Watchguard firebox: public IP addresses behind firewall with as many usable IP addresses as possible

Tags: firebox, ip, networking, watchguard

Our ISP assigned us 16 public IP addresses that we want to assign to hosts behind a Watchguard firebox x750e.

The IP addresses are:
x.x.x.176/28
of which x.x.x.177 is the gateway.

The hosts will be running software that needs to be directly assigned the public IP address so 1:1 NAT is not an option.

I found this document that gives examples on how to assign public IP addresses to hosts behind the firewall, using an optional interface:
http://www.watchguard.com/help/configuration-examples/public_IP_behind_XTM_configuration_example_(en-US).pdf

However, I can't implement scenario 1 as it won't allow me to use the same subnet on both interfaces.
As for scenario 2, splitting the address range into 2 subnets will decrease the usable hosts on the optional interface to 5 (8 – network – broadcast – optional interface ip).

I'm convinced that there must be a better way to address this problem and maximize the number of usable IP addresses but I'm not very familiar with this specific firewall.

Are there any suggestions on how to keep the hosts behind the firewall with public IP addresses while maximizing the usable IP addresses?

thanks

Best Answer

You should be able to use Drop-In mode and Secondary Networks to allow your public and private ip addresses to both be used on each of the interfaces. You can then do any NAT that's needed for the private ip addresses and no NAT for the public ip addresses. The private ip address you configure for each Firebox interface will become the DG for privately addressed hosts connected off of that interface. The public ip address configured on the Interfaces tab will become the DG for publicly addressed hosts on each Firebox interface. Drop-In mode will allow you to use the same public address space on each interface without needing to subnet the address block.