Splitting an ISP allocated range to multiple networks with a single public IP each (Layer 3 Switch)



Hi

I've been given the task of taking what was once a single occupancy building and turning it into essentially a small 'serviced office'

Currently the building is serviced by a 50Mb leased line on a /29 subnet

What I want to achieve is a single public IP per tenant office, and require them to provide an Ethernet router (or provide one to them)
I'm not interested in the actual LANs, I simply want to present them a 'pure' routable public IP address on the WAN side of their router.

My assumption is a L3 switch is the thing to use, and then a VLAN per office.
What is confusing me is, the VLAN config at L3.
Is each VLAN IP an actual IP of the interface, or is it the IP allocated to the device at the other end of the wire?
Basically, do I need to use 2 IP addresses per tenant, one for the L3 switch interface and one for their router?

I can do a diagram if required - just not on the machine I'm using at the moment.

Cheers!
How do you think you're going to break up a /29 into how many different networks?  Your problem is the /29 is most likely not actually routed to you.. But your device is a member of this /29

You will prob have to setup 1:1 NATs using your IPs to their devices.  Handing them the actual public is going to be difficult with how ISPs normally connect a customer.  Now if you got more networks routed to your current /29 then sure you could put those networks behind your router..  Just like the ISP gives you your /29

Cheers for that

I totally take your point on this,

The easy way would be to bring the WAN links on my gear, 1:1 NAT them to a private IP on a VLAN and then give this info to their IT people to configure their router/firewall. Then SNAT the traffic on the way back out of my firewall onto the internet to tag it with the correct IP 

However, I'm trying to keep my hands clean of the networks in the offices if I can, and am trying to avoid ending up with double NAT scenarios especially if the tenant offices start looking at VoIP - Hence the desire to simply offer up a pure address.

I realised this is a 'waste' of IP addresses, but is it possible to split a /29 into 2 /30 nets and still have it routable?
That doesn't sit right in my head logically

I know it can be done - I've been in places where I've done the configs from the tenant's side - been given an IP and a gateway on a /30 and a switch port to plug into on the supplier's switch.

Presumably you'd do something like this?

VLan10 - path to ISP provided router
VLan20 /30
VLan30 /30
And so on with VLan20,30 etc having a 0.0.0.0/0 route up VLan10 and out -
But that's the bit I don't quite grasp, and I suspect is the logic ('you really just can't do it like this'!) hole in this plan - What would be the addressing on VLAN10?

Or am I SO far out with this as to be ridiculous ;) ?
 

As an additional idea

I suppose one way to kind of do this with a single would be to have the ISP gear plug into a managed L2 switch, have a port based VLAN (/29) of the number of ports as I have IP addresses (6 in this case) and allocate them to the client routers with a /29 and the VLAN address as the gateway.

That would give the desired effect of passing a routable public IP down to the client equipment

However if a client was malicious (or simply daft) enough to mis-configure the IP address on their equipment that may cause issues, and if possible I prefer not to have to rely on other people not making a mistake to ensure nothing untoward happens.

Maybe a switch that supported L2 isolation might do the job though

(I'd still like to know how you would do it properly though - L3 and multiple /30 nets as that seems to my mind to be the 'right' way to do this, and tbh I don't want to do it cheap, I want to do it right)

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

  On 20/08/2015 at 16:42, c.grz said:

We have a small office in a large office building and they gave us one public IP to use which we configured on our device.  My understanding is that they were using a transparent firewall which allowed us to configure our "router" with the public IP they assigned to us.

Yep - this is what I'm trying to achieve, but from the 'they' perspective :)

If you want to setup firewall/router as transparent and then give your "clients" each a public IP in your /29 that would work yes.

So you have a /29, let's call it 192.0.2.0/29

So in this example your ISP and your gateway is 192.0.2.1

So then you could setup your clients like this

client 1 192.0.2.2
client 2 192.0.2.3
client 3 192.0.2.4
client 4 192.0.2.5
client 5 192.0.2.6

192.0.2.7 would be broadcast and everyone would use the mask /29 and point to 192.0.2.1 as their gw

If you don't have another network to access your firewall with then you would have to take one of those IPs and use on the firewall itself to be able to manage it.

But you don't really need a firewall or router to do this.. Just any layer 2 switch would work.. So any say 8 port dumb switch would work. 

This takes you completely out of it - and just let them provide their own routers or provide them for them and connect them to your dumb switch.  Or you might want a smart one if you want to evenly split the bandwidth between them with rate limiting, etc.

If you have 50Mbits per second then give them 10Mbps each via rate limiting on your switch and you're golden.

Edited by BudMan

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

(I don't think the forum software exactly likes Edge!)

Sorry - the last 'quote' was me replying - I'll try IE next time

  On 20/08/2015 at 18:30, grunger106 said:

Yep - that makes perfect sense - however what if client 2 decided to setup their kit with client 3's IP?
(Apart from them being stupid)

What would be the 'proper' way to do it?

Sorry - the last 'quote' was me replying - I'll try IE next time

You would want a firewall to prevent those types of scenarios. It depends on how involved you want to be really. (IPB4 likes Edge a lot better than IPB3 did >.<)

Thanks guys (especially Budman) :) - yep that makes perfect sense and is actually probably what I'll do tomorrow as I'm close enough to these clients to config 'their' firewalls myself
I will be rate-limiting so I will be using a managed switch.
(I just don't like leaving the option of someone else configuring something 'wrong' breaking a network)

However (and this is not important, more of a fill in the gaps for me :) )
I'd like to know how I'd do this with my original plan with subnets at L3

Allocate the clients a VLAN with a /30 each.
However that's where I'm missing a link - how their /30 nets get routed back up and out the trunk port to the ISP kit while remaining routable in each direction.

 

here is where you run into a problem with the routed networks.  Even if you split the /29 into 2 /30, what are you using for the WAN of your firewall?  And normally they don't actually route that /29, it's just that you're connected to their network.  In a routed solution you would have a transit network and all your other networks are routed to that transit like this.

So there would be a small transit network that connects you to your ISP, /30 normally unless your devices support /31

Then whatever network they route to you, be it a /24 you break up, or multiple networks, all get routed to you, in the example the 192.0.2.2 address.  Then whatever networks they route to you, you can subnet however you want.

Sure if you wanted you could have a downstream router or L3 switch routing these networks as well behind your firewall.  But this is most likely not how they have you setup, so even if you wanted to break up the /29 into 2 /30 it would be problematic making it work.

Sometimes you can break the /x network into multiple /y's with the first subnet as transit - but this is not always the case. You need to check with your ISP that you want to subnet the /whatever they gave you and make sure they route to you vs just having them on their network in that /subnet.

If you want to give all your clients IPv6 that is easy ;)  you can get a /48 real easy from a tunnel broker and then give them all a /64 or even /56 etc.. and let them do what they want.  But that would be purely an IPv6 network ;)

Edited by BudMan
  • 4 weeks later...

Right, I hate it when people start a topic get a load of very useful info and then the thread dies with no conclusions ;)
Sorry for the delay, I did this, got busy on a load of other stuff and then had a holiday :)

The ideal solution would be to get a /30 interlink and then have the ISP route additional nets to that, and have a L3 switch provide the routing from the interlink to the client VLANs
However Virgin Media (the business bit) cannot (or will not) do this (as Budman quite correctly theorised) I have other proper LL providers who will, but the client (main client) is not willing to pay the premium for a full bore dedicated fibre LL. (Yet)

What I eventually did is

VM Hub in the 'fixed IP with a range mode' they do for business customers, with the first IP LAN-side, plugged into a HP 1920 switch, a port based VLAN of /29 and the VM Hub as its G/W.
Each client net has a firewall (or Ethernet router or whatever they fancy providing) with a free IP from the /29 range from virgin, with a /32 mask

So each client has the desired public IP which is routable, I can traffic shape on the switch as required.
There is an obvious potential issue - a misconfigured piece of equipment plugged into the switch could screw things up (2 clients with the same ip configured for example) but in this instance I config the client devices myself.
It is not perfect, however it does work as required for now.
The 'main client' has however been read the 'this is what you need to do going forward' script.

P.S
Good shout on IPv6, but not quite yet ;)
 

"with a /32 mask"

So why did you give them a /32 mask?  Normally you would just give them the mask of the network they are in - in this case a /29

Not sure I follow why you would give them a /32??

If anything you would give them an individual IP.  And let them be a part of the /29.  

Everyone should have their own firewall with an external address you assign. You could even DHCP it if you wanted to and hand out those addresses. 

I understand the point of giving them a /32..however that only gives it its own address as a segment,  there is no additional address on that network that would route traffic to,  you would need a /30 minimum to be able to accomplish what you want to do but you burn 4 IP addresses that way (1 gateway, 1 client, 1 network, 1 broadcast)  that is the minimum you need for network communications. ...you need a router to communicate to on the LAN to route traffic to. 

I had thought that I could basically split the small pool and give a slightly cleaner segregation
/32 = single host
Not that it would make any real difference, you could still cause an issue if you forcibly mis-configured the client routers with overlapping addresses

However I suspect I may be about to learn the mistake in my logic here?
 

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "

  On 15/09/2015 at 01:57, sc302 said:

Yes being that you need another host on the network to route traffic to which connects to other networks. Basically you won't communicate to the Internet with a /32 or even with other devices that are on the same network (in your eyes) as the /32 exclusively will allow communication to itself (this is the way subnets work). But have fun learning the hard way.  

When it doesn't work, please come back here and read, "it is working as it is supposed to...it is not broken, how you are thinking it is supposed to work is what is broken. "


I understand the concept, what had slightly confused me is that you do see /32 masks in use but they are on PPP links
A number of the ISPs I deal with you end up with a /32 on the firewall when it is doing PPPoE via a modem

I understand why it shouldn't work, but rather strangely it's been working for 3 weeks. Most probably the equipment is either ignoring something or working round something.

I'll change the interfaces to a /29 which is what I should have done in the first place.

However it does work configured as described, honest - I'm actually using it to write this.....

You can use /32 in PPP because everything would go down the link anyway.  But you could also have a PPP link without any IP ;)  You could use a /32 on a loopback as well.  But in your setup where this IP is on a /29 network its mask should be /29

How it's working??  Not quite sure without knowing exactly the equipment you're working with and the exact configuration, etc.

If I had to guess why it's working, it's because the /32 you gave him and setup a gw for is actually in the /29 anyway, so the gateway can talk to that IP whether you have a wrong mask or not..  Depending on the device or OS you couldn't even put in a gateway if you set the mask to /32 on the interface.

Edited by BudMan

Yep - I totally agree :)
It shouldn't work, /32 mask would mean it cannot communicate with its gateway (or anything else) - technically impossible. 
That's what I thought initially, and I fully expected it not to work at all, its when it did I was surprised.
(The PPP thing threw me into trying it - now with some additional reading I understand how that works too)

If I have a second I'll speak with Zyxel and see what they say about it (all the firewalls are theirs, 2 USG100s and a Zywall 110) - you don't actually have to specify a gateway on the interfaces, which would lead me to believe that it may be ignoring that field in this case.
(I suspect the answer will be much as you have guessed Budman)

In any case I have reconfig'd the 3 firewalls correctly on /29.

However I have now got the greenlight on proper leased line and the ISP will provide a /30 interlink and will route additional /29 networks over it so I'll be doing it properly shortly anyhow :)

Edited by grunger106
  On 15/09/2015 at 22:15, BudMan said:

there you go so you will have multiple /29 on a transit network using a /30

That is a proper setup!!

Yep :) 
Well it will be when they actually install the link, 45 working day lead time on leased lines over here in the UK....

Budman's solution is easy and conventional. 

Just wanted to add that "technically" you can use host address w/32 netmask on a subnet which is not /32. Only other requirement is that you will need to configure GW IP address on the host, otherwise host will not communicate. 

You can try this on your network. On a /24 subnet assign your computer a /32 netmask with GW being your GW IP address. You will be able to ping the GW, other hosts in the /24 subnet, and IP addresses outside the subnet (if they are connected to the GW). The difference is... packets have to pass through the GW. Run the tracert command and you see this in action.

Usually this is coupled with Private VLAN configuration. Basically getting benefits of micro-subnetting without actually subnetting and wasting addresses.

Edited by -ANiMaL-
Elaborated a bit more
  • 5 months later...

I know I am reviving an old post, but a question here to Budman.  Based on your design above, what would the configuration be on the transit router and the firewall to actually get those IPs to the clients?  What would a client use for a gateway address given they are assigned a /29?  

Thanks.
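As an added illustration (not part of anyone's post in this thread), the three address plans argued over here worked through with Python's ipaddress module: carving the /29 into /30s and counting what is left for tenants, checking a tenant's configured IP/mask on the flat /29 for the duplicate-address and /32-mask cases, and laying out the /30-transit-plus-routed-/29 design with the per-VLAN gateway a client would use. 192.0.2.0/29 is the thread's example range; 198.51.100.0/30 is a constructed transit link, and the VLAN numbering is an assumption.

```python
"""Address-plan checks for the designs discussed in this thread.

Added illustration, not a post from the thread: 192.0.2.0/29 is the
thread's example range; 198.51.100.0/30 is a constructed transit link
(both RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def split(network: str, new_prefix: int) -> List[str]:
    """Carve a range into smaller nets, e.g. the /29 into two /30s."""
    return [str(n) for n in Net(network).subnets(new_prefix=new_prefix)]


def tenant_slots(cidr: str) -> int:
    """Addresses left for tenant kit once network, broadcast and one
    gateway are taken: 1 in a /30, 5 in a /29."""
    return max(len(list(Net(cidr).hosts())) - 1, 0)


def check_client(ip: str, prefix: int, gateway: str, segment: str,
                 assigned: Dict[str, str]) -> List[str]:
    """Flag the flat-/29 misconfigurations the thread worries about:
    duplicate or reserved addresses, and a /32 mask with a gateway."""
    seg = Net(segment)
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    if iface.ip not in seg:
        problems.append(f"{iface.ip} is outside {seg}")
    elif iface.ip in (seg.network_address, seg.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address")
    if iface.ip == gw:
        problems.append(f"{iface.ip} collides with the gateway")
    for tenant, other in assigned.items():
        if ipaddress.ip_address(other) == iface.ip:
            problems.append(f"{iface.ip} already assigned to {tenant}")
    if gw not in iface.network:
        # The /32 case: the host's own subnet cannot contain its gateway,
        # so reachability depends on the box tolerating an off-subnet gw.
        problems.append(f"gateway {gw} not in {iface.network}; "
                        f"mask should be /{seg.prefixlen}")
    return problems


def routed_plan(transit: str, tenant_nets: List[str],
                first_vlan: int = 20) -> Dict[str, Dict[str, str]]:
    """The 'proper' design from the thread: a /30 transit to the ISP,
    tenant /29s routed by the ISP to our transit address, one VLAN per
    tenant whose SVI takes the first host and is the tenant's gateway.
    VLAN numbering from 20 upward is an assumption for illustration."""
    t = Net(transit)
    isp_side, our_side = list(t.hosts())
    plan = {"transit": {"isp": str(isp_side), "us": str(our_side),
                        "mask": str(t.netmask)}}
    for vlan, cidr in enumerate(tenant_nets, start=first_vlan):
        n = Net(cidr)
        hosts = list(n.hosts())
        plan[f"vlan{vlan}"] = {
            "svi_gateway": str(hosts[0]),
            "tenant_range": f"{hosts[1]}-{hosts[-1]}",
            "mask": str(n.netmask),
            "isp_static_route": f"{n} via {our_side}",
        }
    return plan


if __name__ == "__main__":
    taken = {"client 1": "192.0.2.2", "client 2": "192.0.2.3"}
    print(check_client("192.0.2.3", 32, "192.0.2.1", "192.0.2.0/29", taken))
    print(routed_plan("198.51.100.0/30", ["192.0.2.0/29", "192.0.2.8/29"]))
```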

This topic is now closed to further replies.