I'm trying to figure out how to set up my network with a /28 IPv4 and /64 IPv6 subnet that my ISP is providing. They want to know how I'd like to receive it—either via a transit IP (point-to-point) or onlink. I need at least one or two IPs on the WAN because I want to run WireGuard on my Unifi EFG, but I also want to assign the rest to a VLAN and distribute those IPs to my servers and VMs. What would be the best solution for this, and can I achieve it with an onlink/WAN subnet?
3 Answers
It sounds like you have a solid plan, but keep in mind that you might not need to expose your WireGuard instance directly if it's just for internal purposes. If you're worried about using VLANs with static IPs, you can definitely manage subnets this way, but make sure your Unifi setup supports the configuration you need. Always best to check the specific capabilities of your hardware.
A good approach is to use a firewall with the complete subnet on the WAN interface. Then, you can have your VLANs as private subnets with the firewall acting as the gateway. If a specific device or server needs to use a certain outgoing IP, you can set that up with firewall rules. For incoming traffic, you'll need to either set up port forwarding or use reverse proxy/WAF capabilities on the firewall.
Both methods can work, but it depends a lot on your equipment and what your ISP is using. Generally, the simplest route for small to medium businesses is onlink. You would configure the /28 on your firewall’s WAN, allowing it to assign usable WAN IPs to other devices using methods like 1:1 NAT or virtual IPs. However, I’m curious why you need a second IP for WireGuard. If your Unifi ESG is your primary firewall, it might be better to have it on the LAN and just forward the necessary ports for WireGuard instead.
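The second and third answers both describe the same design: the whole /28 lands on the firewall's WAN, a private VLAN sits behind it, and individual servers get a public address through 1:1 NAT (or virtual IPs) plus explicit forwarding rules. The script below is an added example, not code from the question or any answer, that plans such a /28 for both delivery methods the ISP offered and renders the matching nftables 1:1 NAT and forward rules. All addresses are constructed documentation space (RFC 5737), the VLAN range, server inventory and interface name `eth0` are assumptions, and the nftables syntax is for a Linux firewall rather than the UniFi appliance in the question.

```python
"""Plan a /28 public IPv4 block on a firewall's WAN and map part of it 1:1
to servers on a private VLAN. Added example; addresses are RFC 5737
documentation space constructed for illustration, not a real assignment."""
import ipaddress

PUBLIC_V4 = ipaddress.ip_network("203.0.113.16/28")   # constructed ISP /28
VLAN_NET = ipaddress.ip_network("10.20.0.0/24")       # constructed server VLAN
WAN_IF = "eth0"                                       # assumed WAN interface name

# Constructed inventory: name -> (private address, TCP ports allowed inbound)
SERVERS = {
    "web":  ("10.20.0.10", [80, 443]),
    "mail": ("10.20.0.11", [25, 587]),
}


def plan_block(block, delivery, transit_ip=None):
    """Split the block according to how the ISP delivers it.
    onlink:  the ISP gateway and the firewall's own WAN address are taken from
             the /28 itself, so 2 of the 14 usable hosts are gone before any
             service address is handed out.
    transit: the firewall's WAN address lives on the point-to-point link and the
             ISP routes the whole /28 to it, so all 14 usable hosts are free."""
    hosts = list(block.hosts())              # excludes network and broadcast
    plan = {"delivery": delivery}
    if delivery == "onlink":
        plan["isp_gateway"] = hosts[0]
        plan["firewall_wan"] = hosts[1]
        plan["wireguard"] = hosts[2]         # extra WAN address for the VPN endpoint
        plan["nat_pool"] = hosts[3:]         # what is left for 1:1 NAT to VLAN hosts
    elif delivery == "transit":
        if transit_ip is None:
            raise ValueError("transit delivery needs the point-to-point address")
        plan["isp_gateway"] = None           # next hop is on the transit link
        plan["firewall_wan"] = ipaddress.ip_address(transit_ip)
        plan["wireguard"] = hosts[0]
        plan["nat_pool"] = hosts[1:]
    else:
        raise ValueError(f"unknown delivery {delivery!r}")
    return plan


def map_one_to_one(pool, servers, vlan=VLAN_NET):
    """Give each server one public address from the pool, in inventory order,
    refusing private addresses that are not inside the server VLAN."""
    if len(servers) > len(pool):
        raise ValueError("more servers than spare public addresses")
    mapping = []
    for pub, (name, (priv, ports)) in zip(pool, servers.items()):
        priv_ip = ipaddress.ip_address(priv)
        if priv_ip not in vlan:
            raise ValueError(f"{name}: {priv} is not in {vlan}")
        mapping.append((name, pub, priv_ip, ports))
    return mapping


def nft_rules(mapping, wan_if=WAN_IF):
    """Render nftables text: DNAT inbound to the VLAN host, SNAT outbound so the
    host egresses from its own public address, and a forward chain that drops
    everything except established flows, VLAN-originated outbound traffic and
    the listed inbound ports per server."""
    lines = ["table ip nat {",
             "    chain prerouting {",
             "        type nat hook prerouting priority dstnat;"]
    lines += [f'        iifname "{wan_if}" ip daddr {pub} dnat to {priv}'
              for _, pub, priv, _ in mapping]
    lines += ["    }",
              "    chain postrouting {",
              "        type nat hook postrouting priority srcnat;"]
    lines += [f'        oifname "{wan_if}" ip saddr {priv} snat to {pub}'
              for _, pub, priv, _ in mapping]
    lines += ["    }", "}",
              "table ip filter {",
              "    chain forward {",
              "        type filter hook forward priority filter; policy drop;",
              "        ct state established,related accept",
              f'        oifname "{wan_if}" accept']
    lines += [f'        iifname "{wan_if}" ip daddr {priv} tcp dport '
              f'{{ {", ".join(map(str, ports))} }} accept'
              for _, _, priv, ports in mapping]
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = plan_block(PUBLIC_V4, "onlink")
    print({k: (str(v) if not isinstance(v, list) else len(v)) for k, v in plan.items()})
    print(nft_rules(map_one_to_one(plan["nat_pool"], SERVERS)))
```

Running it with the onlink plan shows the cost the third answer alludes to: the gateway, the firewall's WAN address and the WireGuard address consume three of the fourteen usable hosts, leaving eleven for servers, whereas the transit variant leaves thirteen. The forward chain is what actually admits traffic; a DNAT rule on its own only rewrites the destination, so each server is reachable only on the ports listed in the inventory.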