How do I use network package with 5 Static IP address

[Vis1/0N]

Signed up with Vodacom microwave and the package comes with 5 static IP address. My requirements is to be able to open up ports, and have a static public IP address for web services. The installation was completed just at close of business yesterday so I was not able to get the technical questions in with the installer.

I see on the WAN information page there are 6 entries, 2 of which are showing connected. (Disconnected is TR069_VOIP_INTERNET_R_ADSL_8/35, .._ADSL_VID_835, ..._GE_VID_, ..._RADIO_VID_) with the connected items being TR069_R_GE_VID_ and VOIP_INTERNET_R_GE_VID_. The MAC items range from [xx:xx:xx:xx:xx]:94 to :99.

I see that NAT is disabled on TR069_R_GE_VID_ and enabled on the VOIP_INTERNET_R_GE_VID_. These two connected items have different IP address, but they are not public IP address.

I am new to this, how would I use a system where the router device receives multiple WAN IP address? And they offered 1 or 5 static IP address, I see that the 2 connected are on the 10. subnets with different gateways and are not on a public accessible.

 

[syntax]

IT really depends how they do things.
One way would be the ISP assigns you a /29 public range. This has 6 usable public IP's. They have this range on the network between their router and yours, they will use one of them for their side, the other 5 are yours.

Your router will have one of these IP's on its interface, the other 4 are on the network.
IF you want to use the other 4 public IP's you have 2 options. Put other devices on that subnet physically, or NAT on the router to a device internally. You can do static 1-1 nats or you can do port translations.

It really depends, if you want help or advice you can DM me so you dont have to share your public IP's on a forum

 

[web_dude]

- Connect your computer with LAN cable to your Vodacom Microwave on the port for the CPE (Router) assigned.
- put one of the IP assigned on your Network Card. Make sure the IP, subnets and Gateways are correct.
- DNS, put any dns. 8.8.8.8 (google) or 9.9.9.9 are good.
- do you have internet? do a couple of speedtests to check your speeds. (I suggest to do a couple of pings and traceroutes to different servers/url to check the traffic)
- and check that the outgoing IP is the one that you are using (on the speedtest should show).
- if all good, then change your IP to another one that was assigned to you and repeat the process. The Subnet and Gateway will not change.

- if all is good, your IPs are working, then you can use all those ones.
- Now the tricky part is how to use them:
- you can get a small 8 port gigabit switch and split them to different routers
- you can also connect a good decent firewall and some of them can accept more than 1 WAN IP address on the same WAN PORT, so you can redirected incoming traffic as you want.
- I wouldn't fiddle much trying to get outgoing traffic via different IP's. but it is up to you depending on your firewall device and your network knowledge.

 

[Vis1/0N]

I am still awaiting the setup confirmation and support contact information that they said will be sent. When they offered 1 or 5 static IP (free) I asked them to advise the difference, and why is it free? Did not get an explanation, it was pushed through.

I see this example https://www.draytek.co.uk/support/guides/kb-nat-wanipalias that explains it perfectly - but in our instance the router supplied is DN8245W2-7T Home Gateway - very barebones for a business package, slow interface and low on features. Still feeling my way around, and I still do not have confirmation of my assigned IP's.

 

[web_dude]

If the router supplied is already in place and configured, maybe you just need to plug your computer to the network ports and you will be up & running and you can check what is your Public IP assigned.
Many business grade connections comes with 5 Public IP's. if you have servers infrastructure providing services over the internet, you can make use of them. one as main connection, another one for VPN, another one for web services, etc. but if your network is not too complicated and not providing services over the internet, a plain flat network with 1 public IP should do just fine. different ports can be opened for different services using the same public IP.
and depending of your needs and budget, you could get rid of that Draytek router and replace it with a proper firewall with security and traffic inspection. but again, depends of your needs.

 

[syntax]

I am still awaiting the setup confirmation and support contact information that they said will be sent. When they offered 1 or 5 static IP (free) I asked them to advise the difference, and why is it free? Did not get an explanation, it was pushed through.

I see this example https://www.draytek.co.uk/support/guides/kb-nat-wanipalias that explains it perfectly - but in our instance the router supplied is DN8245W2-7T Home Gateway - very barebones for a business package, slow interface and low on features. Still feeling my way around, and I still do not have confirmation of my assigned IP's.

Just look for a NAT menu, sometimes they reword it as server menu or something similar.
you can then map the services or IP's to an internal service

 

[ubercal]

Every router/firewall does it slightly different.Best is to check the documentation relevant to your router.Either way you generally bind the ip range (ie the 5 ips to the wan interface) , and then play around with the NAT settings.

 

[syntax]

Every router/firewall does it slightly different.Best is to check the documentation relevant to your router.Either way you generally bind the ip range (ie the 5 ips to the wan interface) , and then play around with the NAT settings.

I know its a wording technicality, but the IP's arent bound to the interface typically. An IP is put in the same subnet as the adjacent ISP router, and then the CPE responds to ARP requests for the other IP's in that subnet because it has a NAT configuration for them.
alternatively the range is routed to the CPE WAN interface where it wouldnt have an IP on the same range

 

[Vis1/0N]

and depending of your needs and budget, you could get rid of that Draytek router and replace it with a proper firewall with security and traffic inspection. but again, depends of your needs.

I don't have the Draytek router (which seems to solve the issue as I understand). The DN8245W2-7T Home Gateway which seems to lack many features. As for budget etc - 0, everything is a big grudge purchase, which is why they did not procure fibre.

Probable will have to use the one IP.

 

[syntax]

I don't have the Draytek router (which seems to solve the issue as I understand). The DN8245W2-7T Home Gateway which seems to lack many features. As for budget etc - 0, everything is a big grudge purchase, which is why they did not procure fibre.

Probable will have to use the one IP.

Cant find a manual for this, if you post some screen shots of the menu can talk you through what to do

 

[ubercal]

I don't have the Draytek router (which seems to solve the issue as I understand). The DN8245W2-7T Home Gateway which seems to lack many features. As for budget etc - 0, everything is a big grudge purchase, which is why they did not procure fibre.

Probable will have to use the one IP.

Most likely , the budget routes dont have the "advanced" features.I remmember the one of those popular unifi gateway devices (I think it was the Dream Machine didnt have this feature)

 

[ubercal]

I know its a wording technicality, but the IP's arent bound to the interface typically. An IP is put in the same subnet as the adjacent ISP router, and then the CPE responds to ARP requests for the other IP's in that subnet because it has a NAT configuration for them.
alternatively the range is routed to the CPE WAN interface where it wouldnt have an IP on the same range

yeah true.I remmember on the cisco routers you set 1 IP on the wan interface , and then you create a pool of useable ips that can be used.You then do port forwarding/Nat and specify the IP that you want to use.

 

[web_dude]

yeah true.I remmember on the cisco routers you set 1 IP on the wan interface , and then you create a pool of useable ips that can be used.You then do port forwarding/Nat and specify the IP that you want to use.

on Sonicwall you can put one IP on the WAN and then you can add more IP's on top. and then you just do your configuration and port forwarding/NAT and all that.

 

[syntax]

on Sonicwall you can put one IP on the WAN and then you can add more IP's on top. and then you just do your configuration and port forwarding/NAT and all that.

More IPs for sure, but I think it might have an issue with IP's in the same subnet as additional secondary IP's on the same interface (I know for some vendors, you cant have any overlapping IP subnets on different interfaces, which makes sense as you could introduce asymetric traffic and have issues with uRPF). I havent been hands on for a few years, but this was the case for most vendors I worked on as it doesnt really make sense to do it this way instead of via policy, NAT and ARP.

 

[ubercal]

on Sonicwall you can put one IP on the WAN and then you can add more IP's on top. and then you just do your configuration and port forwarding/NAT and all that.

yip , i used to work with sonicwalls long ago and you could do that.Just cant remmember exactly how it was implemented.I think you had to create a IP Range object , but not bind it to the interface.All the config was done on the NAT rules.

 

[syntax]

yip , i used to work with sonicwalls long ago and you could do that.Just cant remmember exactly how it was implemented.I think you had to create a IP Range object , but not bind it to the interface.All the config was done on the NAT rules.

Yeah that makes sense. The NAT for local subnets means the firewall will respond to ARP requests and then process accordingly

 

[Vis1/0N]

I opened up the rdp port to my laptop and tried the public ip that shows up in the browser and it works. So tried the 80/443 and it does not.

I find this thread https://mybroadband.co.za/forum/thr...word-for-vodacom-huawei-gateway.822695/page-5 so basically indicates that the router may be locked from the advanced functions. TR069_R_GE_VID_ seems the the most relevant. There is only quickstart guides on the internet and seems other info is available to customer/partner accounts.

I hope I can get support from Vodacom for admin access to the router. This is a business package but from the thread it seems to not expect much help from Vodacom. Still awaiting the installation status complete change - the installation tech said account and support details would be sent to us once done,

 

[syntax]

I opened up the rdp port to my laptop and tried the public ip that shows up in the browser and it works. So tried the 80/443 and it does not.

I find this thread https://mybroadband.co.za/forum/thr...word-for-vodacom-huawei-gateway.822695/page-5 so basically indicates that the router may be locked from the advanced functions. TR069_R_GE_VID_ seems the the most relevant. There is only quickstart guides on the internet and seems other info is available to customer/partner accounts.

I hope I can get support from Vodacom for admin access to the router. This is a business package but from the thread it seems to not expect much help from Vodacom. Still awaiting the installation status complete change - the installation tech said account and support details would be sent to us once done,

Is your laptop listening on port 443 / 80?

 

[Vis1/0N]

Is your laptop listening on port 443 / 80?

3389, opened it on the router. Cannot open 443/80 on the supplied router. Once I get the account number I will try support, and then come back here if needed.

On the previous ISP we had no issues, until they closed and moved the customer base to another supplier. Who have us behind NAT with no static IP, and only promises. To mitigate I had to setup a WG VPS on AWS to tunnel the 80/443 traffic. Broke my ssl/tls certificate renewals though, and AWS also blocks 25 and refused to unblock on my new account.

Was hoping Vodacom would be up and running but it took 6 weeks just to install and am still awaiting account code before I can access portal/support.

 

[r00igev@@r]

Good luck and if you come right with support buy a lotto ticket.