My routing knowledge is a little rusty. I have a fibre internet connection hooked up like this:
The managed switch breaks out VLANs for a transparent LAN service that also comes through the ISP's box. I think that's mostly irrelevant for this problem, so I've left it out of the diagrams.
I have two /29 subnets (using example addresses from RFC5735):
- 192.0.2.144/29 (.144-151) - the main one. Our gateway is 192.0.2.145, and the firewall's main address is 192.0.2.146.
- 203.0.113.88/29 (.88-.95) - second subnet that has no gateway and is routed by the ISP to the first one (I think, this is the part where I get confused).
The firewall has all the usable IP addresses of both subnets added to its WAN interface, and does NAT to various servers.
Now I want to add a separate network with its own firewall, outside of our firewall, and it needs its own public IP address, like this:
I am not using 203.0.113.94 yet, so I was going to remove it from the additional addresses on the existing firewall and give it to the new firewall... but that won't work, will it? It has no gateway on its subnet.
Or I could rearrange things and give it one of the 192.0.2.144/29 addresses. Would that work properly and let both networks function properly? Is there a better way to do this?
I could attach the new firewall to the existing one if it could still get a real public IP, not NAT, but I don't know if there is any way to do that with the WatchGuard firewall. It would probably require further subnetting, and I'm almost out of IP addresses already.
The new network is to be our test lab (so I can finally stop testing things in production!). I don't want the two networks to ever be able to speak to each other, because it will have the same internal subnet and clones of production machines. I need the new firewall to have a public IP address, without any NAT.
I think your best bet is going to be to contact your ISP and clarify exactly what they are giving you with the 203.0.113.88/29 block. There is no reason for things to be complicated by the uncertainty about these IP addresses.
The most ideal scenario is for you to connect a second firewall to that switch and give it one of the IPs on the 203.0.113.88/29 network with a default gateway on the same network.
How can your ISP route the 203.0.113.88/29 within your network? Somehow I doubt that's the case.
If you are not fully using your 192.0.2.144/29 (or the 203.0.113.88/29) network, you should be able to put an interface on your switch with one of the IP addresses in that range. I would recommend using two IP addresses (if available), so for example:
Switch1:
```
! 192.0.2.148/30: usable hosts are .149 and .150
interface FaX/X
 ! your new firewall connects here
 ip address 192.0.2.149 255.255.255.252
!
```
Then on your new firewall you would put:
```
interface X/X
 ip address 192.0.2.150 255.255.255.252
```
This would take care of your need for a default gateway; you could also put the /29 mask on it and use the same gateway that is currently in use on your switch.
So for example (let's say you are using VLAN 20 on your switch):
```
interface Vlan20
 ip address 192.0.2.145 255.255.255.248
!
interface FaX/X
 ! your new firewall connects here
 switchport access vlan 20
```
On your new firewall:
```
ip address 192.0.2.147 255.255.255.248
```
Regarding the no-communication rule, you would either need a separate subnet or an ACL on your switch.
Hope this helps
Assigning the lab firewall an address within 192.0.2.144/29 or 203.0.113.88/29 wouldn't work unless it's behind whatever device acts as the gateway for that address space, because whatever device has that broadcast address is going to respond to ARP requests.
You would want to assign the address upstream of your WatchGuard firewall or, rather than have the WatchGuard advertise the /29 network, you can break that /29 up into /30s. Assign a /30 to one firewall and another /30 to the new lab firewall if you don't need all 8 host addresses within the /29 on one firewall.
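The two answers above both come down to subnet arithmetic: a host's gateway has to sit inside the host's own subnet, an interface address must not be the network or broadcast address, and a /30 carved out of a /29 cannot coexist with that /29 still configured whole on another interface. The following is an added example, not code from any poster in this thread or from the WatchGuard product; it uses Python's standard `ipaddress` module to check constructed addressing plans built from the documentation addresses in the question. The interface names (`switch Fa0/1`, `lab-fw wan`, `main-fw wan`) and every plan are hypothetical.

```python
"""Added example (not from the original thread): sanity-check an addressing
plan for the two /29 blocks discussed above, and show how a /29 carves into
/30s.  Addresses are the documentation ranges from the question; every plan
below is constructed for illustration, not taken from any poster's config."""
import ipaddress
from itertools import combinations
from typing import List, Optional, Tuple


class Iface:
    """One interface: name, configured address with prefix, and the next hop
    it uses (None if this interface is itself the gateway for the segment)."""

    def __init__(self, name: str, address: str, gateway: Optional[str] = None):
        self.name = name
        self.intf = ipaddress.ip_interface(address)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None


def check_iface(i: Iface) -> List[str]:
    """Return the problems with one interface's address/gateway pairing."""
    problems = []
    net = i.intf.network
    if i.intf.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{i.name}: {i.intf.ip} is the network or broadcast address of {net}")
    if i.gateway is not None:
        if i.gateway not in net:
            # The questioner's worry: a host in 203.0.113.88/29 cannot use 192.0.2.145.
            problems.append(f"{i.name}: gateway {i.gateway} is not inside {net}")
        elif i.gateway == i.intf.ip:
            problems.append(f"{i.name}: gateway {i.gateway} is the interface's own address")
    return problems


def check_plan(ifaces: List[Iface]) -> List[str]:
    """Check every interface, then look for subnets that overlap without being
    identical (e.g. a /30 carved out of a /29 that is still configured whole)."""
    problems = []
    for i in ifaces:
        problems.extend(check_iface(i))
    for a, b in combinations(ifaces, 2):
        na, nb = a.intf.network, b.intf.network
        if na != nb and na.overlaps(nb):
            problems.append(f"{a.name} ({na}) overlaps {b.name} ({nb})")
    return problems


def carve(block: str, new_prefix: int) -> List[Tuple[str, str, str]]:
    """Split a block into sub-blocks: (subnet, first usable, last usable)."""
    net = ipaddress.ip_network(block)
    return [(str(s), str(s[1]), str(s[-2])) for s in net.subnets(new_prefix=new_prefix)]


# Constructed plans.  GW_MAIN is the ISP gateway named in the question.
GW_MAIN = "192.0.2.145"

# Two /30 addresses that straddle a /30 boundary: .147 is the broadcast of
# 192.0.2.144/30 and .148 is the network address of 192.0.2.148/30.
PLAN_STRADDLE = [
    Iface("switch Fa0/1", "192.0.2.147/30"),
    Iface("lab-fw wan", "192.0.2.148/30", gateway="192.0.2.147"),
]

# The lab firewall on the gateway-less block, pointed at the other block's gateway.
PLAN_LAB_NO_GATEWAY = [Iface("lab-fw wan", "203.0.113.94/29", gateway=GW_MAIN)]

# The /29 still whole on the main firewall while a /30 is carved out for the lab.
PLAN_OVERLAP = [
    Iface("main-fw wan", "192.0.2.146/29", gateway=GW_MAIN),
    Iface("lab-fw wan", "192.0.2.150/30", gateway="192.0.2.149"),
]

# Both firewalls renumbered onto their own /30 out of 192.0.2.144/29.
PLAN_SPLIT = [
    Iface("main-fw wan", "192.0.2.146/30", gateway=GW_MAIN),
    Iface("switch Fa0/1", "192.0.2.149/30"),
    Iface("lab-fw wan", "192.0.2.150/30", gateway="192.0.2.149"),
]

if __name__ == "__main__":
    for label, plan in [("straddle", PLAN_STRADDLE), ("lab-no-gw", PLAN_LAB_NO_GATEWAY),
                        ("overlap", PLAN_OVERLAP), ("split", PLAN_SPLIT)]:
        print(label, check_plan(plan) or "OK")
    print(carve("192.0.2.144/29", 30))
```

`PLAN_LAB_NO_GATEWAY` reproduces the questioner's objection in one line of output, and `PLAN_OVERLAP` is the caveat behind "break that /29 up into /30s": the main firewall's WAN has to be renumbered onto its own /30 as well (`PLAN_SPLIT`), and whatever sits upstream still needs a route for the lab /30. The script only checks addressing; it says nothing about whether the ISP actually routes 203.0.113.88/29 toward you, which is the question only the ISP can answer.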
I don't know the specifics of your firewall, but this is how I would do it with just about any business-grade firewall, two firewalls being unnecessary:
Put the 203.0.113.88/29 network on your first firewall, on a separate interface (or sub-interface if you can use VLANs), and have the firewall protect the networks from each other. Just assign the firewall interface an address from the network block, and that will be the gateway for the network. You will need a default route from the network to the WAN interface of the firewall (or the ISP router address), and you are done. NAT really has nothing to do with firewalls; firewalls are usually just a convenient place to NAT. You don't need to NAT on the network if you don't want to, and I wouldn't with public addresses.
If your ISP is routing both of those scopes to your current firewall, you should be able to set up your desired config with no additional software, depending on your WatchGuard model. WatchGuard is really good at handling these sorts of issues. It sounds like you may have a bad configuration with regard to the 192 or 203 network, at least in terms of using it as a public network. You should have at least one year of support on the appliance, and if not, pay for another; it is well worth their guidance in setting up this config for you. But first get them to confirm that your current model firewall can handle the config and the traffic load you may expect from both networks.
Regarding your ISP, it sounds like they are just dumping the second network scope on top of the first. Whoever provisioned the service probably was not able at that time to configure both endpoints at your facility and left it as it is now. Getting that cleared up with them would help a lot. It would also help you to discuss your config with WatchGuard. I personally would use just one firewall, for a number of reasons: electrical load for one, but service contracts and other recurring costs and support needs are another. Unless you truly have another issue, like if your development projects require resets of the unit for some reason, i.e. developing network management software, or if the current unit is undersized for the job of supporting the load of both networks. Take these issues into consideration.