The Ecessa appliance requires use of an IP address from the IP subnet of each WAN connection. To accommodate a variety of network environments, the Ecessa appliance can function in three different modes: NAT, Routed, and Translucent. The purpose of this article is to provide a brief description for each of these operating modes. For additional information, please refer to the Basic Setup section in the online Ecessa manual.
NAT mode – similar to a traditional firewall, NAT mode configures the WAN interface(s) with the appropriate WAN subnet(s), while the LAN interface and all internal network devices connected to the Ecessa LAN are configured with a private network. Depending on the existing network configuration, this mode may require additional configuration changes during installation, since the settings of existing network devices must be modified to reflect the new private network.
Situations where NAT mode may be recommended include, but are not limited to: WANs using point-to-point subnet masks (255.255.255.252 - CIDR /30); or instances when all available WAN addresses are assigned to hosts or services with none available for the Ecessa appliance’s use.
Routed mode – a semi-transparent mode, Routed mode allows the internal network devices to continue to use addresses from the WAN subnet; however, it may require additional configuration changes during installation, as the existing network devices must be modified to use a different default gateway address. This option does have some caveats:
- The existing WAN subnet mask is at least 29 bits (255.255.255.240 – CIDR /29)
- The existing WAN has four contiguous addresses that fall within a /30 subnet
- The gateway address on the firewall or the actual gateway (ISP) device address can be changed
Situations where Routed mode may be recommended include, but are not limited to: WANs using point-to-point subnet masks with a separate routable subnet. The point-to-point WAN is sometimes referred to as a “hand-off” for the routable “LAN” subnet.
Translucent mode – a transparent mode, Translucent mode allows the Ecessa appliance to use only a single IP address from the routed WAN subnet. This address is configured on both the WAN and LAN interfaces, while the existing network devices behind the Ecessa appliance continue to use the same IP configuration and default gateway. Devices configured with an IP address within the same range “pass through” the PowerLink without requiring NAT, while the Ecessa appliance provides load balancing and WAN failover transparently. Translucent mode is available in firmware versions 8.0 and later.
Situations where Translucent mode may be recommended include, but are not limited to: environments where the firewall (and possibly other devices) is already configured to use an IP address within the WAN range. Translucent mode is the preferred operating mode in general, as it uses only a single IP address from the WAN subnet and minimizes firewall and gateway changes.
NOTE: Although multiple WAN lines can be configured to use Routed or Translucent mode, it is typically recommended that additional (secondary) WAN lines are configured for NAT mode.
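As an added planning aid (not Ecessa code), the following helper checks a WAN subnet and its already-assigned addresses against the address conditions the article states for each mode: Translucent needs one spare address, Routed needs a spare aligned /30 (the article's "at least 29 bits" is read here as a prefix of /29 or shorter), and NAT is always possible. The sample subnets are constructed documentation ranges, and the in-use list is assumed to include the existing gateway.

```python
import ipaddress

# Added planning helper (not Ecessa code): checks a WAN subnet against the
# address conditions this article gives for each operating mode.

def free_hosts(wan_subnet, in_use):
    """Host addresses of the WAN subnet not already assigned to a device."""
    net = ipaddress.ip_network(wan_subnet, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    return [h for h in net.hosts() if h not in used]

def free_slash30_blocks(wan_subnet, in_use):
    """Aligned /30 blocks inside the WAN subnet with no assigned address.
    Assumption: the Routed-mode condition 'four contiguous addresses that fall
    within a /30' means such a block, and 'at least 29 bits' means a prefix of
    /29 or shorter (a /30 WAN has no spare /30 to carve out)."""
    net = ipaddress.ip_network(wan_subnet, strict=False)
    used = {ipaddress.ip_address(a) for a in in_use}
    if net.prefixlen > 29:
        return []
    return [b for b in net.subnets(new_prefix=30)
            if not any(a in used for a in b)]

def candidate_modes(wan_subnet, in_use):
    """Modes whose stated conditions are met, in the article's order of
    preference: Translucent (one spare address), Routed (a spare /30, with the
    gateway address assumed changeable), then NAT (always possible; the
    article recommends it for /30 WANs or when no WAN address is spare)."""
    modes = []
    if free_hosts(wan_subnet, in_use):
        modes.append("Translucent")
    if free_slash30_blocks(wan_subnet, in_use):
        modes.append("Routed")
    modes.append("NAT")
    return modes

if __name__ == "__main__":
    # Constructed sample WANs (documentation ranges, not real deployments).
    examples = [
        ("198.51.100.0/30", ["198.51.100.1", "198.51.100.2"]),            # point-to-point, full
        ("203.0.113.0/29", ["203.0.113.1", "203.0.113.2", "203.0.113.5"]),  # spare host, no spare /30
        ("203.0.113.16/28", ["203.0.113.17", "203.0.113.18"]),             # room for a spare /30
    ]
    for subnet, used in examples:
        print(subnet, "->", candidate_modes(subnet, used))
```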
Could you explain your note at the bottom that "it is typically recommended that additional (secondary) WAN lines are configured for NAT mode"? Is there a problem with using translucent mode for multiple WAN links?
No, there is not a problem with using multiple WANs in translucent mode; however, that scenario does require the neighboring LAN device (such as a firewall or router) to be configured with an address for each of the translucent subnets. The LAN device would also have to make routing decisions to determine which address to use for traffic, as the Ecessa appliance cannot NAT between the LANs. For these reasons, it is uncommon, though not unprecedented, to use multiple translucent WAN lines.
For simplicity, we recommend configuring a single (primary) WAN line for translucent mode and any additional WAN lines for NAT mode. This way, NAT between the WAN lines and routing decisions can occur at the Ecessa, with the neighboring device handling NAT (usually public to private addressing) if necessary.