does this setup make sense?
simcor23
01-24-2006, 10:48 AM
Here is another question.
I am renting space on a tower and I have my own shed where my fibre will be installed in two weeks. My servers, routers etc. are all located in this shed.
BSD router, 4 NICs:
ether0 connected to upstream provider, 10 meg over 10/100 ethernet
ether1 connected to internal network - private IPs
ether2 connected to servers (DNS, qmail, apache etc.) - public IPs
ether3 connected to public IP of WAR
ether2 and ether3 on same public subnet
Does that make sense?
Is that too many steps?
Am I essentially setting up a DMZ or 2 DMZs?
Seems fine to me, although you might just want to connect your WAR to the switch that ether2 and your servers are connected to or else use a little /30 on ether3 for the WAR. Bridging ether2 and ether3 is kind of redundant, you might as well just plug the WAR into the switch in that case.
Use ethernet surge protection with grounding for the WAR's ethernet cable!
Also, I usually use AMD stuff, but I have to say, a normal Pentium 4 3GHz box as my router (I have two identical ones set up using CARP) in the NAP/Datacenter was a good choice at the time. It handles interrupts like nobody's business; I have taken a 60,000 packet per second DoS attack before and my FreeBSD 5.4 router just shrugged it off with something like 70% of its CPU to spare.
simcor23
01-24-2006, 02:15 PM
Thank you very much for your response. I am on the right track, awesome. Things are starting to make sense.
simcor23
01-24-2006, 02:32 PM
One more piece of the puzzle.
The ethernet of my WAR is a public address.
I will be giving my clients public IPs in blocks of 8, so what IPs do I assign the radios?
Why are you giving them 8 addresses? 99% of my customers survive nicely with one in their router and let it dhcp out private ones to the PC network. Giving them 8 each would be a waste unless your circumstances are different. Most of them don't even need any public ones if you nat behind your core router. If I was starting out today, that's the way I'd do it. Makes it nice if you ever do change backbone providers.
I am against doing NAT for my customers. I feel this is not an Internet provider's place. I don't even want to do it at the CPE because I don't want to give the customer control of the wireless CPE and the customer having no access/control over their own NAT device is unacceptable to me.
If you are supporting mostly high-dollar business clients where handing them a block of IPs makes more sense then sure, assigning a /29 to the ethernet on their WRAP/WAR CPE makes sense. My most common setup is the $30 - $80 range cable/DSL replacement service so I hand out one public IP to a customer and they put that on their own router that they are responsible for or single computer. StarOS v3 will have WDS-type client bridging where you can use DHCP so that will be the way to go for me.
If you want to do it my way where the clients generally don't have more than a single IP (most people, even businesses, just stick a cheap broadband router on their Internet connection and they're happy) then you'd want maybe a /26 on your first wireless access point radio interface, assuming you intend to put lots of clients on that radio directly and it's not just a backhaul to someplace else...
For those few clients who do need an actual block of public IPs, you can still use an IP from your /26 on their wireless CPE's wireless interface and then route that /29 or larger through whatever IP you gave them from your normal /26.
I like to set up a decent DHCP pool and then leave some aside for static IP clients, for example 11.22.33.1/26 on wpci1 would be 11.22.33.2 - 45 for my DHCP pool and the rest of the IPs from 46 - 62 would be left alone to assign to my static IP clients.
If you are intent on giving each of your clients a /29, the above doesn't really change much except there's no point in running a DHCP server because all of the IPs will be statically assigned by you to each wireless CPE.
Skaught
01-24-2006, 06:18 PM
I am against doing NAT for my customers. I feel this is not an Internet provider's place. I don't even want to do it at the CPE because I don't want to give the customer control of the wireless CPE and the customer having no access/control over their own NAT device is unacceptable to me.
I agree 1000%. I have never seen a telecom carrier do it, so neither do I.
simcor23
01-24-2006, 06:25 PM
Still a little confused (actually maybe more confused).
First off, only a few clients will need, say, 8 IPs, which is actually 5 to them.
The rest I can give one static, actually 4.
Not interested in DHCP at the moment. Definitely not NAT. I was just unsure which interface of the client CPE (which will be WARs connecting to a WAR AP) gets public addresses: the ethernet, the radio, or both. Same confusion about the AP. I thought I had it figured out but am now confused once again. Maybe I should sleep more! And stop thinking for a while.
Thanks everyone for the input, keep it coming.
Oh, yeah, I guess I left out that detail, sorry.
With my proposed setup, you have your AP's wpci1 assigned 11.22.33.1/26, your public IP range.
You also assign a non-public management IP to your AP's wpci1, say 10.0.0.1/24. (Each AP interface you put up should have its own unique management network, next AP would be 10.0.1.1/24)
Then you assign your WAR board CPE's ether1 10.0.0.2 and 3 and so on and just bridge ether1 to wpci1. Then the device connected to ether1 is what gets the public IP, like 11.22.33.2.
I highly recommend using DHCP! You can even use it to hand out static IPs to people by putting a specific entry for them in your DHCP server. Every cheap broadband router and operating system out there defaults to asking for an IP via DHCP, why not go with the flow?
A customer gets a router, calls you up, you say hang on, I see your router asking us for an IP. You add the new router's MAC address to your DHCP config and their router magically provides them Internet connectivity. You advise them to put a WEP key on their broadband router's access point and maybe help them do it, and then you're done. Later on you can change your IP configuration and it isn't half an hour on the phone with somebody who can barely use a mouse.
simcor23
01-25-2006, 09:22 AM
Thanks for the info. How about, instead of just bridging the ethernet to the wireless, I just add static routes: say the customer's public IP is 1.2.3.4, addressed to the ethernet, and the private IP of, say, 10.1.0.2 is addressed to the wpci; then the AP's private address is 10.1.0.1 and the ethernet of the AP is a public of, say, 4.3.2.1; then add a route at the AP stating that info for 1.2.3.4 goes via 10.1.0.2.
Then add a route on the client stating that info for 4.3.2.1 goes via 10.1.0.1.
Would it be better to use publics all around except my internal office network?
I don't offer a residential wireless package. Strictly business service. 95% of them have their own IT department. I give all clients at least 1 static IP, some 5, so I don't think I need DHCP, and hopefully my clients won't be using cheap broadband routers. Maybe I am wrong.
I want to use the WAR CPEs as their router so I don't have to worry about client routers and such. However, if they would like to use their own router also, I would then say split out some /30s and point-to-point their router to the WAR.
I appreciate all the help you guys are giving. Thanks.
Given your situation where you expect everybody will have statics and need blocks of addresses and such, then you should statically assign the IPs to the WAR board CPE and use the WAR board on the CPE side as the router, yes. That's a good setup.
You still want something like a /26 on the AP's radio interface and use one of the IPs from the /26 on the WAR board CPE's radio interface and then the customer's /30 or /29 block on the WAR board's ethernet interface. This is assuming you want to allow for up to 62 clients on that radio. If you're doing all high-end stuff you probably won't want your APs to be so dense and you might just assign a /27 or /28 to your AP radio interface.
It really doesn't hurt anything to use private IPs on your routers (your WAR CPE radio interface) in a simple setup, but I've always preferred to use public IPs.
I've never really debated the issue, I just have always used publics for my router interfaces.
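The addressing plan described in this thread (a public /26 on the AP radio, a DHCP pool with static reservations by MAC for the CPEs, and each customer's /29 or /30 routed via their CPE's radio IP) as an added worked example; this is not code from anyone in the thread. It assumes ISC dhcpd configuration syntax and FreeBSD route(8) syntax for the generated output; the RadioPlan class, the MAC address and the customer block are constructed, and the 11.22.33.0/26 and 1.2.3.x addresses are the thread's own placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RadioPlan:
    """Address plan for one AP radio interface (wpci1 in the thread). Constructed example."""
    radio_net: ipaddress.IPv4Network   # public /26 on the AP radio; the AP itself takes the first host
    pool_last: int                     # last host offset of the DHCP pool; the pool starts at offset 2
    statics: dict = field(default_factory=dict)  # CPE MAC -> reserved radio IP (static clients)
    blocks: dict = field(default_factory=dict)   # customer block -> CPE radio IP it is routed via

    def __post_init__(self):
        self.radio_net = ipaddress.ip_network(self.radio_net)

    @property
    def ap_ip(self):
        return self.radio_net[1]

    @property
    def pool(self):
        return self.radio_net[2], self.radio_net[self.pool_last]

    def add_static(self, mac, ip):
        """Reserve a radio IP for a CPE by MAC; it must sit above the DHCP pool inside the /26."""
        ip = ipaddress.ip_address(ip)
        if ip not in self.radio_net or ip <= self.pool[1] or ip == self.radio_net.broadcast_address:
            raise ValueError(f"{ip} is outside the static range of {self.radio_net}")
        if ip in self.statics.values():
            raise ValueError(f"{ip} is already reserved")
        self.statics[mac.lower()] = ip

    def add_block(self, block, cpe_ip):
        """Route a customer /29 or /30 via the radio IP of their CPE (the CPE's ethernet holds the block)."""
        block, cpe_ip = ipaddress.ip_network(block), ipaddress.ip_address(cpe_ip)
        if cpe_ip not in self.statics.values():
            raise ValueError(f"{cpe_ip} is not a reserved CPE address")
        if block.overlaps(self.radio_net) or any(block.overlaps(b) for b in self.blocks):
            raise ValueError(f"{block} overlaps an existing allocation")
        self.blocks[block] = cpe_ip

    def dhcpd_conf(self):
        """ISC dhcpd subnet declaration: one pool plus a host entry per static client."""
        lo, hi = self.pool
        lines = [f"subnet {self.radio_net.network_address} netmask {self.radio_net.netmask} {{",
                 f"  option routers {self.ap_ip};", f"  range {lo} {hi};", "}"]
        for mac, ip in self.statics.items():
            lines += [f"host cpe-{mac.replace(':', '')} {{", f"  hardware ethernet {mac};",
                      f"  fixed-address {ip};", "}"]
        return "\n".join(lines)

    def routes(self):
        """FreeBSD route(8) commands for the AP: send each customer block to its CPE's radio IP."""
        return [f"route add -net {b.with_prefixlen} {ip}" for b, ip in self.blocks.items()]
```

The checks in add_static and add_block are what catches the two mistakes that bite later: a "static" address that the DHCP pool can also hand out, and a customer block that overlaps the radio subnet or another customer.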
simcor23
01-25-2006, 06:21 PM
Great. Thanks for helping me clear things up. I actually have 4 APs on my tower, so I will distribute my clients as equally as I can. The goal for this cell is approx. 100 clients; 25 clients per AP would be sweet. Then on to the next cell. The few larger clients that I have spoken to so far seem to be really interested in a product we offer, 5Mbps fibre with a wireless backup for redundancy. So some of the larger clients will only be using the wireless if their fibre goes down, which is a rare occurrence, so I could possibly have a few more than that per AP.