Need assistance subnetting a Class C with open source layer 3 router - Vyatta


We have a Class C of IPv4 public internet addresses and need to subnet them (much like a datacenter does) for various customer servers. The goal is to offer address space and keep everyone segmented for security/reliability reasons (i.e. we don't want a customer to impersonate another IP and bring down another server outside of their subnet). Pretty common thing to do... or so I thought.

I have been on the search for a Layer 3 software appliance (this is all done on ESX) and have found Vyatta. The good news is that it accepts many of the same commands as a Cisco Router so any Cisco admins are welcome to jump in here.

I am not new to networking, but this is my first time with something as involved as Vyatta (I have been an Untangle user for years). I have been googling for the past 4 days and there is surprisingly little info on how to subnet a class C.  So I need help, mostly with the logic of the routing, but specific commands are very welcome as well.

For the purposes of this question I have provided a network diagram of what I want to accomplish, but with only two subnets. If you could help me achieve this I can take it from there.

Subnetting Concept
With great thanks!

Richard Amiss (Owner/Developer/Consultant) asked:
Richard Amiss (Owner/Developer/Consultant, author) commented:

I have found a solution and want to update this question for anyone else needing to do subnetting.

In both Linux and Vyatta the solution is as simple as configuring a NIC with an IP in the original Subnet (set as WAN) and a NIC with an IP on the inside of the new subnet (set as LAN). The magic works when you simply enable Proxy-ARP on the WAN interface.

There is a great (albeit old) article on how Proxy-ARP in Linux works here. It explains how each packet routes back and forth:

The setup commands in Vyatta are surprisingly simple:

eth0 (WAN):
set interfaces ethernet eth0 address (WAN IP)/24
set interfaces ethernet eth0 ip enable-proxy-arp

eth1 (LAN):
set interfaces ethernet eth1 address (LAN IP)/XX

set system gateway-address (WAN gateway)
set system name-server (DNS server IP)

That's it! Then just set up the client as expected:

Example client device behind eth1
IP: within the /XX subnet range as set on eth1
Subnet mask: (adjust to your subnet size)
Gateway: the IP set for eth1
In the one on the right, you started too low.
The gateway (L3 switch port) can't be, because that's the network ID.
So change the switch port's IP to /25, the IP of the computer in the drawing to /25, and its gateway to

If you're asking how to route the traffic in the Vyatta, the routing table needs to look something like

Destination      Netmask           Gateway


Fred Marshall (Principal) commented:
Well, the diagram has IP addresses confused a bit.
As I see it the subnets are: with broadcast at
and with broadcast at

I know nothing about the Vyatta but wouldn't it need a couple of IP addresses?
Normally one on the upstream side or WAN and one on the downstream side or LAN.
(It would not have to have addresses on all the subnets.).

Anyway, since you are in private address space why not use NAT?  
Or, what you've shown AT LEAST suggests VLANs.

A VLAN is an electronic version of "separate copper".  That's really what the "LAN" in "VLAN" refers to.

If you NAT then you might have a separate, inexpensive, router for each subnet / LAN.  They can be any size you want really (in powers of 2).  You do understand subnetting, right?  So you could have:

64 in
64 in
128 in
(less the network and broadcast addresses in the number of addresses above).
and I wouldn't use "Class" anything any more.... just subnet mask bit count or 32 minus that number as above (CIDR).

Maybe Vyatta can do that on a PC with a bunch of NICs.  I don't know.  But, your questions seem basic enough that perhaps having an architecture first would clear the way.  I'm most unclear on the architecture you're proposing except there's a Vyatta box in the middle.

Will you NAT?
Why combine private ranges if you do?
That's the sort of thing I mean by architecture.

Richard Amiss (Owner/Developer/Consultant, author) commented:

Yeah, I realized after I posted that I messed up the diagram (I rushed it just as an example).  I do understand subnets and how to break them up.

I am ultimately looking to do VLSM like so:
Address	Mask	Assignable Range	Broadcast
	/25	-	
	/27	-	
	/27	-	
	/28	-	
	/29	-	
	/29	-	
	/29	-	
	/29	-	
	/29	-	
	/29	-	


Vyatta functions with commands similar to any cisco router device, except that it is software. I am running it as a VM, so yes, I can have as many NICs as necessary to make this work.

I am ok doing NAT, as long as I am not NAT'ing to a new private subnet. I literally need to divide the original subnet.

Some questions that might help you help me:
1) How should I address the WAN NIC?  As a single IP or address the entire Class C?
2) In my head it then makes sense to address each LAN NIC as a broadcast for each subnet and then route between the WAN and each LAN.

I have tried 1 and 2 above and nothing gets through.

I know how to route public to private space, but public to public has me stumped because I don't understand the logic of the route.
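A worked check of the VLSM plan in the table above (a /25, two /27s, a /28 and six /29s tile one /24 exactly) together with the Vyatta proxy-ARP interface lines from the accepted answer, as an added Python example that is not from the post or from Vyatta; the 198.51.100.0/24 block, the WAN/upstream-gateway addresses and the eth1..ethN-per-subnet mapping are constructed assumptions.

```python
import ipaddress

# Constructed values (not from the post): RFC 5737 documentation space stands in for the
# real Class C; PLAN is the list of prefix lengths from the author's VLSM table.
BLOCK = ipaddress.ip_network("198.51.100.0/24")
PLAN = [25, 27, 27, 28, 29, 29, 29, 29, 29, 29]

def vlsm_plan(block, prefix_lengths):
    """Carve block into consecutive subnets of the given prefix lengths and return one
    dict per subnet. Raises ValueError on misalignment, overflow or an incomplete tiling."""
    rows, cursor = [], int(block.network_address)
    for plen in prefix_lengths:
        net = ipaddress.ip_network((cursor, plen))  # strict: host bits must be zero
        if not net.subnet_of(block):
            raise ValueError(f"{net} falls outside {block}")
        hosts = list(net.hosts())  # excludes the network ID and the broadcast address
        rows.append({
            "network": str(net.network_address),
            "mask": str(net.netmask),
            "gateway": str(hosts[0]),  # the router's LAN address, never the network ID
            "assignable": (str(hosts[1]), str(hosts[-1])),  # what the customer may use
            "broadcast": str(net.broadcast_address),
        })
        cursor += net.num_addresses
    if cursor != int(block.broadcast_address) + 1:
        raise ValueError("plan does not tile the block exactly")
    return rows

def plan_is_valid(block, prefix_lengths):
    try:
        vlsm_plan(block, prefix_lengths)
        return True
    except ValueError:
        return False

def vyatta_config(block, wan_ip, wan_gateway, rows):
    """Vyatta 'set' lines for the proxy-ARP design in the accepted answer: eth0 keeps an
    address in the whole /24 and answers ARP for the carved-out hosts; eth1..ethN each
    carry the gateway address of one subnet (interface numbering is an assumption)."""
    if ipaddress.ip_address(wan_ip) not in block or ipaddress.ip_address(wan_gateway) not in block:
        raise ValueError("WAN address and upstream gateway must sit in the original /24")
    lines = [f"set interfaces ethernet eth0 address {wan_ip}/{block.prefixlen}",
             "set interfaces ethernet eth0 ip enable-proxy-arp"]
    for i, row in enumerate(rows, start=1):
        plen = ipaddress.ip_network(f"{row['network']}/{row['mask']}").prefixlen
        lines.append(f"set interfaces ethernet eth{i} address {row['gateway']}/{plen}")
    lines.append(f"set system gateway-address {wan_gateway}")
    return lines
```

Each /29 row comes out with one gateway address and five assignable hosts, which is the "you only get 5 IPs" arithmetic from the reply below.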

No matter what size you break them up into, the concept remains the same.
Use one of the addresses as Gateway, and tell your router to send everything with a destination in [network ID] [/netmask] through that gateway.

That's why when you get a /29 set from an ISP, you only get 5 IPs... they 'keep' one to use as the Gateway on their L3 switch that connects your subnet to the internet, so they have a way to route your subnet's traffic to you.
Fred Marshall (Principal) commented:
I'm curious why you need to keep the private addresses that way but... OK, I can go with it even if it is a bit odd. You might think about that because it's odd and I'm/we're likely winging it a bit:

First things first:  The "primary router" connecting to the service has to have:
- a gateway address (which you have not mentioned or shown)
- an IP address for the "WAN" NIC.
I am going to assume that the gateway is
I am going to assume that the "WAN" NIC is
Now, I wonder if this would work:
Set the "WAN" NIC to
(The hope is that broadcast packets from to won't be missed or important .. but I don't know for sure).
Note that all of the rest of the /24 subnet is "wasted" in a sense.  But, in this case it doesn't matter.
Now you NAT into the subnets you want on the downstream side and use whatever private ranges you want.  They could all be the same!  They could all be size 512!  That's why I ask why you want to use the address ranges as specified.

Perhaps there's another way but it would be conjecture unless we knew what the objectives are here........

For example, you could assign IP addresses in each subnet as desired.
You could interface each subnet with a router (no NAT).  Assuming the routers have some routing/firewall capability perhaps you could block the other subnets.
Fred Marshall (Principal) commented:
By "objectives" I mean things like:

We want to be able to reach from yyy.yyy.yyy.yyyy.
We want to block access from zzz.zzz.zzz.zzz at www.www.www.www