This document walks through a design example for a scenario where site Firewall device wishes to use static IP address from a range provided by service provider.
WAN Subnet Requirements
An enterprise is allocated from its service provider a X.Y.134.112/28 as its WAN subnet (where X and Y are the first and second bytes of the subnet). The network diagram is Internet - CPE - Firewall - Internal Network as shown below.Â

The customer requires to assign the Firewall a static IP address from the subnet provided by the service provider.Â
CPE WAN Subnet Design
The solution for the CPE WAN subnet design is to split the /28 into two /29 subnets.Â
CPE WAN Subnet (/29):
Network: X.Y.134.112/29
Usable IP addresses: X.Y.134.113 to X.Y.134.118
Default gateway: X.Y.134.113Â (The default gateway is the ISP router)
Broadcast address: X.Y.134.119
CPE WAN Eth0 IP address: X.Y.134.114
CPE LAN Subnet (/29):
Network: X.Y.134.120/29
Usable IP addresses: X.Y.134.121 to X.Y.134.126
Default gateway: X.Y.134.121
Broadcast address: X.Y.134.127
CPE LAN Eth1 IP address: X.Y.134.121
Firewall IP address: X.Y.134.122
The above design is illustrated in the diagram below.Â

Other considerations.
For this configuration to work, the CPE WAN NAT function is disabled.Â
Firewall NAT function should be enabled.Â
Migration Steps
If CPE has been deployed and the above diagram is a new requirement, you can adopt the CPE configuration by following the steps below.
Login to the Bumblebee portal
Under Intelligent Edge, click CPE Routers
Select the CPE on the list, click Actions -> Edit WAN Interface
Change the WAN IP address and related fields and disable NAT by un-selecting Enable Source NAT
Wait a few minutes for the CPE device to come up again (The Op State of the CPE should be green)
Once it has come back up, proceed to change LAN Interface by Actions -> Edit LAN Interface
How about a /29 WAN subnet?
The same approach can be applied if the service provider allocates a /29 WAN network for a site. By splitting a /29 to two /30 subnets, enterprise can install both CPE and Firewall on two separate /30 subnets.
As an example, say the WAN subnet is X.Y.134.112/29, one can split it into two /30 subnet as follows with 2 usable host IP address on each subnet.
CPE WAN Subnet (/30):
Network: X.Y.134.112/30
Usable IP addresses: X.Y.134.113 and X.Y.134.114
Default gateway: X.Y.134.113Â (The default gateway is the ISP router)
Broadcast address: X.Y.134.115
CPE WAN Eth0 IP address: X.Y.134.114
CPE LAN Subnet (/30):
Network: X.Y.134.116/30
Usable IP addresses: X.Y.134.117 and X.Y.134.118
Default gateway: X.Y.134.117
Broadcast address: X.Y.134.119
CPE LAN Eth1 IP address: X.Y.134.117
Firewall IP address: X.Y.134.118
Comments