
ISP connections with static and dhcp on the same firewall

NG Firewall CloudGen dhcp static routing circuit

5 replies to this topic

#1 Jonathan Klein

Jonathan Klein
  • Members
  • 33 posts

Posted 13 May 2019 - 04:34 PM

I have an NG F280 firewall. Is it possible to have both an ISP connection through DHCP and another through a static IP address? The primary traffic will be through DHCP with the static IP address as the failover IP address.



#2 Philip Pham

Philip Pham
  • Barracuda Team Members
  • 2 posts

Posted 13 May 2019 - 04:40 PM

Hi Jonathan,

It is certainly possible to have 2 ISP connections with your DHCP as your primary and static WAN as secondary for failover.



#3 Jonathan Klein

Jonathan Klein
  • Members
  • 33 posts

Posted 13 May 2019 - 04:44 PM

Do I need to add a gateway route for the static WAN IP address, or should I use the static IP as a source-based route and a directly attached network, as the static connection is a 3rd party circuit?



#4 Gavin Chappell

Gavin Chappell
  • Moderators
  • 402 posts
  • Location: Nottingham, UK

Posted 13 May 2019 - 04:45 PM

Yeah, absolutely possible. I'm not in front of NG Admin right now, but the parts I can think of that you would need are...

In the "Network" node on the configuration tree:

  • A correctly configured DHCP connection with the "own routing table", "use assigned IP" and "create default route" options enabled
  • A "directly attached network" route for the network holding your static IP (i.e. 1.2.3.0/29)
  • A correctly configured source-based routing entry for the static network, with the default route via the ISP gateway

In the virtual server configuration:

  • A valid IP for the statically assigned network

In the Forwarding Firewall configuration:

  • A Connection Object configured with the Translation Source IP configured for "Network Interface; dhcp" and then the failover policy configured for "Network Interface; p2" (or whatever the correct network port is for your static ISP).
  • You could also use "Explicit IP" for the failover, with the static IP address you assigned to the virtual server
  • You then use this Connection Object as the connection object assigned to any Internet-bound traffic

The end result you're looking for is that when the NG receives traffic which is leaving your internal network for the Internet, the Forwarding Firewall will first source NAT it to DHCP and try the connection, then if it fails, SNAT it to the static IP instead.



#5 Jonathan Klein

Jonathan Klein
  • Members
  • 33 posts

Posted 13 May 2019 - 05:18 PM

Do I need to add a directly attached route or gateway route in the routing table in the Network Node of the Box's configuration tree?



#6 Gavin Chappell

Gavin Chappell
  • Moderators
  • 402 posts
  • Location: Nottingham, UK

Posted 13 May 2019 - 05:35 PM

A directly attached route should be sufficient (which will inform the firewall which interface the gateway IP is available on), and then the source-based routing takes care of the default route for traffic with the source IP set to the static IP address (which forwarded traffic will have if you have the connection object I mentioned and your outbound connections are SNATed to that IP address).