• Can firewall have the same IP address for WAN and LAN

    #2371865

    I have a misbehaving firewall device that I’m going to have to take offline until a replacement arrives. I’ll be stuck depending on the firewall in the ISP modem. (Bother). I need to minimize the downtime while I reconfigure the modem’s LAN IP address.

    I want to change the LAN address of the modem to be the same as the LAN address of the bad firewall and turn off the modem’s DHCP serving. Then unplug the modem from the firewall device WAN port, and unplug our network from the firewall LAN port. Then plug the network directly into the modem LAN port. On our internal network DHCP is served from another server and not the firewall device.

    Is there any reason that this won’t work? I figure that network downtime while I unplug and plug in cables to be about 30 seconds.

    Incidentally, the problem with the firewall device is that it is occasionally disconnecting from the modem without the modem or firewall logs shedding any light as to why. Our ISP has already replaced the modem without solving the issue. We’re a church and have a major event streaming in a few days. The connection cannot be allowed to drop during the event!

    • #2371939

      WAN and LAN devices can’t have the same IPs.
      LAN has internal IPs not visible from the outside (for security).
      WAN has external IPs visible to all.

    • #2372028

      Actually it seems to work. I did some experimenting yesterday and made this change resulting in three separate networks.

      First is the public WAN, the Internet.

      Second is the ISP modem LAN. I gave the LAN port of the modem the IP 10.124.94.1. It has only one client, our firewall’s WAN port.

      The third network is the LAN side of the firewall. It contains all our clients. They can only connect to the firewall. They cannot directly connect to anything on the WAN side of the firewall. So they do not care what the IP address range for the WAN side of the firewall is. The firewall does all the NAT work.

      It all works just fine. Makes sense really. After all there are oodles of independent 192.168.x.x networks hiding behind routers and firewalls, and they all can connect to the internet and not, directly, to each other.

      • #2372105

        Dear (other) anonymous,

        You should test the software to be used for your upcoming “streaming event” before declaring victory.

        As Paul T indicates, double-nat can sometimes present difficulties.  I would suggest putting your ISP modem into transparent bridge mode, leaving your firewall to act as the (only) router.  Hard to give concrete advice, since you never mentioned the specific equipment involved.

        See this article for example, and/or google double+nat

        Good luck.

         

    • #2372091

      Your suggested solution is perfectly valid – as you found out.

      The downside of having router > firewall > network is you “double NAT” the internal devices, although this isn’t an issue if you are just surfing / email etc.

      cheers, Paul
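
Added example, not part of any post in this thread: a small Python check for the modem > firewall > LAN layout discussed above, flagging overlapping WAN/LAN subnets and double NAT before the change is made. Only 10.124.94.1 comes from the thread; the /24 prefixes, the other addresses and the function name are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
# A firewall WAN address inside any of these means something upstream also NATs.
NATTED_RANGES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def audit_topology(modem_lan, firewall_wan_ip, firewall_lan):
    """Return finding codes for a modem > firewall > LAN layout (hypothetical helper)."""
    modem_net = ipaddress.ip_network(modem_lan, strict=False)
    fw_lan_net = ipaddress.ip_network(firewall_lan, strict=False)
    fw_wan = ipaddress.ip_address(firewall_wan_ip)
    findings = []
    # The firewall's WAN port must sit inside the modem's LAN subnet to reach it.
    if fw_wan not in modem_net:
        findings.append("wan-outside-modem-lan")
    # Same subnet on both sides of the firewall: it cannot route between them.
    if modem_net.overlaps(fw_lan_net):
        findings.append("wan-lan-overlap")
    # Private or CGNAT address on the WAN port: clients are translated twice.
    if any(fw_wan in r for r in NATTED_RANGES):
        findings.append("double-nat")
    return findings


if __name__ == "__main__":
    # Constructed scenarios; only 10.124.94.1 appears in the thread.
    scenarios = {
        "three networks, as tested": ("10.124.94.1/24", "10.124.94.2", "192.168.1.1/24"),
        "same range on both sides": ("10.124.94.1/24", "10.124.94.2", "10.124.94.1/24"),
        "modem in bridge mode": ("203.0.113.1/24", "203.0.113.10", "192.168.1.1/24"),
    }
    for name, args in scenarios.items():
        print(f"{name}: {audit_topology(*args) or 'no findings'}")
```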
