So let's say we have three IP ranges.
10.0.0.0/24 for customers who do not require a public IP; in this example, as a small WISP, we are going to use this subnet as our management network too. So all our APs, backhauls and so on will use these IP addresses. This is configured on ether2, which is the internal interface.
Then we have a public IP range given to us by our ISP that we configure on ether1, our external interface, e.g. 196.x.x.x/30.
As a small WISP, let's say that our upstream ISP will only give us a /27 (30 IP addresses) of public IPs, so they are in pretty short supply. We can still build our network with private IPs and give out publics to those who need them, while everyone else uses private IPs that are NATted at the gateway. Let's call it the 201.x.x.x/27 network.
To start with you set up your network so that it is fully up and running properly with the private IP subnet of 10.0.0.0/24.
At this point you MUST NOT use the MASQUERADE action in your src-nat rules in IP>FIREWALL>NAT to do the NATting. The reason is that masquerade will NAT all of your networks, and because we want our public IP subnets NOT to be NATted, we must src-nat ONLY the private subnet. So here is an example src-nat rule:
/ip firewall nat add chain=srcnat action=src-nat to-addresses=196.x.x.x to-ports=0-65535 src-address=10.0.0.0/24 out-interface=ether1
So now all traffic generated by hosts with 10.0.0.0/24 addresses is src-natted out of the ether1 interface using the 196.x.x.x address, while anything with a public source address passes through untouched.
The next step is to divide our /27 into some subnets that we can give to the customers who do need public IP addresses.
So let's say we are going to divide it into a bunch of /30 subnets (so 2 IPs per subnet, with a total of 15 subnets). That means we can give 15 of our customers a single public IP address. Obviously you apply your own subnet plan here.
Now we have to do the static routing for these subnets so that the public addresses route OVER our private 10.0.0.0/24 network to the customer's CPE: each public /30 gets a static route whose gateway is the CPE's 10.0.0.x management address.
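As an added example (not the original poster's configuration), this Python script carves a public /27 into /30 customer subnets, emits the static routes via each CPE's management address and the src-nat rule restricted to the private subnet, and checks that a NAT rule does not masquerade or cover public space. The 203.0.113.0/27, 192.0.2.2 and 10.0.0.x addresses are constructed stand-ins for the 201.x.x.x, 196.x.x.x and CPE addresses in the post.

```python
"""Added example: plan routed public /30s over a private WISP management network
and generate the matching RouterOS commands.  All addresses are constructed."""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")       # management + NATted customers
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")   # stand-in for the 201.x.x.x/27
GATEWAY_PUBLIC = "192.0.2.2"                            # stand-in for the 196.x.x.x on ether1


def split_customer_subnets(block, prefix=30):
    """Carve the ISP-assigned block into per-customer subnets."""
    return list(block.subnets(new_prefix=prefix))


def route_commands(subnets, cpe_mgmt_ips):
    """One static route per customer: the public subnet is reached via the CPE's
    private management address, so it rides over the 10.0.0.0/24 network."""
    cmds = []
    for subnet, cpe in zip(subnets, cpe_mgmt_ips):
        cpe = ipaddress.ip_address(cpe)
        if cpe not in PRIVATE_NET:
            raise ValueError(f"CPE {cpe} is not in the management network")
        cmds.append(f"/ip route add dst-address={subnet} gateway={cpe}")
    return cmds


def srcnat_rule(private_net, public_addr, out_if="ether1"):
    """src-nat ONLY the private subnet; masquerade would also NAT the routed publics."""
    return (f"/ip firewall nat add chain=srcnat action=src-nat "
            f"src-address={private_net} out-interface={out_if} to-addresses={public_addr}")


def nat_rule_is_safe(rule, public_block):
    """Reject masquerade and any src-nat whose source range covers public space."""
    fields = dict(kv.split("=", 1) for kv in rule.split() if "=" in kv)
    if fields.get("action") == "masquerade":
        return False
    src = fields.get("src-address")
    if src is None:
        return False  # no source filter: everything leaving the interface is NATted
    return not ipaddress.ip_network(src, strict=False).overlaps(public_block)


if __name__ == "__main__":
    subs = split_customer_subnets(PUBLIC_BLOCK)
    print(srcnat_rule(PRIVATE_NET, GATEWAY_PUBLIC))
    for cmd in route_commands(subs[:3], ["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        print(cmd)
```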
So I think that covers the topic in basic terms. Obviously on larger networks you don't want to do this with static routing, and OSPF is the way forward. That's why I picked a small WISP for this example.
So in this example we are able to avoid any double NAT, give customers that need it a public IP, subnet our public IPs to make efficient use of them, and create a demarcation point where the CPE is managed by you and the customer router by the customer.
I am sure there are bits I have missed or whatever. Please point them out, but we do this on many networks that we build and it works really well.