Two WANs, One Router, Same Subnet

N3O (Member, joined Feb 12, 2008, 16 messages)
Hi there!

I have a simple query and I used to know this but haven't been in the game for a while. I have a Billion Firewall with dual WANs. My company recently got a fibre connection and from this, the ISP split this up into 2 x Ciscos, each configured with a different static IP.

So we want to use the one for internet and the other for mail. So let's say the IPs are:

41.150.150.50 (Cisco A)
41.150.150.60 (Cisco B)

If I log onto the Ciscos, Cisco A has the following config for its own WAN:

IP - 41.150.150.50
Subnet - 255.255.255.248
Gateway - 41.100.101.101

Cisco B looks like this:

IP - 41.150.150.60
Subnet - 255.255.255.248
Gateway - 41.160.160.3

Obviously all these IPs are fake :p. Ok, so I ran cables from each Cisco and plugged them into my WAN ports on the Billion. The Billion's LAN IP is standard 192.168.1.254.

Wan1 config:
41.150.150.61
255.255.255.248
41.150.150.60

Wan2 config:
41.150.150.61
255.255.255.248
41.150.150.60

When I look at the status of the router, it shows Wan1 "Configured with Static IP" and shows connected with the details.

Wan2 also shows "Configured with Static IP" but shows "No Link". Now I KNOW the cable works as well as the port (brand new firewall out the box and tested the WANs since I have the exact same unit but its WAN2 doesn't work).

Why no link? If you need to know why I'm setting it up like this - I'm port forwarding all mail related protocols to my exchange box (192.168.1.7) from WAN2 and all internet related protocols to my proxy server (192.168.1.8).

Any ideas why it shows no connection? I'm gathering it has something to do with the fact that they are on the same subnet - another firewall guy that had a linux firewall with 4 wan ports said he wanted to put the two cables onto their own switch and then run a cable from that switch to a WAN port on the firewall and configure it which gateway to use.

I'm not familiar with Linux all that much and running a Microsoft infrastructure.

Any help! THANKS!

ponder (Honorary Master, joined Jan 22, 2005, 90,949 messages)
> So we want to use the one for internet and the other for mail. So let's say the IPs are:
>
> 41.150.150.50 (Cisco A)
> 41.150.150.60 (Cisco B)
>
> If I log onto the Ciscos, Cisco A has the following config for its own WAN:
>
> IP - 41.150.150.50
> Subnet - 255.255.255.248
> Gateway - 41.100.101.101
>
> Cisco B looks like this:
>
> IP - 41.150.150.60
> Subnet - 255.255.255.248
> Gateway - 41.160.160.3

I've had a few beers but that simply does not compute for me.

If you are gonna make up fake addresses & subnets at least make them represent the real config. You can just shift address ranges to achieve this.

N3O (Member, joined Feb 12, 2008, 16 messages)
Umm..you sure you only had beers? lol.

They DO represent my config. I'm trying to give an idea of the issue at hand - both static IPs are on the same range (41.150.150.xxx), but on the Ciscos they are pointing to different gateways (but the same DNS servers). The subnets are exactly as posted...

Pada (Executive Member, joined Feb 18, 2009, 8,187 messages)
+1 to what ponder said.

You can't just post gateways that don't fall within the subnets.
e.g. if you have an IP address of 10.0.0.2, subnet mask 255.255.255.0, then you can't have a gateway in the 192.168.0.x range - it has to be in the 10.0.0.x range!

I'm not sure why you're bothering with Billion hardware? Either stick with Cisco or MikroTik, or use Linux hardware, unless that Billion router supports: VLANs, packet marking, multiple routing tables, stateful packet inspection & Layer 7 packet filtering.
My guess is that you haven't set the default gateways correctly on your PCs which would mean that with the port forwarding the packets would arrive at the servers correctly, but then the server won't be able to reply correctly.

Oh and I forgot to mention that Neotel is useless with configuring their Neotel broadband connection. My office has 2 fiber connections with Neotel: 1 to their data center and 1 for our Internet + VOIP.
It took them about 3 weeks to configure it, and our VOIP didn't work because they incorrectly configured their SIP server.

They also gave us a Cisco router with like a 41.164.12.x IP address, but our WAN IP addresses are actually in a different range 41.164.7.x, so we let those WAN IP addresses terminate on our MikroTik RB1100.
We then assign 1 LAN address on the RB1100, so that all our servers just point to a single gateway. The RB1100 then does dst-nat (port forward) from the WAN addresses to the specific services. Since all 4 or 5 of our WAN IP addresses that we have through the Cisco router go through the same gateway, it makes it much easier to configure. I really won't recommend port forwarding from the Cisco to the Billion, and then again from the Billion to your internal servers, because that is how your network sounds.

I would suggest that you use like Microsoft Visio and draw up a network diagram with realistic IP addresses. Please state the WAN & LAN ones on each end of the routers.
You're welcome to translate the IP address from your real public IP to a private IP, like 41.160.123.123 to like 10.0.0.123, but then please just make sure that the subnets & gateways are correctly translated too!

Rudimental (Expert Member, joined Jan 6, 2009, 1,457 messages)
> Wan1 config:
> 41.150.150.61
> 255.255.255.248
> 41.150.150.60
>
> Wan2 config:
> 41.150.150.61
> 255.255.255.248
> 41.150.150.60

Shouldn't one of these be 41.150.150.50? Or did I miss something completely?

Mier (Expert Member, joined Mar 30, 2007, 1,326 messages)
You cannot have two ports on the same router in the same subnet.

Assuming Wan1 connects to CiscoA and Wan2 connects to CiscoB, the WAN ports must be:
Wan1 config:
41.150.150.51
255.255.255.248
41.150.150.50

Wan2 config:
41.150.150.61
255.255.255.248
41.150.150.60
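Pada's rule (a gateway has to sit inside the interface's own subnet) and Mier's rule (two ports on one router must not share a subnet) are both mechanical checks, so here is a small audit script that applies them to the addresses used in this thread. This is an added example, not code from any of the posters or from the Billion firmware; the interface tuples are constructed from the thread's made-up addresses and the finding strings are my own wording. Run with the thread's numbers it flags both Cisco gateways as unreachable from their /29, and it also shows that with a 255.255.255.248 mask the Billion's WAN1 (.51) and WAN2 (.61) actually fall into two different /29 blocks (.48/29 and .56/29), so whether they "share a subnet" depends entirely on the mask in play; the OP's original typo (both WANs on .61/.60) is the case that does overlap.

```python
import ipaddress
from typing import Dict, List, Tuple

# One WAN interface = (address, netmask, default gateway).
WanConfig = Dict[str, Tuple[str, str, str]]

# Constructed sample data taken from the thread's made-up addresses.
CISCO_WANS: WanConfig = {
    "CiscoA": ("41.150.150.50", "255.255.255.248", "41.100.101.101"),
    "CiscoB": ("41.150.150.60", "255.255.255.248", "41.160.160.3"),
}
BILLION_WANS: WanConfig = {
    "WAN1": ("41.150.150.51", "255.255.255.248", "41.150.150.50"),
    "WAN2": ("41.150.150.61", "255.255.255.248", "41.150.150.60"),
}
# The OP's first post, where WAN1 and WAN2 were typed with identical settings.
OP_TYPO_WANS: WanConfig = {
    "WAN1": ("41.150.150.61", "255.255.255.248", "41.150.150.60"),
    "WAN2": ("41.150.150.61", "255.255.255.248", "41.150.150.60"),
}


def iface_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network block an interface address/mask pair belongs to (e.g. .51/29 -> .48/29)."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def gateway_in_subnet(ip: str, mask: str, gateway: str) -> bool:
    """Pada's rule: a router can only ARP for a next hop on a directly
    connected subnet, so the gateway must be a host inside the interface's block."""
    return ipaddress.IPv4Address(gateway) in iface_network(ip, mask)


def overlapping_wans(wans: WanConfig) -> List[Tuple[str, str]]:
    """Mier's rule: report every pair of interfaces whose subnets overlap,
    because the router cannot pick a unique exit interface for that block."""
    names = list(wans)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = iface_network(*wans[a][:2])
            net_b = iface_network(*wans[b][:2])
            if net_a.overlaps(net_b):
                pairs.append((a, b))
    return pairs


def audit(wans: WanConfig) -> List[str]:
    """Run both checks and return human-readable findings (empty list = clean)."""
    findings = []
    for name, (ip, mask, gw) in wans.items():
        if not gateway_in_subnet(ip, mask, gw):
            findings.append(
                f"{name}: gateway {gw} is outside {iface_network(ip, mask)}; "
                f"the router has no connected route to reach it"
            )
    for a, b in overlapping_wans(wans):
        findings.append(
            f"{a} and {b} overlap: {iface_network(*wans[a][:2])} vs "
            f"{iface_network(*wans[b][:2])}"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("Cisco side", CISCO_WANS),
                       ("Billion side", BILLION_WANS),
                       ("OP's typo", OP_TYPO_WANS)):
        print(f"== {label} ==")
        for name, (ip, mask, _gw) in cfg.items():
            print(f"  {name}: {ip}/{mask} -> block {iface_network(ip, mask)}")
        for line in audit(cfg) or ["  no findings"]:
            print(" ", line)
```

The useful habit here is to print the computed block for each interface before arguing about "same subnet": the /29 boundaries (.48, .56, .64) are not obvious from the dotted mask, and a gateway that fails `gateway_in_subnet` will only work if something upstream (a static route, or in this thread's case the ISP's VLAN on the Cisco) is quietly doing the forwarding.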

ponder (Honorary Master, joined Jan 22, 2005, 90,949 messages)
> Umm..you sure you only had beers? lol.

Yes, my editing left a 'but' in place that should not have been there.

Looking at it this morning it still does not compute for me. Some really basic things that jump out at me which others have mentioned.

EDIT: Did not notice the changes you made, was looking at the info I quoted.

N3O (Member, joined Feb 12, 2008, 16 messages)
Argh - I replied this AM at like 2AM and it seems it never went through!

To make what seems to be a very long story short: The IPs are fake but they represent exactly what I have - Two Cisco routers, two static IP blocks (from 41.150.150.50 - 55 and 41.150.150.60 - 65), but each one of them on the Ciscos pointing to a different gateway. I didn't make that up, they actually ARE. And sorry Rudimental, I did make a typo, WAN1's gateway on my firewall is .50 and WAN2's is .60.

Mier - thanks, I gathered as much hence my query. But your proposed configuration is..er..exactly what mine is?

Pada - what can I say...in all the static IP configs I've seen the gateways usually lie on a different range. And who said anything about PC gateways? That's not the issue here. The PCs point to ONE gateway which is the firewall (well, not actually the PCs, I don't like rolling out gateways on my networks, I rather control access through proxies or GPOs).

But that's beside the point. Point is - I want internet to come in on WAN1 and point to the Proxy. I have it like this and it works like a charm. I want mail to come in on WAN2 and point to my exchange. Problem is that WAN2 shows no connection even though the cable works and so does the physical port.

Remember people please as well - the IPs on the WANs are not my configuration that I thumbsucked, they are the available static IPs and it's set up in exactly the way the ISP confirmed it to be working. Either way, I have the EXACT SAME firewall with a different ISP's IP and the configuration is exactly the same as on this one. I'm trying to figure out how I'm going to get that traffic split the way I want it done (email and internet).

Everything WORKS - router feeding the proxy, PCs on the domain surfing fine, etc. But I cannot simultaneously plug the lines in as it shows no connection on the WAN. I have set the port forwardings for specifically WAN1 (internet etc) and WAN (Mail).

so simple diagram is:

Fibre --> Cisco (A) 41.160.185.50 (VLAN) --> 41.160.185.51 (WAN1) Billion Firewall 192.168.254 (LAN) --> Servers
Fibre --> Cisco (B) 41.160.185.60 (VLAN) --> 41.160.185.61 (WAN2) Billion Firewall 192.168.254 (LAN) --> Servers

But the WAN2 shows no connection. How will I get the Mail on WAN2 to my server? My MX is going to point to 41.160.185.61 (or rather a hostname with that IP, before someone complains that an MX can't point to an IP).

TheGuy (Expert Member, joined Sep 14, 2009, 2,971 messages)
2 things

1. Is the Billion router not configured for Fail over? IOW if connection one goes down only then will connection 2 come up.
2. You can always plug R1 into WAN2 to see if it comes up otherwise the WAN 2 port might be faulty.

Mier (Expert Member, joined Mar 30, 2007, 1,326 messages)
> Argh - I replied this AM at like 2AM and it seems it never went through!
>
> To make what seems to be a very long story short: The IPs are fake but they represent exactly what I have - Two Cisco routers, two static IP blocks (from 41.150.150.50 - 55 and 41.150.150.60 - 65), but each one of them on the Ciscos pointing to a different gateway. I didn't make that up, they actually ARE. And sorry Rudimental, I did make a typo, WAN1's gateway on my firewall is .50 and WAN2's is .60.
>
> Mier - thanks, I gathered as much hence my query. But your proposed configuration is..er..exactly what mine is?
>
> Pada - what can I say...in all the static IP configs I've seen the gateways usually lie on a different range. And who said anything about PC gateways? That's not the issue here. The PCs point to ONE gateway which is the firewall (well, not actually the PCs, I don't like rolling out gateways on my networks, I rather control access through proxies or GPOs).
>
> But that's beside the point. Point is - I want internet to come in on WAN1 and point to the Proxy. I have it like this and it works like a charm. I want mail to come in on WAN2 and point to my exchange. Problem is that WAN2 shows no connection even though the cable works and so does the physical port.
>
> Remember people please as well - the IPs on the WANs are not my configuration that I thumbsucked, they are the available static IPs and it's set up in exactly the way the ISP confirmed it to be working. Either way, I have the EXACT SAME firewall with a different ISP's IP and the configuration is exactly the same as on this one. I'm trying to figure out how I'm going to get that traffic split the way I want it done (email and internet).
>
> Everything WORKS - router feeding the proxy, PCs on the domain surfing fine, etc. But I cannot simultaneously plug the lines in as it shows no connection on the WAN. I have set the port forwardings for specifically WAN1 (internet etc) and WAN (Mail).
>
> so simple diagram is:
>
> Fibre --> Cisco (A) 41.160.185.50 (VLAN) --> 41.160.185.51 (WAN1) Billion Firewall 192.168.254 (LAN) --> Servers
> Fibre --> Cisco (B) 41.160.185.60 (VLAN) --> 41.160.185.61 (WAN2) Billion Firewall 192.168.254 (LAN) --> Servers
>
> But the WAN2 shows no connection. How will I get the Mail on WAN2 to my server? My MX is going to point to 41.160.185.61 (or rather a hostname with that IP, before someone complains that an MX can't point to an IP).

Actually this is your config in the OP:

> Wan1 config:
> 41.150.150.61
> 255.255.255.248
> 41.150.150.60
>
> Wan2 config:
> 41.150.150.61
> 255.255.255.248
> 41.150.150.60

Hence the reason for my comment to make WAN1 .51 (IP) and .50 (GW) ;)

Now you're mentioning:

> Fibre --> Cisco (A) 41.160.185.50 (VLAN) --> 41.160.185.51 (WAN1) Billion Firewall 192.168.254 (LAN) --> Servers
> Fibre --> Cisco (B) 41.160.185.60 (VLAN) --> 41.160.185.61 (WAN2) Billion Firewall 192.168.254 (LAN) --> Servers

Does this mean the Ciscos are doing VLAN tagging (802.1q)? Because this will again change everything. :confused:

N3O (Member, joined Feb 12, 2008, 16 messages)
It's configured for failover by default - it has the option between that and load balance. Does that mean WAN2 won't show unless WAN1 fails? How come it gives the option to port forward from a selection of WAN1, WAN2 or the WAN aliases?

Funnily enough - the reason we have the exact same second firewall is because the first one's WAN2 is faulty. This is a brand new router and I did test WAN2..first thing I did due to the other firewall having that issue.

What now? I'm thinking of plugging R2 into the exchange box's 2nd NIC...

Mier (Expert Member, joined Mar 30, 2007, 1,326 messages)
BTW. Does Wan2 come up when the Wan1 cable is unplugged (i.e. Wan2 connected to Cisco A)?

Does Wan1 stay up when it's plugged into Cisco B? (Perhaps the Cisco B port is in shutdown)

Rudimental (Expert Member, joined Jan 6, 2009, 1,457 messages)
I was going to suggest a separate Firewall for each Cisco, which in my mind makes things a lot simpler.

N3O (Member, joined Feb 12, 2008, 16 messages)
Ok never mind, got it working - I got the login details for the Ciscos and saw that the guys that configured them from Neotel never added the WAN port to the VLAN (on Cisco2) PLUS they had the VLAN set to LAN and not WAN.

I changed those and voila - both WANs on my Billion show connected and I can ping the public IPs (well, they're NOW public lol). I also checked that one has to set protocol binding on the WANs to enable them to act independently from each other rather than failover or load balance.

Everything is up now so going to point the MX and I should be golden. Thanks for everyone's interest and sorry for the confusion - but the WANs ARE really set up that way (with the gateways outside their subnet) and the statics are on the same subnet but being separated due to the different gateways. Works almost like multiple PPPoE sessions that may get the same static IP but they're accessed via different gateways..

Cheers!