I want to assign a small subset of IPs to one of our customers via LAN (no authentication needed).
Something like a /29 net.
What I’ve got so far is a /24 net from our provider.
Let’s assume I’ve got 12.34.56.0/24.
My default(ISP’s)-Gateway is 12.34.56.1.
Let’s further assume, I wanted to provide 12.34.56.32/29 to our customer.
This means, that these IPs are lost for the customer:
12.34.56.32 → network
12.34.56.33 → customer's gateway
12.34.56.39 → customer's broadcast
So IPs 12.34.56.34 to .38 are usable actually.
Additionally, I think I will lose one IP address for the router within my /24 net.
How do I need to set up routing to cut out a small subset of IPs from my IP-range in order to provide it to our customer?
Assign 12.34.56.33 to an interface behind the router, and enable proxy ARP on the interface facing your ISP.
That’s inelegant though. Ideally you should have a /30 with your ISP, and they have a route to 12.34.56.0/24 through the IP address you have in that /30. That way they just know the IPs are behind your router, and you can distribute them as you want without using proxy ARP as a band aid.
How are you providing IPs to customers right now? Is it a bridged network or are you giving everyone NAT IPs? PPPOE?
If it's just a bridged network, just tell him to use those IPs with the /24 and your .1 as gateway.
If you are doing some kind of point-to-point, i.e. PPPoE, server: x.x.x.1, clients x.x.x.10, 11, 12, 13, 14, etc., then just assign them a private IP like server x.x.x.1 and client 10.0.0.1, set a route for the /29 with a gateway of 10.0.0.1, and set their LAN interface to the first public IP (after network).
Some people frown upon using private IPs in a publicly routable network, but it doesn't matter and there is no point in wasting 1-2 additional IPs.
Proxy-ARP would be the best solution if it's workable in your infrastructure. You wouldn't lose the 2 IPs in network and broadcast that way.
All depends on how you deliver it to the customer really…
How are you providing IPs to customers right now? Is it a bridged network or are you giving everyone NAT IPs? PPPOE?
Currently they are bridged to our network and are being told only to use their certain range of addresses.
PPPoE or other Point to Point protocols are no option here.
If it's just a bridged network, just tell him to use those IPs with the /24 and your .1 as gateway.
But I think this is insecure, because they can see all broadcast traffic and can use whatever IP-address they want to.
Proxy-ARP would be the best solution if it's workable in your infrastructure. You wouldn't lose the 2 IPs in network and broadcast that way.
So how can I set up a solution with Proxy-ARP in a way that our customer will only be able to use his own address range without being a potential hazard to our network?
I am especially interested in not losing the network and broadcast address like you mentioned.
Some people frown upon using private IPs in a publicly routable network, but it doesn't matter and there is no point in wasting 1-2 additional IPs.
I am afraid of breaking MTU path recovery. And other stuff. I really don’t like to b0rk things.
I also could imagine to set up a bridge filter, that only allows certain addresses to pass through.
But this won’t fix the broadcast issue, though.
IF they are bridged right now, they are already seeing broadcast from everyone…
Yeah, they’re just bridged. They aren’t NATed.
They’ve got plenty of devices with public IPs (in one row) in our net.
I want to prevent them from doing stupid things (like stealing IPs or causing IP conflicts) in our network as well as avoiding them seeing our broadcast traffic.
In your config, proxy-arp would all be done on the CPE.
Since I’ve got no CPE at all for them I need to set up one, or at least create some sort of filter or routing stuff to effectively isolate them from our networking internals.
That is, why I asked for routing a subnet to them. But this is a waste of public IPs.
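As an added example (not from this thread or any participant), the script below works through the two options discussed for 12.34.56.32/29: the classic routed /29 (losing network, gateway and broadcast) versus /32 host routes with proxy ARP on both sides (keeping all eight addresses), and builds the anti-spoofing forward filter that confines the customer to their own block. It assumes a Linux router with interfaces wan0 (ISP side) and cust0 (customer side), the router's own address 12.34.56.2, and nftables; the interface names and router address are assumptions, and the generated commands are returned rather than executed.

```python
import ipaddress

PROVIDER = ipaddress.ip_network("12.34.56.0/24")   # the /24 from the ISP (thread's example)
ISP_GW = ipaddress.ip_address("12.34.56.1")        # ISP default gateway (thread's example)
ROUTER_IP = ipaddress.ip_address("12.34.56.2")     # assumption: our router's own address

def _customer_net(customer_cidr):
    cust = ipaddress.ip_network(customer_cidr)
    if not cust.subnet_of(PROVIDER):
        raise ValueError(f"{cust} is not inside {PROVIDER}")
    return cust

def routed_plan(customer_cidr):
    """Classic routed /29: network, router gateway and broadcast are not usable by hosts."""
    cust = _customer_net(customer_cidr)
    hosts = list(cust.hosts())
    gateway, usable = hosts[0], hosts[1:]
    cmds = ["sysctl -w net.ipv4.ip_forward=1",
            f"ip addr add {gateway}/{cust.prefixlen} dev cust0",
            # wan0 answers the ISP's ARP requests for the /29 on the router's behalf
            "sysctl -w net.ipv4.conf.wan0.proxy_arp=1"]
    return {"gateway": str(gateway), "usable": [str(h) for h in usable], "commands": cmds}

def proxy_arp_plan(customer_cidr):
    """/32 host routes plus proxy ARP on both sides: the customer keeps the /24 mask and
    the ISP's .1 as gateway, so every address in the block (.32 and .39 too) is usable."""
    cust = _customer_net(customer_cidr)
    usable = list(cust)
    cmds = ["sysctl -w net.ipv4.ip_forward=1",
            f"ip addr add {ROUTER_IP}/32 dev cust0",   # same address as on wan0, as a /32
            "sysctl -w net.ipv4.conf.wan0.proxy_arp=1",
            "sysctl -w net.ipv4.conf.cust0.proxy_arp=1"]
    cmds += [f"ip route add {ip}/32 dev cust0" for ip in usable]
    return {"gateway": str(ISP_GW), "usable": [str(h) for h in usable], "commands": cmds}

def ingress_filter(customer_cidr):
    """nftables forward policy (default drop): packets from cust0 are forwarded only when
    their source is in the customer block, and packets from wan0 only when destined to it,
    so the customer cannot source traffic from any address outside their own range."""
    cust = _customer_net(customer_cidr)
    return ["nft add table inet edge",
            "nft add chain inet edge fwd '{ type filter hook forward priority 0; policy drop; }'",
            f"nft add rule inet edge fwd iif cust0 ip saddr {cust} accept",
            f"nft add rule inet edge fwd iif wan0 ip daddr {cust} accept"]
```

Because the customer now sits behind a routed interface, the /24's broadcast traffic no longer reaches them, which covers the second concern raised above.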