Vladimir
Champion

ClusterXL with two public IP ranges

I can use your advice on this subject.

Scenario:

Client is getting a /30 and a /24 IP range from the ISP.

The ISP expects connectivity between itself and the client over the /30 network.

The ISP will be forwarding the /24 traffic to a single IP in the /30 network.

The ISP does not provide routing equipment.

The client does not have an L3 device between the cluster and the ISP.

What is the appropriate configuration for the cluster and its members to accommodate this scenario?

I am trying to avoid the use of the manual Proxy ARP and rely on Static NAT for the hosts in DMZs.

[attached diagram: two-public-ranges-draw.io.png]

Thank you,

Vladimir

11 Replies
PhoneBoy
Admin

Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30).
You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30.
Vladimir
Champion

"Since ClusterXL does not support one interface being in two different subnets, you might have to connect two physical interfaces to that network segment (one for the /24, the other on /30)."


Is there a reason for the physical interfaces of the cluster members on these two networks to reside on the same L2 segment?

It seems that whether they are on different L2 segments or the same one, the cluster will have to undertake some roundabout internal routing to forward packets between these two networks.


"You might need to use private IPs for the interfaces in the /30 segment and make the ClusterXL IP on that interface something in the /30."


What about using public IPs from the /24 for the physical interfaces while using a single IP from the /30 for the external VIP?

Would this permit inbound and outbound routing for both public ranges? If so, what additional configuration parameters may be required to differentiate it from a common single public VIP when used with RFC 1918 addresses on the physical interfaces?


Wolfgang
Authority

Vladimir,

As Dameon wrote, I think the best way is to use two IPs for the outside physical interfaces on their own private network. One of the IPs from your /30 network should be the cluster VIP.

If you need the addresses from the /24 pool for real hosts, you can deploy a new cluster interface for this subnet and attach it to a switch.

If you are doing only NAT with this pool, you can use it in your rulebase. As you wrote, the ISP is routing this network from the outside to one of the addresses from the /30 pool. You don't need any proxy ARP for NAT like this.

Your question:

"What about using public IPs from the /24 for the physical interfaces while using a single IP from the /30 for the external VIP?"

I think it's better to have the /24 subnet separate from the other IPs; the routing and NAT are clearer.

Wolfgang

Vladimir
Champion

Thank you @Wolfgang.

I was not sure, for some reason, that the cluster would source outbound traffic from otherwise arbitrary IP addresses out of its external interfaces.

I have just tested it on a single gateway and it does seem to work as you and @PhoneBoy have described:

A host on the internal private network, statically NATed to a public IP from the range NOT assigned to any of the interfaces or defined in the topology, is being routed out with the XLATE of the defined public IP out of its external interface.

So long as the ISP forwards the traffic for the /24 in question, this should work for Static NAT purposes.

The only deviation from the norm is that the cluster's portals will be accessible by an IP from the /30 range, but the hosts behind it by IPs from the /24.

Wolfgang
Authority

Vladimir,

You're right.

We had a similar configuration at one of our customer sites. They are using a smaller /29 subnet for internet access and two other /26 subnets for a lot of published web services. The /26s are all statically NATed, and the IP for remote access (Mobile Access Portal and VPN) is from the /29 subnet.

Regards

Wolfgang

Lari_Luoma
Ambassador

Hi!

I'm not 100% sure if I fully understood your question, but there is a way to configure cluster members with different IP ranges:

See sk32073 for configuration instructions.

I configured this last fall for a client who had only one public IP address from the ISP.

Vladimir
Champion

Thank you @Lari_Luoma, the question was really in regard to the gateway NATing to IPs that do not belong to the ranges the interfaces are in.

I am routinely using it in cases of overlapping VPN domains, but was not sure if it would work for normal traffic.

Looks like it does.

Regards,

Vladimir

kamaladmire1
Participant

Hi Lari,

Hope you are doing well. I have a question similar to the one you mentioned for the customer with 1 public IP. In my case I have 2 public IPs available, and the other 4 IPs are being used: 1 for the default gateway and the other 3 for public-facing services.

I have tried to configure the cluster with RFC 1918 addresses, FW-1 10.10.10.1/24 and FW-2 10.10.10.2/24, and the VIP as the public IP 80.90.239.147/24 (this is a dummy public IP).

Default route on both members:

set static-route 80.90.239.144/29 nexthop gateway logical eth8 on

set static-route default nexthop gateway address 80.90.239.145 on

I did set the ARP for both private IPs as:

FW-1

add arp static ipv4-address 10.10.10.2 macaddress 00:1C:E2:D1:1A:A5


FW-2

add arp static ipv4-address 10.10.10.1 macaddress 00:1C:E1:D2:19:C1

It cannot route the traffic and the internet didn't work. The good thing was I didn't get any warning when the policy installed.

Any suggestions...

Thanks

Lari_Luoma
Ambassador

All the steps you should need are documented in the ClusterXL Admin Guide.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...

If you still can't get it working, I recommend you open a TAC case for further troubleshooting and debugging.

Wolfgang
Authority

@kamaladmire1, following the given information, you have configured different IP subnets for your public IP:

80.90.239.147/24 is your public IP

80.90.239.144/29 is your default route

kamaladmire1
Participant

Sorry, that was a typo when writing to you; it is on 80.90.239.147/29.

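As an added example, not posted by anyone in this thread, here is a small Python consistency check for the external-side addressing plans discussed above. It encodes the points the thread settles on: the VIP and the ISP next hop must sit inside an on-link route whose mask matches the VIP's own (the /24 vs /29 mix-up), while static-NAT public addresses need not belong to any interface subnet but must fall inside a range the ISP routes to the cluster. All addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
# Added example (not from any participant in this thread): a consistency check
# for a ClusterXL external-side addressing plan. All addresses below are
# constructed sample values (RFC 5737 documentation ranges).
from ipaddress import ip_address, ip_interface, ip_network


def check_plan(vip, onlink_routes, default_gw, isp_ranges, nat_ips):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    vip_if = ip_interface(vip)
    onlink = [ip_network(r) for r in onlink_routes]
    containing = [n for n in onlink if vip_if.ip in n]
    if not containing:
        findings.append(f"VIP {vip_if.ip} is not inside any on-link route")
    # The /24-vs-/29 mix-up from the thread: VIP mask must match the on-link route.
    for n in containing:
        if vip_if.network.prefixlen != n.prefixlen:
            findings.append(f"VIP mask /{vip_if.network.prefixlen} does not match on-link route {n}")
    # The default gateway is only usable if some on-link route covers it.
    gw = ip_address(default_gw)
    if not any(gw in n for n in onlink):
        findings.append(f"default gateway {gw} has no on-link route")
    # Static NAT addresses may sit outside every interface subnet, but the ISP
    # must actually route them to us; flag any outside the ISP-routed ranges.
    routed = [ip_network(r) for r in isp_ranges]
    for ip in nat_ips:
        if not any(ip_address(ip) in r for r in routed):
            findings.append(f"static NAT address {ip} is outside the ISP-routed ranges")
    return findings


# Vladimir's scenario: the /30 transit net carries the VIP, the ISP forwards the /24 to it.
TWO_RANGE_PLAN = dict(
    vip="198.51.100.2/30", onlink_routes=["198.51.100.0/30"], default_gw="198.51.100.1",
    isp_ranges=["198.51.100.0/30", "203.0.113.0/24"],
    nat_ips=["203.0.113.10", "203.0.113.11"],  # DMZ hosts, not in any interface subnet
)

# kamaladmire1's first post: VIP written as /24 while the on-link route is a /29.
MISMATCHED_PLAN = dict(
    vip="203.0.113.147/24", onlink_routes=["203.0.113.144/29"], default_gw="203.0.113.145",
    isp_ranges=["203.0.113.144/29"], nat_ips=["203.0.113.148"],
)

if __name__ == "__main__":
    for name, plan in (("two-range", TWO_RANGE_PLAN), ("mismatched", MISMATCHED_PLAN)):
        print(name, check_plan(**plan) or "OK")
```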
