  1. #1
    Newbie
    Join Date
    Jun 2012
    Posts
    5

    Using Uverse Static IPs with Untangle

    Hello all,

    Thank you in advance for any assistance/posts that you may provide.

    I currently have ATT Uverse internet with 5 static IPs assigned. My IPs are XX.XXX.XXX.233 - 237. From what I have gathered from reading other posts, Uverse works quite differently with regards to how I can use my static IPs. Like most business class routers, I believe that Untangle can connect to the modem via the external NIC and then assign aliases and get all of the static IPs.

    Given that I am a residential customer, I have a 2Wire router that will only assign 1 static IP per MAC address. I am guessing that I can't use my static IPs without adding more NICs to my Untangle server. So I added 2 NICs to my Untangle server hoping that I could use a couple of my static IPs. My plan with the 2 extra NICs is to assign one to my mail server and the other to my web server. My question is how to set that up?

    Right now my external NIC is set up with one of the static IPs, XXX.XXX.XXX.233. It has a netmask of 255.255.255.248 (29) with the gateway set at XXX.XXX.XXX.238; this is what it is, as Uverse assigns more than just 5 static IPs, but only the 5 are usable. All of the Xs are the same numbers. All works great. I have set my Uverse router to DMZ plus mode, which sends the external NIC right to the internet without a firewall. I have Untangle set up in router mode without DHCP as I have a domain controller taking care of DNS and DHCP.

    My internal NIC is set static to 10.2.100.1 /255.255.255.0 (24).

    Now I have a DMZ and eth03 NIC ready to be used. I am able to get a static IP from my Uverse router because each of these NICs has a MAC address. I have assigned XXX.XXX.XXX.234 to the DMZ NIC for now.

    What should I set the DMZ NIC to be: static, dynamic, or bridge? I should note that the Uverse router also makes me use DHCP for getting the static IP. I have set up the DMZ to be dynamic and it seems to connect okay, but what

    What I really want to do is make all traffic on XXX.XXX.XXX.234 go to 10.2.100.26 on my internal network (mailserver). What is the best way to achieve this?

    Thank you for any help, I hope there is enough information here.

  2. #2
    Master Untangler
    Join Date
    Jan 2011
    Posts
    730


    Are you really sure it has to be set up this way? It seems ridiculous, and I don't know if Untangle will even work configured like this.

    All that should be required is to set your primary public IP address on your EXT interface, and then add the additional IP addresses as Aliases (in your case XXX.XXX.XXX.234/32). There's no reason I can fathom to have multiple NICs for extra addresses in the same subnet.

    Either way, regardless of how you get the public IPs set up, the 1:1 NAT configuration is the same:

    For inbound traffic, you need a Port Forward rule (advanced mode): Destination Address XXX.XXX.XXX.234, New Destination 10.20.100.26

    For outbound traffic, you need a NAT Rule on the Internal Interface: Address 10.2.100.26 / 32, Source Address XXX.XXX.XXX.234.

    After you set up the outbound NAT rule, use an IP address checking site like www.whatismyipaddress.com from a browser on the mailserver to verify it sees the desired IP.

    However I really recommend you try setting all the IPs on the EXT interface and disconnecting your extra NICs. It really should work that way, and really may not work the way you have it set up.
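
An added example, not part of the original posts: a consistency check for the 1:1 NAT rule pair described in post #2 (inbound port forward plus outbound NAT rule), using Python's `ipaddress` module. The public prefix 203.0.113.232/29 is a constructed stand-in for the masked XXX.XXX.XXX addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in: the thread masks its public prefix, so a
# documentation range (203.0.113.232/29) replaces XXX.XXX.XXX.232/29.
PUBLIC_NET = ipaddress.ip_network("203.0.113.232/29")
GATEWAY = ipaddress.ip_address("203.0.113.238")
# Internal NIC from the thread: 10.2.100.1 / 255.255.255.0
INTERNAL_NET = ipaddress.ip_network("10.2.100.0/24")


def usable_statics(net=PUBLIC_NET, gateway=GATEWAY):
    """Host addresses in the block that are left once the gateway is taken."""
    return [h for h in net.hosts() if h != gateway]


def check_one_to_one(public_ip, forward_to, nat_match, nat_source):
    """Return a list of problems in a 1:1 NAT rule pair (empty = consistent).

    Inbound port forward: destination public_ip -> forward_to
    Outbound NAT rule:    traffic from nat_match leaves as nat_source
    """
    pub = ipaddress.ip_address(public_ip)
    target = ipaddress.ip_address(forward_to)
    # Accept the "10.2.100.26 / 32" spelling used in the thread.
    match = ipaddress.ip_network(nat_match.replace(" ", ""), strict=False)
    source = ipaddress.ip_address(nat_source)

    problems = []
    if pub not in usable_statics():
        problems.append("public address is not one of the usable statics")
    if target not in INTERNAL_NET:
        problems.append("port-forward target is outside the internal subnet")
    if match.prefixlen != 32 or match.network_address != target:
        problems.append("outbound rule does not match the forwarded host")
    if source != pub:
        problems.append("outbound source differs from the inbound public address")
    return problems


if __name__ == "__main__":
    print([str(a) for a in usable_statics()])
    print(check_one_to_one("203.0.113.234", "10.2.100.26",
                           "10.2.100.26 / 32", "203.0.113.234"))
    print(check_one_to_one("203.0.113.234", "10.20.100.26",
                           "10.2.100.26 / 32", "203.0.113.234"))
```

The last call uses the new destination 10.20.100.26 as typed in the post; it is flagged because the internal NIC described in post #1 is on 10.2.100.0/24.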

  3. #3
    Newbie
    Join Date
    Jun 2012
    Posts
    5


    Thank you for your reply!

    Yes, I have to set it up this way...ridiculous I know. I have searched many forums and it seems that for every static IP I need, I have to have a MAC address. I also have searched and there is no easy way to set the Uverse RG to "Bridge" all of the IPs.

    The worst part is that my mail server and web server are virtual, so I can't add them physically to the Uverse RG to just set it up that way.

    What I gathered from your response is that I should dump Uverse and get a real ISP; I agree, but that is not an option for me right now. So my question now...Is there even a way to set this up using Untangle and Uverse's 1 IP for 1 MAC?

    I appreciate your advice,

    Brian

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,895


    No, the Linux core that Untangle lives on won't allow you to MAC spoof aliases. Trust me, I've tried... COX gave me a song and dance about needing to do the same thing.

    Also, adding more NICs to Untangle doesn't help. You can't have a router "routing" into the same IP range more than once.

    If your ISP is truly stuck to the concept of 1 MAC per IP address, you're SOL on having them all on Untangle. That said, I haven't found a case where this situation is actually real.

    If you have a device "assigning" addresses those addresses aren't static. Those are IP reservations, not the same thing.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    rob@intouchtechllc.com

    UntangleAppliances.com
    Phone: 866-794-8879

  5. #5
    Master Untangler
    Join Date
    Jan 2011
    Posts
    730


    ah, yes, I see, crazy stuff: http://www.ka9q.net/Uverse/static-ip.html. apparently it's not the UVerse service itself that creates this situation, but their crazy Residential Gateway 'router' device. they've made their device so secure that it doesn't work!

    all I can think of to try is to bridge the DMZ interface to the External interface, and connect the DMZ interface to a separate switch. then in your VM host, you'll need a dedicated interface for the VM public-facing network interfaces (i.e. the web server and mail server) which will also be connected to the DMZ switch. then the VMs should be able to pull public IPs from the Uverse RG DHCP server through the untangle bridge.

    after that it may still not work, because untangle isn't a true layer-2 bridge, so the RG may go ape$hit when it starts looking at the bridged packets.

    at that point you can just throw in the towel and plug the public interface of your VM host into the RG, and let Untangle handle just the private LAN.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,895


    That is the only approach you can use to be fair.

    If DMZ is bridged to external, you're extending the IP space the ISP provides beyond Untangle to devices attached to DMZ's switch.

    External is then free to use DHCP to pull one address, and devices on DMZ are free to pull others. Worst case scenario you'll have to bypass DHCP broadcasts coming from the DMZ interface. I think this is already the case, but be prepared to try it anyway.

    And for the record, Untangle is a true layer-2 bridge, on a Linux level. Where things break is when packets transit the UVM, that's where the funky layer 3 over layer 2 weirdness happens. So if the traffic is bypassed, you can safely consider Untangle a true bridge.

  7. #7
    Master Untangler
    Join Date
    Jan 2011
    Posts
    730


    agreed on the last point sky, but of course if all the traffic through the DMZ is bypassed around the UVM, then little is gained by having it transit untangle at all and he may as well plug the DMZ switch straight into the Uverse RG.

  8. #8
    Newbie
    Join Date
    Jun 2012
    Posts
    5


    Thank you guys for all of the advice, I really do appreciate it. I am sure that I will do some testing with the methods you guys prescribed. I will let you know how it goes. I just may have to call ATT to see if there is a workaround.

    I do live in a larger metro area, so there might be some other options out there as I really do want static IPs for my different machines.

    Thanks again.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,895


    Originally posted by johnsonx42:
    "agreed on the last point sky, but of course if all the traffic through the DMZ is bypassed around the UVM, then little is gained by having it transit untangle at all and he may as well plug the DMZ switch straight into the Uverse RG."

    He wouldn't have to bypass everything, just DHCP. The DHCP process will use the MAC address of the interface receiving the address, not Untangle so it should work.

    Once the addresses are assigned traffic should flow, unless that router violates RFCs. And if it does that, it's time for a new router / new ISP.

  10. #10
    Master Untangler
    Join Date
    Jan 2011
    Posts
    730


    Originally posted by sky-knight:
    "... unless that router violates RFCs."

    I'm pretty sure that's where things are at. From what I read, if that router sees packets that came through the UVM with the source machine's layer 3 but Untangle's layer 2, it's going to freak. (at least that's my understanding of how untangle's bridging through the UVM works - the original layer 2 gets destroyed, and the packet gets re-built by the outbound interface... right?)

    It'll be very interesting to see what the result of copper21's efforts here is.
