Yet another comcast ENS question......

Smoblikat

Hello all, this time I don't necessarily have a "problem" in the sense that things might be working correctly, I just have no idea how to make them do what I want :D

I'm setting up the Comcast fiber network between all my sites. I spoke to an engineer today about best practices in regards to MTUs and port speed, so my inter-site stuff should be fine, and I am able to get to the internet just fine on the P2P IP block Comcast gave me (a /30 block), but now I am trying to wrap my head around getting the public /28 block routable for externally facing servers. Actual IPs are different.

P2P IP range - 1.1.1.0/30 - Port 1 - WAN port
Public IP range - 2.2.2.0/28 - Port 2 - Set as DMZ in GUI (I don't think it matters)
Firewall - Fortigate 201E

Currently I took the first address in the public range and made it the IP of an interface. Comcast mentioned that most customers just assign their servers one of the public IPs (a lot easier than doing all of this PLUS NATting to the internal servers), and I have 2 firewall policies that allow traffic (limited to the /28 subnet) from port 2 to port 1 (no NAT) and from port 1 to port 2 (also no NAT). This gets my test servers out on the internet, and I can ping each server from the other servers (testing with 2 servers currently, one is a quick DokuWiki I spun up just to get something listening on port 80), but I can't seem to get my regular machines talking to the external servers. Has anyone set up a Comcast ENS network from scratch before? Running a traceroute to the external server results in it dying after my first internal gateway (there should be a series of 0.0.0.0/0 static routes that would lead this request to the Comcast gateway, which then should theoretically make it back to me). I'm just starting the process of making this work, so before I get too deep into things, I wanted to put down some of the things I'm going to try next and see if anyone else has any ideas:

- Static route pointing 2.2.2.0/28 to the 1.1.1.0/30 interface (Comcast said they automatically route all of our public IPs to the IP of our WAN interface on their end)
- Secondary IP address on the physical WAN port for the 2.2.2.0/28 network (currently the 2.2.2.1 gateway is on a different physical port)
- I'm sending the IPs out without NAT, so I don't think I need to worry about externally NATing as all IPs should be publicly routable, but I might look into this as well

Sorry if this makes no sense, I just started working on this and I wanted to do a quick "mind dump" in the hopes ANYONE would know how to accomplish this :D

I've heard that using a second router (or even an unmanaged switch.....don't ask) in between the Comcast Ciena switch and my main firewall would work, but I don't have an actual router and I would be more inclined to make this work all on one single device anyway, if nothing more than for the experience. Fortunately I do have a backup plan to make all of these problems go away, but I'm hoping to not have to use that if I don't have to....

Thanks in advance!
Smoblikat
Ehren8879

Assume this:
port 1 configured as 1.1.1.2/30 on your router (Comcast's side is 1.1.1.1/30)
port 2 configured as 2.2.2.1/28 on your router

Set a static default route on your router to 1.1.1.1/30 (Comcast's side of the connection).

A device connected to port 2 would use address (for example) 2.2.2.2/28 with a gateway of 2.2.2.1.

This device will send its internet-bound traffic to 2.2.2.1 (your router). Your router will then forward this traffic to 1.1.1.1 (Comcast's router) and internet magic should happen.
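The setup Ehren8879 describes (and that the original post says is already in place: public /28 on port 2, /30 on port 1, no-NAT policies in both directions) written out as FortiOS CLI. This is an added example, not configuration from either poster. The interface names port1/port2 and "internal", the address-object name "public-28", the policy names, and HTTP as the only inbound service are assumptions; the addresses are the thread's own placeholders.

```text
# Added example (not from the thread). Interface names, the "public-28"
# object, policy names and the "internal" LAN interface are assumptions.
config system interface
    edit "port1"
        # P2P /30 from Comcast; their side is 1.1.1.1
        set ip 1.1.1.2 255.255.255.252
        set role wan
    next
    edit "port2"
        # Public /28; this address is the gateway the servers point at
        set ip 2.2.2.1 255.255.255.240
        set role dmz
    next
end

# Address object for the public block, referenced by the policies below
config firewall address
    edit "public-28"
        set subnet 2.2.2.0 255.255.255.240
    next
end

# One default route out the WAN port to Comcast's side of the /30.
# No static route for 2.2.2.0/28 is needed: it is directly connected on
# port2, and Comcast already routes the /28 to the WAN address.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 1.1.1.1
        set device "port1"
    next
end

# Policies with NAT disabled so the servers keep their public addresses.
config firewall policy
    edit 1
        set name "dmz-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "public-28"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        # Inbound from the internet: only what the servers expose
        # (HTTP for the test wiki), not "ALL"
        set name "internet-to-dmz"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "public-28"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
    edit 3
        # Internal machines reaching the servers by their public IPs.
        # Because the /28 is connected on port2, the firewall forwards
        # this itself rather than sending it out the WAN, so the
        # internal-to-port2 path needs its own policy. "internal" is an
        # assumed name for the LAN-side interface.
        set name "lan-to-dmz"
        set srcintf "internal"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "public-28"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
end
```

The inbound policy is deliberately narrowed to the one service the thread mentions; widen it per server rather than allowing everything into the /28. Policy 3 covers the "regular machines can't reach the external servers" path from the original post: with the /28 directly connected, the traffic never leaves the firewall, so a policy from the internal interface to port2 is what governs it.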

Smoblikat

Ehren8879 said:
> Assume this:
> port 1 configured as 1.1.1.2/30 on your router (Comcast's side is 1.1.1.1/30)
> port 2 configured as 2.2.2.1/28 on your router
>
> Set a static default route on your router to 1.1.1.1/30 (Comcast's side of the connection).
>
> A device connected to port 2 would use address (for example) 2.2.2.2/28 with a gateway of 2.2.2.1.
>
> This device will send its internet-bound traffic to 2.2.2.1 (your router). Your router will then forward this traffic to 1.1.1.1 (Comcast's router) and internet magic should happen.

That's exactly the scenario I have, and I *might* have solved the issue already? Problem #1 was I was testing against the wrong server IP (MY BAD!), but the next problem I discovered is that I can't route to the 2.2.2.0/28 subnet if I'm physically on my fiber network, but if I plug directly into the Comcast modem that's running our current coax connection, I can instantly navigate to 2.2.2.2:80 (the test wiki I'm using). I assume this is due to me not having explicit policies allowing me to route to it internally, which my firewall is probably trying to do automagically seeing as the gateway is a local port. Thanks for the input; as soon as I saw that you recommended the same setup I was already running, I knew the issue was something "stupid" like a wrong IP or not routing on the fiber network.......though I don't specifically know why it wouldn't just go out the WAN port and route right back in, but whatever, that can be addressed in time......now I need to migrate some of my virtual switches/VMs on my ESXi server....which never ends well :(

Thanks again for the help, I'm sure I'll have some follow-up problems on this question, so stay tuned if you're so inclined :p