Hello all, this time I don't necessarily have a "problem" in the sense that things might be working correctly; I just have no idea how to make them do what I want.
I'm setting up the Comcast fiber network between all my sites. I spoke to an engineer today about best practices in regards to MTUs and port speed, so my inter-site stuff should be fine, and I am able to get to the internet just fine on the P2P IP block Comcast gave me (a /30 block), but now I am trying to wrap my head around getting the public /28 block routable for externally facing servers. Actual IPs are different.
P2P IP range - 1.1.1.0/30 - Port 1 - WAN port
Public IP range - 2.2.2.0/28 - Port 2 - Set as DMZ in GUI (I don't think it matters)
Firewall - FortiGate 201E
Currently I took the first address in the public range and made it the IP of an interface. Comcast mentioned that most customers just assign their servers one of the public IPs (a lot easier than doing all of this PLUS NATting to the internal servers), and I have 2 firewall policies that allow traffic (limited to the /28 subnet) from port 2 to port 1 (no NAT) and from port 1 to port 2 (also no NAT). This gets my test servers out on the internet, and I can ping each server from the other servers (testing with 2 servers currently, one is a quick DokuWiki I spun up just to get something listening on port 80), but I can't seem to get my regular machines talking to the external servers. Has anyone set up a Comcast ENS network from scratch before? Running a traceroute to the external server results in it dying after my first internal gateway (there should be a series of 0.0.0.0/0 static routes that would lead this request to the Comcast gateway, which then should theoretically make it back to me). I'm just starting the process of making this work, so before I get too deep into things, I wanted to put down some of the things I'm going to try next and see if anyone else has any ideas:
Static route pointing 2.2.2.0/28 to the 1.1.1.0/30 interface (Comcast said they automatically route all of our public IPs to the IP of our WAN interface on their end)
Secondary IP address on the physical WAN port for the 2.2.2.0/28 network (currently the 2.2.2.1 gateway is on a different physical port)
I'm sending the IPs out without NAT, so I don't think I need to worry about externally NATing as all IPs should be publicly routable, but I might look into this as well
Sorry if this makes no sense, I just started working on this and I wanted to do a quick "mind dump" in the hopes ANYONE would know how to accomplish this.
I've heard that using a second router (or even an unmanaged switch.....don't ask) in between the Comcast Ciena switch and my main firewall would work, but I don't have an actual router and I would be more inclined to make this work all on one single device anyway, if for nothing more than the experience. Fortunately I do have a backup plan to make all of these problems go away, but I'm hoping to not have to use that if I don't have to....
Thanks in advance!
Smoblikat
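For reference, here is an added FortiOS CLI example of the routed (no-NAT) DMZ layout described in the post; it is not the poster's configuration. It assumes the /28 is already a connected network on port2 (so it needs no static route of its own, only the existing default route out port1), and that the internal LAN sits on an interface called "port3", which is a placeholder name not given in the post.

```fortios
# Added example, not the poster's config. Assumes: public /28 is a connected
# network on port2 (2.2.2.1/28 on the FortiGate), WAN is port1, and the LAN
# interface is "port3" (placeholder name; not stated in the post).
config firewall address
    edit "DMZ_public_28"
        set subnet 2.2.2.0 255.255.255.240
    next
end
config firewall policy
    # DMZ hosts reach the internet with their own public addresses: NAT stays off.
    edit 1
        set name "dmz-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "DMZ_public_28"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    # Inbound from the internet: only the services the DMZ actually serves.
    edit 2
        set name "internet-to-dmz"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "DMZ_public_28"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
    # LAN-to-DMZ: the FortiGate only forwards between two interfaces when a
    # policy matches that interface pair, even if the route already exists.
    edit 3
        set name "lan-to-dmz"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "DMZ_public_28"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

To see whether packets from the LAN are reaching the DMZ side at all, `diagnose sniffer packet port2 'icmp' 4` on the FortiGate shows (or fails to show) the test pings arriving on port2, which separates a routing problem from a missing policy.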