Bridge and NAT
I have a USG 20 that has 3 ports bridged and one port that is behind NAT.
How can I get an Internet connection from the port behind NAT? Or where should
I start looking to find out why it is not working?
I can post more info tomorrow when I get access to the device, but here's what I can tell now.
- Bridge (br0) is created by grouping DMZ and WAN. Bridge has ip 192.168.10.1
- Lan1 (the network behind NAT) is 192.168.0.1/24
- I tried creating policy routing rules for the Lan1 network but did not get the Internet connection working
- I can use only dynamic public ip addresses
- Do I need to add routing rules or some kind of NAT rules or both to get this working?
Is this for real?
The only reason I ask is, the very next thread down, titled "Bridge vs NAT", which I started, has some info that may be relevant to what you are trying to do.
In any case, with your setup the bridge doesn't make sense, and I am not even sure I see the need for the bridge. Since you are using WAN as part of the bridge, yet assigning the bridge a non public IP address, I don't see how routing to the internet through WAN will ever work.
To me it looks like you are trying to just create a "switch" with 3 ports. A much easier way would be to just go to Configure, Network, Interface, Port Role tab, and put the desired 3 physical jacks into the same group. You could then have one network segment (LAN1 with 192.168.0.1/24 assignment) and another (say DMZ with 126.96.36.199/24 assignment), and isolate them from each other via the firewall if needed.
I am going to make a BIG assumption here in an attempt to help. If what you're trying to do matches the following, then read on. If not, a better description of the problem may be in order:
Since you state that you can only use dynamic public IP addressES, I am going to assume you have multiple public IPs available to you, and you would like to assign three of your devices these public IP addresses. I also assume you have other equipment on LAN1 that you just want to use a private IP range and NAT.
IF this is the case, then you can go to my other thread and just follow the two kb articles to get the job done, but in short what you do is:
Create the bridge using the desired interfaces. If WAN is going to be part of the bridge, set the interface type to "External", the zone to "WAN", and set the bridge IP to "get automatically", that way the bridge interface itself will get a dhcp assigned public IP, as will any other devices connected to the bridge.
Edit/add to your Trunk and add the newly created bridge as part of the trunk. No need for NAT rules or policy routes or anything else like that.
Hope this helps,
Thanks for the answer Alan.
I noticed the thread below and actually read it before posting. I understand that my setup does not really make sense without all the info, sorry about that. I'll TRY to explain more.
The setup I'm asking about is only for testing purposes (where I can use only dynamic public IP addresses for the WAN side), but I need to create a similar setup to an existing production environment (there I might be able to use one static IP).
The environment where the setup is eventually going to be has an unknown number of computers with static public IP addresses (all in use). And I want to add another NATted network besides that. Sorry about the bad explanation of this.
Maybe the better question would have been: can a USG 20 have one port bridged and another NATted? Don't mind the number of ports.
I already found out that the USG 300 supports this kind of setup. There's a guide on how to do it in the manual:
Bridge mode & Router (NAT) mode co-exist
Ah, okay...I was just checking
The short answer is YES, bridge and NAT can coexist. Follow my instructions above (specifically, the first kb article, but what they don't tell you is about adding the bridged interface to the trunk; without that info, NATed interfaces can't access the Internet...that info was found in the article pertaining to the USG 300).
But anyway, I am currently doing exactly this very thing at my main office at work. I have a USG 200 with WAN1 and DMZ bridged, so all my public IP devices are connected to the DMZ port. I also have two interfaces NATed as well: LAN1 for business side and ext-wlan for employee personal device wireless.
I know it's not a USG 20, but it should work just fine. I hope this helps.