Transparent Bridge - Need equipment suggestions

SJConsultant

I'm looking for a commercial router/firewall that can do Transparent Bridging or Proxy ARP, budget is around $500 to $600.

The issue I am trying to resolve is that we are switching ISPs and the new ISP provides a high speed connection with multiple static IPs; however, their equipment limits you to only connecting one device through MAC address restrictions (no, they will not increase the number of allowable MACs). They suggested using static NAT mapping in their router, however that does not work with the IPSEC VPN tunnels that are deployed. I need to be able to put the static IPs directly on the devices rather than use static NAT mapping, hence the need for the transparent bridge.
 
Just a quick question... why would you switch to a company that doesn't offer the services you want if the one you already use does? Or does the ISP you are moving from not allow it either?
 

Not sure if that's the problem or not. The ISP-provided router isn't Cisco equipment, and the management is branded and customized (stripped down). So no CLI to play with.


Because we need higher upload speeds than what Comcast can provide us, and the new ISP is the only one who can provide the service we want at the price we are willing to pay. ;) It's just that the way they set up their equipment is less than ideal for a business, and we didn't find out about the "issue" until after it was already installed.
 
What are you using for a firewall? That info would help us make recommendations. You might be able to accomplish what you need without purchasing additional hardware.
 
I know the Cisco ASA supports allowing traffic through the firewall without address translation. You could put one of those in front of your ISA box and your other public boxes. I've set this up a few times for school districts that have two or three entire class C public networks. Works just fine. Only thing I can think of that would cause issues is the outside interface of the ASA would need to be on a different subnet than your other public facing servers.
 

If I understand you correctly, the ASA wouldn't work if the ISP issued a single contiguous block of 5 static IPs?
 
To my knowledge, that is correct. I could be wrong, however.

Is there any reason you can't do static NAT on your own firewall rather than the ISP device? The ASA can do the NAT translations and pass any traffic you need over it depending on the ACLs you have set up.
 

No matter what we do, static NAT on the ISP's router breaks the IPSEC VPN tunnels we are using on a different router/firewall (USR 8200) than our ISA Server.

We need a transparent bridge that will allow us to have our ISA server on one static IP while using another static IP on a router with multiple IPSEC VPN Tunnels.
 
Your ISP needs to set their router up as a router for your subnet of 5 addresses and not a NAT router.
It would then become the gateway for the rest of your IP addresses.
I run into this all the time.
The integrated modem/routers are a pain in the rear when it comes to configuring VPN.
You need to contact one of their network admins instead of tech support.
 

The ISP's router isn't that sophisticated.

Their connection terminates into a fiber ONT with one network jack. The ONT will only recognize one MAC address so I can't use a switch, and they can't (will not?) increase the number of allowed MAC addresses.

All I need is a transparent bridge or device that will do proxy arp to solve this problem.
 
Then you need your own router to route the subnet and act as the gateway (clone the MAC).
Forget proxy and do routing.
 
If you guys know of a better way, then please explain a little more.
Essentially you have an Ethernet port with 1 allowable MAC address.
You run a router that is the gateway for your network.
i.e. the router is
xxx.xxx.xxx.101 router <--- your first IP address.
xxx.xxx.xxx.102 usable
xxx.xxx.xxx.103 usable
xxx.xxx.xxx.104 usable
xxx.xxx.xxx.105 broadcast

Mask: 255.255.255.252

Which your router then routes to your ISP gateway, xxx.xxx.xxx.1/255.255.255.0.

Then either they can add a route to your router (best way) or proxy ARP will handle reverse connections.
Either way is better than simple proxy ARP.
 

But that eliminates two IPs right from the start which is not doable for our particular needs.

I'm curious to know why routing is preferred over straight proxy arp?
 

Proxy ARP is unstable and a PITA to troubleshoot, and you can get loops.
It should not be used if uptime is important.
 
Also your ISP's anti-ARP poisoning configuration may prevent it from working at all.
 
I hooked up a 5 year old Xincom router, updated the firmware, and am using it as a transparent bridge. So far it seems to be working well. It's doing NAT for any DHCP clients, but if I assign a static IP on a device, it passes traffic without any problems, including IPSEC VPNs.

I'll probably try an ASA, and if it works, use the ASA as the primary with the Xincom as a backup in case of equipment failure.
 