I have a user who has his own vlan with a “public” address space, let’s say it’s 8.254.10.1/24, provided by me.
For a while now, he’s been running with public IPs as well as his own 10.x.x.x/21 private network with DHCP and all kinds of stuff inside this vlan. I don’t need to know about the private network, I don’t care about it. It’s his deal.
Recently he’s decided he needs connectivity between the private and public networks.
By the rules, I’m not allowed to put an IP from his private address space on the router’s vlan interface alongside the public IP.
I’m thinking of telling him to run his own NAT router inside the vlan. Meaning, he has connections from the same L2 domain on both “sides” of the router with the public address on one side, and the private address on the other. It doesn’t have to do anything other than NAT. No DHCP, no anything else.
Will this work? I think it will. The bigger question is: Is it a good idea?
You should route that public /24 to the customer.
So instead of your router serving as the gateway for “his” public /24, you will instead route that entire /24 to his router's IP.
That way he can terminate that public /24 on his own router, and do with it as he pleases.
He would also be able to route between the public and private subnet without NAT, since it's all behind his router.
That would be the cleanest solution, but it will of course require reconfiguration of your and his routers, as well as some L2 changes.
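To make the difference between the two layouts concrete, here is a small longest-prefix-match model added as an illustration (it is not configuration from either poster). It traces where a packet goes in today's layout, where the provider router is the gateway for the /24 and holds no private address, and in the proposed one, where the /24 is routed to the customer's router over a point-to-point link. The 8.254.10.0/24 comes from the thread; 10.0.0.0/21 standing in for his private /21, the 198.51.100.0/30 link subnet and the interface names are constructed assumptions.

```python
"""Longest-prefix-match model of the two designs discussed in this thread.

Added example, not configuration from either poster. Only forwarding inside
the provider's network is modelled; the provider's own default route toward
the Internet is left out on purpose. Addresses: 8.254.10.0/24 is the
customer /24 from the thread, 10.0.0.0/21 stands in for his private /21 and
198.51.100.0/30 is an assumed point-to-point link subnet.
"""
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class Router:
    """Connected networks and static routes on one device."""

    def __init__(self, name: str):
        self.name = name
        # (prefix, next hop or None when directly connected, egress interface)
        self.routes: list[tuple[Net, Optional[IPv4], str]] = []

    def connected(self, prefix: str, iface: str) -> "Router":
        self.routes.append((Net(prefix), None, iface))
        return self

    def static(self, prefix: str, via: str, iface: str) -> "Router":
        self.routes.append((Net(prefix), IPv4(via), iface))
        return self

    def lookup(self, dst: IPv4) -> Optional[tuple[Net, Optional[IPv4], str]]:
        """Longest-prefix match; a default route only wins when nothing else does."""
        best = None
        for entry in self.routes:
            if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
                best = entry
        return best


def trace(router: Router, dst: str, owners: dict[str, Router]) -> list[str]:
    """Forward a packet hop by hop until it is delivered onto a connected
    network or dropped. `owners` maps next-hop addresses to the router holding them."""
    target, path = IPv4(dst), []
    while True:
        hit = router.lookup(target)
        if hit is None:
            path.append(f"{router.name}: no route to {dst}, dropped")
            return path
        prefix, via, iface = hit
        if via is None:
            path.append(f"{router.name}: delivered on {iface} ({prefix})")
            return path
        path.append(f"{router.name}: via {via} on {iface} ({prefix})")
        router = owners[str(via)]


def current_design():
    """Today: the provider router is the gateway for the /24 and, by the rules
    in the question, carries no private address, so it has no route to 10/21."""
    provider = Router("provider").connected("8.254.10.0/24", "vlan100")
    return provider, {}


def routed_design():
    """The proposal: the /24 is routed to the customer's router across a small
    link subnet, and both of his networks are connected on his own router."""
    provider = (Router("provider")
                .connected("198.51.100.0/30", "vlan100")
                .static("8.254.10.0/24", "198.51.100.2", "vlan100"))
    customer = (Router("customer")
                .connected("198.51.100.0/30", "link0")
                .connected("8.254.10.0/24", "pub0")
                .connected("10.0.0.0/21", "priv0")
                .static("0.0.0.0/0", "198.51.100.1", "link0"))
    owners = {"198.51.100.1": provider, "198.51.100.2": customer}
    return provider, customer, owners


if __name__ == "__main__":
    provider, owners = current_design()
    print(*trace(provider, "10.0.0.50", owners), sep="\n")   # private host unreachable from the provider side
    provider, customer, owners = routed_design()
    print(*trace(provider, "8.254.10.20", owners), sep="\n")  # inbound traffic to the /24
    print(*trace(customer, "8.254.10.20", owners), sep="\n")  # private host reaching a public one, no NAT
    print(*trace(customer, "10.0.0.50", owners), sep="\n")    # and the reply path
```

In the routed layout the customer's router has both subnets as connected networks, so private-to-public traffic is plain forwarding on one box, which is the "without NAT" point above. What the model does not cover is also what the answer flags: the public hosts have to sit behind the customer's router rather than directly on the provider's VLAN (the L2 changes), and any NAT the customer needs for his private hosts toward the Internet remains his to run.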
I thought about that. This might be the answer. People generally aren’t supposed to run their own routers or switches below mine but this is a good case for it.
Something I forgot to mention is that most of the public IPs he needs to access are in the same vlan, and there are only a handful. There is one outside of the vlan, but I think it should work anyway.
I tried to get him to put 10.x.x.x/21 addresses on the same interfaces as the public IPs in the vlan, that way those machines in the same vlan are on both subnets and will “just work”. But there was some reason he couldn’t explain very well about why this wouldn’t work.
Anyway, it’s not a big deal. Ultimately it’s not my problem, it’s his, he has to figure it out within the rules that we have.