c.reiter (Topic Author)

NAT with many VLAN Interfaces - all of them in same Subnet?

Thu Dec 21, 2006 3:03 pm

Hi!

I am currently working on an ISP setup (FTTH). What I would need is to have many VLAN interfaces (one per subscriber), each of them having assigned the same IP on the MikroTik side (192.168.1.254/24, acting as default gateway for every customer). Every customer should get access to the Internet using another official IP address by NAT.

Example:
Map IP Segment 192.168.1.0/24 in VLAN Interface cust0001 to official IP 89.111.123.4
Map IP Segment 192.168.1.0/24 in VLAN Interface cust0002 to official IP 89.111.123.5
Map IP Segment 192.168.1.0/24 in VLAN Interface cust0003 to official IP 89.111.123.6
... and so on ...

I do not want to have all customers in one huge VLAN (viruses, trojans, duplicate IP addresses...).
Also there is no way for me to use any kind of encapsulation like PPPoE or something similar.

Is that possible with RouterOS?

kind regards,
christian
 
tneumann (Member, Germany)

Re: NAT with many VLAN Interfaces - all of them in same Subnet?

Thu Dec 21, 2006 3:27 pm

> What I would need is to have many VLAN interfaces (one per subscriber), each of them having assigned the same IP on the MikroTik side

Not possible.

> Map IP Segment 192.168.1.0/24 in VLAN Interface cust0001 to official IP 89.111.123.4
> Map IP Segment 192.168.1.0/24 in VLAN Interface cust0002 to official IP 89.111.123.5
> Map IP Segment 192.168.1.0/24 in VLAN Interface cust0003 to official IP 89.111.123.6
> ... and so on ...

Will your customers be free to choose their own internal IP network behind the NAT CPE, or will you determine their addressing (only makes sense if you manage the CPE devices and the customer has no access to them)? If you decide their addressing, then I would not give every customer the same network (like you did with 192.168.1.0/24 in your example). Reason: if two of your customers decide to set up a VPN tunnel between each other, this will make things more complex for them.

> I do not want to have all customers in one huge VLAN (viruses, trojans, duplicate IP addresses...).

That's a good idea.

> Also there is no way for me to use any kind of encapsulation like PPPoE or something similar.

Why not? What prevents you from doing so?

Anyway, multiple VLAN interfaces sharing the same IP address on your gateway router will simply not work. You will need to give each VLAN interface a unique address on your end (it might work to use /32 on the VLANs, though).

--Tom
 
c.reiter (Topic Author)

Re: NAT with many VLAN Interfaces - all of them in same Subnet?

Thu Dec 21, 2006 6:46 pm

> Not possible.

Very unfortunate, but exactly as I thought.

> Will your customers be free to choose their own internal IP network behind the NAT CPE, or will you determine their addressing (only makes sense if you manage the CPE devices and the customer has no access to them)? If you decide their addressing, then I would not give every customer the same network (like you did with 192.168.1.0/24 in your example). Reason: if two of your customers decide to set up a VPN tunnel between each other, this will make things more complex for them.

No, I intended to nail the customers up on 192.168.1.0/24, but your VPN argument is good...

On the other side, customers who are planning to use "more complicated" features like VPN are advised to choose routing instead of NAT (routing is available to all customers at no extra charge; NAT should be a kind of "basic security").

> Why not? What prevents you from doing so?
>
> Anyway, multiple VLAN interfaces sharing the same IP address on your gateway router will simply not work. You will need to give each VLAN interface a unique address on your end (it might work to use /32 on the VLANs, though).
>
> --Tom

Any encapsulation is unwanted by the corporate management.... It should be as easy as possible for the customer to connect to the Internet.

Do you know any vendor of routers or routing-switches who do support such a config?

christian
 
tneumann (Member, Germany)

Re: NAT with many VLAN Interfaces - all of them in same Subnet?

Thu Dec 21, 2006 7:34 pm

> Do you know any vendor of routers or routing-switches who do support such a config?

No, not with VLAN (or Ethernet) interfaces for customer access. The problem is that VLAN and Ethernet interfaces are not point-to-point by nature, therefore they cannot have "unnumbered" IP addressing, and even if they did I believe that your design would still not be possible.

If I understood your design correctly, then you're planning to have a transparent Layer 2 connection on the access circuit between the customer's LAN and the corresponding VLAN interface on your gateway router (all of which should be identically configured with 192.168.1.254/24), right? If that were possible, then you'd end up with a bunch of directly connected routes to 192.168.1.0/24 (one for each customer VLAN interface), all overlapping. And now let's assume two different customers, each of them setting their PC to the address 192.168.1.66. How would your gateway know on which of all those 192.168.1.0/24 segments they both are, and how would it differentiate between them?

The only routers that would be able to handle this would be devices that are capable of multiple virtual routers (VRF, aka routing instances). Typically this would be MPLS capable routers such as Juniper ERX or higher-end devices from Cisco and Foundry. With the virtual routers it would be possible to circumvent the overlap problem by putting each customer into his own VRF.

So PPPoE could really save your day here, or at least do DHCP on the MikroTik gateway and hand out different RFC 1918 networks to the customers...

--Tom
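As an added illustration (not code from either poster, and not a MikroTik tool) of the design Tom ends on: each customer VLAN gets its own RFC 1918 /24 and its own source-NAT rule, and a pre-check rejects the overlapping-connected-routes layout that the original design would have produced. The customer list, the 10.100.0.0/16 pool, the VLAN ids and the trunk port name are constructed sample values; the emitted lines use standard RouterOS `/interface vlan`, `/ip address` and `/ip firewall nat` syntax.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample subscribers: (VLAN name, 802.1Q id, official NAT address).
# The public addresses are the ones used in the opening post.
CUSTOMERS: List[Tuple[str, int, str]] = [
    ("cust0001", 101, "89.111.123.4"),
    ("cust0002", 102, "89.111.123.5"),
    ("cust0003", 103, "89.111.123.6"),
]


def allocate_subnets(customers, pool="10.100.0.0/16") -> Dict[str, ipaddress.IPv4Network]:
    """Carve one unique /24 per customer VLAN out of a private pool (assumed pool)."""
    blocks = ipaddress.ip_network(pool).subnets(new_prefix=24)
    return {name: next(blocks) for name, _, _ in customers}


def check_no_overlap(subnets: Dict[str, ipaddress.IPv4Network]) -> bool:
    """Reject overlapping connected routes: the gateway could not tell two
    customers apart if both segments carried the same prefix."""
    items = list(subnets.items())
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return True


def render_routeros(customers, subnets, trunk="ether1") -> List[str]:
    """Emit RouterOS CLI lines: VLAN interface, .254 gateway address on it,
    and a srcnat rule mapping that customer's private /24 to its official IP."""
    check_no_overlap(subnets)
    lines = []
    for name, vid, public_ip in customers:
        net = subnets[name]
        gw = net.network_address + 254  # keeps the .254 gateway convention of the post
        lines.append(f"/interface vlan add name={name} vlan-id={vid} interface={trunk}")
        lines.append(f"/ip address add address={gw}/{net.prefixlen} interface={name}")
        lines.append(
            f"/ip firewall nat add chain=srcnat src-address={net} "
            f"action=src-nat to-addresses={public_ip}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(render_routeros(CUSTOMERS, allocate_subnets(CUSTOMERS))))
```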
