Resolve Double NAT with bridge?

Hi!
I am trying to share a common internet connection with 10 apartments in our building. Each apartment has its own VLAN IP from an RJ45 socket that goes to a central HP 1810 switch. The switch is then trunked to an RB2011 to handle the VLANs. I want each apartment to have its own router to handle its "local" traffic, such as video streaming and other heavy bandwidth usage, and not go through the central RB2011 router. The central router should only handle outbound traffic to the Internet. This is causing double NAT, which I don't like. Is there any solution for double NAT in my setup, for instance using a bridge, or routing without NAT?
The setup is like an ISP for the apartments.


Do you control all devices in this diagram, or where is your point of demarcation?

If you control all devices, the simplest way to avoid double-NAT would be to simply not NAT on the Local Routers, and use static or dynamic routing to let the RB2011 router know which 192.168.X.X subnet is on which local router. The RB2011 would then be NAT’ing each local router’s LAN network on the outbound leg, and you can use firewall forward rules on the Local Routers or the RB2011 (depending on your routing setup) to prevent LAN to LAN traffic.

If you don’t control the Local Routers, then the only way to avoid double-NAT would be to get a different public IP for each Local Router and bridge the RB2011 (or just remove it and plug the modem directly into the switch, depending on the technical reason that you have each Local Router on a different VLAN for its “WAN” IP as-is).
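The first option in the reply above, and the one restated later in the thread for the single-public-IP case (no NAT on the Local Routers, static routes on the RB2011, one NAT on the WAN leg, forward rules blocking apartment-to-apartment traffic), as an added RouterOS configuration example for the RB2011 side. This is not configuration from the thread or from MikroTik documentation; interface names, VLAN IDs, transit subnets and apartment LAN ranges are all assumed.

```routeros
# Added example (not from the thread): RB2011 side of the "no NAT on the
# Local Routers" design. Interface names, VLAN IDs and subnets are assumed.
# Assumed layout:
#   ether1  = WAN to the ISP modem (single public IP via DHCP)
#   ether2  = trunk to the HP 1810 switch carrying VLAN 10 and VLAN 20
#   VLAN 10 = apartment 1, transit 10.10.10.0/30 (RB2011 .1, Local Router .2),
#             Local Router LAN 192.168.10.0/24, NAT disabled on that router
#   VLAN 20 = apartment 2, transit 10.10.20.0/30 (RB2011 .1, Local Router .2),
#             Local Router LAN 192.168.20.0/24, NAT disabled on that router

/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2

/ip address
add address=10.10.10.1/30 interface=vlan10
add address=10.10.20.1/30 interface=vlan20

# WAN: the DHCP client also installs the default route towards the ISP.
/ip dhcp-client
add interface=ether1 disabled=no

# Static routes: tell the RB2011 which apartment LAN sits behind which
# Local Router, so return traffic from the Internet reaches the right one.
/ip route
add dst-address=192.168.10.0/24 gateway=10.10.10.2
add dst-address=192.168.20.0/24 gateway=10.10.20.2

# The only NAT in the path: masquerade everything leaving the WAN port.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Address list covering both the transit links and the apartment LANs,
# used to block apartment-to-apartment forwarding in one rule.
/ip firewall address-list
add list=apartments address=10.10.10.0/30
add list=apartments address=192.168.10.0/24
add list=apartments address=10.10.20.0/30
add list=apartments address=192.168.20.0/24

# Forward chain: keep existing flows, drop apartment-to-apartment traffic,
# allow apartments out to the Internet, drop everything else.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address-list=apartments dst-address-list=apartments action=drop
add chain=forward src-address-list=apartments out-interface=ether1 action=accept
add chain=forward action=drop
```

On each Local Router the matching settings are vendor-specific: NAT off, WAN address set to the transit IP (for example 10.10.10.2/30), default route to the RB2011's transit address (10.10.10.1). Because the Local Routers no longer NAT, every apartment LAN range must be unique across the building; two apartments both using the same private subnet would collide on the RB2011's routing table, which is the coordination problem the reply points out when the Local Routers are not under your control. After applying the configuration, `/ip route print` should list one static route per apartment, and `/ip firewall filter print stats` shows whether the apartment-to-apartment drop rule is matching traffic.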

Thanks for your input. I don't control the Local Routers; that's the owner of the apartment, who is in charge of that router. That means with new owners and routers I need to have a dynamic solution, hence VLANs on switch ports.

I only get 1 public IP from our ISP. Can I then connect the cable from the modem directly into the switch? Should it belong to a separate VLAN, or should its port be untagged in the respective VLAN as is?
Do I need to do any RB2011 configuration to get the routing correct if I connect the modem to the switch?

If you only get 1 public IP, you either have to double-NAT, or set up the Local Routers as non-NAT routers and put the necessary routes in the RB2011 to get traffic back to their LANs. No other choice will work, from a technological perspective.

Some home-grade routers (Linksys, Belkin, etc.) do support a non-NAT router setup, but the setup is relatively complex, compared to what most people are used to for that class of router, and it won't survive the reset button. Ultimately, in this sort of setup, you're probably stuck with the "carrier grade NAT" limitation of double-NATing.