Joined: Fri Feb 15, 2008 1:01 am Posts: 34
Hi guys, I have a fairly large wireless network using RB411s and XR9 cards. A customer just requested a public static IP. I have several available, but how do I forward it to their router? You can see my network structure in the image below. Both IPs are available on the same port of the DSL modem to the first AP. How do I get it to the client?
Forgive the lecture if you know this stuff... but this background has helped me build better networks by avoiding the use of NAT wherever possible.
NAT is evil because hosts behind routers that are running NAT do not have end-to-end connectivity. NAT was developed in the 90s to try to conserve IPv4 addresses, and while the internet was growing in popularity and most content was retrieved by browsers and so on (passive internet surfing) this was all OK. But now more than ever internet users are becoming more proactive in using the internet. Uses of the internet that are not NAT friendly include:
- P2P
- VoIP
- Gaming
- Servers
- Streaming
- VPN tunnels
- and so forth.
All these protocols are made trickier by NAT. Also, to run NAT you must have connection tracking enabled = more CPU cycles for the router.
I am now starting to roll out IPv6 in our networks so that all hosts have genuine public IPs.
10.0.0.0/24 is for customers who do not require a public IP, and in this example, as a small WISP, we are going to use this subnet as our management network too. So all our APs, backhauls and so on will use these IP addresses. This is configured on ether2, which is the internal interface.
Then we have a public IP range given to us by our ISP that we configure on ether1, our external interface, e.g. 196.x.x.x/30.
As a small WISP, let's say that our upstream ISP will only give us a /27 (30 IP addresses) of public IPs, so they are in pretty short supply, but we can still build our network with private IPs and give out publics to those who need them, while the others use private IPs that are NATted at the gateway. Let's call it the 201.x.x.x/27 network.
To start with, you set up your network so that it is fully up and running properly with the private IP subnet 10.0.0.0/24.
At this point you MUST NOT use the MASQUERADE action in your src-nat rules in IP > Firewall > NAT to do the NATting. The reason for this is that masquerade will NAT all of your networks, and because we want our public IP subnets NOT to be NATted, we must src-nat ONLY the private subnet. So here is an example src-nat rule:
So now all traffic generated by hosts with 10.0.0.0/24 addresses is src-NATted out of the ether1 interface to the 196.x.x.x address.
The next step is that we need to divide our /27 into some subnets that we can give to the customers who do need public IP addresses.
So let's say we are going to divide it into a bunch of /30 subnets (so 2 IPs per subnet, with a total of 15 subnets). That means that we can give 15 of our customers a single public IP address. Obviously you apply your own subnet plan here.
Now we have to do the static routing for these subnets so that the addresses route OVER our private 10.0.0.0/24 network to the customer's CPE.
[Attachment: routing.png]
So I think that covers the topic in basic terms. Obviously on larger networks you don't want to do this with static routing, and OSPF is the way forward. That's why I picked a small WISP for this example.
So in this example we are able to avoid any double NAT, give customers a public IP when they need one, subnet our public IPs to make efficient use of them, and create a demarcation point where the CPE is managed by you and the customer router by the customer.
I am sure there are bits I have missed or whatever. Please point them out, but we do this on many networks that we build and it works really well.
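As an added worked example (not the poster's own configuration), here is how the steps in the post above map onto RouterOS commands for the gateway and for one CPE. All addresses are assumptions standing in for the post's placeholders: 192.0.2.0/30 for the 196.x.x.x/30 uplink (gateway 192.0.2.2, ISP side 192.0.2.1), 198.51.100.0/27 for the 201.x.x.x/27 customer block, and 10.0.0.20 / 10.0.0.21 for two CPEs on the private backhaul. Interface names and comments are likewise made up for the example.

```routeros
# === Gateway router (ether1 = uplink to ISP, ether2 = internal/backhaul) ===
# Assumed addresses; the real ones come from your ISP and your own plan.
/ip address
add address=192.0.2.2/30 interface=ether1 comment="uplink (stands in for 196.x.x.x/30)"
add address=10.0.0.1/24 interface=ether2 comment="private management/backhaul network"

/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 comment="default via ISP"

# Source-NAT ONLY the private subnet. Do not use action=masquerade here:
# masquerade would rewrite every source address leaving ether1, including
# the public /30s that are merely routed through this box for customers.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 \
    action=src-nat to-addresses=192.0.2.2 comment="NAT private customers only"

# Customer /30s carved from the /27 (198.51.100.0/27 stands in for 201.x.x.x/27).
# Each /30 has two usable hosts: the first for the CPE's customer-facing port,
# the second for the customer's router. Note that a /27 holds eight /30s.
# The next hop is the CPE's address on the private 10.0.0.0/24 network,
# so the public block is routed OVER the private backhaul.
/ip route
add dst-address=198.51.100.4/30 gateway=10.0.0.20 comment="customer A, CPE at 10.0.0.20"
add dst-address=198.51.100.8/30 gateway=10.0.0.21 comment="customer B, CPE at 10.0.0.21"

# Two things this box cannot do for you:
# 1) The ISP must route the whole 198.51.100.0/27 to 192.0.2.2, or return
#    traffic for the customer blocks never reaches this gateway.
# 2) Any AP between the gateway and the CPE that routes (rather than bridges)
#    the backhaul needs the same /30 routes, or OSPF once the network grows.

# === Customer A's CPE (wlan1 = link towards the AP, ether1 = customer port) ===
# Assumes the CPE reaches 10.0.0.1 directly over the bridged wireless path.
/ip address
add address=10.0.0.20/24 interface=wlan1 comment="private backhaul side"
add address=198.51.100.5/30 interface=ether1 comment="public /30, CPE side"

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="everything back to the gateway"

# No NAT on the CPE. The customer's router is configured with 198.51.100.6/30
# and gateway 198.51.100.5, and has end-to-end connectivity with no NAT in
# the path. It is therefore also directly reachable from the internet, so the
# filtering that NAT used to provide by accident must now be done explicitly
# on the customer's router (or in the CPE's forward chain).
```

Verify with `/ip route print` on the gateway (the /30 should show the CPE's 10.0.0.x address as gateway) and, from the customer router, by checking that an outbound connection shows 198.51.100.6 as its source at the far end rather than the gateway's uplink address.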
Joined: Mon Aug 21, 2006 2:57 am Posts: 635
Location: Winnipeg, Manitoba, Canada
Use interface routing, i.e. PPPoE, and assign a public or private address depending on the client. Your src-nat rule on your gateway must have a "not" rule for your public addresses. You must have your ISP forward all public addresses to your gateway's assigned addresses.
Private WILL route over public, it is as simple as that.
ALSO: you must have routing rules for your internal routers to route the traffic.
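An added example of the interface-routing approach described in this reply (not the poster's own configuration): the gateway runs a PPPoE server on its internal interface, and each customer's PPP secret decides whether that customer gets an address from a private pool or a fixed public address. The addresses are assumptions: 192.0.2.2 is the gateway's uplink address, 10.0.0.100-10.0.0.200 the private pool, 198.51.100.0/27 the public block; usernames, passwords and interface names are placeholders.

```routeros
# === Gateway: PPPoE server on ether2, one secret per customer ===
/ip pool
add name=private-pool ranges=10.0.0.100-10.0.0.200

/ppp profile
add name=private local-address=10.0.0.1 remote-address=private-pool

/interface pppoe-server server
add service-name=wisp interface=ether2 default-profile=private \
    one-session-per-host=yes disabled=no

# Private customer: gets whatever the pool hands out.
/ppp secret
add name=cust-private password=CHANGE-ME service=pppoe profile=private

# Public customer: remote-address pins a fixed address out of the public block.
# When the session comes up RouterOS installs a dynamic /32 route for
# 198.51.100.5 via that customer's <pppoe-cust-public> interface, so no
# static route over the backhaul is needed for this customer.
add name=cust-public password=CHANGE-ME service=pppoe profile=private \
    remote-address=198.51.100.5

# The "not" rule: NAT everything leaving the uplink EXCEPT the public block.
/ip firewall nat
add chain=srcnat src-address=!198.51.100.0/27 out-interface=ether1 \
    action=src-nat to-addresses=192.0.2.2 comment="do not NAT public customers"

# Still required outside this box: the ISP routes 198.51.100.0/27 to 192.0.2.2,
# and any AP in the path that routes rather than bridges the PPPoE traffic
# needs its own routes (L2 bridged APs need nothing).
```

The customer's own router runs the PPPoE client with the secret's credentials, so the demarcation moves onto the customer device: it ends up with the public /32 on its PPPoE interface, and the CPE in between only bridges. As with the static-route design, a customer on a public address is reachable from the internet without NAT in the way, so that router needs its own filter rules.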