IP addressing of external interface

Hi all,

My question is about the IP addressing of an external interface of a firewall. It is obvious to use public IP addresses on the external interface. However, I need to know why? That is, what would happen if I were to use a subnet from private IP address space on the external side of the firewall? This question comes from the requirement of having two ISP connections on the external side of my firewall, which has got only one NIC for the external side. I have got two public IP address subnets assigned by two different ISP. One solution would be to use those public IP addresses on the external side, in which case the NIC of my firewall use is going to have a secondary IP address. However, if I were to use a subnet from private IP address space, and do the NAT on the firewall (Checkpoint Express by the way) for the public IP addresses, I would only need one IP address on the external interface of the firewall. So, what do you suggest/think for the IP addressing of the external interface?

Thanks!

Reply to
kiwi

If the external side is the Internet, you'll simply end up with packets that are not globally routable, and even when providing a wrong but routable address your ISP would filter it out anyway.

man IP-based load balancing

Reply to
Sebastian Gottschalk

You won't have Internet. Packets with private IP addresses MUST NOT be routed over public networks.

I'd suggest getting a second router and having each connected to one ISP.

[...]

Back to the drawing board.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I see all of your points. As a basic rule, the private addresses are not routed. However, my firewall is going to do NAT to set the source address of the outgoing packets to a public IP, which is routable on the Internet. So, I still do not see why it fails when I use private IP addressing between my firewall's external interface and the ISP router's interface facing my firewall!

Thanks!


Reply to
kiwi

Ah, finally a clearer description of what you mean. Still it's lacking details.

Reply to
Sebastian Gottschalk

I guess the following diagram and question summarize my question (please forget about the two separate ISP connections mentioned in my original message):

Internal LAN | ----- | (F1) Firewall (F2) | ----- | (R1) Router (R2) | ------> Internet

Internal IP space: 192.168.10.x/24
F1 - Firewall's internal interface: 192.168.10.1
F2 - Firewall's external interface: ?
R1 - Router's internal interface: ?
R2 - Router's external interface, which I am not interested in
Firewall: Checkpoint Express, doing NAT (both hide and static NAT). It maps the internal LAN to a block of ISP-assigned public IP addresses.

Question: If I were to use a private IP subnet (let's say 192.168.11.0/24) for the network between the firewall and the router, namely for the F2 and R1 interfaces, what would happen? Am I going to have an Internet connection for incoming or outgoing traffic, or both? Any reasoning for your comment?

Thanks!


Reply to
kiwi
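The round trip the diagram describes, as an added example that is not from this thread and not Check Point code: a small Python model of hide NAT on the firewall, a static routing table on the router, and an upstream ingress filter that drops RFC 1918 source addresses. The public block 203.0.113.0/29, the hide address 203.0.113.2, F2 = 192.168.11.1, R1 = 192.168.11.254 and the upstream hop 198.51.100.1 are assumed documentation-range values, not taken from the post. The three scenarios show the outcomes the replies argue over: an un-NATed private source is filtered upstream, a hide-NATed source is routed normally, and the reply only comes back across the private transit subnet if the router has a route for the public block pointing at F2.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread's diagram plus assumed documentation-range values
# for everything the post leaves as "?".
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
TRANSIT_NET = ipaddress.ip_network("192.168.11.0/24")   # subnet the poster asked about
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/29")   # assumed ISP-assigned block
F2 = "192.168.11.1"            # firewall external interface (assumed)
R1 = "192.168.11.254"          # router internal interface (assumed)
HIDE_ADDR = "203.0.113.2"      # public address used for hide NAT (assumed)
ISP_NEXT_HOP = "198.51.100.1"  # upstream hop beyond R2 (assumed)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in private (RFC 1918) space."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Hide NAT: internal sources are rewritten to HIDE_ADDR on the way out;
    replies to HIDE_ADDR are mapped back with the remembered internal source."""

    def __init__(self, nat_enabled: bool):
        self.nat_enabled = nat_enabled
        self.table = {}  # (public_src, remote_dst) -> internal src

    def outbound(self, pkt: Packet) -> Packet:
        if self.nat_enabled and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            self.table[(HIDE_ADDR, pkt.dst)] = pkt.src
            return replace(pkt, src=HIDE_ADDR)
        return pkt

    def inbound(self, pkt: Packet):
        internal = self.table.get((pkt.dst, pkt.src))
        return None if internal is None else replace(pkt, dst=internal)


class Router:
    """Static routing table: (prefix, next hop) entries, longest-prefix match."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst: str):
        a = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, nh) for net, nh in self.routes if a in net]
        return max(matches)[1] if matches else None


class IspEdge:
    """Upstream ingress filter: drops RFC 1918 sources, answers anything else
    (the remote host is folded into the ISP to keep the model short)."""

    def handle(self, pkt: Packet):
        return None if is_rfc1918(pkt.src) else Packet(src=pkt.dst, dst=pkt.src)


def simulate(firewall, router, isp, internal_host="192.168.10.50", remote="192.0.2.10"):
    """Run one request/reply round trip; returns (verdict, hop log)."""
    log = []
    pkt = firewall.outbound(Packet(src=internal_host, dst=remote))
    log.append(f"F2 sends {pkt.src} -> {pkt.dst}")
    if router.next_hop(pkt.dst) != ISP_NEXT_HOP:
        return "request dropped: router has no route to the Internet", log
    reply = isp.handle(pkt)
    if reply is None:
        log.append(f"ISP edge drops source {pkt.src}: private address on the public network")
        return "request filtered upstream", log
    log.append(f"ISP returns {reply.src} -> {reply.dst}")
    nh = router.next_hop(reply.dst)           # reply needs a route for the public block to F2
    if nh != F2:
        log.append(f"router forwards {reply.dst} via {nh}, not toward F2")
        return "reply never reaches the firewall: no route for the public block to F2", log
    delivered = firewall.inbound(reply)
    if delivered is None:
        return "reply dropped at firewall: no NAT state", log
    log.append(f"firewall de-NATs to {delivered.dst}")
    return "round trip ok", log


BASE_ROUTES = [("0.0.0.0/0", ISP_NEXT_HOP), (str(TRANSIT_NET), "connected")]


def scenario(nat: bool, static_route: bool) -> str:
    """Verdict for one combination of firewall NAT and router static route."""
    routes = BASE_ROUTES + ([(str(PUBLIC_BLOCK), F2)] if static_route else [])
    verdict, _ = simulate(Firewall(nat), Router(routes), IspEdge())
    return verdict


if __name__ == "__main__":
    for nat, sr in ((False, True), (True, False), (True, True)):
        print(f"NAT={nat!s:5} static route to F2={sr!s:5}: {scenario(nat, sr)}")
```

The model deliberately leaves out NAT on the router itself, the alternative the other replies mention; in that case the router, not the firewall, would own the public address and the transit subnet's addressing would not matter to the ISP at all.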

It would work the same way as before assuming that the router is properly configured to do the NAT magic as well.

In any case I wonder what the router is actually supposed to do there if it's only forwarding anyway...

I'm still thinking about why you're asking that...

Reply to
Sebastian Gottschalk

You would need an extra NAT router.

Yours, VB.

Reply to
Volker Birk

If your provider supports that: fine. If not, his router won't send any packets to your router, thus depriving you of Internet connectivity.

Even if your ISP were to support private IPs (which would be okay if his network is not public) *his* router would have to do the NATing, in which case you wouldn't need a public address at all.

What are you trying to achieve anyway? (besides shooting yourself in the foot I mean)

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Media or link-layer conversion?

Reply to
Walter Roberson

It is an SDSL router, which connects us to our ISP.


Reply to
kiwi

friend,

But you have to define a static path for it... try it.

Reply to
Jharnet
