Public IP Alias on WAN interface

SOLVED

Dear Colleagues,

 

I've got a customer operating a Sophos FW, we are going to replace this one with a MX84 soon.

On the current FW config there are 5 public IPs configured on the WAN interface: 1 for the interface itself and 4 as alias IPs.

 

Each IP is reachable from outside. My customer asks if it's possible to reproduce that layout on the MX. I said it's not but I'd like to be sure.

 

EDIT: I'm thinking about the 1:1 NAT or 1:many NAT feature to solve this problem...

 

Many thanks,

Franck.

1 ACCEPTED SOLUTION


Re: Public IP Alias on WAN interface

Yeah, I would also look into the 1:1 NAT and 1:Many NAT for this, but it depends on what you want to do. Outgoing, the MX will only use the two primary IP addresses (one on each uplink). But incoming, you can use NAT to forward certain addresses to certain internal IPs.

Re: Public IP Alias on WAN interface

We have a third-party security appliance (Kharon), with its own network, and an MX attached to its second LAN port. The MX has its own stack and, at present, has a Z3C attached to a port on the MX.

 

The WAN port on Kharon connects to a modem in PPPoE/MPoA mode. In order to access the web GUI on the modem, we need additional ports on the connection to the modem (additional alt-addresses on the eth0 port do not cut it). So by configuring a Pseudo-Ethernet port, we have an additional WAN port, peth0. Multiple Pseudo-Ethernet ports are possible; in some respects it is like having a virtual switch on the WAN uplink. The glue that ties this all together is a Masquerade NAT rule. It is easier to set up than to describe.

 

Now, the clever bit, if I connect my phone to the Z3C's WiFi, I can get through both the intervening MX and Kharon and access the web GUI on the modem, which has previously been impossible.

 

I wouldn't have written all this if Kharon was expensive. But it isn't; it comes in various flavours and a top of the line product has 8 x 10G SFP+ ports and dual power supplies. It might be simpler to install a device like Kharon that would be up and working almost immediately, than spend time trying to get what you need working on the MX. In actual fact, I have taken the opportunity to offload all the risky IoT stuff, Guest WiFi, AV, and Multicast TV streaming which Meraki does not handle, and IPv6 is being implemented.

 

Pseudo Ethernet means different things to different brands and OS, so take care. The OS on Kharon is derived from a branch of VyattaOS.

 

By taking this approach we did not have to dump Meraki based solutions, we use the synergy.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Re: Public IP Alias on WAN interface

Many thanks guys, unfortunately, there is no budget for additional equipment.

 

Once again, many thanks, I'll propose that to my customer!
