Dear Colleagues,
I've got a customer operating a Sophos FW, we are going to replace this one with a MX84 soon.
On the current FW config there is 5 public IPs configured on the WAN interface : 1 for the interface itself and 4 as alias IPs.
Each IP is reachable from outside. My customer asks if it's possible to reproduce that layout on the MX. I said it's not but I'd like to be sure.
EDIT : I think about NAT 1:1 or 1:many feature to solve this problem...
Many thanks,
Franck.
Solved! Go to solution.
Yeah, I would also look into the 1:1 NAT and 1:Many NAT for this, but it depends on what you want to do. Outgoing the MX will only use the two primary IP addresses (one on each uplink). But incoming you can use NAT to forward certain addresses to certain internal IP's.
Yeah, I would also look into the 1:1 NAT and 1:Many NAT for this, but it depends on what you want to do. Outgoing the MX will only use the two primary IP addresses (one on each uplink). But incoming you can use NAT to forward certain addresses to certain internal IP's.
We have a third-party security appliance(Kharon), with its own network, and an MX attached to its second LAN port. The MX has its own stack and, at present, has a Z3C attached to a port on the MX.
The WAN port on Kharon connects to a modem in PPPoE/MPoA mode. In order to access the WEB GUI on the modem, we need additional ports on the connection to the modem (additional alt-addresses on the eth0 port do not cut it). So by configuring a Pseudo-Ethernet port, we have an additional WAN port, peth0. Multiple Pseudo-Ethernet ports are possible, in some respects it is like have a virtual switch on the WAN uplink. The glue that ties this all together is a Masquerade NAT rule. It is easier to set up than to describe.
Now, the clever bit, if I connect my phone to the Z3C's WiFi, I can get through both the intervening MX and Kharon and access the web GUI on the modem, which has previously been impossible.
I wouldn't have written all this if Kharon was expensive. But it isn't; it comes in various flavours and a top of the line product has 8 x 10G SFP+ ports and dual power supplies. It might be simpler to install a device like Kharon that would be up and working almost immediately, then spend time trying to get what you need working on the MX. In actual fact, I have taken the opportunity to offload all the risky IoT stuff, Guest WiFi, AV, and Multicast TV streaming which Meraki does not handle, and IPv6 is being implemented.
Pseudo Ethernet means different things to to different brands and OS, so take care. The OS on Kharon is derived from a branch of VyattaOS.
By taking this approach we did not have to dump Meraki based solutions, we use the synergy.
Many thanks guys, unfortunately, there is no budget for additional equipment.
Once again, many thanks I'll propose that to my customer !
Sorry to have to put new life in this thread but I do have the same problem and 1:Many NAT is not the solution.
My scenario is that I have on the Sophos firewall certain internal vlans masquerading out as specific external IPs e.g. internal vlan 1.2.3.x looks like 300.100.100.1 and vlan 1.2.4.x looks like 300.100.100.2 where 300.100.100.1 and 2 are additional public IPs ... this is just a representation, 300.x is just a # 🙂
Then in our cloud systems we use these IPs to help with traffic filtering without having to do VPNs.
Is there another way besides the two external interfaces to have masquerading of these Public IPs?
thx
MP