I would like some clarification on how to setup the External interface for use with our CIDR block from Cox. They gave us an IP and gateway and then gave us a CIDR block to use for our public IP's.
Here is what they gave us (IP's changed for security):
WAN Address 220.127.116.11
WAN Netmask 255.255.255.240
WAN Gateway 18.104.22.168
Customer CIDR Network 22.214.171.124/28
Customer CIDR Netmask 255.255.255.240
Number of hosts: 13
Suggested Default Gateway 126.96.36.199
First Useable 188.8.131.52
Last Useable 184.108.40.206
So for the External interface do I give it two IP's, 220.127.116.11/28 and 18.104.22.168/28 with a static route to 22.214.171.124?
Or do I need to give it the WAN IP of 126.96.36.199/28 and static route of 188.8.131.52 and then also assign each individual Public IP from the CIDR block like 184.108.40.206/28, 220.127.116.11/28, 18.104.22.168/28 ... 22.214.171.124/28?
For the second list I think these are your public IPs. They have given you a /28 which means you have 16 addresses.
1 goes for the network
1 goes for the broadcast
1 goes for the router
which leaves 13 and this ties up with the list.
Now you need to be able to route in and out of the this mini network so you need to tell this router for this mini network that it's upstream gateway is 126.96.36.199. This would mean puting another IP on the external interface of the router so it's on the same network as the gateway (188.8.131.52).
I think they are expecting you to put a router on your end of the CIDR rather than a firewall with the firewall being behind your router and protecting your internal network.
I'm not sure if you can get MFE to pretent to be a router, but I think you need somekind of router in the mix to make this work.
I might be talking nonsense and you've got this all working - if so I'd love to hear the explanation of how you got it working.
This is what I received from tech support:
"Yes, thesecond option to have indivudual IP's for 69.110.175.x as alias ip's ,184.108.40.206/28 as WAN IP and staticroute to 220.127.116.11 will work here. Usually, COX will be having therequired routing for both the subnets in its upstream router to pass the traffic."
I haven't tried it yet so I guess we will see. When it gets cut over I will update this thread and let you know what we had to do. I would think you could go right from the cable modem to the firewall but who knows.Message was edited by: grinder on 3/28/13 4:44:15 PM CDT
Just for giggles I tried the following.
Clean MFE virtual machine with two interfaces in a test lab.
external interface : 192.168.1.1/24
internal interface : 192.168.2.1/24
Turned on allow ICMP echo response so I could ping the external LAN.
Test virtual PC with IP 192.168.1.2/24 and set it's default gateway to be 192.168.1.1. Could successfully ping the external interface (yup I know, does not need the default gateway for this).
So far, so good nothing special here.
Added alias IP 192.168.3.1/24 to the external interface - notice this is on a different subnet (a bit like your CIDR allocation).
I could then ping 192.168.3.1 from the virtual PC. I guess it must have been routing to the firewall and the MFE knew what to do when it arrived at it's 192.168.1.1 interface.
I think this will work okay.