IT guy on my current job will not let me use his network due to HIPAA concerns, which I'm fine with.

I need access for HAI, cameras, WattBoxes, DMX (Pandora) etc.

His suggestion was to create totally seperate networks with seperate static IPs from ISP, Comcast in this case.

Client ordered the service which is suppose to be turned on tomorrow.
Currently there is a Netgear CG3000DCR gateway/router in the building. 

I'm going to use my Mikrotik RB750 for routing.

How do I use the different IPs? 
Will the CG3000DCR have different static IP on each of it's 4 ports?
Am I correct in ASS-UmIng that the CG3000DCR will have to have it's router part disabled, by putting it into bridge mode?
 

I am not sure how what you can do with the netgear Mario, but you certainly can pull that off with a Mikrotik 450G or larger.
How many static IPs are in use now?

All you really need is 1 static ip and route all the devices

Hai. :81
Service x :82
Cameras. :83-999

All on one static ip

Yes you have it basically correct. Isp modem goes in bridge mode and you run your own router with the wan set for one of the static IPs and setup like normal. All client access will be the same as if they are off site since their network will be totally seperate.

Just to clarify, i hope the IT person is running his own router and not relying on the Comcast pos.

+1

The Netgear CG3000DCR supports two public static IP subnets.

Are both of those already in use?

I would be surprised if they would allow you to put it in bridge mode.

Are there any unused LAN ports?

If so the IT guy ought to be able to route one of the new static IP addresses and create a dedicated sub-net for you on the LAN port.

moved to bottom of thread 

Currently 1 static IP, going to total of 5 but we only really need 2. Comcast sells them in blocks of 5.

Just so I understand: with 450G, one physical connection comes from ISP gateway/modem and Mikrotik handles separating each IP by physical port and/or software routing?

Not applicable in this instance because IT guy will have a fit if I tell him that he has to use my router to get to the internet, but good to know for future.

Ed, I understand that.
That's all going to be handled with the 750. 
My question is how to get IT guy his IP and keep one for myself? All while maintaining physical separation of networks and equipment.

So how do access my IP address and how does IT guy access his?
Where do I plug my RJ45 and IT his? (Please don't make this dirty, I need to get this working this morning :-)  ).

And, yes; IT guy is using some sophisticated firewall gizmo with all sorts of bells and whistles. He definitely knows his shit and Doctor trusts him explicitly; he's just paranoid and doesn't want others (me) unrestricted/unmonitored access to his HIPAA certified network. IT guy has been with this office/practice for some time, while I'm the new guy in this deal.

Is this software or hardware configuration?


No, right now there is only 1 IP to the building. All I wanted is a 2nd one, but Comcast issues them in blocks of 5.


Who is they? Comcast?
Comcast already switched the gateway to bridge mode but then I lost all Internet communication. Tech support lady was an idiot and coulnd't help. She was blaming issues in the pending upgrade from 1 to 5 static IPs.
I kept asking her for credentials, like PPPoE that I'm used to typing in with DSL,  if that's what they used so I could enter them into the router, and she was telling me that username/password were the default CUSADMIN & HIGHSPEED.
In bridge mode, I couldn't get anything working. Gateway would not issue an IP,  when my laptop was connected directly to any of the 4 ports on the gateway. Same with connecting the 750 into the gateway.
As soon as they put gateway into standard mode, IP was issued, but it was single IP on all 4 ports.
When I logged into the gateway, I did not see any way to route IPs by port.


Yes, only 1 out of 4 ports was used by IT guy, I was going to use any ONE of the other 3.


How? Is this software or hardware configuration in the gateway?
Do I leave the gateway in standard modem/routing mode? Won't that create double NAT issues?

Guys, thanks for replays.

To clarify, this is new install that I pre-wired.
It's a dental office.
IT guy owns the server, PCs, digital X-Ray imaging data transport.

I own the rest; A/V, security, access control, CCTV.


Comcast activated new service on Monday issuing 1 static IP and installed CG3000DCR for the Internet gateway/routing.

IT guy is control freak and doesn't want me to have unrestricted access on 'his' network.
His solution is for me to have a separate network altogether.
No, subnets, no dedicated DHCP or IP range.
His router/firewall shuts down after business hours; as in totally powers down until AM, meaning there is no way client can log into security system or CCTV for remote monitoring/viewing.

He doesn't want me on his network.
He also obviously doesn't want to be subservient to my network, so solution is to create two separate, independent (Layer1).

Comcast is issuing 5 static IPs.
He can have one, I can use the 2nd one; rest will go unused.

With all of that said, I'm simply looking for explanation of how to take Comcast issued static IPs and give one to IT guy and use the second.

So the question is this: with multiple WAN IP addresses issued to one building how do I make it work?

All of the static IP's that are assigned to the account would be available from the modem/gateway. If the modem/gateway only has 1 RJ45 output, like most, then you can easily drop a small network switch in between the modem and yours/his routers. Then you would assign one of the statics as your WAN IP and another for his.

This way when his network shuts down, yours is still running smoothly and completely separate from his.

What kind of modem did they provide? the CG3000DCR? If that's the case, then you should be able to just plug in to one of the gigabit ports and assign your 750 one of the static IP's. Provided that Comcast has actually set up the block for that modem.

Also, when you say he shuts down the network at night, does this include the modem? Cause it shouldn't.

Yes, CG3000DCR is what's provided and it has 4 ports.
So the IPs doesn't have to be assigned to specific port? 
So if Comcast give me 100.0.0.50 thru 100.0.0.54 then I just tell my 750 that the WAN is one (ie 100.0.0.51) and I'm off to the races?
In that case there won't be any issues with double NAT and the usual double router mess?
Will CG3000DCR have to do any port forwarding or routing?

I'm sure this will be all clear to me in 4 hours when I'm onsite but the cell coverage in the building is non existent so if I need to call Comcast tech support, it will be challenging to ask them questions and verity their idea of solution.
 

I think you have it now. Yes you put the modem/router in bridge mode and since the account is static IPs, usually you wont get dhcp anything if you connect your laptop directly to the netgear. If you have to talk to Comcast, ensure you are talking to the business support department since they will actually understand what you are trying to do. Here i deal with Shaw cable and very similar, they used to use Motorola modems and you ran your own router.Now they issue either an Smc or Cisco all in one w wifi, you put in bridge mode and the unit acts just like a plain modem. In that mode any ip info is being issued by the isp network and usually stops issuing dhcp addresses if you are subscribing to static ip setup.