Routing - VDS - Design questions


knolan
10-08-2007, 03:48 AM
I've been asked by a customer to create a "private" network for them connected to another ISP for internet access (this is due to us not having a network in the area).


The private network will have 3 APs (4-port Metro boards), 5 CPEs (WAR1s) and 1 wired client connected to the Ethernet interface of one of the APs.

The hardware setup would be as follows:

Internet --> AP1 Ether1

AP1 Ether1 --> Internet
AP1 wpci1 ---> AP2 wpci1
AP1 wpci2 --> Access Point for Clients

AP2 wpci1 --> AP1 wpci1
AP2 wpci2 --> AP3 wpci1
AP2 wpci3 --> Access Point for Clients

AP3 wpci1 --> AP2 wpci2
AP3 wpci2 --> Access Point for Clients
AP3 Ether1 --> Wired Client


The customer has asked whether I can provide a public IP to the outside interface of the wired client's firewall.

They have also said that they don't want to use NAT or IPMAP and, if possible, each client should have their own public IP address.



For the IP side of the network I'm thinking I set up the network with 172.16.0.0/16 IPs and subnet them out so that it is fully routed, using OLSR as the routing protocol.


I'm thinking I ask the other ISP for a /28 public IP range, with the first IP from the range on their network as my default gateway.

I put the second IP on ether1 of AP1, set a default gateway on the AP to the ISP and do not announce this to OLSR (to keep VDS out of the routing protocol).

I set up 7 VDS master tunnels and bridge each VDS session to ether1, with no IP address on the VDS session.


On the clients I'm thinking I set them up as VDS slaves.
For the WAR1s, route 172.16.0.0/16 to the AP they are connected to, route 0.0.0.0/0 to the public IP on the VDS master,

and NAT all traffic from the clients' IP range (192.168.1.0/24) to the VDS session.

For the wired client I set up a VDS slave and bridge it to the Ethernet interface, with no IP address on either the VDS session or the Ethernet interface, and put the public IP on the customer's firewall, telling them to set their default gateway to the public IP on the VDS master.

Also, since I'll need to support this remotely, I'm thinking I should set up AP2 & AP3 as VDS slaves with public IPs assigned to the VDS sessions.


I'm setting up a lab with 1 Metro and 6 WRAP boards to test the setup. I guess the questions are: am I nuts to even think of doing this? Is there an easier way to set it up? Does anyone else use VDS in this way? And will it work?



Thanks
Keith
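An added example, not from the thread or from the StarOS/VDS software, that works through the address plan in the post above: hand out the ISP's /28 in the order described (gateway first, AP1 ether1 second, then one address per bridged VDS slave), carve /30s for the backhaul hops out of 172.16.0.0/16, and check that none of the ranges in play overlap. The 203.0.113.0/28 block and the slave names are constructed placeholders.

```python
from ipaddress import ip_network

# Constructed inventory for the design in the post. The /28 from the ISP, the
# 172.16.0.0/16 routed backbone and the 192.168.1.0/24 client LAN are from the
# post; 203.0.113.0/28 (TEST-NET-3) stands in for the block the ISP hands out.
PUBLIC_BLOCK = ip_network("203.0.113.0/28")
BACKBONE = ip_network("172.16.0.0/16")
CLIENT_LAN = ip_network("192.168.1.0/24")   # LAN behind each WAR1, NATed into its VDS session
BACKHAUL_LINKS = ["AP1-AP2", "AP2-AP3"]      # wpci backhaul hops carried by OLSR
# Every VDS slave that needs a public address: 5 WAR1s, the wired client's
# firewall, and AP2/AP3 for remote management (assumed names).
VDS_SLAVES = [f"WAR1-{i}" for i in range(1, 6)] + ["wired-firewall", "AP2-mgmt", "AP3-mgmt"]

def public_addresses_needed(slaves=VDS_SLAVES):
    """ISP gateway + AP1 ether1 + one address per bridged VDS session."""
    return 2 + len(slaves)

def build_plan(public=PUBLIC_BLOCK, backbone=BACKBONE, links=BACKHAUL_LINKS, slaves=VDS_SLAVES):
    """Assign public IPs in the order the post describes, and a /30 per backhaul hop."""
    hosts = list(public.hosts())
    needed = public_addresses_needed(slaves)
    if needed > len(hosts):
        raise ValueError(f"{public} has {len(hosts)} usable addresses, design needs {needed}")
    plan = {"isp-gateway": hosts[0], "AP1-ether1": hosts[1]}
    plan.update(zip(slaves, hosts[2:]))
    link_subnets = dict(zip(links, backbone.subnets(new_prefix=30)))
    return plan, link_subnets

def slave_routes(plan, ap_backbone_ip, backbone=BACKBONE):
    """Static routes for a WAR1: backbone via its AP, default via the VDS master's public IP."""
    return [(str(backbone), ap_backbone_ip), ("0.0.0.0/0", str(plan["AP1-ether1"]))]

def overlapping_ranges(*nets):
    """Pairs of ranges that collide; should be empty (DrLove73's point about reused subnets)."""
    nets = list(nets) or [BACKBONE, CLIENT_LAN, PUBLIC_BLOCK]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    plan, links = build_plan()
    for name, addr in plan.items():
        print(f"{name:15} {addr}")
    for name, net in links.items():
        print(f"{name:15} {net}")
    print("overlaps:", overlapping_ranges())
```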

lonnie
10-08-2007, 10:36 AM
I have to understand something first. Are you connecting him back to your Internet via the ISP that he can see, or are you simply building a remote connection for your customer to hit his ISP?

knolan
10-08-2007, 11:17 AM
I'm building a remote network for our customer linking him to his ISP; the network will never connect to our network.

Thanks,
Keith

DrLove73
10-08-2007, 01:45 PM
Well, never say never :-)

Just in case, why don't you use subnets that neither you nor his ISP use...
You may get to admin their network, so using a VPN would be a good idea.

knolan
10-09-2007, 10:11 AM
Lonnie,

Do you have any more thoughts on this design? Or maybe I should just push back and tell them I will be doing IPMAP & NAT,


and tell them that the firewall they put in place at the wired client's site will need to handle NAT at two points on the network for their VPN tunnel.


Thanks
Keith

lonnie
10-09-2007, 10:59 AM
If you can use VDS to create a large flat network then it will work just fine. I like the approach because it keeps your backbone routed and away from customers.

Another thought was whether they want all units on the same space or if they just need certain offices connected to share printers or files.

It almost sounds like they are building a general ISP. What sort of business do they run?

DrLove73
10-09-2007, 12:16 PM
As for VPN, I thought that you could maybe (from time to time, when needed) connect your own network/computer through their internet connection by PPPoE or VPN. For that (if I recall this right), your networks should not have the same subnets, or it would create a conflict.