Though I have one of these devices, I haven't tried to configure the scenario you are describing. But I am not unfamiliar with this scenario and have configured it numerous times on McAfee Firewall Enterprise appliances.
Unless there's a fundamental difference in the way the SnapGears work, you shouldn't be prevented from adding a further alias address to port B based on your new /30 subnet.
Where things get a little tricky is in the routing aspect. It doesn't matter how many different aliases you have configured and how many different subnets these aliases belong to, you can only have one default gateway address. Unless you have explicit routes configured you basically can't use both connections at the same time. We would normally advise our MFE customers to add the new address as an alias, in preparation for the switch-over and when the time comes simply change the default gateway address on the appliance.
Looking at the different configuration GUIs, the fact that on the SnapGear the default gateway value is configured on the same screen as the primary interface address could mean that my theory won't work in this case. On the MFE appliances, the default gateway is configured in a separate screen. So as long as this value corresponds with one of the configured interface addresses (be it the primary address, or one of the aliases) it will be accepted.
I hope that helps in some way.
Thanks for the response Phil, that's exactly where I have been running into the confusion. Up until now multiple IPs from this cable co have virtually always been issued out of the same subnet, so the gateway has always been the same. But now they've obviously decided that they like subnetting a lot and have moved to /30s for everything, which, with individual gateway IPs, it appears may be problematic for the SnapGear.
>>>>> Mike <<<<<
Maybe not, Mike.
As with my earlier response, I haven't dealt with the practical aspects of this on the SnapGear product - I have 10+ years' experience working with and supporting McAfee's Firewall Enterprise offering, but I happen to have a SnapGear at home which is where most of my exposure to this product comes from.
One thing the SnapGear does have (which MFE does not) is the concept of a policy-based route. Normal static routes are pretty inflexible, but the policy routes do give you some additional criteria to work with. If rcamm sees this he may be able to give you a comprehensive answer - as he's 'the man' when it comes to SnapGear. But, if you take a look at the Policy Routes tab (under Network Setup -> Routes) you may be able to create a policy route based on a specific characteristic of your new subnet. This may still fall flat if the ISP is trying to issue the new subnet range over your existing connection. But maybe, just maybe, because they've been forced to issue addresses in a different subnet, but are using the same physical connection to provision them, they are able to do something clever with the router - rather than you needing to do anything special with your SnapGear, aside from adding the alias addresses. Your existing default gateway remains as is, and the ISP is able to handle traffic for each subnet. I don't know...
It's been a while since I last used a SnapGear. You should add them as aliases (or one as the primary and the other as an alias); it doesn't matter what subnet they are on, as each will have to have an IP/mask.
Until now it was no problem to add the 2nd IP as an alias because it was assigned out of a larger IP block and they both had the same gateway. Unfortunately the problem now is that the IP is assigned out of a /30, which means that each IP has its own individual gateway... and the SnapGear doesn't have anywhere to specify that 2nd gateway.
I'm in the process of "solving" the problem by replacing the SnapGear with a MikroTik router as the setup of this configuration on that platform is 2-clicks simple :-)
>>>>> Mike <<<<<
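
Added example (not part of any post in this thread): a small Python model of the routing issue discussed above. It shows that with a single default gateway, traffic sourced from the second /30 alias leaves through a gateway outside its own subnet, while a source-based policy route pairs each alias with its own gateway. All addresses and function names are constructed for illustration, and this does not reproduce SnapGear configuration.

```python
import ipaddress

# Constructed addressing from documentation ranges (not values from the thread):
# each alias is a /30 whose only other usable host is its own gateway.
ALIASES = {
    "192.0.2.2/30": "192.0.2.1",        # original address -> its gateway
    "198.51.100.6/30": "198.51.100.5",  # new /30 alias -> its gateway
}
DEFAULT_GW = "192.0.2.1"  # the single default gateway the device allows


def usable_hosts(alias):
    """Usable host addresses in the alias's subnet (two for a /30)."""
    return [str(h) for h in ipaddress.ip_interface(alias).network.hosts()]


def next_hop(src, aliases, default_gw, policy=False):
    """Pick the next hop for outbound traffic sourced from src.

    policy=False: destination-only routing, everything uses default_gw.
    policy=True:  source-based policy route, use the gateway paired with
                  the alias subnet that contains src.
    """
    if policy:
        s = ipaddress.ip_address(src)
        for alias, gw in aliases.items():
            if s in ipaddress.ip_interface(alias).network:
                return gw
    return default_gw


def egress_report(aliases, default_gw, policy):
    """Map each alias address to (next hop, next hop is in the same subnet)."""
    report = {}
    for alias in aliases:
        iface = ipaddress.ip_interface(alias)
        hop = next_hop(str(iface.ip), aliases, default_gw, policy)
        report[str(iface.ip)] = (hop, ipaddress.ip_address(hop) in iface.network)
    return report


if __name__ == "__main__":
    print(usable_hosts("198.51.100.6/30"))
    print(egress_report(ALIASES, DEFAULT_GW, policy=False))
    print(egress_report(ALIASES, DEFAULT_GW, policy=True))
```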