How to define a private IP range on a USG interface
Hello,
I have a 2nd ISP for a small part of the computers in our company.
I have a subnet reserved for us from this ISP, but the IPs from the private subnet used in our company must be static - so no DHCP.
To be clear, the ISP provides us not with public IPs but with an already created private IP subnet (192.168.94.0/24).
I am ready to configure one USG Flex port which would cover the whole subnet, but how can I define its range?
Would it be enough just to configure the dedicated USG interface with an IP from the dedicated subnet and that's it?
Cheers,
Dusan
All Replies
Hello,
I thought about it a little bit more and perhaps this cannot be done like this - I can make IP/MAC binding for those PCs, then I can use the DHCP server on that particular port. But I am not sure whether or not I can set the IP/MAC binding beforehand, so the DHCP server would assign IPs based on the IP/MAC binding map.
Anybody with the same or similar challenge who has resolved it somehow?
Cheers,
NoE
Hi @NoE,
Not sure I understand your scenario; a sketch with IPs might help.
Not so clear the IP subnet provided by the ISP: 192.168.94.0/24... is this the same subnet as your clients?
GW IP? I'm thinking about policy routes or bridging WAN to LAN, but a clarification of your configuration would be useful.
Fred
Hi @Fred_77,
Thanks for your interest in this challenge :-)
Yes, this is quite a peculiar situation of the ISP. It provides us practically with the GW/router which resides in our rack. The GW IP is 192.168.94.1. So the whole network provided (192.169.94.0/24) is a private one.
We have another (main) ISP which provides classical stuff - public IPs, GW - which I configured within USG Flex 700 - Interfaces with DHCP ...etc ... behind which the majority of our PCs reside (all works nicely).
However, some of our PCs must be within the private network of the special ISP (legal reasons). Now they are, but I need to operate this connection via USG as a "second ISP", because:
- some shared stuff within 192.168.94.0 network should be visible (i.e. routed via USG) to all the PCs inside our company (so also for those using main ISP)
- some PCs within 192.168.94.0 network should be accessible by admins of our special provider - that is why their demand to have firmly defined IPs of those PCs.
Configuration I intend to have:- interface ge12 where second ISP is configured (and GW 192.168.94.1 is connected there)
- interface ge11 (IP:192.168.94.2) where switch for PCs of 192.168.94.0 networkis connected
So the most simple way for me would be to define interface ge11 on USG with IP range 192.168.94.0/24 and connect it to the switch where all those "special" PCs are connected. However, I think, this is not possible to do on USG (I was not able to find such an option for the USG interface).Another option I was thinking of was- DHCP on ge11 (IP:192.168.94.2) with IP pool 192.168.94.(3 till 200) with IP/MAC binding - I have MACs of those special PCs, so I could make a IP/MAC binding map and voila :-) .... but this did not work so far, perhaps I omit something.
- And yet another option would be some NAT - configure ge11 with DHCP, then investigate which IPs those special PCs got, then create IP/MAC binding map on ge11, and finally make NAT, so the admin of our special ISP could reach those PCs like "from outside".
Best regards,NoE
0 -
Make ge11 / ge12 the same Port Group.
And use Policy Based routing to determine outbound traffic.
(Just thinking, for your reference.)
Hi @NoE,
Do you think a bridge interface could help you?
I'm thinking of something like this:
ge11 as WAN2, static IP 0.0.0.0
ge12 as LAN2, static IP 0.0.0.0
add new bridge interface "br1"
as external
zone WAN
members: WAN2 - LAN2
IP 192.168.94.2/24
GW 192.168.94.1
In this way clients connected at the LAN2 port would be in the same subnet as WAN2 and wouldn't be NATed.
Obviously you could define DHCP (if needed) and security policy etc...
If all your clients are connected to the same switch you could segregate traffic with VLANs.
Fred
Hi @Fred_77,
Well, I like it - it is simple and seems to be a solution! I will try this approach and will let you know then.
Just a question - so for the WAN port on the USG, where the GW 192.168.94.1 will be plugged, the address 0.0.0.0 will do the trick? Meaning: not interfering with the actual GW's IP and allowing the traffic from LAN2 via its GW?
Thanks a lot for your interest!
Cheers,
NoE
NoE said:
Just a question - so for the WAN port on the USG, where the GW 192.168.94.1 will be plugged, the address 0.0.0.0 will do the trick? Meaning: not interfering with the actual GW's IP and allowing the traffic from LAN2 via its GW?

Yes, set static IP 0.0.0.0 on both ports; the bridge interface allows the USG to be transparent and clients can also take IPs from an external DHCP if it exists. Obviously clients in the 192.168.94.XXX subnet can reach other zones only if their GW is set as the USG IP (it doesn't afflict access from external).
If you want to segregate outbound traffic from LAN1 to the internet, configure a policy route.
Hope this can help.
Hi @NoE,
Here is another proposal, using proxy ARP to forward traffic between ge11 & ge12.
1. Set up interface ge12 as the WAN interface to ISP2
ip: 192.168.94.2
mask: 255.255.255.0
gw: 192.168.94.1
type: external
zone: WAN
add proxy-arp, ip range: 192.168.94.4-192.168.94.254
2. Set up interface ge11 as internal
ip: 192.168.94.4
mask: 255.255.255.0
type: internal
zone: LAN2 (go to Object > Zone to create this user-configured zone first)
Enable the DHCP server or not (static IP configuration for clients)
clients ip range: 192.168.94.5 - 192.168.94.254
mask: 255.255.255.0
gw for clients: 192.168.94.4
3. Set up a policy route so these clients go through the ISP 2 link with their original 192.168.94.X IP.
4. Set up a WAN trunk so company PCs go to the Internet through the main ISP link
(1) Go to Network > Interface > Trunk.
(2) Add a user-configured trunk, named "MAIN-ISP" for example.
(3) Select the trunk as the default WAN trunk.
5. Set up firewall rules for access control.
Go to Security Policy > Policy Control. Add policies:
(1) For the shared stuff within the 192.168.94.0 network that should be visible (i.e. routed via USG) to all the PCs inside your company (so also for those using the main ISP)
-> add LAN to LAN2, source: LAN_SUBNET, destination: (IP address object for the shared stuff), action: allow
(2) For the PCs within the 192.168.94.0 network that should be accessible by admins of your special provider (the reason for their demand to have firmly defined IPs for those PCs)
-> add WAN to LAN2, source: ISP admins' IP or any, destination: the client IPs they need to access, action: allow
(3) For clients in the private subnet 192.168.94.x to the ISP2 link
-> add LAN2 to WAN, source: any, destination: any, action: allow
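As an added sanity check (my own Python script, not part of the thread and not the USG's own configuration syntax), the code below models the proxy-ARP address plan from the answer above: it verifies that the proxy-ARP and client ranges do not collide with the ISP gateway or the USG's own interface addresses, and shows for which target IPs ge12 would answer an ARP request on the ISP side.

```python
# Added example: consistency check of the split-/24 proxy-ARP plan.
# Uses only the Python 3 standard library; values come from the answer above.
import ipaddress

ISP_SUBNET = ipaddress.ip_network("192.168.94.0/24")   # subnet handed out by ISP2
ISP_GATEWAY = ipaddress.ip_address("192.168.94.1")     # ISP2 router in the rack
GE12_IP = ipaddress.ip_address("192.168.94.2")         # USG WAN side (external)
GE11_IP = ipaddress.ip_address("192.168.94.4")         # USG LAN2 side (internal)
PROXY_ARP_RANGE = ("192.168.94.4", "192.168.94.254")   # proxy-arp configured on ge12
CLIENT_RANGE = ("192.168.94.5", "192.168.94.254")      # static client addresses


def ip_range(first, last):
    """Expand an inclusive dotted-quad range into a set of addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {ipaddress.ip_address(n) for n in range(int(a), int(b) + 1)}


def usg_answers_arp_on_wan(target):
    """Would ge12 reply to an ARP request from the ISP router for `target`?
    It answers for its own address and for every address in the proxy-ARP range."""
    target = ipaddress.ip_address(target)
    return target == GE12_IP or target in ip_range(*PROXY_ARP_RANGE)


def check_plan():
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    proxied = ip_range(*PROXY_ARP_RANGE)
    clients = ip_range(*CLIENT_RANGE)
    for name, ip in (("ge12", GE12_IP), ("ge11", GE11_IP), ("gateway", ISP_GATEWAY)):
        if ip not in ISP_SUBNET:
            problems.append(f"{name} {ip} is outside {ISP_SUBNET}")
    # The USG must never claim the ISP gateway's address on the WAN segment.
    if ISP_GATEWAY in proxied:
        problems.append("proxy-ARP range must not include the ISP gateway")
    # ge12 already answers for its own IP; listing it again is a misconfiguration.
    if GE12_IP in proxied:
        problems.append("proxy-ARP range must not include ge12's own IP")
    # Every client IP needs the USG to answer for it towards the ISP router,
    # otherwise return traffic for that client is dropped at the gateway.
    if not clients <= proxied:
        problems.append("client range is not fully covered by the proxy-ARP range")
    # Clients and the two USG interface addresses must not collide.
    if GE11_IP in clients or GE12_IP in clients:
        problems.append("client range overlaps a USG interface address")
    return problems
```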
Hi @zyman2008,
Wow, thank you! I have no experience with ARP, but I will take a closer look at your proposal.
Special thanks for the proposal regarding my points 1) shared stuff 2) admins' access.
I will have a downtime window for these works next Monday, so I will now study all the proposals, then I will try them on Monday and - of course - I will share my results/progress!
Cheers,
NoE