This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to publish static ARP entries with multiple WAN subnets from ISP

Hi Everyone

Working on a bit of an odd situation here. Trying to find out a way to set up multiple subnets on the WAN interface for NAT. I have tried all the usual items such as 'additional interfaces', vlans and just directly creating the D/SNAT statements and nothing works. What the ISP is telling me is that they need a different MAC address for each of the addresses outside what is assigned to the WAN intererface.

IE: First range is 12.12.12.x /24, with the UTM at 12.12.12.12. All addresses work fine on this network for NAT. But I need to create an address in the second network of 14.14.14.x /24, and here is where the problem.

They provided a link below to the sonicwall setup, but I see no way to create a radomly generated MAC address for this new entry.

https://www.sonicwall.com/support/knowledge-base/configuring-multiple-wan-subnets-using-static-arp-with-sonicos-enhanced/170503911164326/

Thoughts?

Thanks

This thread was automatically locked due to age.

Parents

0 dirkkotte over 4 years ago

Sophos use the same IP for all VLAN's / additional addresses at one physical interface.

You can use a second physical interface and a little Switch to get multiple MAC's.

But why ... don't understand the requirement.

If i need a second network segment from same ISP (for NAT or other reasons) i order "gateway for second Network is external Sophos IP of first" (second subnet is routet behind first)

So i can use NAT with addresses from second subnet.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 JSeiler over 4 years ago in reply to dirkkotte

The reason we are in this situation is because the ISP does not have anything more than small business cable modem service in this area. Thus, we are stuck with network blocks that are not contiguous. They provided three separate blocks and use one of those addresses in each block on their cable modem. I was trying the route of the vlans but since the UTM plugs into their cable modem we are a bit stuck. Using separate physicals NICs would work, but they are used up on two other DMZ with one for HA, another for LAN and the WAN.

Bit of a joke of an internet connection if you ask me. Good thing it's the backup connection.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 JSeiler over 4 years ago in reply to dirkkotte

The reason we are in this situation is because the ISP does not have anything more than small business cable modem service in this area. Thus, we are stuck with network blocks that are not contiguous. They provided three separate blocks and use one of those addresses in each block on their cable modem. I was trying the route of the vlans but since the UTM plugs into their cable modem we are a bit stuck. Using separate physicals NICs would work, but they are used up on two other DMZ with one for HA, another for LAN and the WAN.

Bit of a joke of an internet connection if you ask me. Good thing it's the backup connection.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 4 years ago in reply to JSeiler

Instead of trying to put all of the IPs on an external interface, why not have the ISP route the other subnets to your primary public IP ("transfer net") and then create a DMZ with public IPs? You would just need to change the Source/Destination translation for the NATs on your primary interface to the public IPs in the DMZ. Make sure your masq rules don't apply to the DMZ subnet. Can that approach work for them?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel