Forum Discussion
ithero
6 months ago (Friendly Neighbour)
Telus Fiber + Static Public IPs: NAH must not be in Bridge mode?
I keep hearing over and over again from Telus on-site techs and support agents that the Network Access Hubs will not work with Static IP addresses if set to Bridge Mode and they should be set to Rout...
ithero
6 months ago (Friendly Neighbour)
With the help of bimmerdriver who shared this reddit thread with extra details, I believe that now I've got a working theory.
In "router" mode NAH has a dual personality:
(A) it functions as a typical home router, handing off private IPs to LAN devices via DHCP (192.168.1.0/24), and NAT-ing internet traffic between WAN and LAN zones.
(B) at the same time it functions as a plain router between LAN and WAN subnets with no NAT in action.
In "bridge" mode NAH runs as a bridge on a dedicated port. On that dedicated port the WAN/LAN zone segregation collapses into a pass-through bridge. The device connected to this port will acquire a DYNAMIC public IP from ISP.
- ithero, 6 months ago (Friendly Neighbour)
Let's review in detail each mode.
(A) Router mode with NAT: a typical home router.
NAH gets a public IP address from Telus on its WAN interface, e.g. 50.50.50.50.
On the LAN side NAH has a 192.168.1.254 gateway address and provides private IP addresses to its clients: 192.168.1.1-250.
NAH routes internet traffic between WAN and LAN while doing the Network Address Translation which effectively hides the LAN zone from direct access from the internet.
(B) Router mode without NAT: meant for static IPs and direct reachability of the LAN zone from the internet.
Just like in (A), NAH gets a public IP address from Telus on its WAN interface, e.g. 50.50.50.50.
Telus provisions a Static IP subnet for the customer, e.g. 100.100.100.2-6 range and the gateway 100.100.100.1.
NAH's LAN interface is configured with the second gateway address: 100.100.100.1 (in addition to 192.168.1.254).
The downstream client (enterprise firewall) is configured with static IPs: 100.100.100.2-6.
- ithero, 6 months ago (Friendly Neighbour)
Now the LAN interface of NAH is configured with 2 different IP addresses and both act as gateways for their own sets of clients:
The DHCP clients will reach the internet via the gateway IP 192.168.1.254. This traffic will be NAT-ed/masqueraded with the NAH's WAN IP 50.50.50.50 and continue towards the ISP. Everything originating from the client's network will show source IP as 50.50.50.50.
While the clients configured with static IP 100.100.100.2-6 (the firewall in our case) will reach the gateway IP 100.100.100.1. This traffic also will be routed to NAH's WAN 50.50.50.50 and continue towards the ISP.
However, the big difference is that the 100.100.100.0/29 subnet will never be NAT-ed/masked with the NAH's WAN IP 50.50.50.50. Instead, the WAN IP 50.50.50.50 will be just another hop on the way to ISP. And vice versa. This makes the 100.100.100.0/29 subnet visible as source and directly accessible from the internet.
The only other prerequisite that needs to happen for the statics to work is provisioning of the 100.100.100.0/29 subnet on the ISP side, so that their systems know that the subnet is available via the 50.50.50.50 path. This can be easily implemented via static routes on the ISP backbone. Otherwise the internet will not know how to reach 100.100.100.0/29.
Lastly, the bridge mode. The problem about the bridge mode, apparently, is that once configured, the LAN/WAN zones collapse into a pass-through bridge and we end up with no interface where we can set up the gateway 100.100.100.1 for our static IPs. In such a scenario the gateway must be created on the next hop device on the way to ISP. But that's a totally different design approach that Telus isn't doing in the first place.
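
The two-gateway theory from this thread as a small Python model, added here as an example; it is not part of the original posts and not Telus configuration. It uses the thread's example addresses, and the function names and the `isp_routes` table are assumptions made for illustration. It shows which LAN hosts appear on the internet under their own address and are therefore protected only by the downstream firewall.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Example addresses from the thread; names below are illustrative assumptions.
WAN_IP = ip_address("50.50.50.50")
LAN_INTERFACES = [
    ip_interface("192.168.1.254/24"),  # (A) private gateway, NAT-ed
    ip_interface("100.100.100.1/29"),  # (B) static-IP gateway, not NAT-ed
]
NAT_SOURCES = [ip_network("192.168.1.0/24")]  # only this subnet is masqueraded


def gateway_for(host, lan_interfaces=LAN_INTERFACES):
    """Return the LAN-side gateway on the host's subnet, or None if there is none."""
    host = ip_address(host)
    for iface in lan_interfaces:
        if host in iface.network and host != iface.ip:
            return iface.ip
    return None


def outbound(src, lan_interfaces=LAN_INTERFACES):
    """Return (gateway used, source address the internet sees) for LAN traffic."""
    gw = gateway_for(src, lan_interfaces)
    if gw is None:
        raise ValueError(f"{src}: no LAN-side gateway for this address")
    src = ip_address(src)
    natted = any(src in net for net in NAT_SOURCES)
    return gw, (WAN_IP if natted else src)


def inbound_reachable(dst, isp_routes):
    """True if an unsolicited packet from the internet is routed straight to dst.

    isp_routes maps prefix -> next hop, standing in for the ISP-side provisioning.
    """
    dst = ip_address(dst)
    if any(dst in net for net in NAT_SOURCES):
        return False  # hidden behind the WAN IP by NAT
    routed = any(dst in ip_network(prefix) and ip_address(hop) == WAN_IP
                 for prefix, hop in isp_routes.items())
    return routed and gateway_for(dst) is not None


if __name__ == "__main__":
    routes = {"100.100.100.0/29": "50.50.50.50"}  # constructed ISP static route
    for host in ("192.168.1.10", "100.100.100.2"):
        print(host, outbound(host), inbound_reachable(host, routes))
    # Bridge mode as described: no LAN interface left to hold 100.100.100.1.
    print(gateway_for("100.100.100.2", lan_interfaces=[]))
```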