Business Fiber Internet and Netgate:
Thanks for the added information.
I think what I did not communicate properly is that I don't want to put a 2nd piece of equipment (or use their provided router) as I have in the past. I have traditionally opted to purchase a Cisco router, configure and put this in place as the intermediate piece instead of giving ATT any extra money.
What I am hoping to do is integrate the functionality and routing of this Cisco piece into the front end of the Negate, eliminating the hardware.
I think that one of two options might work:
Set up the WAN port with the serial IP, and set the LAN IP (from ATT) to a virtual IP. Route the virtual IP to the LAN on configured on the Netgate.
Utilize the virtual layers now available, set up 1 virtual to handle the ATT portion, and then have it hand off to the 2nd virtual which would be my normal Netgate firewall./router configuration, using the 1st virtual as my WAN interface.
I know they are using a Fortinet Fortigate router for the provided equipment now and doing this all in that unit - so it should be workable on the Netgate as well. Strangely noone has done this - or has taken the time to post and share their efforts.
Thanks
OK I understand now.
I've never done this. I think the challenge is that the upstream device you will be directly connecting your Netgate WAN port to is in a different subnet than the static addresses you are allowed to use. You'll probably need a Netgate with an SFP port, since you'll be attaching directly to fiber (or a media converter). I can't really test this, so I can only suggest things in a "spitballing it" kind of way.
One should note that this may not be possible without getting AT&T to change some things.
First Option - Use the AT&T "WAN Information" instead of the LAN information.
Set your Netgate's WAN IP to 32.xxx.xx.224/30. Use a gateway address of 32.xxx.xx.225/30 (or possibly 226/30. I'm making an assumption about the IP of the gateway directly upstream here. It could be either one, I merely suspect it's 225/30).
Test the connection.
If AT&T does any vlan tagging or MAC address filtering / authentication, this may fail right out of the box. If this is the case, you'd need AT&T to give you a mac address that is authenticated that you could spoof on your Netgate's WAN port (not impossible you could get the address right off the AT&T Cisco router as well) and what the vlan tagging configuration is, if any.
You state you have previously purchased your own Cisco router and configured this. If that's the case, you may know the vlan tagging configuration already and know how to deal with possible mac authentication issues if they even exist.
AT&T may also expect packets to originate from you LAN block (12.xxx.xx.129/30) rather than from AT&T's own WAN block (32.xxx.xx.224/30). AT&T's equipment might reject this traffic without them changing the configuration of the upstream devices.
Downsides to this method
you may need to get AT&T to change things on their end for this to work
you will need to be able to directly accept a fiber connection (SFP port should work here)
you don't have a guarantee that the SFP port on the Netgate will be compatible with the SFP module connecting fiber to your WAN interface (it's likely it will be, but it's not assured. If it isn't you might need a media converter to convert fiber to ethernet/rj45 and use an ethernet port for WAN).
You only get one public facing IP address instead your full block of 5.
Second Option - Configure your WAN gateway to allow non-local gateway addressing.
This is similar to your previous proposal about using 32.xxx.xx.129/30 as your gateway and using 12.xxx.xx.130/29 as your WAN interface IP address.
Configure a Gateway in System -> Routing. It's IP address is 32.xxx.xx.225/30. Before saving the Gateway, click Display Advanced. At the very bottom, check the box labeled "Use non-local gateway through interface specific route." Save and Apply Changes.
Configure WAN interface to use IP address 12.xxx.xx.130/29. Select the gateway you just created for the IPv4 upstream gateway. Because you checked the box allowing a non-local gateway, this setting will be permitted as valid whereas in a default setup it would not.
This may still fail for similar reasons as the first method, relating to mac address authentication, vlan tagging issues, and source IP address issues. This is also a very non-standard configuration. 99% of the time if the gateway for your WAN interface is in a different subnet than your WAN interface's IP, it's a misconfiguration. There are a few legit instances where it's needed, it could possibly work here.
I'm not sure which I'd attempt first for certain, I might actually lean slightly towards the first method if you are good with a single WAN IP address on your Netgate. If you need to use multiple addresses in the block, it basically pushes you into the second method.
A more ideal solution might be if AT&T makes the device that is typically upstream from their Cisco router to assign 12.xxx.xx.129/30 as the inward facing IP address (instead of 32.xxx.xx.224/30). Then you'd have your full block of 5 IP addresses and a very standard WAN configuration on your Netgate. Since AT&T doesnt do it this way, I presume there are reasons why they don't, so it may not be possible or something they'd be willing to change.
