4 Replies Latest reply on Nov 2, 2012 8:26 AM by gtd

    SG560U Map WAN to LAN IPs

      Hello everyone,

       

      I'm sorry this is an extremely basic question (I'm a developer, not a network admin, obviously).

       

      My situation is that I have a fiber internet connection with a /29 block of IPv4 addresses.  I have my SG560U configured to use the first available IP.  On the LAN I have a handful of servers which I've assigned IPs based on MAC address, and I want to make these available via the remaining public IPs we have.

       

      So my very basic question is what are the configuration options that allow me to map external IP (possibly with specific ports) to internal IPs?

       

      Due to my weak networking knowledge I'm having a hard time Googling for an answer, and I'm not sure what of the following is relevant: Aliases, Static Routes, Policy Routes, Static Hosts, etc.  If someone could just help me out with the right terminology I'm sure I can figure it out.

        • 1. Re: SG560U Map WAN to LAN IPs
          PhilM

          Hi,

           

          While the SG units aren't one of my headline products, I think I may be able to point you in the correct general direction, and when he comes online rcamm may well be able to put you straight or fill in any remaining blanks.

           

          What you need to implement is Network Address Translation - the means of allowing a host with an otherwise unroutable private address on the internal side of your Firewall to use one (or more) of your allocated public ISP-supplied addresses.

           

          There is a NAT option on the GUI and from within this page I'm guessing you will need to focus on either the "Port Forwarding" tab or the "1 to 1 NAT" tab. Based on your description, you may end up looking at 1 to 1.

           

          Port Forwarding allows you to define policies based on ports and services. This allows you to accept connections on a specific external IP address and then, based on the service in question, decide which internal host should actually be the recipient of that connection. This is a flexible option and allows multiple hosts to share a single public address.

           

          1 to 1, as the name suggests, is more of a permanent relationship between one of your external IP addresses and a host on your internal network.

           

          Once you have decided which 'mode' best suits your needs and you have configured the NAT policies you still need to create Firewall rules (Packet Filter rules) to control which traffic is allowed to flow through the Firewall itself.

           

          I hope that is of use to you.

           

          -Phil.

          • 2. Re: SG560U Map WAN to LAN IPs

            Thanks for the response Phil.  I'm quite familiar with basic NAT, so I am confident setting up that part, but the issue is that the router has one IP assigned, and no other IP address is available when editing NAT entries.  I have the correct /29 netmask, but whenever I go to set up NAT it makes me choose the external IP from a drop-down, and that only shows the single IP assigned to the router.  So maybe my question boils down to, how do I make the remainder of the IP block available for NAT entries?

            • 3. Re: SG560U Map WAN to LAN IPs
              PhilM

              Go to the Network Setup page, select the "internet" port (Port B in my case), and click on the edit link.

               

              When the next page appears, you should see 6 tabs at the top of the screen and another 5 tabs immediately below. In this second row of tabs is one called "Aliases".


              This screen should then allow you to add the remaining addresses from your ISP-supplied /29 subnet to that interface on the Firewall. Once they're in place you should then be able to reference them in the NAT configuration.

               

              -Phil.

               

              Message was edited by: PhilM on 02/11/12 13:09:52 GMT
              • 4. Re: SG560U Map WAN to LAN IPs

                That's it!  Problem solved, thanks Phil!
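
The steps from this thread (add the spare /29 addresses as WAN aliases, map them with 1-to-1 NAT or port forwards, then add packet filter rules) can be sanity-checked on paper before touching the GUI. The following is an added example, not part of the original posts and not vendor code; the function names are hypothetical, and the 203.0.113.0/29 block, the gateway on .1 and the 192.168.0.x hosts are constructed assumptions.

```python
import ipaddress

def alias_candidates(block, router_ip, gateway_ip):
    """Usable addresses in the ISP block that are free to add as WAN aliases."""
    taken = {ipaddress.ip_address(router_ip), ipaddress.ip_address(gateway_ip)}
    return [h for h in ipaddress.ip_network(block).hosts() if h not in taken]

def check_plan(block, router_ip, gateway_ip, aliases, one_to_one, forwards, allow_rules):
    """Return the problems found in a NAT plan; an empty list means it is consistent.

    aliases:     addresses added on the WAN port's Aliases tab
    one_to_one:  {external_ip: internal_ip}
    forwards:    {(external_ip, proto, port): internal_ip}
    allow_rules: {(internal_ip, proto, port)} permitted by packet filter rules
    """
    free = set(alias_candidates(block, router_ip, gateway_ip))
    on_wan = {ipaddress.ip_address(a) for a in aliases}
    problems = [f"{a}: alias is not a free address in {block}" for a in sorted(on_wan - free)]
    on_wan.add(ipaddress.ip_address(router_ip))  # the router's own address is always present
    for ext, inside in one_to_one.items():
        if ipaddress.ip_address(ext) not in on_wan:
            problems.append(f"{ext}: 1-to-1 NAT needs this address as a WAN alias")
        if not any(dst == inside for dst, _, _ in allow_rules):
            problems.append(f"{inside}: 1-to-1 target has no packet filter rule")
    for (ext, proto, port), inside in forwards.items():
        if ipaddress.ip_address(ext) not in on_wan:
            problems.append(f"{ext}: port forward needs this address as a WAN alias")
        if (inside, proto, port) not in allow_rules:
            problems.append(f"{inside} {proto}/{port}: forward has no packet filter rule")
    return problems

if __name__ == "__main__":
    # Constructed sample: documentation block, ISP gateway assumed on .1, router on .2
    block, router, gateway = "203.0.113.0/29", "203.0.113.2", "203.0.113.1"
    print("add as aliases:", [str(a) for a in alias_candidates(block, router, gateway)])
    for p in check_plan(block, router, gateway,
                        aliases=["203.0.113.3", "203.0.113.4"],
                        one_to_one={"203.0.113.3": "192.168.0.10"},
                        forwards={("203.0.113.5", "tcp", 443): "192.168.0.11"},
                        allow_rules={("192.168.0.10", "tcp", 22)}):
        print("problem:", p)
```

The check for a missing packet filter rule follows Phil's description that NAT entries and filter rules are configured separately; it does not model any rules the device may create on its own.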