I am trying to set up a multi-tenant configuration where 4 different customers, each connected to a different port on a CCR1016, have their own public IP address (to be assigned to their firewall) from a single public subnet assigned by the ISP.
Details (example, no actual IP addresses were harmed in this post):
Port 1: Customer 1
Port 2: Customer 2
…etc…
Port 16: ISP’s equipment
I would like for Customer 1 (on port 1) to be assigned 60.60.60.228, Customer 2 (port 2) assigned 60.60.60.229, etc.
Additionally I will be doing per-port rate-limiting, but we can save that for another post (if, indeed I have any problems with it… in the lab it worked perfectly).
Is this configuration possible without breaking the public address space into smaller subnets and doing traditional routing? Is it a question of bridging the customers’ ports to the ISP port?
I have done a fair amount of searching and haven’t found a definitive answer to this particular configuration, so any assistance is appreciated.
From how I see it, creating a bridge interface for the 4 ports should be enough. In theory the routerboard doesn’t even need an IP in that bridge if it isn’t delivering any services outside of limiting the traffic. A client would fill in their allotted IP, and just use the provider information for the rest (subnet, gateway, DNS, etc.) and it should work. Essentially you are just bridging/switching the traffic. Bandwidth regulation on port level should still work.
If you wish all traffic to pass through your routerboard so you can do more firewalling or custom DNS records and other stuff, you should use an IP on the bridge and then tell your customers that is their gateway and DNS server for instance. Do not use the gateway IP address of your provider, it can only exist once. You will then become their router and in turn it will pass data to the gateway of your provider (given the right configuration).
Yes, I understand, I think that is what he is trying to do also, but still you should claim the ISP gateway IP with the routerboard. Depending on the situation you should give the routerboard an IP and use that as the gateway, or not give it an IP at all if he just wants to bandwidth limit the ports.
Thanks to everyone for their replies. I created a bridge and added each customer’s interface to the bridge. I don’t need the CCR doing any firewalling or NAT, so I did not assign an address to it - I just gave each customer their IP address and the ISP’s gateway and everything worked perfectly.
I then applied bandwidth limiting queues to each interface, and after figuring out that I needed to enable the IP firewall in the bridge settings, the queues worked perfectly as well.
I appreciate all of you taking the time to respond!
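The setup the last post describes, written out as an added RouterOS CLI example (not posted in the thread). The bridge name, the port names ether1..ether4 and ether16, the 10M/10M limits and the customer numbering are assumptions; the horizon setting on the customer ports is an added isolation step that the thread itself does not cover.

```routeros
# Added example, not from the thread. Assumed names: bridge "br-customers",
# customer ports ether1..ether4, ISP uplink ether16, per-customer limit 10M/10M.

/interface bridge
# No IP address is assigned to the bridge: the CCR only switches frames between
# the customer ports and the ISP port, and customers use the ISP's gateway directly.
add name=br-customers comment="customers <-> ISP, no IP on the router"

/interface bridge port
# horizon=1 on the customer ports (an assumed addition) stops frames from one
# customer port being forwarded to another customer port, so tenants share the
# ISP subnet without seeing each other's traffic; the ISP port has no horizon,
# so every customer still reaches the provider gateway.
add bridge=br-customers interface=ether1 horizon=1 comment="Customer 1 - 60.60.60.228"
add bridge=br-customers interface=ether2 horizon=1 comment="Customer 2 - 60.60.60.229"
add bridge=br-customers interface=ether3 horizon=1 comment="Customer 3"
add bridge=br-customers interface=ether4 horizon=1 comment="Customer 4"
add bridge=br-customers interface=ether16 comment="ISP equipment"

/interface bridge settings
# This is the "enable the IP firewall in the bridge settings" step from the thread:
# without it, bridged traffic bypasses the IP firewall and the queues below never match.
set use-ip-firewall=yes

/queue simple
# max-limit is upload/download; the target is the customer's physical port,
# which works because the traffic is bridged rather than routed.
add name=cust1-limit target=ether1 max-limit=10M/10M
add name=cust2-limit target=ether2 max-limit=10M/10M
add name=cust3-limit target=ether3 max-limit=10M/10M
add name=cust4-limit target=ether4 max-limit=10M/10M
```

After applying it, `/queue simple print stats` while a customer is passing traffic is the quickest check that the queues actually see the bridged packets.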