topic Re: ClusterXL with two public IP ranges in General Topics

ClusterXL with two public IP ranges

Vladimir — Sun, 28 Apr 2019 13:54:25 GMT

I can use your advise on this subject.

Scenario:

Client getting a /30 and /24 IP ranges from ISP.

ISP expects connectivity between themselves and a client over /30 network.

ISP will be forwarding /24 traffic to the single IP in the /30 network.

ISP does not provide routing equipment.

Client does not have an L3 device between cluster and ISP.

What is the appropriate configuration for the cluster and its members to accommodate this scenario?

I am trying to avoid the use of the manual Proxy ARP and rely on Static NAT for the hosts in DMZs.

Thank you,

Vladimir

Re: ClusterXL with two public IP ranges

PhoneBoy — Sun, 28 Apr 2019 16:50:23 GMT

Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30).
You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30.

Re: ClusterXL with two public IP ranges

Vladimir — Sun, 28 Apr 2019 17:07:57 GMT

"Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30)."

It there a reason for the physical interfaces of the cluster members on these two network to reside on the same L2 segment?

It seems that if they are on a different L2 segment or the same one, the cluster will have to undertake some roundabout internal routing to forward packets between these two networks.

"You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30."

What about using public IPs from /24 for physical interfaces while using single IP from /30 for external VIP?

Would this permit the inbound and outbound routing for both public ranges? Is so, what additional configuration parameters may be required to differentiate it from common single public VIP when used with RFC 1918 addresses on physical interfaces?

Re: ClusterXL with two public IP ranges

Wolfgang — Sun, 28 Apr 2019 18:47:14 GMT

Vladimir,

as Dameon wrote, I think the best way is to use two IPs for the physical interfaces outside on it‘s own private network. One of the IPs from your /30 network should be the cluster VIP.

If you need the addresses from the /24 - pool for real hosts you can deploy a new cluster interface for this subnet and attache it to an switch.

If doing only NAT with this pool you can use it in your rulebase. As you wrote, the ISP is routing this network from external to one of the addresses from /30 pool. You don‘t need any proxy ARP for NAT like this.

your question...

<<<< What about using public IPs from /24 for physical interfaces while using single IP from /30 for external VIP? <>>>>

I think it‘s better to have the /24 subnet separate from the other IPs, the routing and NAT is clearly.

Wolfgang

Re: ClusterXL with two public IP ranges

Vladimir — Sun, 28 Apr 2019 20:30:50 GMT

Thank you @Wolfgang.

I was not sure, for some reason, that the cluster will source the outbound traffic from otherwise arbitrary IP addresses from its external interfaces.

I have just tested it on a single gateway and it does seem to work as you and @PhoneBoy have described:

Host on internal private network statically NAed to the public IP from the range NOT assigned to any of the interfaces or defined in topology is being routed out with the XLATE of the defined public IP out of its external interface.

So long as ISP will be forwarding the traffic to /24 in question, this should work for Static NAT purposes.

The only deviation from norm is that the cluster's portals will be accessible by the IP from /30 range, but the hosts behind it by IPs from /24.

Re: ClusterXL with two public IP ranges

Lari_Luoma — Mon, 29 Apr 2019 00:08:43 GMT

Hi!

I'm not 100% sure if I fully understood your question, but there is a way to configure cluster members with different IP ranges:

See sk32073 for configuration instructions.

I configured this last fall for a client who got had only one public IP-address from the ISP.

Re: ClusterXL with two public IP ranges

Wolfgang — Mon, 29 Apr 2019 18:34:29 GMT

Vladimir,

you ˋre right.

we had a similar configuration at one of our customer sites. They are using a smaller subnet /29 for internet access and two other /26 subnets for a lot of published webservices and . The /26 are all statically NATed and the IP for remote access ( MobileAccessPortal and VPN) is from /29 subnet.

regards

Wolfgang

Re: ClusterXL with two public IP ranges

Vladimir — Mon, 29 Apr 2019 18:44:06 GMT

Thank you @Lari_Luoma , the question was really in regards to the gateway NATing to the IPs that do not belong to the ranges the interfaces are in.

I am routinely using it in cases of overlapping VPN domains, but was not sure if it'll work for the normal traffic.

Looks like it does.

Regards,

Vladimir

Re: ClusterXL with two public IP ranges

kamaladmire1 — Mon, 19 Jun 2023 13:19:54 GMT

Hi Lari,

hope you doing well, I have a question same as you mentioned for customer with 1 Public IP, in my case I have 2 Public IP avaliable and other 4 IP's being used 1 for Default Gateway and other 3 for Public Facing services.

I have tried configure Cluster with RFC 1918 FW-1 10.10.10.1/24 and FW-2 10.10.10.2/24 and VIP as Public IP 80.90.239.147/24 (this is dummy Publci IP)

deafult route on both members

set static-route 80.90.239.144/29 nexthop gateway logical eth8 on

set static-route default nexthop gateway address 80.90.239.145 on

did set the arp for both private IPs as

FW-1

add arp static ipv4-address 10.10.10.2 macaddress 00:1C:E2:D1:1A:A5

FW-2

add arp static ipv4-address 10.10.10.1 macaddress 00:1C:E1:D2:19:C1

can not route the traffic and internet didnt work good thing was I didnt get any warrning when policy installed.

any sugesstion...

Thanks

Re: ClusterXL with two public IP ranges

Lari_Luoma — Tue, 20 Jun 2023 02:49:58 GMT

All steps you should need are documented in ClusterXL Admin Guide.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-CXLG/Cluster-IP-addresses-on-different-subnets.htm

If you still won't get it working, I recommend you open a TAC case for further troubleshooting and debugging.

Re: ClusterXL with two public IP ranges

Wolfgang — Tue, 20 Jun 2023 05:01:30 GMT

@kamaladmire1 following the given information you have configured different IP subnet for your public IP

80.90.239.147/24 your public IP

80.90.239.144/29 your default route

Re: ClusterXL with two public IP ranges

kamaladmire1 — Tue, 20 Jun 2023 12:47:56 GMT

sorry that was a typo when writing to you it is on 80.90.239.147/29