The Bigleaf routers support LAN IP assignment via DHCP and NAT Firewall modes, in addition to the standard Static IP configuration. DHCP and NAT Firewall modes should only be used in the limited situations where they are actually needed.
Static Configuration
Static IP assignment is the standard configuration for LAN networks. The subnet mask, usable IP address, and gateway IP are manually configured on the firewall or other device.
Note: High Availability (HA) service plans and equipment currently only support Static configuration. Other configuration modes are not shown for sites using an HA service plan.
DHCP Configuration
Bigleaf routers provide a DHCP-assigned address from the LAN network to the firewall, router, or other networking device. If more than one LAN network is configured on the site, you can select the block from which to assign addresses.
Keep this in mind when using DHCP:
- You can’t change directly from NAT mode to DHCP mode. You must first change from NAT mode to Static mode, assign a /30 prefix, and then change to DHCP mode.
- This feature is designed to simplify configuration: you won’t have to configure a static IP on your firewall, router, or other networking device.
- You can’t reserve a specific DHCP/IP combination.
- Mixing DHCP and Static IP configuration on a LAN can result in IP conflicts. See the Mixed DHCP and Static Configuration topic below for more details.
NAT Firewall Configuration
Network Address Translation (NAT) allows many devices on a private network to share a single gateway to the internet. In turn, all of those devices will have the same public IP address -- that of the gateway -- and unique private IP addresses. NAT firewall configuration is intended only as a mechanism to support special requests, or for use in Bigleaf Home Office installations.
If you understand how to configure NAT firewall mode and have Super Admin credentials in Cloud Connect, you can enable it yourself. If you’re unsure whether you need NAT, or have questions about configuring a NAT firewall, contact Bigleaf Support.
Keep this in mind when using NAT firewall configuration:
- With the exception of Bigleaf Home Office installations or special use scenarios, the NAT Firewall feature is not recommended.
- NAT Firewall can’t be used in addition to assigned LAN subnets or routes. All LAN networks must be removed to enable this feature.
- The default LAN NAT subnet is 10.134.0.0/22, and this can be customized in Cloud Connect. The default gateway must be part of the standard RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). The combination of default gateway and netmask establishes the pool of IPs that the CPE will provide via DHCP.
- 1:1 NAT, PNAT, DMZ, and NAT reservations are not supported.
- Inbound traffic that does not have an associated NAT translation will go to the router loopback IP (and likely be dropped).
- The DHCP DNS servers are fixed to be the Bigleaf DNS servers 162.219.101.1 and 162.219.102.1. See the DHCP Configuration topic above for more information.
Mixed DHCP and Static Configuration
When multiple LAN Networks are assigned to a site, only one of the configured LAN Networks can be set to DHCP mode; the other configured LAN Network(s) must be set to Static mode.
Keep this in mind when using mixed DHCP and Static configuration:
- You can change a site from Static mode to DHCP and then select which LAN Network is used for DHCP. Alternatively, if a site already has one LAN Network in DHCP mode, any new LAN Networks added to the site will use Static mode.
- Careful and intentional configuration is required to ensure that the intended firewalls, routers, or other networking devices request addresses from the DHCP LAN Network pool. For example, if a static IP address has already been allocated from a LAN Network and that network is then changed to DHCP, the DHCP server on the Bigleaf router is not aware of the existing static allocation and can hand out the same address. This creates an IP conflict that can cause ARP issues and/or service impact.
- Sites that use the HA service can only use Static mode.
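The NAT Firewall rules above (RFC 1918 default gateway, gateway plus netmask defining the DHCP pool, no coexisting LAN networks, HA sites Static-only) and the mixed DHCP/Static conflict described in this section can all be checked before a change is made in Cloud Connect. The following is an added example written for this page, not Bigleaf code and not the Cloud Connect API. The site data in it is constructed, and the assumption that the network, broadcast and gateway addresses are the only ones excluded from the pool is the author's, not the page's.

```python
"""Pre-flight checks for a Bigleaf LAN mode change.

Added example; this is not Bigleaf's own code or the Cloud Connect API. It
models the rules stated on this page with the standard-library ipaddress
module so a planned change can be sanity-checked before it is applied.
Assumptions are noted inline; the sample site data at the bottom is constructed.
"""
import ipaddress

# RFC 1918 private ranges the NAT default gateway must fall within.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# DHCP DNS servers are fixed to Bigleaf's resolvers in NAT Firewall mode.
BIGLEAF_DNS = ("162.219.101.1", "162.219.102.1")


def nat_gateway_problems(gateway, netmask):
    """Reasons a proposed NAT default gateway/netmask pair is invalid (empty list = OK)."""
    problems = []
    try:
        gw = ipaddress.IPv4Address(gateway)
        net = ipaddress.IPv4Network(f"{gw}/{netmask}", strict=False)
    except ValueError as exc:
        return [f"unparseable gateway/netmask: {exc}"]
    if not any(gw in rng for rng in RFC1918):
        problems.append(f"default gateway {gw} is outside RFC 1918 space")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    return problems


def nat_dhcp_pool(gateway, netmask):
    """Subnet and leasable address count implied by gateway + netmask.

    Assumption: the network, broadcast and gateway addresses are excluded from
    the pool; the page only says the gateway/netmask combination defines it.
    """
    problems = nat_gateway_problems(gateway, netmask)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
    return net, net.num_addresses - 3


def nat_mode_blockers(lan_networks, ha_plan):
    """Why NAT Firewall cannot be enabled yet: HA sites are Static-only, and
    all assigned LAN networks must be removed first."""
    blockers = []
    if ha_plan:
        blockers.append("HA service plans support Static mode only")
    if lan_networks:
        blockers.append("remove LAN networks first: " + ", ".join(lan_networks))
    return blockers


def dhcp_static_conflicts(dhcp_lan, static_hosts):
    """Static addresses that sit inside the LAN block being switched to DHCP mode.

    The Bigleaf DHCP server does not know about them, so it can lease the same
    address to another device (the ARP / service-impact case described above).
    Assumption: every usable address in the DHCP LAN block is leasable.
    """
    pool = ipaddress.IPv4Network(dhcp_lan)
    return {host: ip for host, ip in static_hosts.items()
            if ipaddress.IPv4Address(ip) in pool}


if __name__ == "__main__":
    # Constructed sample site: two LAN blocks, the first about to be switched to DHCP.
    lan_blocks = ["192.168.10.0/24", "192.168.20.0/24"]
    static_hosts = {"fw-edge": "192.168.10.1", "printer": "192.168.10.50", "voip-gw": "192.168.20.5"}

    print("Mixed-mode check, DHCP on", lan_blocks[0])
    for host, ip in dhcp_static_conflicts(lan_blocks[0], static_hosts).items():
        print(f"  CONFLICT: {host} holds {ip} inside the DHCP pool")

    print("NAT Firewall blockers:", nat_mode_blockers(lan_blocks, ha_plan=False))
    net, leases = nat_dhcp_pool("10.134.0.1", "255.255.252.0")
    print(f"NAT pool {net}: {leases} leasable addresses, DNS {BIGLEAF_DNS}")
    print("CGNAT gateway:", nat_gateway_problems("100.64.0.1", "255.255.255.0"))
```

Running the script reports the two static hosts that would collide with a DHCP pool on 192.168.10.0/24, shows that NAT mode is blocked until both LAN blocks are removed, and rejects a 100.64.0.0/10 (CGNAT) gateway because it is not RFC 1918 space even though it is private.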
Additional information about using the NAT Firewall mode
The public NAT IP address is assigned to the site as a single /32 IP address and is configured on the Bigleaf router as a loopback IP. This IP is only assigned while the primary tunnel endpoint server is a valid, operational server: if the NAT firewall is enabled during provisioning while the primary tunnel endpoint server is still set to a provisioning placeholder, no IP is assigned.
The public NAT IP will always change if the primary POP changes, which drops all existing sessions. This occurs only on a primary POP configuration change, not on failover to the secondary POP when the primary is down. There is no guarantee that the same IP will be reassigned if a site moves back to the original POP.
Although addresses are fairly stable, this mode does not provide static IP assignment.