DrayTek Vigor 2960 Multi tenant setup using private and public IP addresses on LAN

This week in the lab we are going to set up a DrayTek Vigor 2960 for a small multi-tenant office. Each office will have its own subnet and DHCP provided by our 2960. Each tenant will have the option of using public IP addresses on their own equipment on their LAN.

In our lab we have a suitable internet connection to support several users and a single DrayTek Vigor 2960 router. In our building network we are subletting three offices, each with its own subnet. Port 1 on the 2960 will be patched into the room for tenant 1, port 2 into the room for tenant 2, and so on.

In our lab tenant 2 wants to have a dedicated public IP for all of their traffic and a second public IP which they wish to assign to a router inside their network.

Review the network in more detail in this diagram.

DrayTek 2960 Network

To successfully implement this network we need to perform the following steps:

  1. Configure WAN IPs
  2. Set up VLANs
  3. Configure Proxy ARP
  4. Configure Policy Route Rule
  5. Configure LANs
  6. Configure NAT Rules
  7. Assign Public IP to LAN

Configure WAN IPs

OK, let's start off by configuring the WAN 1 interface. Click:

WAN -> General Setup -> Select 1 -> Edit

DrayTek 2960 1

Configure the required WAN IP, subnet, gateway and DNS servers. Since Tenant 2 requires their own dedicated public IP address, we will assign them one, so for now configure that address as an IP Alias.

DrayTek 2960 2

Tenant 2 also requires the use of a public IP address on their LAN network. To enable this we need to add one of our public IPs (it can be any in your public IP range which is not in use) as a routing subnet. Click Add, enter the address and set the mode to ROUTING.

DrayTek 2960 3

Set up VLANs

Each LAN needs to be set up with its own VLAN ID. Go to LAN->Switch->Add and set up each port as shown, giving each its own VLAN ID.

DrayTek 2960 4

Each VLAN ID will have its port number selected as a member and untagged. Below we configure VLAN 10; repeat for each port as required. VLAN 11 will have Port 2 selected as a member and untagged, and so on for each port.

DrayTek 2960 5

Configure Proxy ARP

Since we are using public IP addresses on the LAN side we need to configure a proxy ARP rule.

Routing->Static Route->Add

DrayTek 2960 6

When adding the Proxy ARP rule, select the LAN profile which requires the use of public IP addresses and specify the IP we added earlier on the WAN as a routing IP. If other tenants require the use of public IPs on their LAN, you can configure multiple rules using the same routing IP but with a different LAN profile.

DrayTek 2960 7

Configure Policy Route Rule

Tenant 2 has requested their own public IP, so we need a rule to route their traffic out via that IP. Here we configure a policy routing rule.

Routing->Policy Route->Add

Specify the source network, which in this case is tenant 2's. Select ‘Use IP Alias’ and specify the address we have assigned them:

DrayTek 2960 8

Configure LANs

Now let's finally configure the LANs:

LAN->General Setup->Add

DrayTek 2960 LANS

Nothing too special here: we configure our subnet and DHCP options for LAN 1.

DrayTek 2960 LAN 10

Here we configure our subnet and DHCP options for LAN 2.

DrayTek 2960 LAN 11

Here we configure our subnet and DHCP options for LAN 3.

DrayTek 2960 LAN 12

Configure NAT Rules

If any of our tenants require NAT rules on the firewall, we can configure them all from the DrayTek. Here we configure a rule for LAN 2, opening port 3389 from their own public IP to a host on their LAN.

DrayTek 2960 13

Assign Public IP to LAN

The last thing to do now is to hand over the public IP details to our tenant on LAN 2.

We will choose a free public IP from our range, so let's use the following They must configure the gateway as the IP we specified as the routing IP earlier while configuring the WAN interface, which was
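Before handing the details over, it is worth sanity-checking the whole addressing plan from the steps above. The script below is an added example, not part of the original lab: every address and LAN subnet in it is a constructed placeholder from the 203.0.113.0/28 documentation range, and the plan layout and `check_plan` function are hypothetical names chosen for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (documentation range); not the lab's real addresses.
PLAN = {
    "wan_subnet": "203.0.113.0/28",
    "public": {                           # role -> address, each may be used only once
        "isp_gateway": "203.0.113.1",
        "wan_ip": "203.0.113.2",
        "ip_alias": "203.0.113.3",        # tenant 2's dedicated outbound IP (policy route)
        "routing_ip": "203.0.113.4",      # added on the WAN in ROUTING mode, used by proxy ARP
        "tenant_host_ip": "203.0.113.5",  # public IP handed to tenant 2's own router
    },
    "tenant_gateway": "203.0.113.4",      # gateway tenant 2 is told to configure
    "lans": {
        "lan1": {"vlan": 10, "subnet": "192.168.10.0/24"},
        "lan2": {"vlan": 11, "subnet": "192.168.11.0/24"},
        "lan3": {"vlan": 12, "subnet": "192.168.12.0/24"},
    },
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], {}
    wan = ipaddress.ip_network(plan["wan_subnet"])
    for role, addr in plan["public"].items():
        ip = ipaddress.ip_address(addr)
        if ip not in wan or ip in (wan.network_address, wan.broadcast_address):
            problems.append(f"{role} {ip} is not a usable host address in {wan}")
        if ip in seen:
            problems.append(f"{role} {ip} is already used as {seen[ip]}")
        seen.setdefault(ip, role)
    # The tenant's gateway must be the routing IP configured on the WAN interface.
    if ipaddress.ip_address(plan["tenant_gateway"]) != ipaddress.ip_address(plan["public"]["routing_ip"]):
        problems.append("tenant_gateway is not the routing_ip")
    nets = {n: ipaddress.ip_network(l["subnet"]) for n, l in plan["lans"].items()}
    for name, net in nets.items():
        if net.overlaps(wan):
            problems.append(f"{name} {net} overlaps the WAN range {wan}")
    # Tenant isolation depends on distinct subnets and one VLAN ID per LAN.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    vlans = [l["vlan"] for l in plan["lans"].values()]
    if len(vlans) != len(set(vlans)):
        problems.append("VLAN IDs are not unique per LAN")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```

Replace the placeholder values with your own range before running it; any string it returns points at a step to revisit.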


The DrayTek Vigor 2960 offers some powerful features for small and medium businesses. In our lab we set up a small multi-tenanted building using a single device servicing multiple tenants and even used public IP addresses on the LAN.


Author: Ian@SlashAdmin
