Tom_Heesmans
Contributor

How come multiple public IPs aren't working?

I have 2 units in a cluster with 3 public IPs: 1 on each member and a cluster IP. I'm using R80.10.

The IP range is a /28 so I've added the IPs as a /28. However, I'm unable to connect to another IP in the same range from the internet to internal. I've set up my NAT rules and, to test if the ISP is routing everything correctly, I've also set up a NAT rule from internal to external using the same public IP that I'm trying to connect to. All is working fine.

When adding the public IP as an alias on the interface it starts working; however, from what I'm reading in sk89980, an alias is not supported on ClusterXL.

Also, when I add the additional IP as an alias on the second unit, all the connections from internet to internal stop working after a few hours. My guess: ARP entry in the modem. Everything starts working again when I remove the alias from the second unit. However, if I leave it this way it isn't fully HA, right?

I've enabled VMAC but the same issue remains.

So in short, my questions are:

- Why can't I just connect to the additional public IPs from my subnet when I'm using the /28 on my WAN interface?

- How can I get this setup to remain stable and still be HA?

Thanks.


Accepted Solutions
Timothy_Hall
Champion

If the OP is using R80.10 on the gateway he can take advantage of automatic proxy ARP for manual NAT rules, using this new feature that is not enabled by default: sk114395: Automatic creation of Proxy ARP for Manual NAT rules on Security Gateway R80.10

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com


4 Replies
Vladimir
Champion

Do not create manual NAT rules for the object on the internal network that you are trying to get to from the Internet.

Specify the public IP in the NAT tab of the object's properties. This will create the NAT rule automatically as well as corresponding automatic ARP proxy records on cluster members.

All you have to do then is to create an access rule allowing traffic to and from the internal object and the Internet.

Verify that "Automatic ARP configuration" is enabled in Global Properties.

Additionally, make sure that your upstream router has a route for the entire /28 subnet pointing to the cluster's vIP. 
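
An added example, not part of the original thread and not Check Point tooling: a Python audit of the failure mode discussed here, where a NAT'd address inside an on-link /28 is reachable only while the active member answers ARP for it, so an entry present on one member alone breaks after failover. It assumes the upstream device treats the /28 as directly connected; the addresses, member names and data layout are constructed, and the proxy ARP lists would be filled in from each member's real configuration.

```python
import ipaddress

def audit_proxy_arp(wan_cidr, cluster_vip, members, nat_ips):
    """Find NAT'd public IPs that some cluster member would not answer ARP for.

    members maps a member name to {"ip": <its own WAN IP>, "proxy_arp": [...]}.
    Returns {"missing": {nat_ip: [silent members]}, "routed": [off-link nat_ips]}.
    """
    wan = ipaddress.ip_network(wan_cidr)
    vip = ipaddress.ip_address(cluster_vip)
    missing, routed = {}, []
    for raw in nat_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in wan:
            # Off-link: upstream needs a route to the cluster VIP, not ARP.
            routed.append(str(ip))
            continue
        if ip in (wan.network_address, wan.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {wan}")
        silent = []
        for name, cfg in members.items():
            # A member answers for the VIP (when active), its own IP,
            # and every proxy ARP entry configured on it.
            answers = {vip, ipaddress.ip_address(cfg["ip"])}
            answers |= {ipaddress.ip_address(p) for p in cfg["proxy_arp"]}
            if ip not in answers:
                silent.append(name)
        if silent:
            # Works only while a non-silent member is active: not HA.
            missing[str(ip)] = sorted(silent)
    return {"missing": missing, "routed": routed}

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_WAN = "203.0.113.0/28"
SAMPLE_VIP = "203.0.113.2"
SAMPLE_MEMBERS = {
    "gw1": {"ip": "203.0.113.3", "proxy_arp": ["203.0.113.5", "203.0.113.6"]},
    "gw2": {"ip": "203.0.113.4", "proxy_arp": ["203.0.113.5"]},
}
SAMPLE_NAT_IPS = ["203.0.113.2", "203.0.113.5", "203.0.113.6", "198.51.100.10"]

if __name__ == "__main__":
    report = audit_proxy_arp(SAMPLE_WAN, SAMPLE_VIP, SAMPLE_MEMBERS, SAMPLE_NAT_IPS)
    for ip, names in report["missing"].items():
        print(f"{ip}: no ARP reply from {', '.join(names)}")
    print("routed (check upstream route):", report["routed"])
```
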

Tom_Heesmans
Contributor

I will also surely give this a go. Thanks for the information, this really helps.

Tom_Heesmans
Contributor

Thanks for this. That seemed to do the trick.
