Hi, I’m helping to setup the network at a local LAN Party with a couple of hundred participants.
We have a 1Gbit uplink from our ISP and two C classes of IPs.
x.x.213.0/24 and x.x.214.0/23
I would like to set up a local router to handle most things, but I'm not familiar enough with VyOS (or ISP-grade networking, for that matter) to manage without some expertise.
What I’m wishing to accomplish is:
Every participant connecting with wire to our switches gets a public ip address (x.x.214.0/23).
Every participant connecting wirelessly to our access points gets a private IP address (172.16.x.x/20).
Our ISP has the uplink at VLAN 1649, and we were planning to use VLAN 20 for participants on wire, and VLAN 30 for participants on wireless.
The ISP has established a x.x.213.1/30 and x.x.214.1/30 route for us to use.
It's what comes next that I'm not familiar with: how to set up VyOS to be fully transparent on the public range, and have a firewall with NAT for VLAN 30.
I tried to set up an eth0.1649 with x.x.213/214.2/30 and an eth0.20 with x.x.213.3/24 and x.x.214.3/23, with DHCP servers. The DHCP server hands out IP addresses, but I'm not at all sure this is going to work…
I don't have the opportunity to test this live until Wednesday (11th February), and it would be really nice if someone could help me get the details right before Friday (13th February), when the LAN Party starts.
Not sure I’m correctly interpreting the address space, but normally you’d get a single /30 for the uplink. You were allocated two /24s, but one subnet has a /23 mask?
Maybe I explained it wrong. I’m totally new to carrier grade networking with routing.
I haven't actually got the /30 yet, but I was guessing it would be in the same range, so that may be totally wrong. We have x.x.213.0/24 and x.x.214.0/23, so our total IP range would be x.x.213.0-x.x.215.255.
They normally just set up a gateway for us at x.x.213.1 and x.x.214.1, but this time we want to route the traffic ourselves, since we are also going to use the private IP range for the WLAN.
I can contact my ISP again and ask which /30 I will be given, but let's say it's x.x.212.1/30 in the meantime (they don't reply fast).
Do you need a static range for servers, and does the outside need to be able to initiate connections to the inside (i.e. someone from the Internet connects to a server at the LAN party)?
Nice, glad to hear I’m not completely on the wrong track.
I was planning for the outside to have full access to all participants on the PUBLICINET range. I will also have a static range of servers on x.x.213.0/24 (I see that I wrote x.x.213.2/30 for the /30, but it should be x.x.212.2/30, as I don't know which /30 we will get at this point), also fully exposed.
The PRIVATEWLAN range should be fully blocked from the outside, i.e. no incoming connections, only outgoing.
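The following VyOS configuration is an added example that was not posted in this thread; it puts the requirements from the posts above into one `configure` session: VLAN 1649 uplink, VLAN 20 wired with the public blocks routed straight through (no NAT, no filter), VLAN 30 wireless in 172.16.0.0/20 behind source NAT with a stateful filter that only allows replies back in. It assumes the ISP-facing port is eth0, that the uplink /30 is x.x.212.0/30 with the ISP at .1 and this router at .2 (the placeholder the poster used), that the router itself is the .1 gateway inside both public blocks, and that 8.8.8.8 stands in for whichever resolver you actually hand out. The DHCP pools, lease time, rule numbers and the conntrack table size are illustrative choices, not values from the thread.

```vyos
# Added example (VyOS 1.1-era syntax), not configuration from the original thread.
# Assumed: eth0 faces the ISP, uplink /30 is x.x.212.0/30 (ISP .1, us .2), and
# 8.8.8.8 is a placeholder for the resolver you actually want clients to use.

# Uplink: tagged VLAN 1649 towards the ISP, default route via the ISP side of the /30.
set interfaces ethernet eth0 vif 1649 description 'ISP uplink'
set interfaces ethernet eth0 vif 1649 address 'x.x.212.2/30'
set protocols static route 0.0.0.0/0 next-hop 'x.x.212.1'

# VLAN 20, wired participants and servers: this router is the .1 gateway for both
# public blocks. Nothing else is configured for it, so it is routed through with
# no NAT and no filtering, i.e. "fully transparent" and fully exposed as requested.
set interfaces ethernet eth0 vif 20 description 'PUBLICINET wired'
set interfaces ethernet eth0 vif 20 address 'x.x.213.1/24'
set interfaces ethernet eth0 vif 20 address 'x.x.214.1/23'

# VLAN 30, wireless participants: RFC 1918 space that will sit behind NAT.
set interfaces ethernet eth0 vif 30 description 'PRIVATEWLAN wireless'
set interfaces ethernet eth0 vif 30 address '172.16.0.1/20'

# DHCP: a dynamic pool for wired clients out of x.x.214.0/23 only, leaving
# x.x.213.0/24 for statically addressed servers, plus the private pool for wireless.
# Pool boundaries and the 1 h lease are assumptions.
set service dhcp-server shared-network-name PUBLICINET subnet x.x.214.0/23 start x.x.214.10 stop x.x.215.250
set service dhcp-server shared-network-name PUBLICINET subnet x.x.214.0/23 default-router 'x.x.214.1'
set service dhcp-server shared-network-name PUBLICINET subnet x.x.214.0/23 dns-server '8.8.8.8'
set service dhcp-server shared-network-name PUBLICINET subnet x.x.214.0/23 lease '3600'
set service dhcp-server shared-network-name PRIVATEWLAN subnet 172.16.0.0/20 start 172.16.0.10 stop 172.16.15.250
set service dhcp-server shared-network-name PRIVATEWLAN subnet 172.16.0.0/20 default-router '172.16.0.1'
set service dhcp-server shared-network-name PRIVATEWLAN subnet 172.16.0.0/20 dns-server '8.8.8.8'
set service dhcp-server shared-network-name PRIVATEWLAN subnet 172.16.0.0/20 lease '3600'

# Source NAT for the wireless range only, and only when it leaves via the uplink.
# 'masquerade' translates to the uplink address x.x.212.2. To use an address out
# of the public block instead, replace 'masquerade' with e.g. x.x.213.254 and add
# that address to vif 20 so the router owns it.
set nat source rule 100 description 'PRIVATEWLAN to Internet'
set nat source rule 100 outbound-interface 'eth0.1649'
set nat source rule 100 source address '172.16.0.0/20'
set nat source rule 100 translation address 'masquerade'

# Stateful filter on traffic forwarded INTO VLAN 30: replies to connections the
# wireless clients opened are accepted, invalid packets and every new inbound
# connection (from the Internet and from VLAN 20 alike) are dropped.
set firewall name WLAN-IN description 'No inbound connections to PRIVATEWLAN'
set firewall name WLAN-IN default-action 'drop'
set firewall name WLAN-IN rule 10 action 'accept'
set firewall name WLAN-IN rule 10 state established 'enable'
set firewall name WLAN-IN rule 10 state related 'enable'
set firewall name WLAN-IN rule 20 action 'drop'
set firewall name WLAN-IN rule 20 state invalid 'enable'
set interfaces ethernet eth0 vif 30 firewall out name 'WLAN-IN'

# Several hundred clients behind one box: give the connection tracker room.
# 262144 is an assumed starting point; check usage with 'show conntrack table ipv4'.
set system conntrack table-size '262144'

commit
save
```

Two things worth checking before the event. First, `firewall out` on eth0 vif 30 only filters forwarded traffic, so the router's own services (SSH, the DHCP server) are still reachable from the public VLAN and from the Internet, since the design deliberately leaves the public side unfiltered; if that is not wanted, add a `firewall local` rule set on eth0 vif 1649 and vif 20 that permits only what the router should answer. Second, the WLAN-IN rules as written also stop wired participants from opening connections to wireless ones; if that should be allowed, add an accept rule for source x.x.213.0/24 and x.x.214.0/23 ahead of the default drop. After `commit`, `show nat source translations` and `show firewall name WLAN-IN statistics` confirm that only 172.16.0.0/20 is being translated and that the drop counters move when something from outside probes the WLAN.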
I'm really surprised at how well this configuration worked out. I was really skeptical, expecting the gateway to become a bottleneck in our system, but it turns out to be the best-performing setup compared to all the other systems.
I checked the system monitor when we had around 800 clients connected (300-400 heavy users and 400-500 mobile), and it only used about 100-200 MB of RAM with very low CPU usage.
In summary, I would recommend VyOS to everyone setting up gateways for this kind of event!