Distributing /29 over a /30 - Public LAN IP routable subnetting

I have a customer with a Balance 310 Fiber 5G with an AT&T ADI fiber 1gig circuit. They have 5 suites they will be sharing this internet with, each needing a public address. (I bought this specific router for the customer upon recommendation from my Peplink vendor after letting them know about these specific needs.) There is an ethernet cable going to each suite. The ISP is currently giving 1 public WAN address via a /30 and a block of public LAN addresses on a separate /29 (all through a single fiber port connected to the 310) and we need to be able to have 1 public address available on each LAN port of the Balance 310 to distribute to the suites. However, I see no way of configuring this in the router. When I search for Peplink IP routed subnet, I don't get any results for Peplink but I do get the following result from DrayTek:

https://www.draytek.com/support/knowledge-base/4796

I realize the DrayTek example is using the same subnet and Peplink’s version of this is “Drop-in mode”, so it’s not an apples-to-apples example, but close.

So is “public IP LAN routed subnetting” possible with Peplink routers?

Also, when I spoke to an AT&T network engineer, they told me I need to configure the router to handle these public LAN addresses via a secondary interface on the router, but I don't think the Peplink router is capable of this (routing of public LAN addresses), and I'm assuming I would also need a layer 3 switch to handle this. He said normally this is done with a Cisco router.

His other option is for me to order a /29 of “SWAN” addresses, which stands for secure WAN, meaning have all the WAN addresses available on the single WAN port instead of having to distribute public LAN addresses on a secondary interface.

If I do order additional WAN addresses instead of doing the LAN subnetting, how could I configure this in the Balance 310 so that one public address would be available on each of the 4 LAN ports with no NAT (I would install additional routers/firewalls in other suites) and NAT on the 5th port, so that I can connect the customer LAN equipment with a private subnet and the 5th public WAN address? I did attempt to configure this via port mapping, but I still had to configure private LAN addresses, not the public ones.

Can anyone shed some light on this?

updated post with more details

Delivering a /29 subnet over a /30 should be fairly simple but it is going to challenge some of the normal approaches to Peplink device config.

The basic steps are:

  1. Set up your fiber WAN using the /30. Change its mode from NAT to IP forwarding.
  2. Set your LAN IP to be one of the IPs from the /29.
  3. Get your customers to assign the WAN of their routers to be one of the outstanding /29 IPs, with the Peplink LAN IP as their gateway. I might consider using DHCP here and then setting a bunch of DHCP reservations for their firewalls. That makes it easier to make changes remotely later if need be.
  4. Set up firewall rules to block all inbound traffic to the Peplink’s LAN /29 IP from all IPs apart from those in the /29.
  5. Set the Peplink management Webadmin interface to an arbitrary port number and secure it well.
4 Likes
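The address plan behind steps 2 to 4 above, as an added example that is not part of the original reply. The two networks are constructed values from documentation ranges, the function names are hypothetical, and giving the router the first usable address is an assumption (the reply only says "one of the IPs from the /29").

```python
import ipaddress

# Constructed sample values from RFC 5737 documentation ranges; substitute the
# blocks the ISP actually assigned.
WAN_LINK = ipaddress.ip_network("192.0.2.0/30")      # point-to-point /30
ROUTED_LAN = ipaddress.ip_network("203.0.113.8/29")  # routed public /29


def plan_routed_block(lan_net, suites):
    """Give the first usable IP to the router LAN, the rest to suite routers."""
    hosts = list(lan_net.hosts())  # excludes network and broadcast addresses
    if len(hosts) < len(suites) + 1:
        raise ValueError(f"{lan_net} has {len(hosts)} usable IPs, "
                         f"need {len(suites) + 1}")
    gateway, rest = hosts[0], hosts[1:]
    return {
        "gateway": gateway,
        "netmask": lan_net.netmask,
        "suites": dict(zip(suites, rest)),  # candidates for DHCP reservations
        "spare": rest[len(suites):],
    }


def inbound_to_router_allowed(src, dst, plan, lan_net):
    """Step 4: only hosts inside the /29 may reach the router's own LAN IP.

    Traffic forwarded to the suite addresses is not matched by this rule;
    each suite firewall filters for itself.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst != plan["gateway"]:
        return True
    return src in lan_net


if __name__ == "__main__":
    assert not WAN_LINK.overlaps(ROUTED_LAN)  # the two blocks must be distinct
    plan = plan_routed_block(ROUTED_LAN, [f"suite-{n}" for n in range(1, 6)])
    print("router LAN IP:", plan["gateway"], "mask", plan["netmask"])
    for name, ip in plan["suites"].items():
        print(f"{name}: WAN {ip}/{ROUTED_LAN.prefixlen} gw {plan['gateway']}")
    print("spare addresses:", plan["spare"])
```

A /29 has six usable addresses, so the router's LAN IP plus five suite routers consumes the whole block and leaves no spare.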

Thanks for the info

Couple of questions:

  1. Can I restrict the secondary WAN port to use on just one LAN port? Customer wants to connect his AT&T ethernet hotspot to the secondary WAN port.

  2. Will this setup allow port forwarding from the routers assigned a /29 address on the LAN ports?

  3. I assume the balance 310 will not be able to do NAT through one LAN port (so owner doesn’t need a second router) and therefore will need 5 additional routers. Is this a good assumption?

  1. Yes. You can have NAT enabled between a new VLAN on the LAN that is only available on one LAN port and the WAN 2.
  2. Yes. Routers on the LAN of the Peplink with one of the /29 IPs on their WAN interfaces will be directly on the internet, so they can control their own port forwarding.
  3. The IPs in the /29 are IP forwarded, so no NAT in this config using them. You could use SpeedFusion Protect Cloud or host your own FusionHub to give you another public IP address that can then provide a NATed subnet at the same time to a new VLAN though, if you want.

Thanks for the quick response

  1. The WAN2 port would just be a backup to the fiber connection (fiber priority 1, WAN2 priority 2). But according to the info you gave in 3, NATing a /29 address to a private subnet on a LAN port wouldn't work, correct? If so, I'm a little confused…

  2. I'm thinking the easiest setup would be to just do separate routers for the 5 suites via the /29, and the owner can put his ethernet hotspot on that router. Which means if he uses a Balance 20X (which is mainly what I use for customers) then I will need to activate a virtual WAN license and set it as priority 2…