DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Sharing a single wan connection

  • kenhughes1024
  • Topic Author
  • User
28 Jul 2015 22:05 #1 by kenhughes1024
Sharing a single wan connection was created by kenhughes1024
Our company has a 50Mb leased line going through a Vigor 2960 firewall. Another company is going to be renting part of our premises and would like to share our internet connection but I am not sure how to set this up. With our leased line, we have several static IP addresses but we are only using a couple of them and I would like to allocate one to the other company for their own firewall.

They will be supplying their own equipment but I only want them to have access to the internet and not our network. They are only looking to share 8Mb of our connection but I can throttle that at the port on the switch. All our switches are Cisco SG300.

We have some ports open on the firewall for http, ftp etc and they need some of these ports open for their own services. I had tried setting up another WAN connection with the IP address I would allocate to them, so that the port redirection is forwarded to the correct network. I have spent days trying various configurations but have been unsuccessful, so any help would be appreciated.

29 Jul 2015 00:16 #2 by adriandaz
Replied by adriandaz on topic Re: Sharing a single wan connection
What about setting up their port as a new VLAN on the 2960, that way you can have them use that as their default gateway, and just assign the static IP you want them to have to your existing WAN as an alias and pass it through to them as a DMZ forward.

(the above is based on a 2860 using ADSL perhaps similar for 2960)

Would need their port setting up as VLAN1 and assigning to LAN2, and then you can tell them to set the LAN2 IP as their default gateway for them to use on their router:

http://download.adriandaz.co.uk/alias1.jpg
http://download.adriandaz.co.uk/dmz1.jpg

Think that should work, happy to clarify.

04 Aug 2015 14:00 #3 by kenhughes1024
Replied by kenhughes1024 on topic Re: Sharing a single wan connection
I am still having trouble with this and can't seem to get it to work. Our LAN is on a 10.10.10.0/23 subnet. I created another LAN on the 2960 with an IP address of 192.168.5.1. I have just been testing with a SOHO router with the router WAN IP of 192.168.5.2 and a gateway of 192.168.5.1. The router will not connect to the internet or communicate with the gateway. If I change the SOHO router IP address to 10.10.10.x with the gateway of 10.10.10.1 then it connects.

Using the Draytek diagnostics, LAN2 can ping internet addresses but not the SOHO router. I set up LAN2 as VLAN2 and not VLAN1 (does this matter?) as the PVID of the Cisco SG300 switches is VLAN1. VLAN2 has been assigned to Port 2 on the Draytek as an untagged member.

Just to digress for a second, when I created the second VLAN and assigned it as untagged, this disabled the whole network for a minute or two, even though this was a different port and VLAN for our own network. Is this normal behaviour for the Draytek or 2960? I have done it twice and it happened both times.

It doesn't matter what I set the VLAN to on the SG300 switch, and whether it is access, general or trunk. I cannot get a connection with the 192.x.x.x address, only with the 10.x.x.x.

My frustration continues. I think your method will work if I can get it set up.

Thanks for your help.

05 Aug 2015 13:54 #4 by kenhughes1024
Replied by kenhughes1024 on topic Re: Sharing a single wan connection
Ok, I have pretty much got this working now. This is just to update anyone who is interested.

I cannot use the DMZ Host as this prevents the communication for some reason. Instead I just set up Port Redirection for the ports they want to use. I would have preferred not to do it this way and allow the other company to have greater control over their own configuration. It's not a deal breaker and I can work with it.

I also set up the address mapping so their public IP address appears as the alias.

On changing the VLANs, the Draytek did not disable the network this time so it seems that was not normal behaviour. I just need to be careful with this in the future in case it happens again.

06 Aug 2015 18:57 #5 by adriandaz
Replied by adriandaz on topic Re: Sharing a single wan connection
Hi, I have been doing some further testing and believe I have made it work the way you first wanted it to...

Assign the WAN IP you want to allocate to them as an alias (do not tick the join NAT pool)

Under LAN > VLAN page, assign all your ports to a VLAN, except the port you are assigning them, let's say you are giving them VLAN2, then select a subnet for them, let's say LAN2 (I did not assign any VLAN tag or VID)

Under LAN > General setup, tick LAN 2 to enable it, and click details and select enabled and for NAT usage. (you will probably disable DHCP here too)

Go to Load-Balance/Route Policy, create a new rule with the source start and end of their router WAN e.g. 192.168.5.2 to destination any, select YOUR WAN from the list, and the IP ALIAS you are assigning them. Force NAT, then next, finish.

Lastly, under NAT > DMZ, assign the ALIAS IP to their new WAN IP (192.168.5.2)


Done :)

08 Aug 2015 13:32 #6 by kenhughes1024
Replied by kenhughes1024 on topic Re: Sharing a single wan connection
That is pretty much how I have set it up. I did not have a Policy Route option but I upgraded the firmware and the Address Mapping that I had set up was then changed to a policy route after the upgrade. Albeit there are slight differences, such as I do not have the option to Force NAT.

Still when I enable the DMZ Host there is no connection so I think I have to go with the Open Ports option.
