As my service delivery options get faster, I'm finding that no vendors are producing reasonable CPE for modern service delivery. At the same time, I'm tired of managing CPE hardware in customers homes, so I want to try something for the future.
I don't want to issue customers routers, just a switch/WAP. Their network outlet will deliver to them their LAN (VLAN per customer), and I will host DHCP, firewall, NAT, etc for their LAN in the DC.
I can't find an elegant way to configure this, and I suspect it might be impossible, but let's think it over.
Consider this problem scenario:
VLAN 10 - Upstream x.y.z.0/24 (DC routers internet facing IP, issued by upstream carrier)
VLAN 100 - Customers public IP address pool (18.104.22.168/24)
VLAN 1000, 1001, 1002, ... - Customer LANs
Traditionally I deliver VLAN 100 to customers, their CPE receives their public IP from this pool and hosts their LAN, firewall, NAT as usual. Customer traffic destined for 0.0.0.0/0 is routed normally upstream via VLAN 10.
So each CPE implements the customers LAN which NAT's to their devices WAN identity (103.165.0.x) on VLAN 100. But now I want to create the customer LAN on my DC router, ie, VLAN 1000, but this customer LAN must still NAT via their public IP address issued in VLAN 100 before routing upstream to VLAN 10.
My challenge is that when I create VLAN 1000 as the customer LAN, the router recognises traffic destined upstream, and routes directly to VLAN 10 (0.0.0.0/0 -> VLAN 10) as a good router should do. I need to configure the router to first route 1000 -> 100 with masquerade and then route 100 -> 10 as usual.
So I need to somehow have VLAN 1000 first route 0.0.0.0/0 to VLAN 100 (with masquerade), and then once incoming to VLAN 100 further route 0.0.0.0/0 -> VLAN 10. It's like a double-route, but performed by a single router. It's not clear how to segregate a single router this way?
The additional challenge exists where I want each customer 1000/1001/1002 to masquerade via a different IP address in VLAN 100:
1001 -> 100 (masq via 22.214.171.124) -> route to 10
1002 -> 100 (masq via 126.96.36.199) -> route to 10
1003 -> 100 (masq via 188.8.131.52) -> route to 10
I guess 1000s interfaces must issue to DHCP clients a gateway address for the router within VLAN 100? This way the LAN clients are directing their traffic to VLAN 100 rather than the router, but how to configure a NAT rule for traffic from 1000s interfaces destined for VLAN 100 to masquerade through their allocated public IP address? I need to map incoming interface to a public IP somehow... I don't want to do this with hundreds of individual NAT rules for each incoming interface, that would severely burden the router. One rule which looked up the customers IP from a table keyed by the incoming interface would be ideal...?
If this made sense, then I'd love any advice towards achieving this configuration?
It's important for performance and customer management that I don't have a million NAT rules hard-coded for each customer... I should be able to apply some sort of policy based mapping to a single NAT rule applied to an interface group or something. This feels like a script is needed, and I expect this is where the whole thing falls apart.
Can ROS do this? Too complex? Do I need a raw linux machine and a bunch of custom scripting?
It feels like something that should be common; I mustn't be the first person that wants to aggregate a bunch of customer LAN's onto a single piece of high-end industrial equipment this way... rather than buying hundreds of CPE devices for customers, I can buy a small number of high-end routers, cheaper, probably more energy efficient, and much easier to manage. If I never have to do a customer site visit, or explain to a customer how to configure their custom device again, it'll be too soon.