howto define private IP range on USG interface

Options
NoE
NoE Posts: 30  Freshman Member
First Anniversary 10 Comments Friend Collector
edited May 2022 in Security
Hello,
I have 2nd ISP for small part of computers in our company.
I have a subnet reserved for us from this ISP, but the IPs from the private subnet used in our company must be static - so no DHCP.
To be clear, the ISP provides us not with public IPs but wit already created privat IP subnet - (192.168.94.0/24)
I am ready to configure one USGFlex port which would cover the whole subnet, but how can I define its range?
Would it be enough just to configure the dedicate USG interface with an IP from the dedicated subnet and that's it?
Cheers,
Dusan




Accepted Solution

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @NoE,
    Here another proposal, using proxy arp for traffic forward between ge11 & ge12.

    1. Setup interface ge12 as wan interface to ISP2
    ip: 192.168.94.2
    mask:255.255.255.0
    gw: 192.168.94.1
    type: external
    zone: WAN
    add proxy-arp, ip range:192.168.94.4-192.168.94.254


    2. Setup interface ge11 as internal
    ip: 192.168.94.4
    mask: 255.255.255.0
    type: internal
    zone: LAN2  (go to object > Zone to create this user configuration zone first)
    Enable DHCP server or not(configuration static IP for clients)
    clients ip range: 192.168.94.5 - 192.168.94.254
    mask: 255.255.255.0
    gw for client: 192.168.94.4

    3. Setup policy route for these clients go through ISP 2 link with original 192.168.94.X IP.
     

    4. Setup WAN trunk for company PCs go to Internet through main ISP link
    (1)Go to Network > Interface > Trunk.
    (2)Add user configuration trunk, name as "MAIN-ISP" for example.

    (3)select the trunk as default WAN trunk


    5. Setup firewall rules for access control.
    Go to Security Policy > Policy Control. Add policies:
    (1)For some shared stuff within 192.168.94.0 network should be visible (i.e. routed via USG) to all the PCs inside our company (so also for those using main ISP)
    -> add LAN to LAN2, source: LAN_SUBNET, destination: (IP address object for the shared stuff), action: allow
    (2)For some PCs within 192.168.94.0 network should be accessible by admins of our special provider - that is why their demand to have firmly defined IPs of those PCs.
    -> add WAN to LAN2, source: ISP admins IP or any, destination: clients IPs need to access, action: allow
    (3)For clients in private subnet 192.168.94.x to ISP2 link
    -> add LAN2 to WAN, source: any, destination: any, action: allow

«13

All Replies

  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hello,

    I thought about it little bit more and perhaps this cannot be done like this - I can make IP/MAC binding for those PCs, then I can use DHCP server on that particular port. But I am not sure whether or not can I set the IP/MAC binding beforehand, so the DHCP server would assign IPs based on IP/MAC binding map.

    Anybody with the same or similar challenge, who has resolved it somehow?

    Cheers,
    NoE
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @NoE
    not sure I understand your scenario;  a sketch with ip's might help. 

    Not so clear the IP subnet provided by ISP: 192.168.94.0/24... is this the same subnet of your clients?
    GW IP?

    I'm thinking about  policy routes or  bridging wan to lan, but a clarification of your configuration would be useful

    Fred
  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited May 2022
    Options
    thanks for your interest in this challenge :-)
    yes, this is quite peculiar situation of ISP.
    It provides us practically with the GW/router which resides in our rack. The GW IP is 192.168.94.1.
    So the whole network provided (192.169.94.0/24) is a private one.
    We have another (main) ISP which provides classical stuff - public IPs, GW - which I configured within USG Flex 700 - Interfaces with DHCP ...etc ...behind which majority of our PCs resides (all works nice).
    However, some of our PCs must be within the private network of special ISP (legal reasons). Now they are, but I need to operate this connection via USG as "second ISP", because:
    1. some shared stuff within 192.168.94.0 network should be visible (i.e. routed via USG) to all the PCs inside our company (so also for those using main ISP)
    2. some PCs within 192.168.94.0 network should be accessible by admins of our special provider - that is why their demand to have firmly defined IPs of those PCs.

    Configuration I intend to have:
    1. interface ge12 where second ISP is configured  (and GW 192.168.94.1 is connected there)
    2. interface ge11 (IP:192.168.94.2) where switch for PCs of 192.168.94.0 networkis connected

    So the most simple way for me would be to define interface ge11 on USG with IP range 192.168.94.0/24 and connect it to the switch where all those "special" PCs are connected. However, I think, this is not possible to do on USG (I was not able to find such an option for the USG interface).
    Another option I was thinking of was
    1. DHCP on ge11 (IP:192.168.94.2) with IP pool 192.168.94.(3 till 200) with IP/MAC binding - I have MACs of those special PCs, so I could make a IP/MAC binding map and voila :-) .... but this did not work so far, perhaps I omit something.
    2. And yet another option would be some NAT - configure ge11 with DHCP, then investigate which IPs those special PCs got, then create IP/MAC binding map on ge11, and finally make NAT, so the admin of our special ISP could reach those PCs like "from outside".
    Best regards,
    NoE

  • WJS
    WJS Posts: 130  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Make ge11 / ge12 as the same Port Group.
    And using Policy Based routing to determine outbound traffic .

    (Just thinking :) , for you reference.)
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @NoE

    do you thimk a bridge interface could help you?

    i'm thinkink something like this:

    Ge11 as WAN2 static ip 0.0.0.0
    GE12 as LAN2 static ip 0.0.0.0



    add new bridge interface "br1"
    as external
    zone WAN
    members: WAN2 - LAN2
    IP 192.168.94.2/24
    GW 192.168.94.1

    In this way  clients connected at LAN2 port would be in the same subnet as the wan2 and wouldn't be natted.
    Obviously you could define dhcp (if needed)  and security policy etc...

    If all your clients are connected to the same switch you could segregate traffic with vlans

    Fred


  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited May 2022
    Options
    well I like it - it is simple and seems to be a solution!
    I will try this approach and will let you know then.
    Just a question - so for the WAN port on USG, where the GW 192.168.94.1 will be plugged, the address 0.0.0.0 will do the trick? Meaning: not interfering with actual GW's IP and allowing the traffic from LAN2 via its GW?
    Thanks a lot for your interest!
    Cheers,
    NoE

  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    WJS said:
    Make ge11 / ge12 as the same Port Group.
    And using Policy Based routing to determine outbound traffic .

    (Just thinking :) , for you reference.)

    Hi @WJS
    thanks for this proposal....while thinking, this could be also a solution.
    Thanks for your interest!
    Cheers,
    NoE
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    NoE said:

    Just a question - so for the WAN port on USG, where the GW 192.168.94.1 will be plugged, the address 0.0.0.0 will do the trick? Meaning: not interfering with actual GW's IP and allowing the traffic from LAN2 via its GW?

    Yes, set static ip 0.0.0.0 in both pots; bridge interface allows the USG to be transparent and clients can also take IPs from external DHCP if it exists. Obviously clients in 192.168.94.XXX subnet can reach  other zones only if their GW is set as USG IP (it doesn't afflict access from external )
    If you want to segregate outbound traffic from LAN1 to internet, configure a policy route.

    Hope this can help
  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options
    Hi @NoE,
    Here another proposal, using proxy arp for traffic forward between ge11 & ge12.

    1. Setup interface ge12 as wan interface to ISP2
    ip: 192.168.94.2
    mask:255.255.255.0
    gw: 192.168.94.1
    type: external
    zone: WAN
    add proxy-arp, ip range:192.168.94.4-192.168.94.254


    2. Setup interface ge11 as internal
    ip: 192.168.94.4
    mask: 255.255.255.0
    type: internal
    zone: LAN2  (go to object > Zone to create this user configuration zone first)
    Enable DHCP server or not(configuration static IP for clients)
    clients ip range: 192.168.94.5 - 192.168.94.254
    mask: 255.255.255.0
    gw for client: 192.168.94.4

    3. Setup policy route for these clients go through ISP 2 link with original 192.168.94.X IP.
     

    4. Setup WAN trunk for company PCs go to Internet through main ISP link
    (1)Go to Network > Interface > Trunk.
    (2)Add user configuration trunk, name as "MAIN-ISP" for example.

    (3)select the trunk as default WAN trunk


    5. Setup firewall rules for access control.
    Go to Security Policy > Policy Control. Add policies:
    (1)For some shared stuff within 192.168.94.0 network should be visible (i.e. routed via USG) to all the PCs inside our company (so also for those using main ISP)
    -> add LAN to LAN2, source: LAN_SUBNET, destination: (IP address object for the shared stuff), action: allow
    (2)For some PCs within 192.168.94.0 network should be accessible by admins of our special provider - that is why their demand to have firmly defined IPs of those PCs.
    -> add WAN to LAN2, source: ISP admins IP or any, destination: clients IPs need to access, action: allow
    (3)For clients in private subnet 192.168.94.x to ISP2 link
    -> add LAN2 to WAN, source: any, destination: any, action: allow

  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    wow, thank you!
    I have no experience with ARP, but I will pay closer look to your proposal.
    Special thanks for proposal regarding my points 1)shared stuff 2)admins access
    I will have a downtime window for these works next Monday, so I will now study all the proposals, then I will try them on Monday and - of course - I will share my results/progress!
    Cheers,
    NoE

Security Highlight