Page 1 of 2, results 1 to 10 of 13
  1. #1
    Untanglit (Join Date: May 2021; Posts: 21)

    Internal to External Routing

    I have some questions regarding how to set up routing within Untangle properly. This is the situation (all IP addresses have been changed to non-routable addresses for privacy):

    My ISP has assigned me a block of external IP addresses, 10.10.10.240/29, therefore:
    10.10.10.240 is my network address.
    10.10.10.247 is my external broadcast address.
    10.10.10.241 to 246 are my available external IP addresses.

    They have also provided me with my Next Hop Address: 10.0.0.185/31
    with the gateway as 10.0.0.184

    They have told me to assign 10.0.0.185 to my external interface and use 10.0.0.184 as the gateway for it. (Is this correct?)

    When accessing the internet from my internal network, it appears to the outside world that all the traffic is coming from 10.0.0.185 instead of from the external addresses I should be using, 10.10.10.241 to 246.

    Further, in my internal network, I have multiple VLANs.

    When setting up the routing, I would like:
    All traffic from Untagged Internal Interface to go out from IP: 10.10.10.241
    All traffic from Tagged VLAN 1 to go out from IP: 10.10.10.242
    All traffic from Tagged VLAN 2 to go out from IP: 10.10.10.243
    All traffic from Tagged VLAN 3 to go out from IP: 10.10.10.244
    etc.

    I believe that I need to combine Manual Routes and NAT Rules, but I am not sure what is the best method to accomplish this.

    Thanks for any advice.
    [Attachment: Basic Network.png]

  2. #2
    Master Untangler (Join Date: Oct 2013; Posts: 261)

    In a nutshell, you'd want to set up 10.0.0.185/31 as your WAN interface address and mask with the default gateway set to 10.0.0.184. Don't forget to input the primary and secondary DNS addresses.

    Under Alias, that is where you'll need to put the IP address block your ISP gave you, which is 10.10.10.240/29.

    Next, in NAT Rules, you'll need to add a rule for each VLAN you want NATted to a specific address in the 10.10.10.241 to 246 range.

    For example, 1st rule would have the following:
    Source address: 192.168.0.1/29
    NAT Type: Custom*
    New Source: 10.10.10.241

    ...and so on.

    *Note: Setting NAT Type to Auto will instead make traffic from the 192.168.0.1/29 network use the WAN interface IP address (10.0.0.185) as source... which is typically default behavior.
    Last edited by oj88; 05-25-2021 at 06:48 PM.

  3. #3
    Untanglit (Join Date: May 2021; Posts: 21)

    I had used this type of NAT set up at our previous location with a different firewall, but in that case, the firewall was behind a router, and our External IPs were all from the same subnet.

    In this case, since they are giving us an entire network subnet and not putting us behind a router, the external IPs are not within the same subnet as the External interface. That made me think that somehow I needed to add manual routes, but your answer indicates that this can all be done in the same way, just using NAT rules and no manual routes are necessary.

    Thank you for your response.

  4. #4
    Untanglit (Join Date: May 2021; Posts: 21)

    Here is a follow-up question:

    What if I wanted to assign some of my external IPs to a device without it going through NAT? Using my original example above, could I have 10.10.10.240/29 assigned to an internal interface? For that interface, Untangle would be in bridge mode, while on a separate internal interface Untangle would be in NAT mode.

    Is that possible?

  5. #5
    Master Untangler (Join Date: Oct 2013; Posts: 261)

    Quote originally posted by JCBond:
    > Here is a follow-up question:
    >
    > What if I wanted to assign some of my external IPs to a device without it going through NAT? Using my original example above, could I have 10.10.10.240/29 assigned to an internal interface? For that interface, Untangle would be in bridge mode, while on a separate internal interface Untangle would be in NAT mode.
    >
    > Is that possible?
    The right way to accomplish what you want is to do 1:1 NAT.... in that, an internal host (through NAT Rules) would be assigned one of the external IP addresses in the 10.10.10.241 to 246 range.

    Besides, Untangle can either be set to bridge or router mode, not both at the same time.

  6. #6
    Untanglit (Join Date: May 2021; Posts: 21)

    Thank you for your response.

    I had seen that restriction on other firewalls. They also could only be set to Bridge or Router mode, but not both. I was hoping that Untangle was different.

  7. #7
    sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,234)

    Let me simplify all the documentation... also, I suggest you throw away the very idea of 1:1 NAT, because it's deceptive to what's actually going on.

    An Untangle router has interfaces; these interfaces have one or more IP addresses on them. The 2nd address onward on any given interface is configured as an alias.

    Port forward rules are used to forward traffic from an Untangle IP address to any other IP address. These are generally used to move traffic from a public network to a private one, but they can be used for far more. There is nothing stopping you from grabbing traffic landing on one of your ISP-provided IPs and forwarding it off to Google, or AWS, or whatever. Just as there's nothing stopping you from grabbing traffic on the way out of Untangle to the world and forwarding it to a local address. The point is, Port Forward rules handle what happens when traffic lands on an IP address Untangle owns.

    Finally, there are NAT policies. These rules define what address selected traffic is translated to on the way out of the network. They can be used to make a single internal device use a special public address, or an entire range of IPs use that address. By default, all devices will use the primary IP address on the interface the translation happens on. Again by default this is only WAN interfaces, i.e. your Internet connections. But there's nothing stopping you from changing this, or expanding it to handle translating interior traffic too.

    All of that boils down to the simplest answer of:

    Aliases put IP addresses on Untangle.
    Port Forwards handle traffic inbound to the internal network from the world.
    NAT Rules determine what address the world sees for traffic leaving the network.

    Also, it's objectively false that Untangle cannot bridge and route at the same time. There is no such thing as bridge mode, or router mode... I HATE those descriptors too... All that switch does during install is configure the Internal interface. Router mode installs get an addressed internal, bridge mode installs get a bridged internal.

    These "modes" are nothing more than relationships between interfaces. It is important to note however that packets traversing a bridge aren't subject to NAT. So they won't be influenced by Port Forward rules, or NAT policies.

    If you want to apply public addresses to interior devices you simply need to bridge an interface to External, and assign the addresses in question directly on the devices themselves, assuming you have layer 2 sorted out to actually get them connected. And yes, you very much can have an interface bridged to External, while Internal is static and routing for other devices. You CAN DO BOTH.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untanglit (Join Date: May 2021; Posts: 21)

    Quote originally posted by sky-knight:
    > If you want to apply public addresses to interior devices you simply need to bridge an interface to External, and assign the addresses in question directly on the devices themselves, assuming you have layer 2 sorted out to actually get them connected. And yes, you very much can have an interface bridged to External, while Internal is static and routing for other devices. You CAN DO BOTH.

    Will this traffic still be inspected and subject to other security measures? Or will this just be a bridge that bypasses Untangle completely?

  9. #9
    Untanglit (Join Date: May 2021; Posts: 21)

    This is an example of what I was thinking.
    [Attachment: Basic Network.png]

  10. #10
    sky-knight (Untangle Ninja; Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,234)

    Double NAT causes issues... so for your sake I'm going to hope that ISP router is being replaced, and/or doesn't really exist, and that the 10. network is actually public addresses.

    But yes, that configuration can work, it requires 3 interfaces OR just two... the interior one is just running off VLANs.

    To answer your earlier question, if the traffic transits Untangle it's inspected! It doesn't matter if it's routed or bridged... it's inspected. That is, unless you made bypass rules to stop it.