For background, the nonprofit organization I work for supports multiple public library systems with multiple branches per system. At the moment, it is about 26 sites that we support. Most of these sites are fortunate to be able to connect directly to a state wide library WAN network. A notable few exceptions are connected via a commercial ISP.
Many many years ago, every branch was allocated IPv4 network address space in the state wide library WAN network. Each branch had an ISDN modem that would connect a 56K channel. All the computers in the branches had public IP addresses, and their network size was determined by their need at the time. They had Sonicwall firewalls.
When I was hired, there was a project in place to replace all the Sonicwall firewalls with Cisco Pix firewalls, and I was able to assist in that project. As part of that project, we reconfigured every network with multiple VLANs, so there was now a WAN (outside), Staff (inside), Patron, and DMZ network. Staff and Patron were RFC1918 addresses in the 192.168 range. DMZ was the former public address space.
Over time, and many upgrades, we now have ASA 5506 firewalls acting as firewall, router, and nat device for each branch. Most of the branches are fortunate to have a high quality link into the state wide library WAN, typically over fiber. Over time, most of the sites have effectively stopped using their DMZ addresses, as they stopped having their own servers, and typically 3-5 IPs are used solely for NAT purposes. We have also added the obligatory BYOD network everyone seems to need these days.
I am in the process of replacing the ASA firewalls with Balance 20x model (and in one case, a Balance 310 Fiber 5G).
The problem I am running into is the locations where they still use their public IPs as a DMZ with public facing services.
So picture this example (using TEST-NET-x IP ranges as examples):
WAN network: 192.0.2.248/30
- interface IP: 192.0.2.250 # my WAN IP
- gateway IP: 192.0.2.249 # ISPs L3 switch
DMZ network: 198.51.100.128/25
- interface ip: 198.51.100.129
Staff network: 10.32.1.0/24
- interfaece ip: 10.32.1.1
- public NAT address: 198.51.100.150
Patron network: 10.32.2.0/24
- interface ip: 10.32.2.1
- public NAT address: 198.51.100.151
BYOD network: 10.132.0.0/16
- interface ip: 10.132.0.1
- dhcp pool: 10.132.0.2 - 10.132.255.254 # to support a ton of random BYO users
- public NAT address: 198.51.100.254
This is an oversimplification. However, there is equipment in the 198.51.100.128/25 network that cannot easily be moved to a new IP.
I have tried everything I can think of to set the primary WAN interface to IP Forwarding mode, creating a VLAN to be called DMZ with the 198.51.100.128/25 network, using the .129 IP for itself. Then set up VLANs for Staff, Patron, and BYOD, and try to have them NAT to the appropriate public IP in the DMZ.
Things I have tried:
- Primary WAN as 192.0.2.250, in IP Forwarding mode (aka routed mode)
- Additional WAN in NAT mode: either a USB Ethernet adapter, or more recently VLAN as WAN, with a cable connecting back to a port in access mode in the DMZ VLAN,
For the life of me, I am just unable to produce a similarly functional configuration as what the single Cisco ASA does. I am positive it is my own lack of understanding to blame here, hence seeking advice from the peplink community at large.
The only thing I have managed to get to successfully work for me is to use 2 peplink devices, one in IP Forwarding mode, the other in NAT mode, back to back. Obviously, this seems wasteful, and is hard to explain to management. “well, you see, the peplink is super awesome, but we have to buy 2 of the things to replace the thing”. That is simply not an argument I wish to try to justify.
I will admit that my comprehension of SNAT and DNAT etc isn’t the best, and I suspect that is a majorly contributing factor.
Any advice would be very welcome!
Thank you for your time and attention,
Jim
