Joined: Dec 2007
Posts: 65
Member
OP Offline
I have 2 blocks of IP Addresses, one on a /29 and another on a /27 subnet. I am using an Adtran Total Access 612 router that connects to my Watchguard Firewall. The /29 network is currently connected to my Watchguard’s external interface (eth0). I will be configuring an additional interface on the Watchguard for the /27 subnet of IP addresses I received from T1 provider to eth1 on the Watchguard. My T1 provider has informed me that the Adtran can use more than one IP address on its Ethernet port. So in theory, I should be able to take the patch cord from the Adtran, plug it into a switch and plug one patch cord from the switch to eth0 and the other patch cord to eth1 and be able to utilize both subnet networks on my Firewall. Does this make sense?


Joined: Apr 2001
Posts: 1,390
Member
Offline
NO.

Post WG model number. We've installed a lot of these, but need to know which one.

Joined: Apr 2001
Posts: 1,390
Member
Offline
May also want to try the WG forum for better support.

Joined: Dec 2007
Posts: 65
Member
OP Offline
It's a Watchguard X500

Joined: Aug 2005
Posts: 131
Member
Offline
My guess is your provider did not have a contiguous block of addresses for you and wants you to assign a secondary address to your router. This happens quite frequently.

Joined: Apr 2001
Posts: 1,390
Member
Offline
Before I replied I wanted to confirm your WG model (which seems to provide 3 ports by default, 6 max; and also wanted to make sure you were not confusing the term port as it is generically misused most often in regards to routers). Yes, in short, you can do what you want, but does it do any good? This will give you 2 wan and 1 lan connection(s), which makes no sense really, since your wan connections are to the internet via the same provider/link, providing no redundancy.

Joined: Dec 2007
Posts: 65
Member
OP Offline
The issue at hand, is I only have 8 static IP addresses on a /29 subnet. 3 of those IP addresses are being used for routers, giving me only 5 static IP addresses to work with. I wanted to add more public IP addresses so I could configure the firewall to redirect to servers and workstations on the LAN. Thanks for your input. Any other comments?

Joined: Apr 2001
Posts: 1,390
Member
Offline
Why not just forward specific ports to the devices behind the firewall? For instance why do you want routable IP's on some of your workstations? What is it you're trying to do?

Why not use IP forwarding?

Joined: Dec 2007
Posts: 65
Member
OP Offline
This is all being implemented to allow me access directly into the servers via Remote Desktop or Integrated Lights Out Management on my HP Servers. Also other misc things like allowing access to the in-house Instant Message server in the LAN from the outside world. I'm just out of public IP's to use.

Joined: Dec 2007
Posts: 65
Member
OP Offline
Also, having the multiple public IP's I can assign DNS names to the public IP's so I don't have to remember the public IP address of SERVER1.

Joined: Dec 2007
Posts: 65
Member
OP Offline
One other comment. I'm using Watchguard System Manager 8.2, which does not allow me to add multiple subnets to one ethernet port on the firewall. I could try upgrading the Watchguard System Manager to the latest version which I think is 9.1 now. That updates the firmware on the Firewall and might allow adding multiple external subnets.

Joined: Jun 2006
Posts: 318
Member
Offline
Not sure about the Watchguard, but most newer firewalls should support Port Address Translation. If yours does, you could assign different ports for RDP access on each system you wanted to manage. Then tell the firewall to forward requests to different servers based on the port number, even though you're connecting to a single external IP address. Same with other services.


Sometimes you carpe diem, sometimes your diem gets carped.
Joined: Dec 2007
Posts: 65
Member
OP Offline
Yes, the Watchguard does Port Address Translation. I don't like having to change the RDP port numbers on the servers. Plus I have 32 public IP Addresses on the /27 subnet that are available to me.

Joined: Oct 2007
Posts: 62
Member
Offline
This doesn't sound good, using RDP across public web, unless you know the source IP you will always be coming from; then you allow only that. Have you looked into a Browser based VPN like SSL Explorer, for example? With this you go to a web site using port 443 and once you authenticate to it you can RDP to anything you want on your trusted segment.


Adrian
Joined: Sep 2006
Posts: 329
Member
Offline
You have lost me completely.

Joined: Sep 2006
Posts: 329
Member
Offline
Why do you have two different ranges of IP addresses? Are these coming from different internet service providers?

Joined: Dec 2007
Posts: 65
Member
OP Offline
It's the same service provider. The number of IP addresses on a /29 subnet is 8. So I can't be allocated any more IP Addresses on that same network. When I requested more IP Addresses, the provider gave me a range on the /27 subnet which has 32 IP Addresses. This link explains everything: https://www.akadia.com/services/ip_routing_on_subnets.html

Joined: Sep 2006
Posts: 329
Member
Offline
I know what the /29 means. It means your subnet mask equals 11111111111111111111111111111000 binary (29 ones) or FFFFFFF8 hex or 255.255.255.248 in standard ip notation. I just never heard of a situation like this where the internet service provider gives you two different ip address ranges on a single link.

So why don't you just use the /27 subnet which contains 32 ip addresses? Is there never enough?

While you have 8 ip addresses in a /29 subnet, you have only 6 that are assignable to an interface. The first address is the network address and the last address is the broadcast address.

So if you have 3 of those addresses already assigned to routers, you only have 8 minus 3 minus 2 left.

Why do you have three routers connected to one internet connection? Is this just for experimentation? Maybe you could draw us a diagram.

Joined: Jun 2005
Posts: 261
Member
Offline
I agree that naked RDP across the public internet is a BAD idea.

I normally use a Unix box as a firewall, and tunnel RDP or VNC via SSH. You need an SSH client on the remote host, and some simple configuration.

You port forward one or more local ports to one or more remote ip:port pairs via the tunnel. You can set up multiple tunnels under a single ssh session, and not have to make any configuration changes within your network.
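
The setup described in the post above, as an added example that is not part of the original thread: an OpenSSH client configuration carrying several forwards in one session, with a matching restriction in the firewall's sshd so the tunnel can only reach the listed management ports. The host name, user name, key path and 10.0.0.x addresses are constructed placeholders.

```sshconfig
# ---- ~/.ssh/config on the remote (home or laptop) machine ----
# All names and addresses here are constructed placeholders.
Host office-fw
    # Public address of the Unix firewall running sshd
    HostName fw.example.net
    User remoteadmin
    # Key-based login only; offer just this key
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Abort the session if any forward below cannot be set up
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    # Bind every forward to loopback so other hosts on the
    # remote network cannot ride the tunnel
    # SERVER1 RDP
    LocalForward 127.0.0.1:13389 10.0.0.11:3389
    # SERVER2 RDP (servers keep the default port 3389)
    LocalForward 127.0.0.1:13390 10.0.0.12:3389
    # A host managed over VNC
    LocalForward 127.0.0.1:15900 10.0.0.13:5900

# ---- /etc/ssh/sshd_config on the firewall ----
# No password logins on the Internet-facing sshd
PasswordAuthentication no

Match User remoteadmin
    # Allow client-to-LAN forwards only, and only to these targets
    AllowTcpForwarding local
    PermitOpen 10.0.0.11:3389 10.0.0.12:3389 10.0.0.13:5900
    X11Forwarding no
    AllowAgentForwarding no
```

Start the tunnel with `ssh -N office-fw`, then point the RDP client at `127.0.0.1:13389` for the first server. Only TCP 22 on the firewall is exposed to the Internet; the RDP and VNC ports stay closed on the external interface.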

Joined: Dec 2007
Posts: 65
Member
OP Offline
Yes, naked RDP is not secure. I have a static IP address at home and the firewall was only going to allow that IP address into the RDP session. I am strictly setting this up to work on the servers remotely. If something was to happen outside of normal business hours and also to perform windows updates. If I was not at home, it would be nice to have a solution where I could access the servers from any computer that had internet access securely. I'm getting some good ideas here. Does anyone have any other options? So far we got RDP over SSH and browser based VPN.

Joined: Sep 2006
Posts: 329
Member
Offline
Try LogMeIn Free! I still don't get what the topic-meister is asking. Could you please draw us a picture? Why have you forsaken us?

Joined: Apr 2001
Posts: 1,390
Member
Offline
Well, getting back to your original question: it does require a bit more attention with the ISP. You will need to let them know that you want a block of public IP’s on the Lan side of your router; this will allow them to build proper routes w/in their network defining the location of your Lan-side network. It’s really pretty simple, if the ISP will allow for it.

Joined: Jun 2006
Posts: 318
Member
Offline
One thing you could do here is to install one server with RDP access. Then through that RDP connection run VNC to your servers. We do that at my work (through Citrix) and it works well for us. All you have to do is load VNC Server on the systems you want to manage and VNC Viewer on the system you RDP into. Less of a security risk as you only need Internet access to the server that you use VNC viewer on.


Sometimes you carpe diem, sometimes your diem gets carped.
Joined: Jan 2008
Posts: 148
Member
Offline
I recommend you use at least two remote capable services in case one (usually windows TS) seizes up and won't allow connections. Then you can connect in with the other and reset it without needing to slog out to the site.


About me:
8 years of network support
7 years IT field service

Always looking for the next project to be done.
Joined: Jun 2007
Posts: 2,106
Member
Offline
I recommend you just set-up the watchguard router correctly.

Port Address Translation does not require you to change the port on the server. You are mapping external-IP port 3394 to server-internal-IP port 3389 inside the watchguard. BTW, 3389 is the standard windows RDP port. It's also recommended (by monkeysoft) to space the RDP ports 5-ports apart for whatever silly reason.

If you are worried about typing external-IP:3394 in your MSTSC connect window then all I can say is life's tough.

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024
Powered by UBB.threads™ PHP Forum Software 7.7.5