Setup network in an appartementbuilding with WAN IP per appartment

Mike77

Occasional Visitor
Hi guys,

I've got a problem with the network setup in an apartment building. The building has its own connection to the internet with a static WAN IP. This connection comes from a tower on the roof which is part of the national telecom backbone, with a backup via a satellite connection. It's nice and fast :)

Because these things are placed on the roof, the inhabitants of the building get free internet. The building has its own router with one Cat6a connection for every apartment (32 connections). This router hands out local IP addresses via DHCP and has NAT passthrough. Every apartment has its own home router with its own IP range and DHCP.

Now there are two problems that I need to solve. A lot of the people in the apartments want to use VPN servers and clients, and the second thing is that even more have their own domain names that they want to point to their IP address.

The VPN servers don't work because of double NAT problems, a local class C IP address and no static routes.
The domain names can't be pointed to their IP, because they are behind the router of the apartment building.

Is there a way to solve this?
 
If you are the owner of the building you can use 1-to-1 NAT, or you can just hand out the public IP address by having each router just give out that 1 IP address. Consider also enabling UPnP.

If you aren't, then you would need to look for a DDNS option that allows for NAT and firewalls. You could ask the ISP to enable UPnP as well. You could just directly connect everything instead to eliminate double NAT and do filtering on layer 2, like I do with my router. I have a similar setup, but I have my MikroTik router doing layer 2 filtering instead, and it can also obey the IP firewall on layer 2.

In order for VPN to work through NAT, VPN passthrough needs to be enabled.
 
Now there are two problems that I need to solve. A lot of the people in the apartments want to use VPN servers and clients, and the second thing is that even more have their own domain names that they want to point to their IP address.

The VPN servers don't work because of double NAT problems, a local class C IP address and no static routes.
The domain names can't be pointed to their IP, because they are behind the router of the apartment building.

Is there a way to solve this?

Sounds like the ISP doesn't want folks running servers, eh?

Double NAT shouldn't prevent outbound VPN connections, only inbound... same goes with DDNS (which most want because they're running some kind of server on a dynamic IP), as that will always resolve to the highest-order NAT'ed connection (which, like you noted above, causes problems).

Where double NAT can cause significant problems is gaming, and this would be the approach perhaps taken...

I'm assuming the 32-port switch may be a managed switch, which can be a very good thing in your favor: create a VLAN entry for each tenant connection, and then do a 1-to-1 NAT for each VLAN...
 
See if you can buy a larger IP block.
At a minimum, with 1 IP per apartment, you need a /26 address range or multiple smaller ranges.
 
FWIW - this is why hospitality networks can be rather troublesome...

I did a stint at an extended-stay type of hotel, and it was exactly the same setup: one public IP for the whole place, and then each building had a NAT'ed router for that building.

I ended up having to set up an SSH tunnel from the room to my house, and then I could get inbound connectivity. Tough experience, and beyond the skills of most folks to set up...

Work laptop to unmanaged 5-port switch to a Linux box with Wi-Fi (attaching to the hotel network) and Ethernet back to the switch, setting up the SSH tunnel on the Linux machine back to the house... then some iproute tuning to get it all working. Had to do this as the hotel blocked all OpenVPN, PPTP, and L2TP VPN connections... moved SSH to a high-order port that wasn't blocked.

Doing this over a hotel network where at best it was 512 kbps down / 128 kbps up, and DHCP expiration back to the captive portal every 24 hours...

Had to do my development from the hotel room (this was back in my consultant days) due to multiple vendors and NDAs that kept all players from working in a common camp environment...

This is the kind of hassle that the OP is going through. The best case would be that the building would have a range of public IPs assigned, one for each client, but it sounds like this isn't likely to happen.
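The reverse SSH tunnel described in the post above, written out as an added example script. This is not the poster's actual configuration: the relay host name, account, port numbers and the exposed service are all assumed placeholders, and the iproute tuning the poster mentions is not covered.

```shell
#!/bin/sh
# Added example, not from the thread: give a host behind the building's (or a
# hotel's) NAT an inbound port by holding a reverse SSH tunnel to a relay you
# control that has a public IP. Hypothetical values: relay.example.net, account
# "tunnel", sshd on port 2222 there (a high port, because 22 and the usual VPN
# ports are often blocked), and this host's own sshd as the exposed service.

RELAY_HOST="relay.example.net"   # hypothetical relay with a public address
RELAY_USER="tunnel"              # unprivileged account used only for the tunnel
RELAY_SSH_PORT=2222              # sshd port on the relay (assumed)
REMOTE_BIND_PORT=20022           # port opened on the relay's public interface
LOCAL_TARGET="127.0.0.1:22"      # service on this (NATed) host to expose

# Unprivileged accounts cannot bind below 1024 on the relay; catch that here
# rather than letting ssh connect and then fail the forward.
valid_bind_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# Assemble the ssh command line.
#  -N                       no remote shell, tunnel only
#  ExitOnForwardFailure     exit if the -R bind fails instead of sitting idle
#  ServerAliveInterval/Max  notice when the NAT dropped the idle mapping so
#                           run_tunnel can reconnect
#  -R 0.0.0.0:PORT:TARGET   listen on the relay's public side; this needs
#                           "GatewayPorts clientspecified" in the relay's
#                           sshd_config, otherwise the port is loopback-only
build_tunnel_cmd() {
  bind_port="$1"; target="$2"
  valid_bind_port "$bind_port" || return 1
  printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 0.0.0.0:%s:%s %s@%s\n' \
    "$RELAY_SSH_PORT" "$bind_port" "$target" "$RELAY_USER" "$RELAY_HOST"
}

# Keep the tunnel up across drops (what autossh automates). Authentication is
# expected to be key-based; the relay account should not need a login shell.
run_tunnel() {
  cmd=$(build_tunnel_cmd "$REMOTE_BIND_PORT" "$LOCAL_TARGET") || {
    echo "refusing bind port $REMOTE_BIND_PORT" >&2; return 1; }
  while :; do
    $cmd || echo "tunnel dropped, reconnecting" >&2  # unquoted: re-split into args
    sleep 10
  done
}

# Only connect when asked, so the file can be sourced or checked without side effects.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then run_tunnel; fi
```

Once the tunnel is up, `ssh -p 20022 user@relay.example.net` from anywhere lands on the NATed host. Note that the relay then carries the inbound attack surface: if the exposed service should not be reachable from the whole internet, bind with `-R 127.0.0.1:20022:...` instead and jump through the relay.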
 
If you are the owner of the building you can use 1-to-1 NAT, or you can just hand out the public IP address by having each router just give out that 1 IP address. Consider also enabling UPnP.

Sadly I don't own the entire building, just one apartment. :) So everything I want to do I first have to get past the board of the owners' association. But that shouldn't be a problem. I just don't understand yet how it would be possible to just bridge the one WAN IP/public IP to all apartments. If I understand 1-to-1 NAT, I'd need one WAN IP/public IP per apartment.

That's one of the things I do not fully understand, nor know how to solve. Normally I'd just put the building router in bridge mode, or put one of the apartments in the DMZ, and that's that. But in this case I need 32 DMZs and have just one WAN IP/public IP.

But I'm actually wondering what would happen if I'd make the router of the building nothing but a DMZ. The ISP behind the tower on the roof should need to handle this, right? Might even hand out a couple (31) extra IP addresses :)

But I'm just starting at this and need to figure out how it all works.
 
If you have access to the router, then see how it connects to the ISP. Some ISPs use MAC. If you can, it is best to put it into bridge mode.
DMZ works for only 1 IP address and is similar to 1-to-1 NAT.

If there's only 1 public IP address for all apartments, then give everyone a few ports to host things, which does mean a lot of configuration, but there's no other way around it. You'd have to do a lot of port forwarding.
 
Well, in theory one solution may be to only allow port forwarding over IPv6.
With a tunnel it is in theory possible to hand out an IPv6 address per apartment... although I have never tried it myself.
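One way to implement the "a few ports per apartment" scheme from the previous post together with the per-apartment IPv6 idea in this one, as an added example that is not from the thread: a script for the building router that generates an nftables ruleset carving the single public IP into a fixed inbound port slice per apartment, and routing one /64 per apartment out of a delegated /48. Every concrete value (public IP, interface names, building LAN range, IPv6 prefix, port base) is an assumption, and the tenant routers need fixed addresses (static DHCP leases) on the building LAN for the DNAT to hold.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset for the building
# router. Apartment N gets TCP/UDP ports PORT_BASE+(N-1)*100 .. +99 on the one
# public IPv4 address, DNAT'ed unchanged to its own router, plus one /64 from a
# /48 the building gets over a tunnel. All values below are hypothetical.

PUBLIC_IP="203.0.113.10"   # the building's single public address
WAN_IF="eth0"              # uplink to the tower
LAN_IF="eth1"              # the 32-port switch
LAN_BASE="192.168.100"     # tenant router for apartment N sits at .$((10+N))
V6_PREFIX48="2001:db8:4000"
APARTMENTS=32
PORT_BASE=10000
SLICE=100

# 1..32 only; anything else would silently route traffic to the wrong tenant.
valid_apt() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le "$APARTMENTS" ]; then return 0; fi
  return 1
}

apt_tenant_ip() { echo "$LAN_BASE.$((10 + $1))"; }

# Inclusive port slice, e.g. apartment 1 -> 10000-10099.
apt_port_range() {
  low=$((PORT_BASE + ($1 - 1) * SLICE))
  echo "$low-$((low + SLICE - 1))"
}

# IPv6: the subnet ID is the apartment number in hex, e.g. 16 -> ...:10::/64.
apt_v6_prefix() { printf '%s:%x::/64\n' "$V6_PREFIX48" "$1"; }

# Per-apartment rules: DNAT the slice to the tenant router (the tenant forwards
# ports inside the slice on their own router), open the same slice in the
# forward chain, and let inbound IPv6 reach the tenant's /64 (the tenant router
# is the policy point there; narrow it with a dport match if the board wants).
apt_rules() {
  valid_apt "$1" || return 1
  ip=$(apt_tenant_ip "$1"); ports=$(apt_port_range "$1"); v6=$(apt_v6_prefix "$1")
  for proto in tcp udp; do
    echo "add rule ip bldg_nat prerouting iif \"$WAN_IF\" ip daddr $PUBLIC_IP $proto dport $ports dnat to $ip"
    echo "add rule inet bldg_fw forward iif \"$WAN_IF\" ip daddr $ip $proto dport $ports ct state new accept"
  done
  echo "add rule inet bldg_fw forward iif \"$WAN_IF\" ip6 daddr $v6 ct state new accept"
}

# Whole ruleset; default-deny forward, outbound from the LAN allowed, and the
# ICMPv6 types IPv6 cannot work without (PMTU discovery in particular).
render_ruleset() {
  cat <<EOF
flush ruleset
add table ip bldg_nat
add chain ip bldg_nat prerouting { type nat hook prerouting priority -100; policy accept; }
add chain ip bldg_nat postrouting { type nat hook postrouting priority 100; policy accept; }
add rule ip bldg_nat postrouting oif "$WAN_IF" masquerade
add table inet bldg_fw
add chain inet bldg_fw forward { type filter hook forward priority 0; policy drop; }
add rule inet bldg_fw forward ct state established,related accept
add rule inet bldg_fw forward iif "$LAN_IF" oif "$WAN_IF" accept
add rule inet bldg_fw forward icmpv6 type { echo-request, packet-too-big, time-exceeded } accept
EOF
  n=1
  while [ "$n" -le "$APARTMENTS" ]; do apt_rules "$n"; n=$((n + 1)); done
}

# Rule count, as a sanity check before loading (4 global + 5 per apartment).
rule_count() { render_ruleset | grep -c '^add rule'; }

# Usage: ./gen.sh render | nft -f -
if [ "${1:-}" = "render" ]; then render_ruleset; fi
```

The caveat the thread keeps circling back to still applies on the IPv4 side: a tenant who wants their domain name to serve HTTPS on port 443, or OpenVPN on its default 1194, cannot have it, because only one apartment could ever own that port on the one public address; within their slice they can run anything, but on non-standard ports. Over IPv6 each apartment has its own addresses, so the standard ports work without any port carving, which is why the IPv6 route is attractive if the board will accept a tunnel.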
 