Static IPs and firewalls on Fusion service

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
24 posts Page 2 of 3
by Richard » Thu Nov 03, 2011 12:05 pm
hi,
The issues people are reporting here do not affect the Legacy DSL platform.
So is this a *different* issue?

viewtopic.php?f=10&t=241

Perhaps I'm misreading it, but that seems like it's for the Legacy DSL ... no?

It'd be nice to see a recommended linux/freebsd DHCP config for use with Sonic ... I'll keep looking for one.
by kgc » Thu Nov 03, 2011 12:16 pm
I believe the user on the thread is on the Fusion platform. As for config using DHCP, you shouldn't need one at all beyond telling your system to use DHCP. That is distribution specific but should be very easy to figure out.

My freebsd firewall/nat/server at home happens to use this on the public interface:

# /etc/rc.conf: acquire the public interface's address via DHCP
ifconfig_rl0="DHCP"
Kelsey Cummings
System Architect, Sonic.net, Inc.
by Richard » Thu Nov 03, 2011 12:20 pm
kgc wrote:I believe the user on the thread is on the Fusion platform.
Thanks for clearing that up.
by enclade » Mon Nov 14, 2011 10:19 pm
So glad to see that I'm not alone here. I went through many hours pulling my hair out trying to get my client's new Fusion service up and running. I have a Cisco ASA with a handful of servers using 1:1 NAT (not working) and a bunch of others configured for PAT on the ASA's outside interface (working). I've been able to prove to myself that Sonic is not forwarding traffic to some of my static IPs, but wasn't able to get Sonic to agree. Apparently the Cisco ASA only performs a gratuitous ARP for the IP associated with a physical interface, so it looks like Sonic is not sending my 1:1 NAT traffic to my bridged modem. I knew there was some unusual configuration on Sonic's end due to the default gateway for my static block being outside of what would normally be considered my subnet, but find it hard to believe there isn't a solution available from Sonic to handle this quite standard configuration. Sonic, can you guys simply add fixed ARP entries on your end to help resolve this issue? My client is about to throw in the towel and move back to AT&T.
by enclade » Wed Nov 16, 2011 12:39 pm
Yes, Sonic added a static MAC address for each of my IPs and the problem is solved! Thank you!
by ulf » Wed Nov 30, 2011 6:51 pm
jared wrote:Chez,

On Fusion connections, our DSLAMs perform secured ARP to prevent IP misuse. On static IP Fusion circuits, the only way our DSLAM learns an IP/MAC combo is by ARP being generated from either above (our aggregation router ARPs for one of your IPs, and the DSLAM snoops the reply), or below (a host on your network generates an ARP request for its gateway). Given your description, I'd guess that your firewall isn't generating an ARP request for each of its 1-1 static NAT IPs on boot, or when those hosts generate traffic. If you can figure out how to configure your firewall to do so, everything should work. You may be able to use arping on your m0n0wall to force an ARP request to be sent to test/verify this.
Ok, first of all: *facepalm* That is really screwed. I am sorry, but having a firewall doing multiple IPs with the same MAC is normal today. Plus your description above does not seem to hold up. As I am currently trying to ping my external IP I am trying to reach, i.e. your upstream router should be arping for it right now and my ScreenOS firewall would reply to that ARP request, it is still not working for me. This is a very broken implementation to me and I can't use the IPs I am paying $20/month extra for.
by Richard » Tue Dec 06, 2011 9:35 pm
@enclade, re:
enclade wrote:Yes, Sonic added a static MAC address for each of my IPs and the problem is solved! Thank you!
I've now become a Sonic 'Legacy' DSL customer. I've set up 1:1 NAT with multiple IPs across my /29.

Despite the assurances above that this is a Fusion-only issue, I'm seeing regular/repeatable disconnects after ~30 secs to 5 mins of usage.

An arping restores the connection immediately.

I've installed a once-per-minute arping script cron job, and my connection is staying up; turn off the job, and the disconnect reoccurs.

So I've a workaround, but it's clearly a hack.

I've contacted Sonic, and they're 'looking into it'. Could you please expand on what you had Sonic do for you with static MACs, so that I can suggest trying the same?

thanks!
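The once-per-minute arping workaround described in the post above, written out as an added example (not code from the thread or from Sonic): the script enumerates the usable addresses of a static block and sends one ARP request for the upstream gateway sourced from each of them, which is the "from below" learning path described earlier in the thread. Everything concrete here is an assumption: the 203.0.113.8/29 block and the 203.0.113.1 gateway are constructed documentation addresses (the real gateway may lie outside the block, as noted above), the interface name eth0 is a placeholder, and the arping flags follow iputils-arping on Linux; the FreeBSD port of arping spells the source-address flag differently, so check arping(8) on your system.

```shell
#!/bin/sh
# arp-announce.sh: keep a secured-ARP DSLAM's IP/MAC table warm for every
# address of a static block by ARPing for the gateway from each one.
# Usage: arp-announce.sh <block base> <prefix length>, run from cron once a minute.
# Added example; addresses, interface and arping syntax are assumptions.

IFACE="${IFACE:-eth0}"               # public (modem-facing) interface, placeholder
GATEWAY="${GATEWAY:-203.0.113.1}"    # provider gateway, constructed; may be outside the block
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the arping commands instead of running them

# Dotted quad -> 32-bit integer, using positional parameters as a splitter.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the usable host addresses of <base>/<prefix>, one per line,
# skipping the network and broadcast addresses.
block_hosts() {
  n=$(ip_to_int "$1")
  size=$(( 1 << (32 - $2) ))
  net=$(( n & ~(size - 1) ))
  i=1
  while [ "$i" -lt $(( size - 1 )) ]; do
    int_to_ip $(( net + i ))
    i=$(( i + 1 ))
  done
}

# One ARP request per host address, sourced from that address, asking for
# the gateway's MAC. -s sets the ARP sender IP (iputils-arping syntax, assumed).
# Returns the number of addresses announced.
announce_block() {
  count=0
  for ip in $(block_hosts "$1" "$2"); do
    cmd="arping -c 1 -I $IFACE -s $ip $GATEWAY"
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      $cmd >/dev/null 2>&1 || echo "arping from $ip failed" >&2
    fi
    count=$(( count + 1 ))
  done
  echo "$count"
}

# Only announce when a block is given on the command line.
if [ $# -ge 2 ]; then
  announce_block "$1" "$2"
fi
```

Running as root is required because arping opens a raw socket. A crontab line such as `* * * * * /usr/local/sbin/arp-announce.sh 203.0.113.8 29` reproduces the once-per-minute job from the post; `DRY_RUN=1 ./arp-announce.sh 203.0.113.8 29` shows the six commands without sending anything, and a quick tcpdump on the public interface (`tcpdump -ni eth0 arp`) confirms the requests go out with the expected sender addresses.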
by Robotech » Fri Dec 09, 2011 12:16 am
Hey - so I have a P-663HN-51 Zyxel bonded modem on Fusion- and I would like to enable one to one nat -

I have set up port forwarding - but I have a few Linux boxes and have to change my ssh ports so I can forward them to different internal IPs - if I could set up one to one NAT successfully - then each one could have a public IP - etc etc.

Truthfully I change my ssh ports from default - but I am still stuck on the concept of how to enable a true one to one nat setup -

Any advice? I am on MAC encapsulation mode with 1 static IP - I have 4 others to use... I have full cone NAT enabled and I have tried with the firewall on and off. I am sure that I am missing something....

Under NAT I have my port forwarding setup under: "NAT -- Virtual Servers Setup" - I dont really want to use a true / full bridged setup - all tho I could I suppose...

There has to be an answer to this - something like this: http://www.zyxeltech.de/snotezw5_362/app/multi_nat.htm -- See how this device has a one to one NAT selection?

Again I realize that I could go drop a grand and get a SonicWall firewall that does one to one NAT and do this with my modem in bridge mode - but dude - there must be a way....

:)

Thanks for any advice anyone can provide!

:)
by kgc » Fri Dec 09, 2011 4:55 pm
Robotech wrote: but dude - there must be a way....
The most obvious thing to do is to promote one of your Linux servers to also act as your firewall/NAT router.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by Robotech » Fri Jan 06, 2012 11:39 am
kgc wrote:
Robotech wrote: but dude - there must be a way....
The most obvious thing to do is to promote one of your Linux servers to also act as your firewall/NAT router.
So - actually I found a more elegant way:

If you add a second PVC and place that in bridged mode - then you can specify a static IP address on a device on your network - and as long as it is plugged into the modem's Ethernet you can have a bridged and NAT'ed setup.

I do have a concern about security in terms of having a bridged and NAT'ed setup on the same wire -

Any one have any thoughts about that?

:)