Another thing I’ve been thinking… When I set up the NAT on the CPE, I plan on giving each customer a unique private /24 and NATing that to the public IP. This would come in useful if I have a multi-location customer: I can VPN between them and don’t have to worry about conflicting IP addresses. I’d like to have all the private IPs for my customers and my infrastructure separate from the public IP system, so I’d set up another routing table for that. To prevent clients from accessing things on the private IP network that they should not, would I just create a rule on the CPE to drop all traffic destined to/from the customer’s IP network and the rest of my private IP network? When I need access to their internal network, disable that rule.
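A small model of the isolation rule described above, as an added example that is not part of the original post. It assumes all private addressing sits inside 10.0.0.0/8 and that customer /24s come from a constructed 10.100.0.0/16 pool; the function names and site names are hypothetical. It also shows that a second site of the same customer needs an explicit exception ahead of the drop rule, because its /24 otherwise counts as "the rest of the private network".

```python
import ipaddress

# Assumption: customers and infrastructure are all addressed from this block.
PRIVATE_SUPERNET = ipaddress.ip_network("10.0.0.0/8")


def allocate_customer_nets(site_names, pool="10.100.0.0/16"):
    """Hand out one unique /24 per customer site from a constructed pool."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=24)
    return {name: next(subnets) for name in site_names}


def cpe_verdict(src, dst, own_net, vpn_peers=(), isolation_enabled=True):
    """Model one CPE's forward decision for a packet src -> dst.

    own_net           the /24 behind this CPE
    vpn_peers         other /24s of the same customer reached over the VPN
    isolation_enabled False models the operator temporarily disabling the rule
    """
    def side(addr):
        addr = ipaddress.ip_address(addr)
        if addr in own_net:
            return "own"
        if any(addr in peer for peer in vpn_peers):
            return "peer"      # exception evaluated before the drop rule
        if addr in PRIVATE_SUPERNET:
            return "private"   # infrastructure or another customer
        return "public"        # reached through NAT

    sides = {side(src), side(dst)}
    # The rule from the post: customer /24 <-> rest of the private network.
    if sides == {"own", "private"} and isolation_enabled:
        return "drop"
    return "accept"


if __name__ == "__main__":
    nets = allocate_customer_nets(["acme-site1", "acme-site2", "other-cust"])
    site1 = nets["acme-site1"]
    flows = [("10.100.0.10", "10.0.0.1"),      # customer -> infrastructure
             ("10.100.0.10", "10.100.2.5"),    # customer -> other customer
             ("10.100.0.10", "10.100.1.5"),    # customer -> own second site
             ("10.100.0.10", "203.0.113.9")]   # customer -> Internet
    for src, dst in flows:
        print(src, "->", dst,
              "| no VPN exception:", cpe_verdict(src, dst, site1),
              "| with exception:",
              cpe_verdict(src, dst, site1, vpn_peers=[nets["acme-site2"]]))
```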