So, last week I inherited a network that has all of its devices on a public facing network, yikes. I obviously want to transition them to a routed private network schema and am looking for guidance.
Currently there is an EdgeRouter at the head end, and all tower sites are switched only. My plan is to swap the EdgeRouter for a CCR1036 first, leaving the rest of the network as-is for a short period of time. The next step is to move one tower at a time to a routed network using private IPs, and NAT public IPs starting out and working in. Each tower will have the RB3011.
What I am looking for is comments or advice from users who have faced the same situation, or general input on how to proceed and what to expect from any user more knowledgeable than me.
Won’t the clients prefer a public IP? Most public Internet services offer a public IP, so it’s not unusual? I would have thought it better than having a NAT’d private IP; as long as client devices are set up correctly there should be no problem? Also, by using private IPs it’s much harder to log and check traffic or identify problem users if you are contacted by authorities.
Our plan for public IPs is DHCP by default, with the option for static for those who need it. As you know, Public IPs are not a limitless resource. Is anyone else doing this? Is there a better way?
Typically, public IPs are located on Edge devices or in DMZ networks for public facing services. You don’t normally find host devices with public IPs within a network.
Using private IPs does not make it “harder” to log traffic, troubleshoot or provide information to authorities when required.
So what is a “tower?” What does the network look like today versus what you are planning to accomplish? If you want serious input, you have to provide more details otherwise people will just be guessing based off of what “image” appears in their head.
What are your requirements?
Why have you chosen a CCR1036?
How many users?
How many WAN links and what bandwidth is available?
Do you need HA or failover if you have multiple WAN links?
How many Public IPs?
What type of data / network segregation, based on roles / job section, are you looking to implement?
What shared resources are there, i.e. NAS?
Are there any web servers that customers / clients access?
Is there a need for VPN services?
Are the users accessing the network via wireless or wired?
If they are connected via wired, what devices are being used and are they managed or unmanaged?
Ok, here is our current situation.
I have inherited one network, which is more like two separate networks that are duct taped together.
2 head end providers, no HA or failover set up currently.
Currently a 200M pipe from each, but scalable to Gig+ as necessary.
2 /24 public subnets available on each head end.
Each tower basically services a community, with anywhere from 3 - 7 wireless APs per tower, as well as backhaul equipment.
All APs and CPEs are currently public facing.
All subscribers connect wirelessly.
600+ current subscribers, but projected to triple in the coming months with new targeted market areas.
30 PtP business customers.
We currently provide no shared resources to subscribers, with no immediate changes planned.
Ultimately we want to provide internet access to extremely underserved communities.
Right now there is a router at each head end and the rest of the network is switched, and every subscriber is handed a static public IP.
My goal is to route each tower, move the entire network over to private addressing, provide failover between the two head end providers, assign static Public IPs to subscribers where necessary, and handle the rest with DHCP. Redundancy at the tower locations is also important, but I will tackle that after this project.
Make sense? Hope this helps, and thank you for the input.
So you are acting as an ISP. That changes things entirely as I was imagining it was an office environment. That means what estar typed is better advice. I’ll have to think this one over a bit.
I would start penciling down levels of service.
Clients pay X for private IPs and get NAT’d on your devices.
Clients pay XX for single public IP
Clients pay XXXX for business class support, public IP and QoS preference.
Using private IPs does make it harder to log traffic, because everybody is sharing the WAN IP, which is what would be logged by most Internet servers. So any illegal activity is tied to the IP which your router uses. So if you had a court order you would need to find which private IP was accessing the server on the Internet at that time, so you would need to log all browsing by users. With public IPs and RADIUS you can simply know who is using what public IP at whatever time, so you know much more easily. Also, I don’t agree that only public IPs go on edge devices. Normally with most ISPs I’ve ever seen, the user has a NAT router that gets a public IP on its WAN, then the users have their own private LAN for the home or office. Whether or not you have public IPs on your other network devices is up to you. You could privately address the network devices that are not used by a public user, then to save public addresses use NAT for devices that are not Internet accessed, such as P2P links etc.?
Depends. If you were allowing anyone to pull a private IP dynamically, then you would need thorough logs. You can still assign private IPs to users in blocks, thus you would be able to tie activity back to an end user.
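The two posts above disagree about whether NAT makes attribution harder. One way to get the "tie it back to an end user" property without logging every connection is to make the NAT mapping deterministic: each subscriber's private IP is pinned to a fixed public IP and a fixed source-port range, so an abuse report that quotes (public IP, source port, time) resolves to exactly one account from the plan itself. The Python below is an added example, not code from the thread or from any MikroTik/EdgeRouter product; the subscriber accounts, the 203.0.113.0/29 public pool (a documentation range) and the 2048-ports-per-subscriber block size are constructed assumptions, and the plan is assumed to be static (if blocks are reassigned over time, each plan version needs a validity window attached).

```python
"""Deterministic port-block NAT plan for subscriber attribution (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Assumption: 2048 source ports per subscriber, starting above the well-known range.
PORTS_PER_SUBSCRIBER = 2048
FIRST_PORT = 1024
PORT_BLOCKS_PER_IP = (65536 - FIRST_PORT) // PORTS_PER_SUBSCRIBER  # 31 blocks per public IP


@dataclass(frozen=True)
class Subscriber:
    account: str
    private_ip: IPv4Address


def build_nat_plan(subscribers, public_pool):
    """Map each subscriber to a fixed (public IP, first port, last port) triple.

    Subscribers fill one public IP's port blocks before spilling to the next,
    so the plan alone answers "who was 203.0.113.1:3500?" with no flow logging.
    """
    publics = list(public_pool.hosts())
    plan = {}
    for idx, sub in enumerate(subscribers):
        ip_idx, block_idx = divmod(idx, PORT_BLOCKS_PER_IP)
        if ip_idx >= len(publics):
            raise ValueError("public pool exhausted; add addresses or shrink block size")
        lo = FIRST_PORT + block_idx * PORTS_PER_SUBSCRIBER
        hi = lo + PORTS_PER_SUBSCRIBER - 1
        plan[sub.account] = (publics[ip_idx], lo, hi)
    return plan


def attribute(plan, subscribers, endpoint):
    """Resolve a reported 'public_ip:port' string to the owning subscriber, or None."""
    ip_text, port_text = endpoint.rsplit(":", 1)
    public_ip, port = IPv4Address(ip_text), int(port_text)
    for sub in subscribers:
        pub, lo, hi = plan[sub.account]
        if pub == public_ip and lo <= port <= hi:
            return sub
    return None


def capacity(public_pool):
    """How many subscribers a pool supports at the chosen block size."""
    return len(list(public_pool.hosts())) * PORT_BLOCKS_PER_IP


if __name__ == "__main__":
    # Constructed subscriber table: private IPs handed out in blocks per tower.
    subs = [Subscriber(f"acct-{n:03d}", IPv4Address(f"10.20.0.{n + 1}")) for n in range(40)]
    pool = IPv4Network("203.0.113.0/29")
    plan = build_nat_plan(subs, pool)
    print("pool capacity:", capacity(pool))
    print("acct-001 ->", plan["acct-001"])
    hit = attribute(plan, subs, "203.0.113.1:3500")
    print("203.0.113.1:3500 ->", hit.account if hit else "no match")
```

The trade-off is address efficiency: 31 subscribers per public IP at this block size, versus hundreds with a fully dynamic pool, so the block size is the knob between public-IP consumption and the amount of per-flow logging the NAT box has to retain.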
This is something I agree with you on. The first time I read his post, I did not read it from an ISP perspective but from a corporate / data center perspective - hence my follow on post after he answered some additional questions which gave me a better understanding of what “he” was trying to achieve.