Forum Discussion
ithero (Friendly Neighbour), 5 months ago
Telus Fiber + Static Public IPs: NAH must not be in Bridge mode?
I keep hearing over and over again from Telus on-site techs and support agents that the Network Access Hubs will not work with Static IP addresses if set to Bridge Mode and they should be set to Router Mode instead.
Help me understand how the WAN traffic is expected to hit my Enterprise Firewall directly over the static public IPs configured on its WAN interface, when the upstream Telus NAH is running in the Router Mode with its LAN side configured as a Private Network 192.168.x.x, and handing off private IP addresses to the downstream devices?
There should be something configured like the Bridge or IP pass-through on a dedicated port, but there is NO WAY I can connect to a firewall over the public IP when it sits behind a NAT!
12 Replies
- ithero (Friendly Neighbour)
With the help of bimmerdriver, who shared this Reddit thread with extra details, I believe that now I've got a working theory.
In "router" mode the NAH has a dual personality:
(A) It functions as a typical home router, handing off private IPs to LAN devices via DHCP (192.168.1.0/24) and NAT-ing internet traffic between the WAN and LAN zones.
(B) At the same time it functions as a plain router between the LAN and WAN subnets, with no NAT in action.
In "bridge" mode the NAH runs as a bridge on a dedicated port. On that dedicated port the WAN/LAN zone segregation collapses into a pass-through bridge. The device connected to this port will acquire a DYNAMIC public IP from the ISP.
- ithero (Friendly Neighbour)
Let's review each mode in detail.
(A) Router mode with NAT: a typical home router.
The NAH gets a public IP address from Telus on its WAN interface, e.g. 50.50.50.50. On the LAN side the NAH has a 192.168.1.254 gateway address and provides private IP addresses to its clients: 192.168.1.1-250. The NAH routes internet traffic between WAN and LAN while doing Network Address Translation, which effectively hides the LAN zone from direct access from the internet.
(B) Router mode without NAT: meant for static IPs and direct reachability of the LAN zone from the internet.
Just like in (A), the NAH gets a public IP address from Telus on its WAN interface, e.g. 50.50.50.50. Telus provisions a static IP subnet for the customer, e.g. the 100.100.100.2-6 range and the gateway 100.100.100.1. The NAH's LAN interface is configured with the second gateway address: 100.100.100.1 (in addition to 192.168.1.254). The downstream client (enterprise firewall) is configured with static IPs: 100.100.100.2-6.
- ithero (Friendly Neighbour)
Now the LAN interface of the NAH is configured with 2 different IP addresses, and both act as gateways for their own sets of clients:
The DHCP clients will reach the internet via the gateway IP 192.168.1.254. This traffic will be NAT-ed/masqueraded with the NAH's WAN IP 50.50.50.50 and continue towards the ISP. Everything originating from the client's network will show the source IP as 50.50.50.50.
The clients configured with static IPs 100.100.100.2-6 (the firewall in our case) will reach the gateway IP 100.100.100.1. This traffic will also be routed to the NAH's WAN 50.50.50.50 and continue towards the ISP.
However, the big difference is that the 100.100.100.0/29 subnet will never be NAT-ed/masked with the NAH's WAN IP 50.50.50.50. Instead, the WAN IP 50.50.50.50 will be just another hop on the way to the ISP. And vice versa. This makes the 100.100.100.0/29 subnet visible as a source and directly accessible from the internet.
The only other prerequisite that needs to happen for the statics to work is provisioning of the 100.100.100.0/29 subnet on the ISP side, so that their systems know that the subnet is available via the 50.50.50.50 path. This can be easily implemented via static routes on the ISP backbone. Otherwise the internet will not know how to reach 100.100.100.0/29.
Lastly, the bridge mode. The problem with the bridge mode, apparently, is that once configured, the LAN/WAN zones collapse into a pass-through bridge and we end up with no interface where we can set up the gateway 100.100.100.1 for our static IPs. In such a scenario the gateway must be created on the next-hop device on the way to the ISP. But that's a totally different design approach that Telus isn't doing in the first place.
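To make the "dual personality" from the posts above concrete, here is a small forwarding model added as an illustration; it is not Telus firmware or anything from the NAH, and every address is a constructed example (the thread's 50.50.50.50, 192.168.1.0/24 and 100.100.100.0/29, plus RFC 5737 documentation addresses for the ISP and a remote VPN peer). It shows a router that masquerades only the private subnet, routes the static /29 untouched in both directions so a remote peer can initiate to the firewall, and the ISP-side static route that points the /29 at the NAH's WAN address.

```python
"""Toy model of NAH 'router mode': masquerade 192.168.1.0/24, plain-route
100.100.100.0/29, and the ISP static route for the /29. Constructed example."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

WAN_IP = ip_address("50.50.50.50")            # NAH WAN address (from the thread)
PRIVATE_LAN = ip_network("192.168.1.0/24")    # DHCP clients, gateway 192.168.1.254
STATIC_LAN = ip_network("100.100.100.0/29")   # static block, gateway 100.100.100.1
ISP_UPSTREAM = ip_address("198.51.100.1")     # constructed ISP next hop (RFC 5737)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class NAHRouterMode:
    """Forwarding logic: masquerade only the private subnet; route the static
    /29 without any translation (personality A vs personality B)."""

    def __init__(self) -> None:
        # WAN-side port -> (original LAN source address, original source port)
        self.conntrack: Dict[int, Tuple[IPv4Address, int]] = {}
        self.next_port = 40000

    def lan_to_wan(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src in STATIC_LAN:
            return pkt  # (B) plain routing: source address left untouched
        if pkt.src in PRIVATE_LAN:
            # (A) SNAT/masquerade behind the WAN address, remember the mapping
            port = self.next_port
            self.next_port += 1
            self.conntrack[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=WAN_IP, sport=port)
        return None  # unknown source: drop

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst in STATIC_LAN:
            return pkt  # directly reachable: a remote VPN peer may initiate
        if pkt.dst == WAN_IP:
            entry = self.conntrack.get(pkt.dport)
            if entry is None:
                return None  # unsolicited inbound to a masqueraded host: dropped
            orig_src, orig_sport = entry
            return replace(pkt, dst=orig_src, dport=orig_sport)
        return None


# ISP-side routing table: the internet only learns that 100.100.100.0/29
# sits behind 50.50.50.50 because of this static route.
ISP_ROUTES: Dict[IPv4Network, IPv4Address] = {
    STATIC_LAN: WAN_IP,
    ip_network("0.0.0.0/0"): ISP_UPSTREAM,
}


def isp_next_hop(dst: IPv4Address) -> IPv4Address:
    """Longest-prefix match over the ISP's static routes."""
    best = max((net for net in ISP_ROUTES if dst in net), key=lambda n: n.prefixlen)
    return ISP_ROUTES[best]


if __name__ == "__main__":
    nah = NAHRouterMode()
    peer = ip_address("203.0.113.10")  # constructed remote branch office
    # Branch office initiates IKE (UDP/500) towards a static IP on the firewall.
    ike = Packet(peer, ip_address("100.100.100.2"), 500, 500)
    print("ISP routes", ike.dst, "via", isp_next_hop(ike.dst))
    print("NAH delivers:", nah.wan_to_lan(ike))
    # The same attempt at the masqueraded WAN address never reaches a LAN host.
    print("Unsolicited to WAN IP:", nah.wan_to_lan(Packet(peer, WAN_IP, 500, 500)))
```

Running it shows the asymmetry the thread is about: an unsolicited packet to 100.100.100.2 is forwarded as-is, while the same packet aimed at 50.50.50.50 is dropped because no masquerade mapping exists for it. Without the ISP static route the first case would never even arrive at the NAH.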
- bimmerdriver (Advisor)
What is your configuration? Who is providing the static IP address(es)?
- ithero (Friendly Neighbour)
Telus of course. LAN > Enterprise Firewall > Telus NAH > Fiber > ISP.
5 Static IP addresses from Telus.
I am assigning them to the Firewall's WAN interface.
Branch offices and Remote users must be able to establish VPN tunnels with the Firewall (VPN Gateway) over those IP addresses.
This means that the Network Access Hub must transparently pass-through the packets.
Telus claims that NAH must be set up in Router Mode for the static IPs to work. Router Mode means NAT.
- bimmerdriver (Advisor)
What kind of NAH is it, NH20A or NH20T? I have an NH20T. It has a setting to configure a static subnet on the LAN, but there aren't any settings on the WAN side for static IP addresses. You might be better off with an ONT rather than an NAH.