
Telus Fiber + Static Public IPs: NAH must not be in Bridge mode?

ithero
Friendly Neighbour

I keep hearing over and over again from Telus on-site techs and support agents that the Network Access Hubs will not work with Static IP addresses if set to Bridge Mode and they should be set to Router Mode instead.

 

Help me understand how the WAN traffic is expected to hit my Enterprise Firewall directly over the static public IPs configured on its WAN interface, when the upstream Telus NAH is running in the Router Mode with its LAN side configured as a Private Network 192.168.x.x, and handing off private IP addresses to the downstream devices?

 

There should be something configured like the Bridge or IP pass-through on a dedicated port, but there is NO WAY I can connect to a firewall over the public IP when it sits behind a NAT!

 


bimmerdriver
Coach

What is your configuration? Who is providing the static ip address(es)?

ithero
Friendly Neighbour

Telus of course. LAN > Enterprise Firewall > Telus NAH > Fiber > ISP.

5 Static IP addresses from Telus.

I am assigning them to the Firewall's WAN interface.

Branch offices and Remote users must be able to establish VPN tunnels with the Firewall (VPN Gateway) over those IP addresses.

This means that the Network Access Hub must transparently pass the packets through.

Telus claims that NAH must be set up in Router Mode for the static IPs to work. Router Mode means NAT.

What kind of NAH is it, NH20A or NH20T? I have an NH20T. It has a setting to configure a static subnet on the LAN, but there aren't any settings on the WAN side for static IP addresses. You might be better off with an ONT rather than an NAH.

ithero
Friendly Neighbour

Static IPs configured on the WAN side of the NAH is what I am trying to avoid.

The very fact that the NAH has 2 sides, WAN and LAN, means that it acts as a router/NAT.

I need the static IPs configured on my own business firewall, which takes on the entire role of router/VPN gateway/firewall, while the NAH in front of it must act as a "dumb" pass-through converter from fiber to copper (a modem).

I find it really hard to believe Telus expects business customers to use an NAH with NAT with static IP addresses. An NAH is only slightly less of a toy router than the T3200M. It must be possible to use an ONT.

ithero
Friendly Neighbour

And yet, here we are. I am 300km away from the customer site to confirm visually the device that was installed. The on-site tech from Telus said he wasn't sure. The phone support said it was Arcadyan based on the job order. The firewall does not receive internets if I configure WAN with static IP addresses. But if I put it in DHCP mode, it gets a private 192 address and the internet works. Telus support says that's how NAH should be configured if I want to use static IPs, which DOES NOT MAKE ANY SENSE.


I found a thread on Reddit about this topic. Apparently, you can set port 1 to bridged mode and then the static IP can be assigned to the MAC address of your router.

 

Here is a link: Public Static IP for business : r/telus

ithero
Friendly Neighbour

OK, this last Reddit link that you posted has some observations that shed some light on how the NAH could be working with static IPs. Based on them I've put together a working theory, and if my speculations are proven true, then I can only say that the implementation is so... twisted?

And the comical part is that such an implementation could really require that the NAH remain in router mode, not bridge mode.

 

I'll describe everything in my next comment. I just thought I'd follow up real quick.

 

BTW my HW is NH20A and FW is v1.18.02 build04.

ithero
Friendly Neighbour
With the help of @bimmerdriver who shared this reddit thread with extra details, I believe that now I've got a working theory.
 
In "router" mode NAH has a dual personality:
(A) it functions as a typical home router, handing off private IPs to LAN devices via DHCP (192.168.1.0/24), and NAT-ing internet traffic between the WAN and LAN zones.
(B) at the same time it functions as a plain router between LAN and WAN subnets with no NAT in action.
 
In "bridge" mode NAH runs as a bridge on a dedicated port. On that dedicated port the WAN/LAN zone segregation collapses into a pass-through bridge. The device connected to this port will acquire a DYNAMIC public IP from ISP.

ithero
Friendly Neighbour
Let's review in detail each mode.
 
(A) Router mode with NAT: a typical home router.
NAH gets a public IP address from Telus on its WAN interface e.g. 50.50.50.50
On the LAN side NAH has a 192.168.1.254 gateway address and provides private IP addresses to its clients: 192.168.1.1-250
NAH routes internet traffic between WAN and LAN while doing the Network Address Translation which effectively hides the LAN zone from direct access from the internet.
 
(B) Router mode without NAT: meant for static IPs and direct reachability of the LAN zone from the internet.
Just like in (A), NAH gets a public IP address from Telus on its WAN interface e.g. 50.50.50.50
Telus provisions a Static IP subnet for the customer e.g. 100.100.100.2-6 range and the gateway 100.100.100.1.
NAH's LAN interface is configured with the second gateway address: 100.100.100.1 (in addition to 192.168.1.254).
The downstream client (enterprise firewall) is configured with static IPs: 100.100.100.2-6.

ithero
Friendly Neighbour
Now the LAN interface of NAH is configured with 2 different IP addresses and both act as gateways for their own sets of clients:
 
The DHCP clients will reach the internet via the gateway IP 192.168.1.254. This traffic will be NAT-ed/masqueraded with the NAH's WAN IP 50.50.50.50 and continue towards the ISP. Everything originating from the client's network will show the source IP as 50.50.50.50.
The clients configured with static IPs 100.100.100.2-6 (the firewall in our case) will reach the gateway IP 100.100.100.1. This traffic will also be routed to the NAH's WAN 50.50.50.50 and continue towards the ISP.
However, the big difference is that the 100.100.100.0/29 subnet will never be NAT-ed/masked with the NAH's WAN IP 50.50.50.50. Instead, the WAN IP 50.50.50.50 will be just another hop on the way to the ISP, and vice versa. This makes the 100.100.100.0/29 subnet visible as a source and directly accessible from the internet.
The only other prerequisite that needs to happen for the statics to work is provisioning of the 100.100.100.0/29 subnet on the ISP side, so that their systems know that the subnet is available via the 50.50.50.50 path. This can be easily implemented via static routes on the ISP backbone. Otherwise the internet will not know how to reach 100.100.100.0/29.
 
Lastly, the bridge mode. The problem with bridge mode, apparently, is that once configured, the LAN/WAN zones collapse into a pass-through bridge and we end up with no interface where we can set up the gateway 100.100.100.1 for our static IPs. In such a scenario the gateway must be created on the next-hop device on the way to the ISP. But that's a totally different design approach that Telus isn't doing in the first place.
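The working theory above (dual-personality router mode, and bridge mode with no gateway left for the /29) can be checked as a small forwarding model. The following Python is an added example written for this thread, not code from the posts, from Telus or from the NAH firmware; it only encodes the behaviour the theory describes. The addresses are the ones used in the posts (50.50.50.50 on the WAN, 192.168.1.0/24 behind 192.168.1.254, 100.100.100.0/29 behind 100.100.100.1); the branch-office VPN peer 203.0.113.9 is a constructed documentation address, and the `NAH`/`Packet` names and the `forward`/`lan_gateways` functions are this example's own.

```python
"""Forwarding model of the NAH "router mode" theory from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Addresses taken from the thread's description
WAN_IP = ipaddress.ip_address("50.50.50.50")
DHCP_LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_GATEWAY = ipaddress.ip_address("192.168.1.254")
STATIC_LAN = ipaddress.ip_network("100.100.100.0/29")
STATIC_GATEWAY = ipaddress.ip_address("100.100.100.1")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NAH:
    mode: str = "router"                    # "router" or "bridge"
    isp_hosts_static_gateway: bool = False  # hypothetical: ISP puts 100.100.100.1 on its side
    conntrack: dict = field(default_factory=dict)  # NAT state for the 192.168.1.0/24 side
    next_nat_port: int = 40000

    def lan_gateways(self):
        """Gateway IPs a LAN client can actually reach (e.g. resolve by ARP) in this mode."""
        if self.mode == "bridge":
            # The bridge owns no address; 100.100.100.1 only exists if the next hop hosts it.
            return {STATIC_GATEWAY} if self.isp_hosts_static_gateway else set()
        # Router mode: the LAN interface answers for both gateways at once.
        return {DHCP_GATEWAY, STATIC_GATEWAY}

    def forward(self, pkt, ingress):
        """Process one packet arriving on 'lan' or 'wan'.

        Returns (egress_interface, packet_as_sent) or (None, reason_dropped).
        """
        if self.mode == "bridge":
            # Plain pass-through: no NAT, no routing, no addresses of its own.
            return ("wan" if ingress == "lan" else "lan"), pkt

        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if ingress == "lan":
            if src in STATIC_LAN:
                # (B) plain routing: the source stays 100.100.100.x, 50.50.50.50 is just a hop.
                return "wan", pkt
            if src in DHCP_LAN:
                # (A) masquerade behind the WAN IP and remember the mapping for the reply.
                nat_port = self.next_nat_port
                self.next_nat_port += 1
                self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
                return "wan", Packet(str(WAN_IP), pkt.dst, nat_port, pkt.dport)
            return None, "source is in neither LAN subnet"

        # ingress == "wan"
        if dst in STATIC_LAN:
            # Directly reachable from the internet once the ISP routes the /29 via 50.50.50.50.
            return "lan", pkt
        if dst == WAN_IP:
            key = (pkt.src, pkt.sport, pkt.dport)
            if key in self.conntrack:
                orig_src, orig_sport = self.conntrack[key]
                return "lan", Packet(pkt.src, orig_src, pkt.sport, orig_sport)
            return None, "unsolicited packet to the NAT address: no state, dropped"
        if dst in DHCP_LAN:
            return None, "private address is not routable from the internet"
        return None, "not addressed to this hub"


def demo():
    """Walk the cases from the thread: firewall on a static IP vs. a DHCP client."""
    nah = NAH("router")
    peer = "203.0.113.9"  # constructed address for a branch-office VPN peer
    fw_out = nah.forward(Packet("100.100.100.2", peer, 500, 500), "lan")   # routed as-is
    pc_out = nah.forward(Packet("192.168.1.10", peer, 51000, 443), "lan")  # masqueraded
    vpn_in = nah.forward(Packet(peer, "100.100.100.2", 500, 500), "wan")   # reaches firewall
    reply_in = nah.forward(Packet(peer, "50.50.50.50", 443, 40000), "wan") # de-NAT to the PC
    unsolicited = nah.forward(Packet(peer, "50.50.50.50", 500, 500), "wan")  # no state: dropped
    return fw_out, pc_out, vpn_in, reply_in, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
    print("router-mode gateways:", NAH("router").lan_gateways())
    print("bridge-mode gateways:", NAH("bridge").lan_gateways())
```

The point the model makes explicit is the last two lines: in router mode a client can resolve both 192.168.1.254 and 100.100.100.1 on the same wire, so the firewall's static IPs are routed without NAT while the DHCP clients stay hidden behind 50.50.50.50; in bridge mode nothing answers for 100.100.100.1 unless the upstream device hosts it, which is exactly the gap the last post describes.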