Greetings to the community, I have spent years reading in these forums but I have never decided to write.
I'll tell you my doubt, in case anyone can enlighten me.
Currently my provider gives me 2 IP ranges (/24) through a /30 between a Juniper R240 and my CCR1016; on my CCR1016 I perform NAT of all the private IPs of my network, since I have declared these IPs on a virtual interface (a bridge).
This week we are going to change this: my provider will deliver the 2 /24 IP ranges for full BGP to a new CCR1032, and also a /22 range that RIPE has assigned to me.
My question is the following:
I want to do full BGP on a CCR1036 and NAT on the other CCR1016. How do I do it? Do I put a /30 between them and give the CCR1016 that does the NAT a default route?
Thanks and greetings
Best practice on BGP routers is leaving them alone, especially the state table and anything affecting forwarding (minimum firewall, etc.), so the best approach would be as you described: NATting from the 1016.
That being said, why NAT? Don't you assign the public IPs to your customers?
Regarding your question, you need to get routing working between both, which is usually accomplished by running OSPF or iBGP between them.
If you want to go with static routing between both:
1- Set the /30 between them
2- On CCR1016, set the CCR1036's /30 end as the default GW
3- On CCR1036, create the routes to the two /24s and the /22 through the remote /30 on the 1016.
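The three static-routing steps above, written out as RouterOS v6 CLI for both boxes. This is an added example, not configuration from the thread: the transit link 10.255.0.0/30, the provider prefixes 203.0.113.0/24 and 198.51.100.0/24, the customer private range 172.16.0.0/12, the ASN 64496 and every interface name are constructed stand-ins, and <RIPE-PREFIX>, <UPSTREAM-IP> and <UPSTREAM-AS> are placeholders to replace with your own values.

```routeros
# ===== CCR1036: full BGP edge, no NAT, only an input-chain firewall =====
/ip address add address=10.255.0.1/30 interface=ether2 comment="transit /30 to CCR1016"

# Step 3: the public space lives behind the 1016, so point it at the 1016's /30 end.
/ip route add dst-address=203.0.113.0/24   gateway=10.255.0.2 comment="provider /24 A via 1016"
/ip route add dst-address=198.51.100.0/24  gateway=10.255.0.2 comment="provider /24 B via 1016"
/ip route add dst-address=<RIPE-PREFIX>/22 gateway=10.255.0.2 comment="RIPE /22 via 1016"

# Announce the same prefixes to the upstream (constructed ASN 64496).
/routing bgp instance set default as=64496 router-id=10.255.0.1
/routing bgp peer add name=upstream remote-address=<UPSTREAM-IP> remote-as=<UPSTREAM-AS>
/routing bgp network add network=203.0.113.0/24   synchronize=no
/routing bgp network add network=198.51.100.0/24  synchronize=no
/routing bgp network add network=<RIPE-PREFIX>/22 synchronize=no

# Keep forwarding untouched: no forward-chain rules, no connection tracking on transit.
# Only protect the router itself (input chain).
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=ether2 action=accept comment="management from the 1016 side"
/ip firewall filter add chain=input protocol=tcp dst-port=179 src-address=<UPSTREAM-IP> action=accept comment="BGP session"
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input action=drop

# ===== CCR1016: holds the public space and does the NAT =====
/ip address add address=10.255.0.2/30 interface=ether1 comment="transit /30 to CCR1036"
# Public prefixes stay on the bridge, as in the current setup.
/ip address add address=203.0.113.1/24   interface=bridge-public
/ip address add address=198.51.100.1/24  interface=bridge-public
/ip address add address=<RIPE-PREFIX>.1/22 interface=bridge-public

# Step 2: everything not local goes to the 1036's /30 end.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.1 comment="default via CCR1036"

# NAT the private customer space to one public address when leaving towards the 1036.
# Matching on out-interface keeps traffic between public subnets un-NATted.
/ip firewall nat add chain=srcnat src-address=172.16.0.0/12 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.1 comment="customers (private) -> Internet"
```

Check with `/ip route print` on the 1036: the three prefixes must show as active static routes (flag `AS`) before BGP will carry traffic back to them; a route that stays inactive usually means the /30 address is missing or on the wrong interface.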
Thank you for answering so quickly.
Great, at least I got the BGP good practices right.
What I am not clear about is point 3: on CCR1036, create the routes to the two /24s and the /22 through the remote /30 on the 1016.
/ip route add dst-address=<public-A>/24 gateway=<private-/30-peer-address>
/ip route add dst-address=<public-B>/24 gateway=<private-/30-peer-address>
/ip route add dst-address=<public-C>/22 gateway=<private-/30-peer-address>
How would you create the routes?
Or in OSPF towards the router that does the BGP?
Regarding the NAT, it is for 2 reasons. The first is that we are in the process of migrating the network from bridge to routed mode; we are currently using OSPF and MPLS, and from all the routers we have created VPLS tunnels up to the CCR1016, where we do NAT, for now.
The second reason, regarding delivering public IPs to customers, is that we have 2 other fiber providers that serve as backup, but they are residential and we only have one IP on each of them; then, when our main provider fails, we route to the whole world through these providers, doing NAT with those 2 IPs. If I delivered the public IPs directly to the clients I could not use these 2 backup providers; you cannot NAT a public IP onto another public IP, right?
Thanks for your time
If you use OSPF already, then use it for CCR1036-1016 routing.
In this case you'll need to set up the /30, then as long as
1.- the /24s and the /22 are in OSPF networks,
2.- the proper interfaces are added to OSPF (this should happen automatically after step #1, but it's good practice to copy them in order to make them static, then set the proper topology)
you'll be done. CCR1036 should be able to reach any public IP inside CCR1016, which makes a separate domain where you can either assign those IPs to customers via routing, or to the CCR1016 and use NAT.
I would be setting them inside an area/backbone comprised by the CCR1016, and the two other routers on your backup lines so you can float your full ip address space to the maximum; you’re an AS now, so in theory you can use routing to publish where your public IPs are.
This may breach contract rules (are you in Spain?) and you may as well find they blackhole/block these backup connections to be used for this however.
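The OSPF variant of the two steps above, again as an added example in RouterOS v6 syntax rather than configuration from the thread. It assumes the same constructed addressing as before (transit 10.255.0.0/30, public 203.0.113.0/24 and 198.51.100.0/24, <RIPE-PREFIX>/22 as a placeholder, interface names ether1/ether2/bridge-public), and it goes one step beyond the post by also having the 1036 originate a default route into OSPF, so the 1016 (and any backup-line router later added to the area) needs no static default.

```routeros
# ===== CCR1016: advertise the public prefixes it holds =====
/ip address add address=10.255.0.2/30 interface=ether1 comment="transit /30 to CCR1036"
/routing ospf instance set default router-id=10.255.0.2

# Step 1: the transit link and the public prefixes as OSPF networks (backbone area).
/routing ospf network add network=10.255.0.0/30   area=backbone comment="transit to 1036"
/routing ospf network add network=203.0.113.0/24   area=backbone
/routing ospf network add network=198.51.100.0/24  area=backbone
/routing ospf network add network=<RIPE-PREFIX>/22 area=backbone

# Step 2: static (not dynamic) OSPF interface entries with the right topology.
# The /30 is point-to-point, so no DR/BDR election; the customer-facing bridge is
# passive so its prefixes are advertised but no hellos reach customers.
/routing ospf interface add interface=ether1 network-type=point-to-point
/routing ospf interface add interface=bridge-public passive=yes

# ===== CCR1036: learn the prefixes, hand out the default =====
/ip address add address=10.255.0.1/30 interface=ether2 comment="transit /30 to CCR1016"
/routing ospf instance set default router-id=10.255.0.1 \
    distribute-default=if-installed-as-type-1 comment="default into OSPF only while the BGP default is installed"
/routing ospf network add network=10.255.0.0/30 area=backbone
/routing ospf interface add interface=ether2 network-type=point-to-point

# BGP announces the prefixes learnt over OSPF; synchronize=no means the network
# statement does not require an exact-match IGP route to exist.
/routing bgp network add network=203.0.113.0/24   synchronize=no
/routing bgp network add network=198.51.100.0/24  synchronize=no
/routing bgp network add network=<RIPE-PREFIX>/22 synchronize=no
```

On the 1036, `/routing ospf neighbor print` should show the 1016 in state Full, and `/ip route print where ospf` should list the three public prefixes with the 1016's /30 address as gateway; on the 1016, `/ip route print where dst-address=0.0.0.0/0` should show the OSPF-learnt default rather than a static one.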
Perfect, thanks.
Yes, I am from Spain; our backup provider (Movistar) does not allow what you describe, mostly because it is a residential fiber line. In the future we will hire a second provider that will allow us to do full BGP as backup.
That's why we will continue to do NAT on our edge router until we can do multihomed BGP.
Thank you for your time and your answers.
It has been helpful.
P.S. Excuse my English, I use a translator. 
In any case, I'd prefer a NAT-less scenario; you don't lose the ability to use the backup lines by NATting the public IPs inside.
That is: handing the IPs directly from the nearest BRAS to the customers, then setting backup Internet routes through the 1016, for example, applying NAT only to connections from the inside public IPs exiting through the backup WAN interfaces.
You will avoid lots of complaints from gamers due to double NAT, plus your network will be cleaner and easier to manage and troubleshoot, with an overall straighter path.
You have OSPF deployed, so it would be really straightforward. Are you using RADIUS?
Yes, we are a wisp, the network is all based on radio links.
I thought it was not possible to mask a public IP behind another public IP.
Thank you
It is perfectly possible. Routers do not have a concept of "private" or "public" IP addresses.
If you are overhauling your WISP (as it seems), now is the best time to overhaul and set everything up as per best practices; consulting is really advisable.
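The NAT-less design from the two replies above (customers keep their public IPs; NAT is applied only to connections leaving through the residential backup lines), as an added RouterOS v6 example that is not configuration from the thread. It assumes the backup lines terminate on the CCR1016 as ether3-backup1 and ether4-backup2 (constructed names), that the main default goes to the CCR1036 over the constructed transit 10.255.0.0/30, and that the public customer prefixes are 203.0.113.0/24 and 198.51.100.0/24 (stand-ins) plus <RIPE-PREFIX>/22 (placeholder).

```routeros
# ===== CCR1016: public IPs routed straight to customers, NAT only on backup WANs =====
# Public prefixes are routed, not bridged; customers get addresses from these.
/ip address add address=203.0.113.1/24   interface=bridge-public
/ip address add address=198.51.100.1/24  interface=bridge-public
/ip address add address=<RIPE-PREFIX>.1/22 interface=bridge-public
/ip address add address=10.255.0.2/30 interface=ether1 comment="transit /30 to CCR1036"

# Default routes in preference order. check-gateway=ping withdraws a route when
# its next hop stops answering, so the next-distance route takes over.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.1 distance=1 check-gateway=ping \
    comment="primary: via CCR1036 (full BGP)"
/ip route add dst-address=0.0.0.0/0 gateway=<BACKUP1-GW> distance=5 check-gateway=ping \
    comment="backup 1: residential fiber"
/ip route add dst-address=0.0.0.0/0 gateway=<BACKUP2-GW> distance=10 check-gateway=ping \
    comment="backup 2: residential fiber"

# Source NAT only for packets that leave through a backup line, whatever their
# source (public customer IPs included); masquerade uses whichever address the
# residential line currently holds. Nothing matches traffic towards ether1, so the
# primary path stays NAT-free.
/ip firewall nat add chain=srcnat out-interface=ether3-backup1 action=masquerade \
    comment="public customer IPs -> backup 1"
/ip firewall nat add chain=srcnat out-interface=ether4-backup2 action=masquerade \
    comment="public customer IPs -> backup 2"

# Existing flows were established through the primary path; when it fails their
# connection-tracking entries still reference the old route, so a failover
# triggers this timeout-less cleanup only for new traffic. Clearing the table on
# gateway change is left to an operator action (shown here for reference):
#   /ip firewall connection remove [find]
```

Verify the NAT split with `/ip firewall nat print stats`: the two masquerade counters must stay at zero while the primary default is active, and `/ip route print where dst-address=0.0.0.0/0` shows which default currently carries the `A` (active) flag. Because the residential lines hand out one dynamic address each, masquerade is preferred over `src-nat to-addresses=`, which would break the moment the provider changes that address.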
Perfect, your answers have been very helpful.
This week I will try it, and I will follow your advice: I will deliver public IPs to my clients without doing NAT.
Thank you very much