Using a different Public IP for Multiple VLANs



  • Hello,

    We have a business center with multiple VLANs and a range of 32 public IPs. There is also another internet connection for failover.

    We don't have enough interfaces to configure each public IP individually, and we want to assign one public IP to each VLAN.

    What I tried to do until now:

    • Configured one WAN with a public IP in the 32-address range. One of the IPs in that range is managed by our ISP and is the gateway.

    • Configured another public IP as a VIP "IP alias".

    • Tried to configure outbound NAT for a test LAN with that VIP configured and using the WAN's gateway.

    But I can't get out to the internet, much less determine if the right public IP is used.

    Can someone help me with this?

    I would also like to know whether it is possible to make a gateway group for simple failover with this kind of configuration?

    Thanks a lot,



  • Your post confused me a bit, because outbound NAT is not "gateway" based.

    Am I correct in assuming that

    • you have a WAN interface with a public IP
    • you have a TestLAN interface with a private IP
    • you want traffic from the TestLAN towards the internet to originate as if it were the public VIP?

    An outbound NAT rule like this should do the trick:

    • Interface: WAN
    • Source: subnet(s) behind the TestLAN (eg 192.168.1.0/24)
    • Translation: your VIP
    • everything else left on default

    Can't comment on the failover, sorry.


  • Netgate

    Failover from what to what? MultiWAN? NAT is independent of MultiWAN. You would define the outbound NAT behavior of each interface. MultiWAN routing determines which interface is used for the traffic. Your NAT rules determine how it's NATted on the way out that interface.

    Say you have WAN1 and WAN2 and you create a failover gateway group and route all TestLAN traffic out the gateway group.

    Create two outbound NAT rules for TestLAN's network - one for each interface.  Give each one the NAT characteristics you want when that interface is chosen by the routing table.

    You obviously can't have one circuit's public VIP move to another circuit unless you're advertising your own IP space with BGP, etc., so both circuits have routes to your IPs.
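    To make the "one outbound NAT rule per WAN interface" advice concrete, here is the shape those rules and the failover policy route take in FreeBSD pf syntax, which is what pfSense builds from its GUI. This is an added illustration, not text from the thread or pfSense's own generated ruleset; every interface name and address in it is a constructed placeholder.

```pf
# Added illustration (not from the thread): per-WAN outbound NAT for one
# LAN plus failover policy routing, in FreeBSD pf syntax as used by pfSense.
# All interface names and addresses below are constructed placeholders.
wan1        = "em0"              # circuit carrying the 32-address public block
wan2        = "em1"              # failover circuit with a single address
testlan     = "em2"
testlan_net = "192.168.1.0/24"
wan1_vip    = "203.0.113.10"     # "IP alias" VIP inside the WAN1 block
wan2_addr   = "198.51.100.2"     # WAN2 interface address
wan1_gw     = "203.0.113.1"
wan2_gw     = "198.51.100.1"

# Translation rules: the first matching nat rule wins, so the narrow
# Static Port rule (ISAKMP, UDP/500, source port preserved) must sit
# above the general rule for the same interface.
nat on $wan1 inet proto udp from $testlan_net to any port 500 \
    -> $wan1_vip static-port

# One general rule per WAN interface for the same source network.
# NAT is selected by the interface the packet leaves on, not by gateway,
# so whichever circuit routing picks, that circuit's rule rewrites the source.
nat on $wan1 inet from $testlan_net to any -> $wan1_vip  port 1024:65535
nat on $wan2 inet from $testlan_net to any -> $wan2_addr port 1024:65535

# Policy routing from TestLAN. With a failover gateway group, pfSense
# rewrites route-to to the gateway that is currently up; when WAN1 is
# down this becomes route-to ( $wan2 $wan2_gw ) and the WAN2 nat rule
# above applies without any further change.
pass in quick on $testlan route-to ( $wan1 $wan1_gw ) inet \
    from $testlan_net to any keep state
```

    On the firewall itself, `pfctl -sn` lists the translation rules actually loaded and `pfctl -ss` shows the live states with their translated source, which is how to confirm which public address a flow really left with.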



  • @_Cyph3r_:

    Your post confused me a bit, because outbound NAT is not "gateway" based.

    Am I correct in assuming that

    • you have a WAN interface with a public IP
    • you have a TestLAN interface with a private IP
    • you want traffic from the TestLAN towards the internet to originate as if it were the public VIP?

    An outbound NAT rule like this should do the trick:

    • Interface: WAN
    • Source: subnet(s) behind the TestLAN (eg 192.168.1.0/24)
    • Translation: your VIP
    • everything else left on default

    Can't comment on the failover, sorry.

    Thank you for your answer Cypher.

    Here is what I did so far:

    VIP - IP alias - This IP is in the same range as the WAN IP.

    Outbound NAT rule:

    Interface: The interface mentioned above in the VIP conf.
    Subnet: TEST_LAN subnet
    Translation: The VIP mentioned above
    Static Port: No

    Did the same for the ISAKMP one (just changed the translation, in fact), but Static Port is set to Yes.

    Firewall rule:

    Protocol: any
    source: Test_LAN subnet
    destination: any
    gateway: The gateway of the WAN mentioned above.

    So now I can ping 8.8.8.8 or www.google.com, but I can't access http://www.google.com or any other website in a browser from the LAN.

    Also tried with another browser, no luck there.

    @Derelict: Thank you for your answer Derelict. If I understand correctly, I just have to configure an outbound NAT rule for each WAN interface on the TEST_LAN, and when failover happens it will just use the one corresponding to the current WAN?

    Thanks.

    EDIT: We tried some other protocols; SSH works.

    I tried adding some outbound NAT rules stating that the target port is 80, and another for 443; that didn't work.

    Also tried the same two rules with the static port option activated; that didn't work either.

    It's strange, it seems to fail to map some ports, but 30022 (the modified ssh port we use) worked.