jaysoffian / eap_proxy

Proxy EAP packets between interfaces on Linux devices such as the Ubiquiti Networks EdgeRouter™ and UniFi® Security Gateway.
BSD 3-Clause "New" or "Revised" License

Does this work with static blocks? #18

Closed bhechinger closed 5 years ago

bhechinger commented 5 years ago

I have a static block from AT&T and was curious if this will work with static blocks at all.

jaysoffian commented 5 years ago

Yes it should. EAP is independent of DHCP.

Also, even with a static block, doesn’t AT&T still issue it via DHCP? Surely they don’t expect you to manually configure your RG, do they?

bhechinger commented 5 years ago

So you plug the static config into the RG. It itself doesn't get a static IP (as far as I know, maybe it's the static block's gateway?) and your statics are handed out via DHCP to your clients. DHCP is required for your clients though. You can't statically assign one of these addresses. Without a lease the RG won't pass traffic for it. I'm not entirely sure what exactly is going on there.

thford89 commented 5 years ago

Yes, you can get it to work. The following setup uses a VLAN to keep the traffic separated. Your network and devices must support this for it to work. You can change this around and not use VLANs, but you are taking a security risk unless you configure firewall policies to do proper forwarding.

I am using a firewall after the edgerouter, and would recommend doing the same.

You may need to look at a subnet calculator to get the proper addresses if you do not know how to calculate them. http://jodies.de/ipcalc


Create an interface on your LAN with VLAN 100 and set the static IP address for the interface to the hostmax IP address in your block.


Under Firewall -> NAT, you will need two rules. One for source and one for destination.

Create a new source rule using the following settings. Outbound interface will be your WAN interface VLAN.
Src Address is your network address/subnet.

Create a destination NAT rule. Inbound interface will be the WAN interface VLAN again. Translation address will be the hostmax address. Dest address will be your network address/subnet.


You can now set a device to the proper VLAN and statically assign an IP within your static block.

thford89 commented 5 years ago

So your static IP has to be behind your street IP. This is the opposite of what we normally think of as static IP addresses, but it's how AT&T is configuring residential service.

Routing: AT&T Network - Router "Street IP" - Static Default Gateway (hostmax) - Static address.

Just a note, you could set each static address as a vlan interface and do port forwarding to a local machine. Outgoing connections will still show as your public IP unless you configure the NAT rules.

bhechinger commented 5 years ago

I have a VLAN capable switch and firewalls that would sit behind the ERL (They currently get statics from the RG) so I should be all set. This is perfect, thanks so much!!

jaysoffian commented 5 years ago

Thank you for the assist @thford89.

Archerious commented 4 years ago

All credit goes to mb300sd, his method doesn't involve using NAT twice.

You add the interface (VLAN 300 in my case), then create a basic firewall rule to allow from WAN out to in VLAN300.

He tested on pfSense, if anyone on here with Ubiquiti wants to test please do.

I'm using MikroTik, the rule looks like this:

(screenshot: MikroTik static IP firewall rule, "as simple as that")

Lastly, from HetrixTools, proving the internet can ping and reach port 80 on my nginx server running on one of the static IPs.

(screenshot: MikroTik HetrixTools check)

ramsaso commented 4 years ago

I don't mean to be such a bother, but I still don't understand how to apply this to my Edgerouter 4.

I followed the instructions to a T and yet I'm still having a hard time routing one of my static IPs to one of my devices using a VLAN capable switch and assigning a VLAN to it.

(Using a TL-SG108E from TP-Link)

Archerious commented 4 years ago

I don't mean to be such a bother, but I still don't understand how to apply this to my Edgerouter 4.

I followed the instructions to a T and yet I'm still having a hard time routing one of my static IPs to one of my devices using a VLAN capable switch and assigning a VLAN to it.

(Using a TL-SG108E from TP-Link)

I can help you on Discord screenshare or AnyDesk.

Archerious commented 4 years ago

We got it working on ER4. Had to add the /27 with not the default gateway but the IP before it. Example: if .75-100 was usable with 101 being the gateway, we made VLAN100 71.299.200.100/27 (example IP), then made two exclude NAT rules for 71.299.200.100/27 and put them at the top of the exclude rule lists for SRC and DST.

Archerious commented 4 years ago

Ramsaso figured out most of it on his own, but I'm glad I was able to help. No double NATing needed for static IPv4 blocks from AT&T!

nikolaishields commented 4 years ago

I read through this issue, however I'm still having some trouble getting my block of static IPs assigned. For reference I'm using an ER4 with eap_proxy in the configuration described in this project's README. Any thoughts and/or help is greatly appreciated!

derekatkins commented 3 years ago

@nikolaishields --

I read through this issue, however I'm still having some trouble getting my block of static IPs assigned. For reference I'm using an ER4 with eap_proxy in the configuration described in this project's README. Any thoughts and/or help is greatly appreciated!

I just configured an ER-4 today using the documentation in the README. I've got a /29 of static blocks, and I only had to make a minor change to the configuration to get it working:

First, I ensure the RG gets an IP address to make it happy (note that you could use a /24 here instead of a /29). The DHCP pool must lie inside the 192.168.3.0/29 subnet it is declared under:

set interfaces ethernet eth2 description 'AT&T router'
set interfaces ethernet eth2 address 192.168.3.1/29

set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name rg_dhcp authoritative enable
set service dhcp-server shared-network-name rg_dhcp subnet 192.168.3.0/29 lease 1209600
set service dhcp-server shared-network-name rg_dhcp subnet 192.168.3.0/29 default-router 192.168.3.1
set service dhcp-server shared-network-name rg_dhcp subnet 192.168.3.0/29 dns-server 192.168.3.1
set service dhcp-server shared-network-name rg_dhcp subnet 192.168.3.0/29 start 192.168.3.2 stop 192.168.3.5
set service dhcp-server static-arp disable

Then you need to change the firewall so that only this network gets masqueraded:

set service nat rule 5010 description 'masquerade for WAN'
set service nat rule 5010 outbound-interface eth0.0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service nat rule 5010 source address 192.168.3.0/29

Finally, all you need to do then is set eth1 to your /29 "gateway" address:

set interfaces ethernet eth1 address 99.69.300.400/29
set interfaces ethernet eth1 description LAN

I will note that, yes, you need to know what your public /29 network is. It should be visible in the RG configuration screens, somewhere. There is no NAT'ing at all of the public IPs. AT&T will just route the /29 to your DHCP address. There WOULD be double-NAT if someone used the private network from the RG.

There may be a security issue with someone on your RG being able to access your /29, because the ER-4 (in my case) would happily just route between the /29 and the 192.168.3.x address of the RG. You could use VLANs (as suggested above) or a source-route firewall rule to block that. Personally I would go with the source-route rules, only because I don't want to have to reconfigure all my /29 devices to be on a VLAN -- it would make it harder to quickly revert back to using the AT&T RG if things break.

PS: Sorry for touching such an old issue.
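As an added worked example (not code from this thread or from the eap_proxy project), the Python below derives the addresses the comments above refer to (hostmax of the public block as the router's LAN address, the private network that exists only to give the RG a lease, masquerade for that private network alone) and emits the matching EdgeOS `set` lines. The public block 203.0.113.72/29, the function name `plan` and the option names are assumptions; the interface names follow the posted configuration. It also rejects a DHCP pool that falls outside its subnet, the kind of slip a transposed octet produces.

```python
import ipaddress

# Constructed placeholders (not values from the thread): a documentation-range
# stand-in for the public /29 AT&T routes to you, and the private net that only
# exists to hand the RG a DHCP lease. Interface names follow the posted config.
PUBLIC_BLOCK = "203.0.113.72/29"
RG_NET = "192.168.3.0/29"
RG_IF, LAN_IF, WAN_VIF = "eth2", "eth1", "eth0.0"

def plan(public_block, rg_net, pool_start=None, pool_stop=None,
         rg_if=RG_IF, lan_if=LAN_IF, wan_vif=WAN_VIF):
    """Derive the addresses the thread talks about and emit EdgeOS 'set' lines.

    Router LAN address = hostmax of the public block (the thread's convention);
    the router side of the private RG link gets the first host; only the private
    net is masqueraded, so the public /29 is routed, never NATed.
    """
    # strict=True rejects a block given with host bits set (e.g. .73/29), which
    # is the 'use a subnet calculator' mistake the thread warns about.
    pub = ipaddress.ip_network(public_block, strict=True)
    priv = ipaddress.ip_network(rg_net, strict=True)
    if pub.overlaps(priv):
        raise ValueError("public block and RG network must not overlap")
    pub_hosts, priv_hosts = list(pub.hosts()), list(priv.hosts())
    gateway, rg_router = pub_hosts[-1], priv_hosts[0]
    start = ipaddress.ip_address(pool_start) if pool_start else priv_hosts[1]
    stop = ipaddress.ip_address(pool_stop) if pool_stop else priv_hosts[-1]
    # Pool bounds must sit inside the subnet they are declared under and must
    # not collide with the router's own address on that link.
    for a in (start, stop):
        if a not in priv or a == rg_router:
            raise ValueError(f"DHCP pool address {a} is not usable in {priv}")
    if start > stop:
        raise ValueError("DHCP pool start must not exceed stop")
    cmds = [
        f"set interfaces ethernet {rg_if} address {rg_router}/{priv.prefixlen}",
        f"set service dhcp-server shared-network-name rg_dhcp subnet {priv} default-router {rg_router}",
        f"set service dhcp-server shared-network-name rg_dhcp subnet {priv} start {start} stop {stop}",
        "set service nat rule 5010 type masquerade",
        f"set service nat rule 5010 outbound-interface {wan_vif}",
        f"set service nat rule 5010 source address {priv}",  # RG net only, never the /29
        f"set interfaces ethernet {lan_if} address {gateway}/{pub.prefixlen}",
    ]
    return {"gateway": str(gateway), "device_addresses": [str(h) for h in pub_hosts[:-1]],
            "masquerade_source": str(priv), "commands": cmds}

if __name__ == "__main__":
    print("\n".join(plan(PUBLIC_BLOCK, RG_NET)["commands"]))
```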

brettzink commented 3 years ago

@derekatkins Really appreciate you posting your configuration here. Wondered if I could ask you a couple questions? I've had eap_proxy running for a couple of years now on an ER6P and I just ordered a /29 from ATT today.

Why is it necessary to give RG an IP address now? Is it just a coincidence that you created a /29 network for it now or is it related to the static block? Aren't we still only sending EAP packets there?

I may have a fundamental misunderstanding of what's happening here too, but I'm confused why you're only Source NAT'ing that new network now.

Then I think you have a typo when setting your public block address. You say eth2 but your commands say eth1. This part also confuses me because you're putting the public block on your LAN interface, when I would have expected it on your WAN VIF interface eth0.0

Again, I may be totally misunderstanding how this works. I'd really appreciate any clarification you could give.

derekatkins commented 3 years ago

@brettzink --

Why is it necessary to give RG an IP address now? Is it just a coincidence that you created a /29 network for it now or is it related to the static block? Aren't we still only sending EAP packets there?

I give the RG an IP address so it actually shows a green service light. Is it required? Probably not. It's just a coincidence that I gave it a /29. I could have given it a /24, or even a /30. I chose a /29 because there is only one device on that network (the RG), but I did have a SECOND device on that network at one point (my laptop), so just to ensure the RG ALWAYS got an IP I made it a /29, but really there's no reason it can't be a /24. I updated my text above to make that more clear.

I may have a fundamental misunderstanding of what's happening here too, but I'm confused why you're only Source NAT'ing that new network now.

Because I don't want to NAT my public /29.

Basically, if a packet originates on the box, it uses the (DHCP-provided) public IP. If a packet comes from my LAN, it's using a public IP from my /29, so I just need to send that out. If a packet comes from the RG (on the private /29, or /24, or whatever), THEN I need to NAT it.

Then I think you have a typo when setting your public block address. You say eth2 but your commands say eth1.

Yep, that's a typo. Fixed.

This part also confuses me because you're putting the public block on your LAN interface, when I would have expected it on your WAN VIF interface eth0.0

Why would I do that? Then my LAN devices wouldn't have access to the Public IPs. The whole point here is that this box is acting as a router for my public /29 -- so my LAN devices ARE the public /29 devices. AT&T knows to route my public /29 to the public IP given by DHCP. Then I use that /29 internally, the same way you'd use it if you were sitting behind the RG.

Again, I may be totally misunderstanding how this works. I'd really appreciate any clarification you could give.

Hopefully what I said above helps clarify.

brettzink commented 3 years ago

@derekatkins Thanks for explaining. That makes perfect sense. I wasn't considering the public addresses getting applied to actual devices, I was only thinking about the opportunity to dNAT the addresses on the router. I really appreciate you taking the time to work through that with me.