Multiple WAN IPs with an actiontec mi424wr

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
Long story short, we've got a new vendor at work supporting our Cisco phone systems and they want their own monitoring/VPN device placed on our network. My first thought was "cool, whatever, I'll toss it behind the firewall and give it an IP outside of our DHCP pool, set up the appropriate firewall exceptions for whatever protocols they need to get into it and call it a day."

Well no, apparently it *needs* to have its own, dedicated static public IP. Whatever, I have four extras leased from Verizon not being used.

The catch is our edge router is an Actiontec mi424wr, which is apparently the de facto SOHO FiOS router, and a whole day of googling how to make it play nice with multiple public IPs hasn't gotten me more than a handful of posts instructing the OP to essentially "replace it with a real router."

For such a prevalent piece of equipment and how popular FiOS and static IPs are for businesses I can't imagine this device truly doesn't support it. Has anyone worked this one out before?
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
What they mean is that you will need to place the device into a bridge and install your NAT devices behind it.

The Actiontec by itself cannot both handle NAT and routed IP addresses.
 

Mushkins

Perhaps some more insight into the topology will clarify:

Verizon FiOS (5 static IPs, 1 used) ---> Actiontec mi424wr ----> Sonicwall NSA 240 ---> Cisco UC560 ---> Cisco ESW520 switches ---> Cisco desktop phones ----> User PCs

The UC560 is acting as our DHCP server; file server/DC/etc. are all behind those switches as well, just without a phone between them. This network was more or less dumped in my lap after nearly half a dozen hands duct-taped it together over the years, so what little documentation I have is mostly outdated or flat-out inaccurate.

Since their device is being used to VPN into the phones and the UC560 in order to monitor and service them, I figured the best approach would be to keep the device attached somewhere internally just like any other NATted device so it can actually talk to the UC560 and phones, and open the proper ports/routes in the Sonicwall so it can communicate with their servers.

They say I can do it one of two ways: like my example or dump it in the DMZ. Either way, it *must* have its own dedicated public IP. I would think any of those five public IPs would be routed to, well, our router by Verizon, and it's then up to the edge router to say "traffic to .51 goes to this VPN box, traffic to .50 gets passed on to the sonicwall". The question is how to make that second public IP actually point to the router, and then on to their VPN device.

I'd like to think I'm over-thinking this: the router will just pass it all on to the sonicwall, where I can set up a static route from .51 to the VPN box and all is jolly, but I'm getting the vibe that there's a step in the router config to tell the internet "hey guys, send that .51 traffic to me too" instead of it just going nowhere.
 

Mushkins

Ok, so I either figured this out or I'm totally off-base.

I configured a port on the sonicwall to be a DMZ, which the VPN device will be connected to. The sonicwall will give the VPN device an internal IP address outside the regular DHCP pool but on the same network.

I then configured static NAT on the router to send all traffic destined for the .51 public IP on to the internal IP the sonicwall is giving the VPN device. Once it's passed on, the sonicwall should know where to put it.

But the question still remains, the WAN IP of the router is our public .50 address. How is traffic sent to .51 going to know that it's *really* going to our edge router (actually at .50), unless Verizon is responsible for that?
 

drebo

So your Actiontec isn't doing NAT?

If that's the case, all you had to do was plug the VPN appliance into another Ethernet port on the Actiontec and assign it a static IP within your 5 usable block.

In response to your question: ARP.
 

Mushkins

If it is, it shouldn't be. It seems like whoever designed this network was just clicking buttons half the time, and dissecting it is a challenge when it's a production environment where I can't really play with it to see what's going on.

We'll plug and play and see what happens, thanks for the second set of eyes.
 

Mushkins

So they finally sent out the device, and that didn't work out so well. Apparently the Actiontec *is* doing NAT, and so is the sonicwall, and so is the UC560. What a clusterfuck.

Just plugging the device into the Actiontec is a no-go, and with the Actiontec doing NAT, there's no way I can get the sonicwall to pick up on the external IP. Looks like the only way to make it work is to reconfigure the Actiontec to strictly be a bridge and let the Sonicwall be both firewall and router, but I have no idea how to configure routing properly on a Sonicwall.

And of course, I can't do this during the day because it's going to take the whole network down the second I start changing configurations. Fun stuff.
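The discovery in the post above (the Actiontec, the SonicWall and the UC560 all doing NAT) is the kind of thing worth confirming from the inside before a maintenance window rather than by trial and error. Two cheap signals: a traceroute from a desktop that shows more than one non-routable hop before the first public address, and a firewall whose WAN interface carries a private address (which means something upstream is NATting for it). The script below is an added example, not from the thread; the traceroute text and addresses are constructed (10.10.0.1 stands for the SonicWall LAN side, 192.168.1.1 for the Actiontec LAN side, 203.0.113.49 for the ISP gateway) and the line format is the one Linux/BSD `traceroute` prints, with and without `-n`.

```python
"""Spot stacked NAT from a traceroute and from the firewall's WAN address.

Added example (not from the thread). Sample traceroutes and addresses are
constructed; the hop regex targets the Linux/BSD traceroute output format.
"""
import ipaddress
import re
from typing import List, Tuple

# Space that is never routed on the public Internet. Listed explicitly rather than
# relying on ipaddress.is_private, whose handling of 100.64/10 and of the
# documentation ranges differs between Python versions.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT shared space (RFC 6598)
    "169.254.0.0/16",                                  # link-local
)]

# Constructed: what a desktop behind SonicWall -> Actiontec (both NATting) would see.
TRACE_DOUBLE_NAT = """\
traceroute to example.net (203.0.113.200), 30 hops max, 60 byte packets
 1  10.10.0.1 (10.10.0.1)  0.412 ms  0.380 ms  0.360 ms
 2  192.168.1.1 (192.168.1.1)  1.204 ms  1.180 ms  1.150 ms
 3  203.0.113.49 (203.0.113.49)  4.910 ms  4.870 ms  4.820 ms
 4  * * *
"""

# Constructed: the same path after the Actiontec is bridged (traceroute -n style).
TRACE_BRIDGED = """\
traceroute to example.net (203.0.113.200), 30 hops max, 60 byte packets
 1  10.10.0.1  0.401 ms  0.377 ms  0.351 ms
 2  203.0.113.49  4.870 ms  4.830 ms  4.790 ms
 3  * * *
"""

# hop number, optional "hostname (", then the IP; "* * *" lines never match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})\)?")


def is_non_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def parse_traceroute(text: str) -> List[Tuple[int, str]]:
    """Return (hop_number, ip) for every hop that answered; silent hops are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def nat_layers_suspected(hops: List[Tuple[int, str]]) -> int:
    """Count non-routable hops before the first public one.

    One is normal (your own firewall). Two or more usually means stacked NAT, but a
    plain router on an internal transit net also shows up as a private hop, so
    confirm against each device's WAN configuration before ripping anything out."""
    n = 0
    for _, ip in hops:
        if not is_non_routable(ip):
            break
        n += 1
    return n


def wan_is_behind_nat(wan_ip: str) -> bool:
    """A firewall whose WAN address is non-routable is itself behind another NAT."""
    return is_non_routable(wan_ip)


if __name__ == "__main__":
    for label, trace in (("double NAT", TRACE_DOUBLE_NAT), ("bridged", TRACE_BRIDGED)):
        hops = parse_traceroute(trace)
        print(label, hops, "->", nat_layers_suspected(hops), "private hop(s)")
    print("WAN 192.168.1.2 behind NAT:", wan_is_behind_nat("192.168.1.2"))
    print("WAN 203.0.113.50 behind NAT:", wan_is_behind_nat("203.0.113.50"))
```

The WAN-address check is the one to run first: if the firewall's WAN interface reads 192.168.x.x (or anything else in the listed ranges), the edge device in front of it is translating, and no amount of port forwarding on the firewall will make a second public address land on a device behind it.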
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
More than likely the sonicwall is already doing routing. The actiontec is routing, the sonicwall is routing. I doubt very much the UC560 is doing any routing. The UC560, if configured properly, is just a server sitting on your network. Bridge the actiontec and configure the sonicwall's WAN interface with one of your public IPs, subnet mask and default gateway and that should do it. If you look in the sonicwall config right now, what do the WAN and LAN interfaces say for their IP configuration?
 

Enigma102083

Member
Dec 25, 2009
147
0
0
As others have said, the Actiontec needs to be in bridge mode; then you assign your static after plugging the device into a network port.
 

Mushkins

Had to wait until after hours to take everything apart last night.

The Actiontec is now in bridge mode for real, no more double NAT between the router and the sonicwall. Changed the sonicwall WAN port to the previously configured public IP, gateway & Verizon DNS, and plugged the VPN device right into an empty LAN port on the Actiontec. Everything's working now, except our guest wireless was also configured through the Actiontec, so I need to reconfigure it through the sonicwall and a standalone AP, but that's a different issue entirely. My site-to-site VPN apparently survived this nightmare too somehow :)

Thanks for the help!