DrayTek Vigor 2960 multi-tenant setup using private and public IP addresses on LAN
This week in the lab we are going to set up a DrayTek Vigor 2960 for a small multi-tenant office. Each office will have its own subnet and DHCP provided by our 2960. Each tenant will have the option of using public IP addresses on their own equipment on their LAN.
In our lab we have a suitable internet connection to support several users and a single DrayTek Vigor 2960 router. In our building network we are subletting three offices, each with its own subnet. Port 1 on the 2960 will patch into the room for tenant 1, port 2 into the room for tenant 2, and so on.
In our lab tenant 2 wants to have a dedicated public IP for all of their traffic and a second public IP which they wish to assign to a router inside their network.
Review the network in more detail in this diagram.
To successfully implement this network we need to perform the following steps:
- Configure WAN IPs
- Set up VLANs
- Configure Proxy ARP
- Configure Policy Route Rule
- Configure LANs
- Configure NAT Rules
- Assign Public IP to LAN
Configure WAN IPs
OK, let's start off by configuring the WAN 1 interface. Click:
WAN -> General Setup -> Select 1 -> Edit
Configure the required WAN IP, subnet, gateway and DNS servers. Since Tenant 2 requires their own dedicated public IP address we will assign them 22.214.171.124, so for now configure that address as an IP Alias.
Tenant 2 also requires the use of a public IP address on their LAN network. To enable this we need to add one of our public IPs (it can be any in your public IP range which is not in use) as a routing subnet. Here click Add, add 126.96.36.199 and configure the mode as ROUTING.
Set up VLANs
Each LAN needs to be set up with its own VLAN ID. Go to LAN->Switch->Add and set up each port as shown, giving each its own VLAN ID.
Each VLAN ID will have its port number selected as a member and untagged. Below we configure VLAN 10 as follows; repeat for each port as required. VLAN 11 will include Port 2 selected as a member and untagged, and so on for each port.
Configure Proxy ARP
Since we are using public IP addresses on the LAN side we need to configure a proxy ARP rule.
When adding the Proxy ARP rule, specify the LAN profile which requires the use of public IP addresses and specify the IP we used earlier on the WAN as a routing IP. If other tenants require the use of public IPs on their LAN you can configure multiple rules using the same routing IP but specifying a different LAN profile.
Configure Policy Route Rule
Tenant 2 has requested their own public IP so we need a rule to route their traffic out via their own IP. Here we configure a policy routing rule.
Specify the source network, which in this case is 192.168.1.0 for tenant 2. Specify ‘Use IP Alias’ and the address we have assigned them: 188.8.131.52.
Now let's finally configure the LANs.
Nothing too special here: we configure our subnet and DHCP options for LAN 1.
Here we configure our subnet and DHCP options for LAN 2.
Here we configure our subnet and DHCP options for LAN 3.
Configure NAT Rules
If any of our tenants require any NAT rules on the firewall we can configure them all from the DrayTek. Here we configure a rule for LAN2 opening port 3389 from their own public IP to a host on their LAN.
Assign Public IP to LAN
The last thing to do now is to hand over the Public IP details to our Tenant on LAN 2.
We will choose a free public IP from our range, so let's use the following: 184.108.40.206. They must configure the gateway as the IP we specified as the routing IP earlier while configuring the WAN interface, which was 220.127.116.11.
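Before entering the settings from the steps above into the router, the address plan can be checked for conflicts. The script below is an added example, not part of the original walkthrough: the public addresses are constructed from the 203.0.113.0/29 documentation range, the tenant 1 and tenant 3 subnets and VLAN 12 are assumptions, and PLAN and check_plan are hypothetical names.

```python
import ipaddress
from itertools import combinations

# Constructed plan: 203.0.113.0/29 is a documentation range standing in for the
# ISP allocation; tenant 1/3 subnets and VLAN 12 are assumptions.
PLAN = {
    "wan_range": "203.0.113.0/29", "wan_ip": "203.0.113.2",
    "routing_ip": "203.0.113.4",  # WAN entry in ROUTING mode, used by Proxy ARP
    "tenants": [
        {"name": "tenant1", "port": 1, "vlan": 10, "subnet": "192.168.0.0/24"},
        {"name": "tenant2", "port": 2, "vlan": 11, "subnet": "192.168.1.0/24",
         "ip_alias": "203.0.113.3", "lan_public_ip": "203.0.113.5",
         "lan_gateway": "203.0.113.4"},
        {"name": "tenant3", "port": 3, "vlan": 12, "subnet": "192.168.2.0/24"},
    ],
}

def check_plan(plan):
    """Return a list of problems found in the address plan (empty if clean)."""
    problems = []
    wan = ipaddress.ip_network(plan["wan_range"])
    # Every public address must be a usable host in the WAN range, used once.
    public = [("wan_ip", plan["wan_ip"]), ("routing_ip", plan["routing_ip"])]
    for t in plan["tenants"]:
        public += [(f"{t['name']}.{k}", t[k]) for k in ("ip_alias", "lan_public_ip") if k in t]
    seen = {}
    for label, addr in public:
        ip = ipaddress.ip_address(addr)
        if ip not in wan or ip in (wan.network_address, wan.broadcast_address):
            problems.append(f"{label} {ip} is not a usable host in {wan}")
        if ip in seen:
            problems.append(f"{label} reuses {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, label)
    # Each tenant gets its own switch port and VLAN ID, as in the VLAN step.
    for field in ("port", "vlan"):
        values = [t[field] for t in plan["tenants"]]
        if len(values) != len(set(values)):
            problems.append(f"duplicate {field} assignment")
    # Tenant subnets must not overlap, or policy-route sources become ambiguous.
    for a, b in combinations(plan["tenants"], 2):
        if ipaddress.ip_network(a["subnet"]).overlaps(ipaddress.ip_network(b["subnet"])):
            problems.append(f"{a['name']} and {b['name']} subnets overlap")
    # A tenant host with a public IP must use the routing IP as its gateway.
    for t in plan["tenants"]:
        if "lan_public_ip" in t and t.get("lan_gateway") != plan["routing_ip"]:
            problems.append(f"{t['name']} gateway is not the routing IP")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```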
The DrayTek Vigor 2960 offers some powerful features for the small and medium business. In our lab we set up a small multi-tenanted building using a single device servicing multiple tenants and even used public IP addresses on the LAN.