  1. #1
    Newbie
    Join Date
    Feb 2017
    Posts
    3

    Multi WAN interfaces that utilize the same gateway - HELP

    Hello,

    I'm setting up a server at a colo and I'm having some issues. I was given a block of 10 IP addresses, all sequential. I have multiple VMs that I'm trying to designate individual IPs to for the sake of keeping things separated in a sense. With that said, I'm passing traffic through Untangle. I already have an external WAN interface that is utilizing the gateway that my block of IPs share. So when I go to add another external WAN interface and use the same gateway, I get an error that there is a conflict between the two interfaces. Now I've tried to do some Google searching and I've stumbled across a couple of different threads about this, and without suggesting that it can or can't be done, what can I do?

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    I don't work with Vlans, so this is just a quick suggestion for you to figure out if it applies.

    I assume you are adding the WAN interfaces in the VM for NGFW? Don't do that.

    • In one NGFW external interface, add nine 'IPv4 Aliases'; for the netmask, I assume you were given a /28. Then 1:1 NAT might get you to the other VMs.
    • Another thought is ten NGFW instances.
    • or, NGFW in bridge mode.
    Last edited by Jim.Alles; 02-20-2017 at 04:57 AM. Reason: for the dots

  3. #3
    Newbie
    Join Date
    Feb 2017
    Posts
    3


    Correct me if I'm wrong, as I very well could be, but if I have one external interface with the IP of ###.###.###.75 and the gateway of ###.###.###.1 associated with VM1, and I want to add the next IP in my block and associate it with VM2, I would simply add an alias to the already existing external interface? If so, I'm confused as that external interface has a defined address already. Wouldn't adding an alias simply redirect the second IP back to that of the first? i.e. second IP ###.###.###.76 added as an alias to the interface addressed with ###.###.###.75? Let me know if I'm correct in my thinking or not. Certainly appreciate the help!

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    Aliases are on the NGFW interface, it doesn't direct anything anywhere.

    NAT does. Your VMn have inside addresses.

  5. #5
    Newbie
    Join Date
    Feb 2017
    Posts
    3


    So you are suggesting to add aliases not within Untangle, but from the interface adapter within my VM environment (VMware vSphere client)? Sorry for the 50 questions, I'm just having a hard time visualizing where to put the aliases. Thanks again
    Last edited by tscaf; 02-20-2017 at 05:15 AM.

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469


    In one NGFW external interface, add nine 'IPv4 Aliases';
    I can't give you a tutorial on this forum here.

    Put NGFW in bridge mode, give it one of the ten IPs and be done with it.
    That is probably the most elegant solution for this case.
    If you think I got Grumpy

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    It looks like Jim cleared this up, but just to be clear.

    You cannot have multiple interfaces on any router aimed at the same network, therefore you'll never use more than one interface with the same gateway. This is TCP/IP 101, not a limitation of Untangle. To have multiple interfaces pointed at the same network you need adapter teaming; Untangle doesn't support this. But the key to remember is that even with a router that supports adapter teaming, you still only have 1 logical interface per network.

    Jim was correct to suggest that you use aliases. If you want your network to be routed, then the devices behind Untangle get different addresses than what are publicly available, and you configure aliases on external so Untangle owns the public addresses you need. Then you use port forwards to handle incoming traffic, and NAT policies to handle outgoing traffic.

    You can also do as Jim suggested and make Untangle a bridge, in this case every device would simply have a public address, and Untangle filters traffic because the traffic must transit Untangle to get to the internet facing equipment. You can think of Untangle as a smart switch of sorts, that inspects traffic. This configuration requires a bit more work because you need to define firewall rules to block all ingress traffic, and then make pass rules for your public services.

    Which configuration you'd use depends on your goals. If you have a public address for all systems, and this isn't likely to change any time soon, then the bridge configuration would be simplest.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
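
The routed layout described in this thread, sketched as an added example (not code from any poster or from Untangle): one check that flags two interfaces placed on the same network, and one planner that turns a public block into aliases on a single external interface plus a port forward and NAT policy per inside host. The 203.0.113.0/24 and 192.168.10.x addresses, the /24 netmask, the VM names and both function names are constructed for illustration.

```python
import ipaddress

def find_conflicts(interfaces):
    """Return pairs of interface names whose configured networks overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def plan_routed(primary, gateway, public_block, inside_hosts):
    """Plan one external interface: aliases plus 1:1 NAT per inside host."""
    ext = ipaddress.ip_interface(primary)
    if ipaddress.ip_address(gateway) not in ext.network:
        raise ValueError("gateway is not on the external network")
    publics = [ipaddress.ip_address(p) for p in public_block]
    stray = [str(p) for p in publics if p not in ext.network]
    if stray:
        raise ValueError(f"not on the external network: {stray}")
    if len(inside_hosts) > len(publics):
        raise ValueError("more inside hosts than public addresses")
    # Every public address except the primary becomes an alias, so the
    # firewall answers for the whole block on one logical interface.
    aliases = [str(p) for p in publics if p != ext.ip]
    rules = []
    for pub, (vm, inside) in zip(publics, inside_hosts.items()):
        rules.append({
            "vm": vm,
            "port_forward": f"dst {pub} -> {inside}",  # incoming traffic
            "nat_policy": f"src {inside} -> {pub}",    # outgoing traffic
        })
    return {"aliases": aliases, "rules": rules}

# Constructed sample: ten sequential public addresses, two inside VMs.
BLOCK = [f"203.0.113.{n}" for n in range(75, 85)]
VMS = {"vm1": "192.168.10.11", "vm2": "192.168.10.12"}

if __name__ == "__main__":
    # Two WAN interfaces on the same network: the conflict from post #1.
    print(find_conflicts({"wan1": "203.0.113.75/24", "wan2": "203.0.113.76/24"}))
    plan = plan_routed("203.0.113.75/24", "203.0.113.1", BLOCK, VMS)
    print(plan["aliases"])
    for rule in plan["rules"]:
        print(rule)
```

In this plan only hosts with an explicit port forward are reachable from outside; the remaining aliases are owned by the firewall but forward nowhere until a rule is added.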
