Umesh
Contributor

Why do we use another IP pool instead of exit wan interface ip

Dear All,

I have a few queries, which are as follows:

1. Why do we assign a WAN IP pool instead of the exit WAN interface to our email server?

2. Let's say we have two ISPs, ISP1 & ISP2.

ISP1 range is 192.168.99.0/28 and ISP2 range is 193.168.99.0/29.

ISP1 exit interface IPs are 192.168.99.2 (customer end) and 192.168.99.1 is the ISP1 end; similarly,

ISP2 exit interface IPs are 193.168.99.2 (customer end) and 193.168.99.1 is the ISP2 end.

My concern is why we do not use the exit interface for email communication. Please refer to the attached snapshot (WAN.JPG).

Thank you

xshkurti
Staff

@Umesh You can use the WAN exit interface or an IP pool. This depends on how you want to separate traffic.

In this case you may use an IP pool so that emails will use a dedicated IP instead of the WAN exit interface IP.
It all depends on you. Technically there are no issues if you use the WAN exit interface or IP pools.

In the case of 2 ISPs (if you use SD-WAN), you use an IP pool so that your mail server is published with one known external IP, which should be routable from both ISPs (one IP for the mail server may help with SPF, DKIM and DMARC).
Hope that answers your question.

Umesh
Contributor

Hi Xshkurti,

Can you please help me understand, using a scenario, why we use another IP pool instead of the exit WAN interface IP?

Thank you.

xshkurti
Staff

@Umesh 
In your case you have 193.168.99.0/29 given from your ISP.
That means that you have 5 usable IPs, 193.168.99.1 - 193.168.99.6.
The same goes for ISP2.
193.168.99.1 is used for all traffic. Now you have 4 IPs left. It is good design practice to use different IPs for different mission-critical services. One of the reasons is that the IP you specify for email will be declared in other services to whitelist that IP and expect mail flows.
Now if you leave the WAN interface IP, a lot of traffic will pass on that IP (web, video, audio etc.), and there is a risk that that IP may be blocked by mail checker services --> As a result your outgoing IP will be blacklisted and all your emails will go to the spam folder on the receiver side, or worse, be blocked by their spam filters.

There are a lot of reasons why that design is recommended.
Technically, you can use the WAN IP and not involve IP pools at all. So using an IP pool is a recommendation, but not mandatory.
Once again, it is up to you to decide your infrastructure design, but I advise you to follow the Best Practices Guides as they have feedback from real-life scenarios.

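The design described in the two replies above (a dedicated public IP for mail, separate from the WAN interface address that carries general traffic, and the same IP used inbound and outbound so SPF/PTR checks line up), as an added FortiOS CLI example that is not part of the thread. It reuses the thread's ISP2 range 193.168.99.0/29 with 193.168.99.2 left on the interface and 193.168.99.3 reserved for mail; the interface names `internal` and `wan2`, the mail server address 10.0.0.25, the object names and the policy IDs are assumptions for illustration.

```fortios
# Added example, not from the thread. Assumes ISP2 is on wan2 (193.168.99.2),
# the mail server is 10.0.0.25, and 193.168.99.3 is the dedicated mail IP.

config firewall address
    edit "MAIL-SERVER"
        set subnet 10.0.0.25 255.255.255.255
    next
end

# One-to-one IP pool: only traffic matched by a policy that references this
# pool is SNATed to .3. Web/video/audio from the LAN keeps leaving on the
# wan2 interface address (.2), so its reputation cannot drag the mail IP
# onto a blocklist.
config firewall ippool
    edit "MAIL-OUT-ISP2"
        set type one-to-one
        set startip 193.168.99.3
        set endip 193.168.99.3
        set arp-reply enable
    next
end

# Inbound: a VIP on the same public IP, so receiving MTAs that connect back
# or check PTR see the same address that the SPF record authorises.
config firewall vip
    edit "MAIL-IN-ISP2"
        set extip 193.168.99.3
        set extintf "wan2"
        set mappedip "10.0.0.25"
        set portforward enable
        set extport 25
        set mappedport 25
    next
end

config firewall policy
    # Outbound SMTP from the mail server only: source, service and egress
    # interface are all pinned, and NAT uses the pool instead of the
    # interface IP.
    edit 10
        set name "MAIL-OUTBOUND-ISP2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "MAIL-SERVER"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP" "SMTPS"
        set nat enable
        set ippool enable
        set poolname "MAIL-OUT-ISP2"
    next
    # Inbound SMTP to the VIP.
    edit 11
        set name "MAIL-INBOUND-ISP2"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "MAIL-IN-ISP2"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

Two checks a practitioner would do before trusting this: a new policy created from the CLI is appended at the bottom of the list, so policy 10 must be moved above the general LAN-to-internet policy (for example `move 10 before <id of the general policy>`), otherwise mail keeps matching the broad policy and leaves on 193.168.99.2; and the actual egress address should be confirmed with `diagnose sniffer packet wan2 'port 25' 4` while the server sends a test message. Only once .3 is the observed source should the DNS side be published, such as an SPF record of `v=spf1 ip4:193.168.99.3 -all` and a PTR for 193.168.99.3 requested from ISP2. With two ISPs and SD-WAN, the mail server's outbound must be steered to wan2 (or a second pool defined on the ISP1 range and listed in SPF as well), because a failover to ISP1 would otherwise send mail from an address no SPF record covers.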
Umesh

Understood, thanks for the reply.
