Static Public IP Setup for 3801

I have a couple of servers on our LAN which I want to be able to have receive port 80 forwarded from different static public IPs. Anyone know how to do this for the 3801HGV?

My configuration is as follows:

DHCP Scope: 192.168.1.1-199

Servers have private fixed addresses of 192.168.1.1 and 192.168.1.2

I have a range of public IP addresses of 108.123.123.20-24 (changed for privacy)

I want to point my name server of www.xyz.com to 108.123.123.20 with port 80 forwarded to 192.168.1.1

I want to point my name server of fun.xyz.com to 108.123.123.21 with port 80 forwarded to 192.168.1.2

I do not want these servers to simply be given those public IP addresses because I need them to remain on our private LAN.

 

How do I accomplish this?

Message 1 of 8 (647 Views)
Employee

Re: Static Public IP Setup for 3801

To verify understanding,
You subscribed to a block of 8 static IP addresses, of which 5 are usable, for $15 per month and are having trouble assigning them and port forwarding port 80. Is this correct?
Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Message 2 of 8 (628 Views)

Re: Static Public IP Setup for 3801

Yes.

Message 3 of 8 (617 Views)

Re: Static Public IP Setup for 3801

I wanted to add some clarification here and since a picture is worth a thousand clarifying words, I'll do it through screen shots. IP addresses have been changed to protect the innocent. (Open just the image to view it in detail.) Here’s our server (UCM6108) with a private fixed IP address assigned by DHCP:

 

Note that we need this server to remain on our internal LAN so it should retain that 192.168.1.3 IP address. When we attempt to “map” a WAN IP address to it, we get this error:

 

The error reads, "For the public routed subinterface only WAN IP mapping is allowed." Okay, let's see what happens when we assign the "WAN IP Mapping" address:

 

That's not good, our server has just been moved outside of our LAN scope (and possibly outside of our firewall?). It has the public IP address assigned to it, but no longer has its internal IP address of 192.168.1.3. So after changing DHCP back to assign a private fixed IP address to our server, we head over to allow a pinhole through the firewall from public IP address 107.xxx.xxx.26 to 192.168.1.3:

We successfully forward port 80 (web server) and 443 (HTTPS) to our UCM6108 which is still at 192.168.1.3:

The problems with this solution are that we a) can’t assign another server (HAL9000 at 192.168.1.1) as a webserver because "Web Server is currently assigned to UCM6108":

and b) haven’t been able to select which of our public IP addresses are being forwarded (i.e. 107.xxx.xxx.2x) and the answer is that NONE of them are being forwarded. Instead, what is being forwarded is a public IP address that isn’t even in our block of public IP addresses:

So how does one accomplish what we need to do? Do I have to assign the public IP address for each server to a separate firewall and then have that firewall port forward 80 and 443 to the respective internal IP address? That seems seriously flawed, but what's the point of offering these public IP addresses if I can't forward ports for each of them irrespective of the others?

 

Message 4 of 8 (611 Views)
Expert

Re: Static Public IP Setup for 3801


millennium wrote:
...

So how does one accomplish what we need to do? Do I have to assign the public IP address for each server to a separate firewall and then have that firewall port forward 80 and 443 to the respective internal IP address? That seems seriously flawed, but what's the point of offering these public IP addresses if I can't forward ports for each of them irrespective of the others?


 

You can forward the ports to individual IP addresses within the static block, but they must be assigned to the server.  And as you've found out, the 2Wire routers don't support multihomed hosts (hosts with more than one IP address on the same Ethernet interface), so the public IP address disappears when you assign a static IP.

 

The 2Wire routers also do not support NAT of the assigned static IP subnet, which is what you're wanting to do.  To do that, the static IPs would have to be exposed on the WAN interface of the 2Wire and have the ability to assign NAT entries, but the 2Wire can only assign them to the LAN interface with no NAT.

 

I see 3 different ways you can work around these restrictions with the 2Wire that will work:

 

1. Why do you need the servers to maintain their private LAN IP address?  The 2Wire should route traffic between the private and public subnets, so if a computer on the private LAN wants to talk to the server on a public static IP, it can, provided that the server's internal DNS name resolves to the public static IP.

 

2. You can give the servers dual IP addresses if you use two separate network cards that have different MAC addresses.  Assign the static IP to one of the network cards via the 2Wire's IP Allocation page, and assign a private IP address to the other network card manually.  It is important to do the private IP manually because you want to leave the default gateway on that card blank.  That way, return traffic to clients that hit the web server will be routed out the static IP network card and not the private IP card.  With this configuration, private IP computers can talk to the server on the private IP card, and web clients will talk to it on the public IP card.  When configuring IIS (for Windows) or Apache (for Linux) make sure the server is listening on both network interfaces.

 

3. You can put a Cisco router or Linux routing server between the 2Wire and the servers that does NAT, and configure the NAT accordingly.  For this to work, you have to go through some hoops so that the Cisco (or Linux) router presents multiple MAC addresses to the 2Wire to maintain the 1-to-1 MAC-to-IP mapping (no multihoming supported).  For the Cisco router, you can abuse the Hot Standby Router Protocol (HSRP) to do this, see the following post: https://forums.att.com/t5/2013-Jogger-Archive-2/How-to-fake-bridged-mode-with-U-Verse/m-p/2859191/hi... For a Linux router, I don't know of any thread that has step-by-step instructions, you're kind of on your own if you want to do that.

 

 

Message 5 of 8 (598 Views)

Re: Static Public IP Setup for 3801

Is there a 4th answer in that I can use five separate firewalls each with their public interface being assigned one of the public IP addresses we received and each one port forwarding to the appropriate internal IP address?

 

Is there a different device that we can use in place of this 2Wire piece of junk?

Message 6 of 8 (584 Views)

Re: Static Public IP Setup for 3801

One other question: this IP address of my 2Wire router 99.66.xxx.xxx, is that a static IP address that one can rely on? If not, can one get a single static public IP address that the 2Wire can port forward from to individual LAN IP addresses?
Message 7 of 8 (583 Views)
Expert

Re: Static Public IP Setup for 3801


millennium wrote:

Is there a 4th answer in that I can use five separate firewalls each with their public interface being assigned one of the public IP addresses we received and each one port forwarding to the appropriate internal IP address?

 

Is there a different device that we can use in place of this 2Wire piece of junk?

 

One other question: this IP address of my 2Wire router 99.66.xxx.xxx, is that a static IP address that one can rely on? If not, can one get a single static public IP address that the 2Wire can port forward from to individual LAN IP addresses?


 

1. Yes, theoretically, you could indeed use 5 separate firewalls for the 5 static IPs.  Assign one of the static IPs to the WAN on the firewall, and configure the NAT entry to route the traffic to the private IP address of the server on the LAN interface.  Lots of excess hardware, though.

 

2. No, AT&T requires the use of the 2Wire or Motorola devices, all of which have the same restrictions.

 

3. Yes, the default public IP address that the 2Wire gets is indeed pretty static.  It will only change if a technician changes the port at the VRAD, or if for some reason you have to have the 2Wire replaced.  It can port forward to all of your different servers on private IP addresses, but like any NAT router, a single port can only be forwarded to one server.  Thus, only one server can answer on port 80, only one server can answer on port 443, etc.

 

Message 8 of 8 (571 Views)
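
An added example, not part of the thread and not written by any poster: the NAT half of the "Linux routing server" workaround, and the one-server-per-port rule from the last reply, as a small generator for `iptables-restore` input. The function name, the mapping format and the sample addresses (the thread's redacted ones) are assumptions; presenting one MAC per static IP to the 2Wire and any filter-table rules are outside its scope.

```shell
#!/bin/sh
# Added example: build an iptables-restore "nat" table that DNATs each
# (public IP, port) pair to exactly one private server.
# Mapping format (hypothetical), one per line: "<public_ip>:<port> <private_ip>"

# Constructed sample: the two web servers from the first post.
SAMPLE_MAP='108.123.123.20:80 192.168.1.1
108.123.123.21:80 192.168.1.2'

build_dnat_rules() {
    # $1 = newline-separated mappings; rules are printed on stdout.
    # Returns 1 on a malformed line or when the same public IP and port
    # is mapped twice (a NAT router can send one port to one server only).
    seen=""
    rules=""
    while read -r front back; do
        [ -n "$front" ] || continue
        case "$front" in
            *:*) ;;
            *) echo "bad mapping: $front" >&2; return 1 ;;
        esac
        pub=${front%%:*}
        port=${front##*:}
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $front" >&2; return 1 ;;
        esac
        if [ -z "$back" ]; then
            echo "missing private IP: $front" >&2; return 1
        fi
        case " $seen " in
            *" $front "*) echo "already forwarded: $front" >&2; return 1 ;;
        esac
        seen="$seen $front"
        rules="${rules}-A PREROUTING -d $pub/32 -p tcp --dport $port -j DNAT --to-destination $back:$port
"
    done <<EOF
$1
EOF
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n%sCOMMIT\n' "$rules"
}

# Print the rule set for the sample mapping.
build_dnat_rules "$SAMPLE_MAP"
```

The same port on two different public IPs is accepted, which is what the static block allows; the same port twice on one public IP is rejected.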