Splitting an ISP allocated range to multiple networks with a single public IP each (Layer 3 Switch)


Hi

I've been given the task of taking what was once a single occupancy building and turning it into essentially a small 'serviced office'

Currently the building is serviced by a 50Mb leased line on a /29 subnet

What I want to achieve is a single public IP per tenant office, and require them to provide an Ethernet router (or provide one to them)
I'm not interested in the actual LANs, I simply want to present them a 'pure' routable public IP address on the WAN side of their router.

My assumption is a L3 switch is the thing to use, and then a VLAN per office.
What is confusing me is, the VLAN config at L3.
Is each VLAN IP an actual IP of the interface, or is it the IP allocated to the device at the other end of the wire?
Basically, do I need to use 2 IP addresses per tenant, one for the L3 switch interface and one for their router?

I can do a diagram if required - just not on the machine I'm using at the moment.

Cheers!

How do you think you're going to break up a /29 into how many different networks?  Your problem is the /29 is most likely not actually routed to you.. But your device is a member of this /29

You will prob have to set up 1:1 NATs using your IPs to their devices.  Handing them the actual public is going to be difficult with how ISPs normally connect a customer.  Now if you got more networks routed to your current /29 then sure you could put those networks behind your router..  Just like the ISP gives you your /29

Cheers for that

I totally take your point on this,

The easy way would be to bring the WAN links on my gear, 1:1 NAT them to a private IP on a VLAN and then give this info to their IT people to configure their router/firewall. Then SNAT the traffic on the way back out of my firewall onto the internet to tag it with the correct IP 

However, I'm trying to keep my hands clean of the networks in the offices if I can, and am trying to avoid ending up with double NAT scenarios especially if the tenant offices start looking at VoIP - Hence the desire to simply offer up a pure address.

I realised this is a 'waste' of IP addresses, but is it possible to split a /29 into 2 /30 nets and still have it routable?
That doesn't sit right in my head logically

I know it can be done - I've been in places where I've done the configs from the tenant's side - been given an IP and a gateway on a /30 and a switch port to plug into on the supplier's switch.

Presumably you'd do something like this?

VLAN10 - path to ISP provided router
VLAN20 /30
VLAN30 /30
And so on, with VLAN20, 30 etc. having a 0.0.0.0/0 route up VLAN10 and out -
But that's the bit I don't quite grasp, and I suspect is the logic ('you really just can't do it like this'!) hole in this plan - What would be the addressing on VLAN10?

Or am I SO far out with this as to be ridiculous ;) ?

As an additional idea

I suppose one way to kind of do this with a single would be to have the ISP gear plug into a managed L2 switch, have a port based VLAN (/29) of the number of ports as I have IP addresses (6 in this case) and allocate them to the client routers with a /29 and the VLAN address as the gateway.

That would give the desired effect of passing a routable public IP down to the client equipment

However if a client was malicious (or simply daft) enough to misconfigure the IP address on their equipment that may cause issues, and if possible I prefer not to have to rely on other people not making a mistake to ensure nothing untoward happens.

Maybe a switch that supported L2 isolation might do the job though

(I'd still like to know how you would do it properly though - L3 and multiple /30 nets as that seems to my mind to be the 'right' way to do this, and tbh I don't want to do it cheap, I want to do it right)

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

  On 20/08/2015 at 16:42, c.grz said:

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

Yep - this is what I'm trying to achieve, but from the 'they' perspective :)

If you want to set up your firewall/router as transparent and then give your "clients" each a public IP in your /29, that would work, yes.

So you have a /29, let's call it 192.0.2.0/29

So in this example your isp and your gateway is 192.0.2.1

So then you could setup your clients like this

client 1 192.0.2.2
client 2 192.0.2.3
client 3 192.0.2.4
client 4 192.0.2.5
client 5 192.0.2.6

192.0.2.7 would be broadcast and everyone would use the mask /29 and point to 192.0.2.1 as their gw

If you don't have another network to access your firewall with then you would have to take one of those IPs and use on the firewall itself to be able to manage it.

But you don't really need a firewall or router to do this.. Just any layer 2 switch would work.. So any say 8 port dumb switch would work. 

[attached diagram: easysetup.png]

This takes you completely out of it - and just let them provide their own routers or provide them for them and connect them to your dumb switch.  Or you might want a smart one if you want to evenly split the bandwidth between them with rate limiting, etc.

If you have 50Mbits per second then give them 10Mbps each via rate limiting on your switch and you're golden.

Edited by BudMan
  On 20/08/2015 at 18:19, BudMan said:

If you want to set up your firewall/router as transparent and then give your "clients" each a public IP in your /29, that would work, yes.

So you have a /29, let's call it 192.0.2.0/29

So in this example your isp and your gateway is 192.0.2.1

So then you could setup your clients like this

client 1 192.0.2.2
client 2 192.0.2.3
client 3 192.0.2.4
client 4 192.0.2.5
client 5 192.0.2.6

192.0.2.7 would be broadcast and everyone would use the mask /29 and point to 192.0.2.1 as their gw

If you don't have another network to access your firewall with then you would have to take one of those IPs and use on the firewall itself to be able to manage it.

  On 20/08/2015 at 18:19, BudMan said:

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

(I don't think the forum software exactly likes Edge!)

Sorry - the last 'quote' was me replying - I'll try IE next time

  On 20/08/2015 at 18:30, grunger106 said:

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

Sorry - the last 'quote' was me replying - I'll try IE next time

You would want a firewall to prevent those types of scenarios. It depends on how involved you want to be really. (IPB4 likes Edge a lot better than IPB3 did >.<)
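BudMan's point about a firewall covers the "tenant configures the wrong address" risk once it has happened at the edge; a defender also wants to notice the condition on the shared segment quickly. The script below is an added example, not BudMan's or anyone else's code from this thread. It assumes the ISP allocation is 192.0.2.0/29 with the ISP hub at 192.0.2.1 (documentation addresses), and it takes a constructed list of (ip, mac, switch port) observations of the kind you would pull from the switch's ARP/MAC tables or an ARP sniffer on the tenant VLAN. It reports the three conditions that matter on a flat public /29: one address answering from two MACs, an address claiming the gateway, and an address outside the allocation.

```python
"""Detect tenant misconfiguration on a shared public /29 segment.

Every tenant router sits on one L2 VLAN with one address from the ISP's
/29, so a duplicate or out-of-range address on any port breaks things for
everyone.  This walks a list of (ip, mac, switch_port) observations, as you
would collect from the switch's ARP/MAC tables or an ARP sniffer, and reports
conflicts so the offending port can be found and corrected.
"""
from collections import defaultdict
import ipaddress

# Assumed ISP allocation and its LAN-side gateway (documentation prefix).
ALLOCATION = ipaddress.ip_network("192.0.2.0/29")
GATEWAY = ipaddress.ip_address("192.0.2.1")

# Constructed sample of what the switch's ARP table might show on the tenant VLAN.
OBSERVATIONS = [
    ("192.0.2.1", "00:00:5e:00:53:01", "port1"),  # ISP hub
    ("192.0.2.2", "00:00:5e:00:53:02", "port2"),  # tenant A
    ("192.0.2.3", "00:00:5e:00:53:03", "port3"),  # tenant B
    ("192.0.2.3", "00:00:5e:00:53:04", "port4"),  # tenant C configured with B's address
    ("192.0.2.9", "00:00:5e:00:53:05", "port5"),  # address outside the /29
    ("192.0.2.1", "00:00:5e:00:53:06", "port6"),  # tenant claiming the gateway address
]


def analyse(observations, allocation=ALLOCATION, gateway=GATEWAY):
    """Return a list of (finding, ip, sorted ports) tuples.

    finding is one of:
      gateway_conflict - the gateway address answers from more than one MAC
      duplicate        - any other address answers from more than one MAC
      out_of_range     - an address that is not inside the allocation
      reserved         - the network or broadcast address is in use
    """
    claims = defaultdict(set)
    for ip, mac, port in observations:
        claims[ipaddress.ip_address(ip)].add((mac.lower(), port))

    findings = []
    for ip in sorted(claims):
        owners = claims[ip]
        ports = sorted(port for _, port in owners)
        macs = {mac for mac, _ in owners}
        if len(macs) > 1:
            kind = "gateway_conflict" if ip == gateway else "duplicate"
            findings.append((kind, str(ip), ports))
        if ip not in allocation:
            findings.append(("out_of_range", str(ip), ports))
        elif ip in (allocation.network_address, allocation.broadcast_address):
            findings.append(("reserved", str(ip), ports))
    return findings


if __name__ == "__main__":
    for kind, ip, ports in analyse(OBSERVATIONS):
        print(f"{kind:17s} {ip:12s} seen on {', '.join(ports)}")
```

Run against the constructed sample it reports a gateway conflict on port1/port6, a duplicate 192.0.2.3 on port3/port4 and an out-of-range 192.0.2.9 on port5. The port list is what makes the finding actionable: on a managed switch the fix is a per-port restriction that only passes the address assigned to that tenant, which is the "firewall" role BudMan describes, rather than relying on tenants never making a mistake.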

Thanks guys (especially Budman) :) - yep that makes perfect sense and is actually probably what I'll do tomorrow as I'm close enough to these clients to config 'their' firewalls myself
I will be rate-limiting so I will be using a managed switch.
(I just don't like leaving the option of someone else configuring something 'wrong' breaking a network)

However (and this is not important, more of a fill in the gaps for me :) )
I'd like to know how I'd do this with my original plan with subnets at L3

Allocate the clients a VLAN with a /30 each.
However that's where I'm missing a link - how their /30 nets get routed back up and out the trunk port to the ISP kit while remaining routable in each direction.

Here is where you run into a problem with the routed networks.  Even if you split the /29 into 2 /30s, what are you using for the WAN of your firewall?  And normally they don't actually route that /29, it's just that you're connected to their network.  In a routed solution you would have a transit network and all your other networks are routed to that transit, like this.

So there would be a small transit network that connects you to your ISP, /30 normally unless your devices support /31

Then whatever network they route to you, be it a /24 you break up, or multiple networks, all get routed to you, in the example to the 192.0.2.2 address.  Then whatever networks they route to you, you can subnet however you want.

[attached diagram: routednetworks.png]

Sure, if you wanted you could have a downstream router or L3 switch routing these networks as well behind your firewall.  But this is most likely not how they have you set up, so even if you wanted to break up the /29 into 2 /30s it would be problematic making it work.

Sometimes you can break the /x network into multiple /y's with the first subnet as transit - but this is not always the case; you need to check with your ISP that you want to subnet the /whatever they gave you and make sure they route it to you vs just having you on their network in that /subnet.

If you want to give all your clients IPv6 that is easy ;)  You can get a /48 real easy from a tunnel broker and then give them all a /64 or even a /56 etc.. and let them do what they want.  But that would be a purely IPv6 network ;)

Edited by BudMan
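The three addressing models argued over above (the flat connected /29, carving that same /29 into /30s, and a /30 transit with separate blocks routed to you) are easy to compare with a few lines of Python. This is an added example and not code from BudMan or the original poster; the addresses are documentation prefixes chosen here as assumptions (192.0.2.0/29 with the ISP hub at .1, a 198.51.100.0/30 transit, and routed blocks 192.0.2.0/29 and 192.0.2.8/29), and VLAN numbers 20, 30, 40... follow the poster's own scheme. It goes slightly beyond the thread in that `routed_plan` also handles a whole /29 per tenant VLAN, showing that the tenant's gateway in that case is simply the first usable address, which lives on your router's VLAN interface.

```python
"""Addressing plans for the designs discussed in the thread.

flat_plan():       the ISP's /29 is a connected network; the ISP hub is the
                   gateway and each tenant gets one host address with the /29 mask.
split_connected(): what happens if you carve that same connected /29 into /30s.
routed_plan():     a /30 transit link to the ISP with separate blocks routed
                   to your firewall, which you then subnet per tenant VLAN.
All addresses are documentation prefixes and assumed values.
"""
import ipaddress


def flat_plan(allocation, gateway):
    """Tenant addresses when the /29 is used as one connected segment."""
    net = ipaddress.ip_network(allocation)
    gw = ipaddress.ip_address(gateway)
    tenants = [str(h) for h in net.hosts() if h != gw]
    return {"mask": net.prefixlen, "gateway": str(gw), "tenants": tenants}


def split_connected(allocation, gateway, new_prefix=30):
    """Carve a connected block into smaller subnets.

    The subnet holding the ISP gateway must also hold your own uplink
    interface, and every other subnet needs one address for your router's
    VLAN interface, so the number of tenant slots collapses.
    """
    net = ipaddress.ip_network(allocation)
    gw = ipaddress.ip_address(gateway)
    subnets, slots = [], 0
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = [h for h in sub.hosts() if h != gw]
        if gw in sub:
            # your uplink interface lives next to the ISP gateway
            role = {"uplink": str(hosts[0]), "tenants": [str(h) for h in hosts[1:]]}
        else:
            # first usable address becomes your router's interface in this subnet
            role = {"router_if": str(hosts[0]), "tenants": [str(h) for h in hosts[1:]]}
        slots += len(role["tenants"])
        subnets.append({"network": str(sub), **role})
    return {"subnets": subnets, "tenant_slots": slots}


def routed_plan(transit, routed_blocks, tenant_prefix=30, first_vlan=20):
    """Transit /30 plus routed blocks subnetted into one VLAN per tenant."""
    t = ipaddress.ip_network(transit)
    isp_side, our_side = list(t.hosts())[:2]
    plan = {
        "transit": {"network": str(t), "isp": str(isp_side), "firewall_wan": str(our_side)},
        "tenants": [],
    }
    vlan = first_vlan
    for block in routed_blocks:
        for sub in ipaddress.ip_network(block).subnets(new_prefix=tenant_prefix):
            hosts = list(sub.hosts())
            plan["tenants"].append({
                "vlan": vlan,
                "network": str(sub),
                "gateway": str(hosts[0]),              # your router's VLAN interface
                "tenant": [str(h) for h in hosts[1:]],  # handed to the tenant's router
            })
            vlan += 10
    return plan


if __name__ == "__main__":
    print(flat_plan("192.0.2.0/29", "192.0.2.1"))
    print(split_connected("192.0.2.0/29", "192.0.2.1"))
    print(routed_plan("198.51.100.0/30", ["192.0.2.0/29", "192.0.2.8/29"]))
```

The flat plan reproduces BudMan's table (five tenants at .2 to .6, all /29, gateway .1). Splitting the connected /29 leaves exactly one tenant slot, because the /30 containing the ISP hub only has room for your own uplink and the other /30 needs one address for your router; that is the arithmetic behind "problematic". With a transit /30 the routed blocks are entirely yours to subnet, so each tenant VLAN gets a /30 (or a whole /29) and its gateway is your router's interface in that VLAN.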
  • 4 weeks later...

Right, I hate it when people start a topic, get a load of very useful info and then the thread dies with no conclusions ;)
Sorry for the delay, I did this, got busy on a load of other stuff and then had a holiday :)

The ideal solution would be to get a /30 interlink and then have the ISP route additional nets to that, and have a L3 switch provide the routing from the interlink to the client VLANs
However Virgin Media (the business bit) cannot (or will not) do this (as Budman quite correctly theorised) I have other proper LL providers who will, but the client (main client) is not willing to pay the premium for a full bore dedicated fibre LL. (Yet)

What I eventually did is

VM Hub in the 'fixed IP with a range mode' they do for business customers, with the first IP LAN-side, plugged into a HP 1920 switch, a port based VLAN of /29 and the VM Hub as its G/W.
Each client net has a firewall (or Ethernet router or whatever they fancy providing) with a free IP from the /29 range from virgin, with a /32 mask

So each client has the desired public IP which is routable, I can traffic shape on the switch as required.
There is an obvious potential issue - a misconfigured piece of equipment plugged into the switch could screw things up (2 clients with the same ip configured for example) but in this instance I config the client devices myself.
It is not perfect, however it does work as required for now.
The 'main client' has however been read the 'this is what you need to do going forward' script.

P.S
Good shout on IPv6, but not quite yet ;)

"with a /32 mask"

So why did you give them a /32 mask?  Normally you would just give them the mask of the network they are in - in this case a /29

Not sure I follow why you would give them a /32??

If anything you would give them an individual IP and let them be part of the /29.

Everyone should have their own firewall with an external address you assign. You could even dhcp it if you wanted to and hand out those addresses.

I understand the point of giving them a /32.. however that only gives it its own address as a segment; there is no additional address on that network that it would route traffic to. You would need a /30 minimum to be able to accomplish what you want to do, but you burn 4 IP addresses that way (1 gateway, 1 client, 1 network, 1 broadcast); that is the minimum you need for network communications... you need a router to communicate to on the LAN to route traffic to.

I had thought that I could basically split the small pool and give a slightly cleaner segregation
/32 = single host
Not that it would make any real difference, you could still cause an issue if you forcibly misconfigured the client routers with overlapping addresses

However I suspect I may be about to learn the mistake in my logic here?

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "

  On 15/09/2015 at 01:57, sc302 said:

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "


I understand the concept, what had slightly confused me is that you do see /32 masks in use but they are on PPP links
A number of the ISPs I deal with you end up with a /32 on the firewall when it is doing PPPoE via a modem

I understand why it shouldn't work, but rather strangely it's been working for 3 weeks. Most probably the equipment is either ignoring something or working round something.

I'll change the interfaces to a /29 which is what I should have done in the first place.

However it does work configured as described, honest - I'm actually using it to write this.....

You can use /32 in PPP because everything would go down the link anyway.  But you could also have a PPP link without any IP ;)  You could use a /32 on a loopback as well.  But in your setup where this IP is a on a /29 network its mask should be /29

How it's working??  Not quite sure without knowing exactly the equipment you're working with and the exact configuration, etc.

If I had to guess why it's working, it's because the /32 you gave them and set up a gw for is actually in the /29 anyway, so the gateway can talk to that IP whether you have the wrong mask or not..  Depending on the device or OS you couldn't even put in a gateway if you set the mask to /32 on the interface.

[attached screenshot: warningwrongmask.png]

Edited by BudMan

Yep - I totally agree :)
It shouldn't work, /32 mask would mean it cannot communicate with its gateway (or anything else) - technically impossible. 
That's what I thought initially, and I fully expected it not to work at all; it's when it did that I was surprised.
(The PPP thing threw me into trying it - now with some additional reading I understand how that works too)

If I have a second I'll speak with Zyxel and see what they say about it (all the firewalls are theirs, 2 USG100s and a Zywall 110) - you don't actually have to specify a gateway on the interfaces, which would lead me to believe that it may be ignoring that field in this case.
(I suspect the answer will be much as you have guessed Budman)

In any case I have reconfig'd the 3 firewalls correctly on /29.

However I have now got the green light on a proper leased line and the ISP will provide a /30 interlink and will route additional /29 networks over it so I'll be doing it properly shortly anyhow :)

Edited by grunger106
  On 15/09/2015 at 22:15, BudMan said:

There you go, so you will have multiple /29s on a transit network using a /30

That is a proper setup!!

Yep :) 
Well it will be when they actually install the link, 45 working day lead time on leased lines over here in the UK....

Budman's solution is easy and conventional. 

Just wanted to add that "technically" you can use a host address with a /32 netmask on a subnet which is not /32. The only other requirement is that you will need to configure the GW IP address on the host, otherwise the host will not communicate.

You can try this on your network. On a /24 subnet assign your computer a /32 netmask with the GW being your GW IP address. You will be able to ping the GW, other hosts in the /24 subnet, and IP addresses outside the subnet (if they are connected to the GW). The difference is... packets have to pass through the GW. Run the tracert command and you will see this in action.

Usually this is coupled with Private VLAN configuration. Basically getting benefits of micro-subnetting without actually subnetting and wasting addresses.

Edited by -ANiMaL-
Elaborated a bit more
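The /32 argument that runs from sc302's and BudMan's posts through -ANiMaL-'s reply comes down to one rule in the host's forwarding decision: a destination is sent directly only if it is on-link, and the default gateway itself must be on-link or the OS has nowhere to send anything (BudMan's "wrong mask" warning). -ANiMaL-'s observation that /32 plus a gateway still works, with every packet hairpinning through the gateway, is the case where the OS has been given an explicit on-link host route for the gateway. The function below is an added illustration of that rule, not code from any poster; it models the decision in Python with assumed documentation addresses (tenant at 192.0.2.3, gateway 192.0.2.1, neighbour 192.0.2.5, remote host 203.0.113.9).

```python
"""Host forwarding decision: why a /32 mask on a shared /29 breaks, and why it
can still work when the gateway is reachable through an explicit on-link route.

A host sends directly (ARPs for the destination) only when the destination is
inside its interface's subnet or covered by an on-link host route; anything
else goes to the default gateway, which must itself be on-link.  Addresses are
documentation prefixes and assumed values.
"""
import ipaddress


def next_hop(iface_cidr, default_gw, dst, onlink=()):
    """Return ("local"|"direct", dst), ("via", gw) or ("unreachable", None).

    iface_cidr : the interface address with its mask, e.g. "192.0.2.3/29"
    default_gw : configured default gateway
    dst        : destination address
    onlink     : host routes that declare an address reachable on this link,
                 the extra step some OSes need before they accept a gateway
                 that is outside the interface's subnet
    """
    iface = ipaddress.ip_interface(iface_cidr)
    gw = ipaddress.ip_address(default_gw)
    target = ipaddress.ip_address(dst)
    onlink_addrs = {ipaddress.ip_address(a) for a in onlink}

    def is_onlink(addr):
        return addr in iface.network or addr in onlink_addrs

    if target == iface.ip:
        return ("local", str(target))
    if is_onlink(target):
        return ("direct", str(target))          # ARP for the destination itself
    if is_onlink(gw):
        return ("via", str(gw))                 # hand it to the gateway
    return ("unreachable", None)                # gateway not on-link: mask too narrow


def compare(dst):
    """The same destination from the three configurations discussed in the thread."""
    return {
        "/29 mask": next_hop("192.0.2.3/29", "192.0.2.1", dst),
        "/32 mask": next_hop("192.0.2.3/32", "192.0.2.1", dst),
        "/32 + on-link gw": next_hop("192.0.2.3/32", "192.0.2.1", dst, onlink=("192.0.2.1",)),
    }


if __name__ == "__main__":
    for dst in ("192.0.2.5", "203.0.113.9"):
        print(dst)
        for label, decision in compare(dst).items():
            print(f"  {label:17s} -> {decision}")
```

With the /29 mask a neighbouring tenant is reached directly and the Internet via the gateway; with a bare /32 both are unreachable because the gateway is not inside 192.0.2.3/32; with /32 plus an on-link route for the gateway everything, including the neighbour, goes via the gateway. That last behaviour is what -ANiMaL- means by micro-subnetting: the gateway sees all tenant-to-tenant traffic, which only isolates tenants if the switch (private VLAN / port isolation) also stops them talking at layer 2 directly.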
  • 5 months later...

I know I am reviving an old post, but a question here to Budman.  Based on your design above, what would the configuration be on the transit router and the firewall to actually get those IPs to the clients?  What would a client use for a gateway address given they are assigned a /29?

Thanks.
