Subnet a subnet

Tags: ip, networking, subnet

Apologies in advance for the botched terminology. I have read the Server Fault Subnet Wiki but this is more of an ISP question.

I currently have a /27 block of public IPs. I give my router the first address in this pool and then use 1-to-1 NAT for all the servers behind the firewall, so that they each get their own public IP.

The router/firewall is currently using (actual addresses removed to protect the guilty):

IP Address:  XXX.XXX.XXX.164
Subnet mask: 255.255.255.224
Gateway:     XXX.XXX.XXX.161

What I would like to do is break out my subnet into two separate /28 subnets. And do this in a way that is transparent to the ISP (i.e., they see me as continuing to operate a single /27).

Currently, my topology looks like:

     ISP
      |
[Router/Firewall]
      |
  [Managed Ethernet Switch]
  /       \         \
[Server1] [Server2] [Server3] (etc)

Instead, I would like it to look like:

       ISP
        |
    [Switch]
    /      \
[Router1] [Router2]
  |    |    |   |
[S1] [S2] [S3] [S4] (etc)

As you can see, this would partition me into two separate networks.

I'm struggling with what the correct IP settings would be on Router1 and Router2.

Here's what I have right now:

              Router1              Router2
IP Address:   XXX.XXX.XXX.164      XXX.XXX.XXX.180
Subnet mask:  255.255.255.240      255.255.255.240
Gateway:      XXX.XXX.XXX.161      XXX.XXX.XXX.161

Note that normally you would expect Router2 to have a gateway of .177, but I'm trying to get them both to use the gateway originally given to me by the ISP.

Is subnetting like this in fact possible, or am I completely botching the most basic concepts?

Edit

Several people have asked "Why". There are a couple of specific reasons why I want to do this:

  1. My router/firewall locks up every 6-8 weeks. I've gone through a litany of devices: NetGear FVS318, Linksys RV042, Watchguard Firebox Edge X20e, and a Cisco ASA 5505. The same thing has happened with all devices, and it's apparently due to the dozen or so IPSec VPN tunnels that the device manages. Whenever it locks up, a network engineer needs to physically power-cycle the device.

  2. I have one large client and about 1/2 the servers in the cabinet are theirs. I would like that client to be able to manage the firewall and VPN rules themselves instead of going through me. This way, I would give them root access to Router2 and they could manage everything themselves without causing any problems to Router1.

Best Answer

If you're not using NAT, i.e. if you want to actually do routing and put real servers on those IP addresses, then you can't subnet your network in a way that is transparent to your provider; they will need to modify their router configuration and their routing tables to account for your new network setup, possibly giving you two gateway addresses and/or two routers (or by setting up a new route if you put one subnet "behind" the other and your firewall in the middle).

However, if you keep using NAT and simply give half of the addresses to a firewall and half of them to another, then their external IPs will appear to your ISP as still belonging to a single subnet, and everything will keep working fine.
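The subnet arithmetic behind both the question's table and the answer, as an added worked example (not code from the question or the answer). The real addresses are redacted above, so it uses a constructed /27 from the 203.0.113.0/24 documentation range with the ISP gateway at the first host, mirroring the .161 gateway in the question. It splits the /27 into its two /28s and then checks, for each router's WAN configuration, whether the ISP gateway is on-link: with a /28 mask Router2's gateway is not on-link (the problem the question is running into), while with the original /27 mask on both WAN interfaces (the NAT arrangement the answer describes) both routers can reach it and the ISP still sees one /27.

```python
import ipaddress

# Constructed example addresses (the question redacts its real ones): a /27 from
# the TEST-NET-3 documentation range, with the ISP gateway at the first host.
ISP_BLOCK = ipaddress.ip_network("203.0.113.160/27")
ISP_GATEWAY = "203.0.113.161"


def split_block(block, new_prefix=28):
    """Return the sub-blocks of `block` at `new_prefix` with their host ranges."""
    result = []
    for sub in block.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        result.append({
            "network": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable": len(hosts),
        })
    return result


def gateway_on_link(interface_cidr, gateway):
    """True if `gateway` lies inside the subnet the interface is configured with.

    A router only ARPs for a default gateway that is on-link; a gateway outside
    the interface's own subnet is unreachable unless a more specific route exists.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def check_router_configs(routers, gateway):
    """Evaluate WAN configs shaped like the question's table: {name: (address, mask)}."""
    report = {}
    for name, (addr, mask) in routers.items():
        cidr = f"{addr}/{mask}"  # ip_interface accepts a dotted-decimal netmask
        report[name] = {
            "network": str(ipaddress.ip_interface(cidr).network),
            "gateway_on_link": gateway_on_link(cidr, gateway),
            "inside_isp_block": ipaddress.ip_address(addr) in ISP_BLOCK,
        }
    return report


if __name__ == "__main__":
    for sub in split_block(ISP_BLOCK):
        print(sub)

    # The configuration from the question: both routers with a /28 mask.
    split_config = {
        "Router1": ("203.0.113.164", "255.255.255.240"),
        "Router2": ("203.0.113.180", "255.255.255.240"),
    }
    # The NAT arrangement from the answer: both WAN interfaces keep the /27 mask.
    nat_config = {
        "Router1": ("203.0.113.164", "255.255.255.224"),
        "Router2": ("203.0.113.180", "255.255.255.224"),
    }
    print("with /28 masks:", check_router_configs(split_config, ISP_GATEWAY))
    print("with /27 masks:", check_router_configs(nat_config, ISP_GATEWAY))
```

Run it and the /28 report shows Router2 landing in 203.0.113.176/28 with the gateway off-link, whereas the /27 report shows both routers on the ISP's single subnet; the split between the two firewalls then lives only in which addresses each one NATs, which is why the ISP does not need to change anything.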