Details
Under my previous configuration, I had one static IPv4 address and no IPv6 addresses. I had a DMZ interface, behind which hosts had only static IPv4 addresses, and a private interface, behind which hosts had DHCP addresses. I used Destination NAT to route traffic to a server behind my DMZ and I used Source NAT to handle all outgoing traffic (from both the DMZ and the private net). I understand how all of that works and how to configure it.
My new setup is much more robust and meets my full use case, and I'm not sure how best to configure it. I have ranges of static IPv4 and IPv6 addresses.
- My IPv4 range (changed to example values for this question) is 1.2.3.168/29. I am not allowed to use 1.2.3.168 or 1.2.3.175 (buffer IPs, I guess). The ISP's assigned address for the modem (Comcast Business IP Gateway) is 1.2.3.174, which takes one of the range IPs. This leaves me with five usable IPv4 addresses: 1.2.3.169 - 1.2.3.173. (The "default gateway" assigned to the modem is 5.6.7.1 [also changed], but I don't think I need to use that anywhere in my VyOS config.)
- My IPv6 prefix (similarly changed) is 1:2:3:8700::/56. I can use the entire prefix. The ISP's assigned IPv6 address for the modem isn't in the range—it's (also changed for this question) 5:6:7:e:512d:8177:a1ea:1ce8. (The "default gateway" is fe80::201:5cff:fe6d:d246 and the "WAN Link Local" is fe80::7654:7dff:feb1:d390, but I don't think I need to use those anywhere in my VyOS config.)
Here's what I need to do, and I'm just not sure how to approach it.
- I want to assign 1.2.3.169 as the IPv4 address to my WAN interface.
- I want to statically assign 1.2.3.170, 1.2.3.171, 1.2.3.172, and 1.2.3.173 to servers behind my DMZ interface, OR, if there's a better way, somehow make it (I assume through DNAT) so that traffic to those IPv4 addresses gets routed to those servers behind my DMZ interface.
- I want outgoing IPv4 traffic SNATed to go out through 1.2.3.169.
- I want to assign an IPv6 address from that prefix to the WAN.
- I want to statically assign (or similarly route as above) IPv6 addresses from some sub-range of that prefix to servers behind my DMZ interface.
- I want to dynamically assign (DHCPv6, SLAAC, or whatever) IPv6 addresses from another sub-range of that prefix to hosts on my private net.
The firewall stuff I can figure out ... it's which IP addresses to assign to which interfaces and what DNAT/SNAT/routing rules to set up that I'm a little lost on.
Would appreciate some guidance on this configuration.
Thanks!
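One way to lay out the addressing and NAT described in the post, as an added example that is not the poster's configuration and not an answer from this thread. It assumes VyOS 1.3-style `set` syntax, interface names eth0 (WAN), eth1 (DMZ) and eth2 (private), an RFC 1918 subnet behind each inside interface (10.10.10.0/24 and 192.168.1.0/24), that the modem at 1.2.3.174 is the IPv4 next hop, that the /56 is split into /64s with 1:2:3:8700::/64 on the WAN link, 1:2:3:8701::/64 on the DMZ and 1:2:3:8702::/64 on the private net, and that the listed "default gateway" link-local address is reachable as the IPv6 next hop on eth0. Only the public addresses and prefix come from the post; everything else is a placeholder to adapt.

```vyos
# --- WAN (eth0): primary address plus the four DNAT targets ---
# The extra /29 addresses are added so the router answers ARP for
# 1.2.3.170-173 on the link to the modem; without this, DNAT rules
# never see the packets (assumption: modem delivers the block on-link).
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 address '1.2.3.169/29'
set interfaces ethernet eth0 address '1.2.3.170/29'
set interfaces ethernet eth0 address '1.2.3.171/29'
set interfaces ethernet eth0 address '1.2.3.172/29'
set interfaces ethernet eth0 address '1.2.3.173/29'
set interfaces ethernet eth0 address '1:2:3:8700::1/64'

# --- DMZ (eth1): private IPv4 for DNAT targets, public IPv6 /64 ---
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces ethernet eth1 address '1:2:3:8701::1/64'
# DMZ servers get their IPv6 addresses configured statically on the
# hosts themselves (e.g. 1:2:3:8701::10/64); nothing else is needed here.

# --- Private net (eth2): DHCP IPv4 as before, SLAAC for IPv6 ---
set interfaces ethernet eth2 description 'PRIVATE'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth2 address '1:2:3:8702::1/64'
set service router-advert interface eth2 prefix '1:2:3:8702::/64'

# --- Default routes (assumed next hops; verify against the gateway) ---
set protocols static route 0.0.0.0/0 next-hop '1.2.3.174'
set protocols static route6 ::/0 next-hop 'fe80::201:5cff:fe6d:d246' interface 'eth0'

# --- DNAT: one public IPv4 per DMZ server (inside addresses assumed) ---
set nat destination rule 10 description 'DMZ server A'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '1.2.3.170'
set nat destination rule 10 translation address '10.10.10.10'
set nat destination rule 20 description 'DMZ server B'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 destination address '1.2.3.171'
set nat destination rule 20 translation address '10.10.10.11'
set nat destination rule 30 description 'DMZ server C'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 destination address '1.2.3.172'
set nat destination rule 30 translation address '10.10.10.12'
set nat destination rule 40 description 'DMZ server D'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 destination address '1.2.3.173'
set nat destination rule 40 translation address '10.10.10.13'

# --- SNAT: all outbound IPv4 from DMZ and private net leaves as .169 ---
set nat source rule 100 description 'DMZ outbound'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.10.10.0/24'
set nat source rule 100 translation address '1.2.3.169'
set nat source rule 110 description 'Private outbound'
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.1.0/24'
set nat source rule 110 translation address '1.2.3.169'
# No NAT66: IPv6 hosts on eth1 and eth2 are globally addressed and routed,
# so the stateful firewall on eth0 is the only thing between them and the
# Internet, which is where the per-interface rulesets belong.
```

Two points worth checking after committing: that the modem actually forwards traffic for the unused /29 addresses to the router (otherwise the DNAT rules are never hit), and that the link-local next hop used in the `route6` statement is the address the gateway presents on its LAN side rather than its upstream gateway, since the post's status-page values could be either. If a DMZ server should also appear as its own public address for outbound connections, a per-host `nat source` rule with that address as the translation address can be placed before rule 100.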