Splitting an ISP allocated range to multiple networks with a single public IP each (Layer 3 Switch)



Hi

I've been given the task of taking what was once a single-occupancy building and turning it into essentially a small 'serviced office'.

Currently the building is serviced by a 50Mb leased line on a /29 subnet

What I want to achieve is a single public IP per tenant office, and require them to provide an Ethernet router (or provide one to them)
I'm not interested in the actual LANs, I simply want to present them a 'pure' routable public IP address on the WAN side of their router.

My assumption is a L3 switch is the thing to use, and then a VLAN per office.
What is confusing me is, the VLAN config at L3.
Is each VLAN IP an actual IP of the interface, or is it the IP allocated to the device at the other end of the wire?
Basically, do I need to use 2 IP addresses per tenant, one for the L3 switch interface and one for their router?

I can do a diagram if required - just not on the machine I'm using at the moment.

Cheers!

 

 

How do you think you're going to break up a /29 into how many different networks?  Your problem is the /29 is most likely not actually routed to you.. But your device is a member of this /29

You will prob have to setup 1:1 NATs using your IPs to their devices.  Handing them the actual public is going to be difficult with how ISPs normally connect a customer.  Now if you got more networks routed to your current /29 then sure you could put those networks behind your router..  Just like the ISP gives you your /29

Cheers for that

I totally take your point on this,

The easy way would be to bring the WAN links on my gear, 1:1 NAT them to a private IP on a VLAN and then give this info to their IT people to configure their router/firewall. Then SNAT the traffic on the way back out of my firewall onto the internet to tag it with the correct IP 

However, I'm trying to keep my hands clean of the networks in the offices if I can, and am trying to avoid ending up with double NAT scenarios especially if the tenant offices start looking at VoIP - Hence the desire to simply offer up a pure address.

I realise this is a 'waste' of IP addresses, but is it possible to split a /29 into 2 /30 nets and still have it routable?
That doesn't sit right in my head logically

I know it can be done - I've been in places where I've done the configs from the tenant's side - been given an IP and a gateway on a /30 and a switch port to plug into on the supplier's switch.

Presumably you'd do something like this?

VLan10 - path to ISP provided router
VLan20 /30
VLan30 /30
And so on with VLan20,30 etc having a 0.0.0.0/0 route up VLan10 and out -
But that's the bit I don't quite grasp, and I suspect is the logic ('you really just can't do it like this'!) hole in this plan - What would be the addressing on VLAN10?

Or am I SO far out with this as to be ridiculous ;) ?
 

As an additional idea

I suppose one way to kind of do this with a single /29 would be to have the ISP gear plug into a managed L2 switch, have a port based VLAN (/29) with the same number of ports as I have IP addresses (6 in this case) and allocate them to the client routers with a /29 and the VLAN address as the gateway.

That would give the desired effect of passing a routable public IP down to the client equipment.

However if a client was malicious (or simply daft) enough to misconfigure the IP address on their equipment that may cause issues, and if possible I'd prefer not to have to rely on other people not making a mistake to ensure nothing untoward happens.

Maybe a switch that supported L2 isolation might do the job though

(I'd still like to know how you would do it properly though - L3 and multiple /30 nets as that seems to my mind to be the 'right' way to do this, and tbh I don't want to do it cheap, I want to do it right)

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

  On 20/08/2015 at 16:42, c.grz said:

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

Yep - this is what I'm trying to achieve, but from the 'they' perspective :)

If you want to setup firewall/router as transparent and then give your "clients" each a public IP in your /29 that would work yes.

So you have a /29, let's call it 192.0.2.0/29

So in this example your ISP and your gateway is 192.0.2.1

So then you could setup your clients like this

client 1 192.0.2.2
client 2 192.0.2.3
client 3 192.0.2.4
client 4 192.0.2.5
client 5 192.0.2.6

192.0.2.7 would be broadcast and everyone would use the mask /29 and point to 192.0.2.1 as their gw

If you don't have another network to access your firewall with then you would have to take one of those IPs and use on the firewall itself to be able to manage it.

But you don't really need a firewall or router to do this.. Just any layer 2 switch would work.. So any say 8 port dumb switch would work. 

[attached image: easysetup.png]

This takes you completely out of it - and just let them provide their own routers or provide them for them and connect them to your dumb switch.  Or you might want a smart one if you want to evenly split the bandwidth between them with rate limiting, etc.

If you have 50Mbits per second then give them 10Mbps each via rate limiting on your switch and you're golden.

Edited by BudMan
  On 20/08/2015 at 18:19, BudMan said:

If you want to setup firewall/router as transparent and then give your "clients" each a public IP in your /29 that would work yes.

So you have a /29, let's call it 192.0.2.0/29

So in this example your ISP and your gateway is 192.0.2.1

So then you could setup your clients like this

client 1 192.0.2.2
client 2 192.0.2.3
client 3 192.0.2.4
client 4 192.0.2.5
client 5 192.0.2.6

192.0.2.7 would be broadcast and everyone would use the mask /29 and point to 192.0.2.1 as their gw

If you don't have another network to access your firewall with then you would have to take one of those IPs and use on the firewall itself to be able to manage it.

 

  On 20/08/2015 at 18:19, BudMan said:

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

(I don't think the forum software exactly likes Edge!)

Sorry - the last 'quote' was me replying - I'll try IE next time

  On 20/08/2015 at 18:30, grunger106 said:

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

Sorry - the last 'quote' was me replying - I'll try IE next time

You would want a firewall to prevent those types of scenarios. It depends on how involved you want to be really. (IPB4 likes Edge a lot better than IPB3 did >.<)

Thanks guys (especially Budman) :) - yep that makes perfect sense and is actually probably what I'll do tomorrow as I'm close enough to these clients to config 'their' firewalls myself
I will be rate-limiting so I will be using a managed switch.
(I just don't like leaving the option of someone else configuring something 'wrong' breaking a network)

However (and this is not important, more of a fill in the gaps for me :) )
I'd like to know how I'd do this with my original plan with subnets at L3

Allocate the clients a VLAN with a /30 each.
However that's where I'm missing a link - how their /30 nets get routed back up and out the trunk port to the ISP kit while remaining routable in each direction.

 

Here is where you run into a problem with the routed networks.  Even if you split the /29 into 2 /30s, what are you using for the WAN of your firewall?  And normally they don't actually route that /29, it's just that you're connected to their network.  In a routed solution you would have a transit network and all your other networks are routed to that transit like this.

So there would be a small transit network that connects you to your ISP, /30 normally unless your devices support /31

Then whatever network they route to you, be it a /24 you break up, or multiple networks, all get routed to you, in the example the 192.0.2.2 address.  Then whatever networks they route to you can be subnetted however you want.

[attached image: routednetworks.png]

Sure if you wanted you could have a downstream router or L3 switch routing these networks as well behind your firewall.  But this is most likely not how they have you setup, so even if you wanted to break up the /29 into 2 /30s it would be problematic making it work.

Sometimes you can break the /x network into multiple /y's with the first subnet as transit - but this is not always the case. You need to check with your ISP that you want to subnet the /whatever they gave you and make sure they route it to you vs just having you on their network in that /subnet.

If you want to give all your clients IPv6 that is easy ;)  you can get a /48 real easy from a tunnel broker and then give them all a /64 or even /56 etc.. and let them do what they want.  But that would be purely ipv6 network ;)

Edited by BudMan
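To make the address arithmetic behind the three designs in this thread concrete, here is an added example (not code from the thread or from any poster). It reuses BudMan's 192.0.2.0/29 with the ISP gateway at 192.0.2.1, and constructs a transit 203.0.113.0/30 plus routed blocks 198.51.100.0/29 and 198.51.100.8/29 (RFC 5737 documentation addresses, chosen for the example) for the leased-line design with a transit network.

```python
"""Address budgets for the flat /29 design, the 'split the /29 into /30s'
idea, and the transit-plus-routed-blocks design (added example, not code
from the thread). All addresses are RFC 5737 documentation ranges."""
import ipaddress


def flat_plan(prefix, isp_gateway):
    """BudMan's flat design: every tenant router sits directly in the ISP's
    /29, the ISP router is the gateway, an L2 switch joins them."""
    net = ipaddress.ip_network(prefix)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError("gateway must be inside the ISP range")
    clients = [str(h) for h in net.hosts() if h != gw]
    return {"gateway": str(gw), "mask": str(net.netmask),
            "clients": clients, "broadcast": str(net.broadcast_address)}


def split_plan(prefix, isp_gateway, new_prefix=30):
    """The OP's original idea: carve the range into /30s, one per tenant VLAN
    on an L3 switch. The /30 that contains the ISP gateway is consumed as the
    uplink (ISP gateway + switch WAN address), and each remaining /30 burns
    network, broadcast and the switch SVI, leaving room for ONE client. It
    also only works if the ISP actually routes the range to you."""
    net = ipaddress.ip_network(prefix)
    gw = ipaddress.ip_address(isp_gateway)
    uplink, tenants = None, []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        if gw in sub:
            uplink = {"subnet": str(sub), "isp": str(gw),
                      "switch_wan": str([h for h in hosts if h != gw][0])}
        else:
            tenants.append({"subnet": str(sub), "switch_svi": str(hosts[0]),
                            "client": str(hosts[1])})
    return {"uplink": uplink, "tenant_vlans": tenants}


def routed_plan(transit, routed_blocks):
    """BudMan's transit design: a /30 between the ISP and your firewall, and
    separate blocks routed to your side that you subnet as you like. The
    first host of each routed block is the firewall's inside interface."""
    t_hosts = list(ipaddress.ip_network(transit).hosts())
    tenants = []
    for block in routed_blocks:
        net = ipaddress.ip_network(block)
        hosts = list(net.hosts())
        tenants.append({"subnet": str(net), "firewall_inside": str(hosts[0]),
                        "clients": [str(h) for h in hosts[1:]]})
    return {"transit": {"isp": str(t_hosts[0]),
                        "firewall_wan": str(t_hosts[1])},
            "tenant_subnets": tenants}


def client_capacity(plan):
    """Number of public addresses a plan can hand to tenants."""
    if "clients" in plan:
        return len(plan["clients"])
    if "tenant_vlans" in plan:
        return len(plan["tenant_vlans"])
    return sum(len(t["clients"]) for t in plan["tenant_subnets"])


if __name__ == "__main__":
    flat = flat_plan("192.0.2.0/29", "192.0.2.1")
    split = split_plan("192.0.2.0/29", "192.0.2.1")
    routed = routed_plan("203.0.113.0/30",
                         ["198.51.100.0/29", "198.51.100.8/29"])
    for name, plan in (("flat /29", flat), ("split /30s", split),
                       ("transit + routed", routed)):
        print(f"{name:18} -> {client_capacity(plan)} tenant address(es)")
```

Running it shows the flat design serving 5 tenants, the /30 split serving only 1 once the uplink /30 is accounted for, and the transit design serving 5 per routed /29.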
  • 4 weeks later...

Right, I hate it when people start a topic get a load of very useful info and then the thread dies with no conclusions ;)
Sorry for the delay, I did this, got busy on a load of other stuff and then had a holiday :)

The ideal solution would be to get a /30 interlink and then have the ISP route additional nets to that, and have a L3 switch provide the routing from the interlink to the client VLANs
However Virgin Media (the business bit) cannot (or will not) do this (as Budman quite correctly theorised) I have other proper LL providers who will, but the client (main client) is not willing to pay the premium for a full bore dedicated fibre LL. (Yet)

What I eventually did is

VM Hub in the 'fixed IP with a range mode' they do for business customers, with the first IP LAN-side, plugged into a HP 1920 switch, a port based VLAN of /29 and the VM Hub as its G/W.
Each client net has a firewall (or Ethernet router or whatever they fancy providing) with a free IP from the /29 range from virgin, with a /32 mask

So each client has the desired public IP which is routable, I can traffic shape on the switch as required.
There is an obvious potential issue - a misconfigured piece of equipment plugged into the switch could screw things up (2 clients with the same IP configured, for example) but in this instance I config the client devices myself.
It is not perfect, however it does work as required for now.
The 'main client' has however been read the 'this is what you need to do going forward' script.

P.S
Good shout on IPv6, but not quite yet ;)
 

"with a /32 mask"

So why did you give them a /32 mask?  Normally you would just give them the mask of the network they are in - in this case a /29

Not sure I follow why you would give them a /32??

If anything you would give them an individual IP and let them be a part of the /29.

Everyone should have their own firewall with an external address you assign. You could even DHCP it if you wanted to and hand out those addresses.

 

I understand the point of giving them a /32..however that only gives it its own address as a segment, there is no additional address on that network that it could route traffic to, you would need a /30 minimum to be able to accomplish what you want to do but you burn 4 IP addresses that way (1 gateway, 1 client, 1 network, 1 broadcast) - that is the minimum you need for network communications. ...you need a router to communicate with on the LAN to route traffic to.

I had thought that I could basically split the small pool and give a slightly cleaner segregation
/32 = single host
Not that it would make any real difference, you could still cause an issue if you forcibly misconfigured the client routers with overlapping addresses

However I suspect I may be about to learn the mistake in my logic here?
 

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "

  On 15/09/2015 at 01:57, sc302 said:

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "


I understand the concept, what had slightly confused me is that you do see /32 masks in use but they are on PPP links
A number of the ISPs I deal with you end up with a /32 on the firewall when it is doing PPPoE via a modem

I understand why it shouldn't work, but rather strangely it's been working for 3 weeks. Most probably the equipment is either ignoring something or working round something.

I'll change the interfaces to a /29 which is what I should have done in the first place.

However it does work configured as described, honest - I'm actually using it to write this.....

You can use /32 in PPP because everything would go down the link anyway.  But you could also have a PPP link without any IP ;)  You could use a /32 on a loopback as well.  But in your setup where this IP is a on a /29 network its mask should be /29

How it's working??  Not quite sure without knowing exactly the equipment you're working with and the exact configuration, etc.

If I had to guess why it's working, it's because the /32 you gave him and setup a gw for is actually in the /29 anyway, so the gateway can talk to that IP whether you have a wrong mask or not..  Depending on the device or OS you couldn't even put in a gateway if you set the mask to /32 on the interface.

[attached image: warningwrongmask.png]

 

Edited by BudMan

Yep - I totally agree :)
It shouldn't work, a /32 mask would mean it cannot communicate with its gateway (or anything else) - technically impossible.
That's what I thought initially, and I fully expected it not to work at all, it's when it did that I was surprised.
(The PPP thing threw me into trying it - now with some additional reading I understand how that works too)

If I have a second I'll speak with Zyxel and see what they say about it (all the firewalls are theirs, 2 USG100s and a Zywall 110) - you don't actually have to specify a gateway on the interfaces, which would lead me to believe that it may be ignoring that field in this case.
(I suspect the answer will be much as you have guessed Budman)

In any case I have reconfig'd the 3 firewalls correctly on /29.

However I have now got the greenlight on proper leased line and the ISP will provide a /30 interlink and will route additional /29 networks over it so I'll be doing it properly shortly anyhow :)

Edited by grunger106
  On 15/09/2015 at 22:15, BudMan said:

There you go, so you will have multiple /29s on a transit network using a /30

That is a proper setup!!

Yep :) 
Well it will be when they actually install the link, 45 working day lead time on leased lines over here in the UK....

Budman's solution is easy and conventional. 

Just wanted to add that "technically" you can use a host address with a /32 netmask on a subnet which is not /32. The only other requirement is that you will need to configure a GW IP address on the host, otherwise the host will not communicate.

You can try this on your network. On a /24 subnet assign your computer a /32 netmask with the GW being your GW IP address. You will be able to ping the GW, other hosts in the /24 subnet, and IP addresses outside the subnet (if they are reachable via the GW). The difference is... packets have to pass through the GW. Run the tracert command and you see this in action.

Usually this is coupled with Private VLAN configuration. Basically getting benefits of micro-subnetting without actually subnetting and wasting addresses.

Edited by -ANiMaL-
Elaborated a bit more
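The /29 versus /32 argument above comes down to one question a host's stack asks for every packet: is the destination (and is the gateway) inside the connected prefix? The added example below (not code from the thread or any poster) models that decision with BudMan's addresses, and adds the sanity check a building operator would want for the duplicate-IP worry raised earlier in the thread. The offlink_gateway flag is an assumption standing in for OS-specific behaviour: some stacks accept a gateway outside the connected prefix with a warning, others need an explicit on-link route.

```python
"""Host forwarding decision for /29 vs /32 masks, plus a tenant-addressing
check (added example, not code from the thread). RFC 5737 addresses."""
import ipaddress


def next_hop(host_ip, prefix_len, gateway, dst, offlink_gateway=False):
    """How a host with host_ip/prefix_len and a default gateway reaches dst:
    connected route first, then the default route via the gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    gw = ipaddress.ip_address(gateway)
    target = ipaddress.ip_address(dst)
    if target == iface.ip:
        return "local"
    if target in iface.network:
        return "direct"            # host ARPs for dst itself, no router
    # Everything else follows the default route, i.e. the frame is sent to
    # the gateway's MAC. With a /32 the gateway is outside the connected
    # prefix, so the stack must be willing to ARP for an off-link gateway
    # (assumed OS-dependent, modelled by offlink_gateway).
    if gw in iface.network or offlink_gateway:
        return f"via {gw}"
    return "unreachable: gateway not on-link with this mask"


def compare_masks(host_ip, gateway, destinations, offlink_gateway=False):
    """Same host, /29 and /32 masks, for each destination. With /32 even a
    neighbour in the /29 is reached through the gateway (the 'micro-
    subnetting' effect described above)."""
    return {plen: {d: next_hop(host_ip, plen, gateway, d, offlink_gateway)
                   for d in destinations} for plen in (29, 32)}


def validate_tenants(prefix, gateway, assignments):
    """Flag tenant addresses that are duplicated, reserved, wrongly masked
    or outside the ISP range. assignments maps tenant -> 'ip/prefixlen'."""
    net = ipaddress.ip_network(prefix)
    gw = ipaddress.ip_address(gateway)
    seen, problems = {}, []
    for name, cidr in assignments.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.ip not in net:
            problems.append(f"{name}: {iface.ip} is outside {net}")
            continue
        if iface.ip in (gw, net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is reserved "
                            "(gateway/network/broadcast)")
        if iface.network != net:
            problems.append(f"{name}: mask /{iface.network.prefixlen} "
                            f"should be /{net.prefixlen}")
        if iface.ip in seen:
            problems.append(f"{name}: {iface.ip} duplicates {seen[iface.ip]}")
        else:
            seen[iface.ip] = name
    return problems


if __name__ == "__main__":
    for plen, rows in compare_masks("192.0.2.3", "192.0.2.1",
                                    ["192.0.2.4", "203.0.113.10"],
                                    offlink_gateway=True).items():
        print(f"/{plen}: {rows}")
    # Constructed tenant table with deliberate mistakes for the checker.
    for p in validate_tenants("192.0.2.0/29", "192.0.2.1", {
            "client2": "192.0.2.3/29", "client3": "192.0.2.3/29",
            "client4": "192.0.2.5/32", "client5": "192.0.2.7/29"}):
        print("problem:", p)
```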
  • 5 months later...

I know I am reviving an old post, but a question here to Budman.  Based on your design above, what would the configuration be on the transit router and the firewall to actually get those IPs to the clients?  What would a client use for a gateway address given they are assigned a /29?

 

Thanks.
