How come multiple public IP's aren't working?

I have 2 units in a cluster with 3 public IPs: 1 on each member and a cluster IP. I'm using R80.10.

The IP range is a /28, so I've added the IPs as a /28. However, I'm unable to connect to another IP in the same range from the internet to internal. I've set up my NAT rules and, to test if the ISP is routing everything correctly, I've also set up a NAT rule from internal to external using the same public IP that I'm trying to connect to. All is working fine.

When adding the public IP as an alias on the interface it starts working; however, an alias is not supported on ClusterXL, from what I'm reading in sk89980.

Also, when I add the additional IP as an alias on the second unit, all the connections from internet to internal will stop working after a few hours. My guess: ARP entry in the modem; everything starts working again when I remove the alias from the second unit. However, if I leave it this way it isn't fully HA, right?

I've enabled VMAC but the same issue remains.

So in short, my questions are:

- Why can't I just connect to the additional public IPs from my subnet when I'm using the /28 on my WAN interface?

- How can I get this setup to remain stable and still be HA?

Thnx.

Accepted Solutions

Re: How come multiple public IP's aren't working?

If the OP is using R80.10 on the gateway he can take advantage of automatic proxy ARP for manual NAT rules, using this new feature that is not enabled by default: sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
4 Replies
Vladimir

Re: How come multiple public IP's aren't working?

Do not create manual NAT rules for the object on the internal network that you are trying to get to from the Internet.

Specify the public IP in the NAT tab of the object's properties. This will create the NAT rule automatically, as well as the corresponding automatic ARP proxy records on cluster members.

All you have to do then is to create an access rule allowing traffic to and from the internal object and the Internet.

Verify that "Automatic ARP configuration" is enabled in Global Properties:

Additionally, make sure that your upstream router has a route for the entire /28 subnet pointing to the cluster's vIP. 

Re: How come multiple public IP's aren't working?

I will also surely give this a go. Thanks for the information, this really helps.

Re: How come multiple public IP's aren't working?

Thanks for this. That seemed to do the trick.