Apologies in advance for the botched terminology. I have read the Server Fault Subnet Wiki but this is more of an ISP question.
I currently have a /27 block of public IPs. I give my router the first address in this pool and then use 1-to-1 NAT for all the servers behind the firewall, so that they each get their own public IP.
The router/firewall is currently using (actual addresses removed to protect the guilty):
IP Address: XXX.XXX.XXX.164
Subnet mask: 255.255.255.224
Gateway: XXX.XXX.XXX.161
What I would like to do is break out my subnet into two separate /28 subnets, and do this in a way that is transparent to the ISP (i.e., they see me as continuing to operate a single /27).
Currently, my topology looks like:
            ISP
             |
     [Router/Firewall]
             |
  [Managed Ethernet Switch]
     /         |         \
[Server1]  [Server2]  [Server3] (etc)
Instead, I would like it to look like:
               ISP
                |
            [Switch]
           /        \
    [Router1]      [Router2]
     |     |        |     |
   [S1]  [S2]     [S3]  [S4] (etc)
As you can see, this would partition me into two separate networks.
I'm struggling with what the correct IP settings would be on Router1 and Router2.
Here's what I have right now:
              Router1          Router2
IP Address:   XXX.XXX.XXX.164  XXX.XXX.XXX.180
Subnet mask:  255.255.255.240  255.255.255.240
Gateway:      XXX.XXX.XXX.161  XXX.XXX.XXX.161
Note that normally you would expect Router2 to have a gateway of .177, but I'm trying to get them both to use the gateway originally given to me by the ISP.
Is subnetting like this in fact possible, or am I completely botching the most basic concepts?
--
Edit
Several people have asked "Why". There are a couple of specific reasons why I want to do this:
My router/firewall locks up every 6-8 weeks. I've gone through a litany of devices: NetGear FVS318, Linksys RV042, Watchguard Firebox Edge X20e, and a Cisco ASA 5505. The same thing has happened with all devices, and it's apparently due to the dozen or so IPSec VPN tunnels that the device manages. Whenever it locks up, a network engineer needs to physically power-cycle the device.
I have one large client and about 1/2 the servers in the cabinet are theirs. I would like that client to be able to manage the firewall and VPN rules themselves instead of going through me. This way, I would give them root access to Router2 and they could manage everything themselves without causing any problems to Router1.
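As an added worked example (not part of the original question), the script below splits a /27 into its two /28 children and checks, for each router's address and mask from the table above, whether the ISP-assigned gateway .161 lies on that router's directly connected subnet. The anonymised XXX.XXX.XXX prefix is replaced with the 203.0.113.0/24 documentation range as a constructed stand-in.

```python
import ipaddress

# Constructed stand-in for the question's anonymised XXX.XXX.XXX prefix;
# 203.0.113.0/24 is reserved for documentation and routes nowhere.
BLOCK = ipaddress.ip_network("203.0.113.160/27")
ISP_GATEWAY = "203.0.113.161"


def split_block(block, new_prefix=28):
    """Return the child subnets of `block` at `new_prefix` as dicts."""
    result = []
    for net in block.subnets(new_prefix=new_prefix):
        hosts = list(net.hosts())  # excludes network and broadcast addresses
        result.append({
            "network": str(net),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
        })
    return result


def gateway_reachable(router_ip, mask, gateway):
    """True if `gateway` is inside the subnet defined by `router_ip`/`mask`.

    A host only ARPs for addresses within its own subnet, so a default
    gateway outside that range is unreachable even when the ISP router
    sits on the same physical switch.
    """
    iface = ipaddress.ip_interface(f"{router_ip}/{mask}")
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    for child in split_block(BLOCK):
        print(child)
    # Router1 (.164) and Router2 (.180) with the /28 mask from the table
    for name, ip in (("Router1", "203.0.113.164"), ("Router2", "203.0.113.180")):
        ok = gateway_reachable(ip, "255.255.255.240", ISP_GATEWAY)
        print(f"{name}: gateway {ISP_GATEWAY} on-link with /28? {ok}")
```

Changing the mask argument to 255.255.255.224 shows how the same two addresses behave when both routers keep the original /27.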