  1. #1
    Newbie
    Join Date
    Aug 2018
    Posts
    2

    Multiple WAN IPs on same Subnet

    Hello, All.

    My first post of many I hope, both to answer and to ask questions.

    My first question is pretty clear in the subject: can I have two (or more) external ports configured from the same subnet on a single device?

    An example would be: -

    External Port 1 = 10.0.0.1 /255.255.0.0
    External Port 2 = 10.0.0.2 /255.255.0.0
    External Port 3 = 10.0.0.3 /255.255.0.0

    and so on.

    On the internal side of things, there would be the same number of internal ports as external. Each internal port would have to be isolated from all the other ports except for the external port that would bring traffic to the specified internal port.

    My goal is to use one instance of Untangle in a VMware based environment to manage all of our external addresses, one for email, one for web servers, one for vpn and so on.

    I tried to do this but it didn't work (I assume it was a user error with error code ID10T.... lol)

    Thanks

    Jevon

  2. #2
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    643


    Aside from the comment that that is a bad way to structure a routed network....

    To route out multiple external interfaces on the same subnet you will need to make static routes in untangle - did you do that? That isn't an "untangle thing", really that is basic routing/networking and would have to be done on any router.

    Otherwise Untangle will see 3 options on the same subnet to shove the external data, and will just put all traffic on the first qualified entry in the dynamic routing table - likely the lowest IP address.

    Obviously to have the data coming IN on the correct external interface you will also need proper routing on the network upstream of Untangle as well...

  3. #3
    Newbie
    Join Date
    Aug 2018
    Posts
    2


    Hello,
    Thanks for your response. I have not set this up yet and wanted to know if the Untangle NG Firewall could manage this kind of setup. I was aware of the need to create static routes, but I have not started to set this up, mainly due to the Untangle firewall not allowing me to save a config that has two external NIC ports with the same subnet (or at least I think this is why it will not commit the change).

    I guess this is not going to be a worthwhile endeavor, from the sounds of it. The end goal is to attempt to consolidate a lot of virtual firewalls into a single virtual appliance.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,184


    Different WANs cannot have IPs in the same subnet. Multiple IPs of the same subnet are added to the aliases field of the WAN interface. Use NAT rules to have specific LAN networks exit using specific WAN IPs.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    643


    Yeah, but couldn't you put a 255.255.255.255 subnet on the WAN interfaces and then make static routing rules to get the traffic moving out the right NIC?

    I'm not saying that is a GOOD idea, was just thinking out loud that technically one may be able to do what the OP asked.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,643


    Quote, originally posted by JasonJoel:
    Yeah, but couldn't you put a 255.255.255.255 subnet on the WAN interfaces and then make static routing rules to get the traffic moving out the right NIC?

    I'm not saying that is a GOOD idea, was just thinking out loud that technically one may be able to do what the OP asked.
    (End of quote.)

    If you do that, the interface will not have any ability to talk to anything. Only 1 IP address is valid in a /32, so what other address would you communicate with? You'd need a /30, and another address, and I don't think the ISP is going to carve up their provided ranges.

    This configuration is FUBAR, it just isn't compatible with the way TCP/IP works.

    You put aliases on a single interface to handle a given IP network; that's how that works. If you need more bandwidth than you can get out of a single interface, you team adapters. Untangle cannot do this bit, though. But that's how all of this is accomplished, regardless of what equipment is used. But regardless, under no circumstances can a router be connected twice to the same IP network; that's an IP conflict.
    Last edited by sky-knight; 08-09-2018 at 09:02 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
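
The points made in posts #4 and #6 (no two WAN interfaces in one subnet, extra addresses go in as aliases, a /32 has no on-link neighbour) can be checked before touching any firewall. The following is an added example, not part of the thread and not Untangle code; the function names and the 10.0.0.254 gateway are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed input: the three external ports proposed in the first post.
PROPOSED = {
    "External 1": "10.0.0.1/255.255.0.0",
    "External 2": "10.0.0.2/255.255.0.0",
    "External 3": "10.0.0.3/255.255.0.0",
}

def find_conflicts(interfaces):
    """Pairs of interfaces whose directly connected networks overlap."""
    parsed = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].network.overlaps(parsed[b].network)]

def consolidate(interfaces):
    """One primary address per network; the rest become aliases on it."""
    groups = {}
    for addr in interfaces.values():
        iface = ipaddress.ip_interface(addr)
        groups.setdefault(iface.network, []).append(iface.ip)
    return [{"network": str(net), "primary": str(min(ips)),
             "aliases": [str(ip) for ip in sorted(ips)[1:]]}
            for net, ips in groups.items()]

def on_link_peers(addr):
    """How many other host addresses are reachable without a router."""
    net = ipaddress.ip_interface(addr).network
    # /31 and /32 have no network/broadcast addresses to subtract.
    reserved = 0 if net.prefixlen >= net.max_prefixlen - 1 else 2
    return net.num_addresses - reserved - 1

def gateway_on_link(addr, gateway):
    """True if the gateway sits inside the interface's own network."""
    iface = ipaddress.ip_interface(addr)
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip

if __name__ == "__main__":
    print("conflicts:", find_conflicts(PROPOSED))
    print("plan:", consolidate(PROPOSED))
    # Hypothetical upstream gateway 10.0.0.254, used only for the demo.
    for mask in ("255.255.255.255", "255.255.255.252", "255.255.0.0"):
        addr = "10.0.0.1/" + mask
        print(mask, on_link_peers(addr), gateway_on_link(addr, "10.0.0.254"))
```
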

  7. #7
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    643


    You're right... I should have engaged brain before mouth. lol.

    Of course what I said will not work. I know better. I was thinking of 2 different things at the same time, and ended up with an answer that made no sense...
    Last edited by JasonJoel; 08-09-2018 at 09:21 AM.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,643


    Quote, originally posted by JasonJoel:
    You're right... I should have engaged brain before mouth. lol.

    Of course what I said will not work. I know better. I was thinking of 2 different things at the same time, and ended up with an answer that made no sense...
    (End of quote.)

    I do wonder though, on a purely theoretical level.

    Say you had three WAN interfaces all attached to the same IP range, and configured to a specific gateway. Assuming the unit routed normally (Big assumption, I assume dragons here), you could specify a route based on interface instead of address and maybe make this work? But you can't do that with a GUI, this is the sort of work you'd use a Cisco for.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
