FragglePete

I have a fantastic diagram on how VLAN's work if you would like to see!

You want routing rather than NAT unless you have two seporate chunks using the same ip addresses and need to use double NAT and routing. Using seporate ip ranges and routing should be much simpler.

Thanks @SYNACK - The problem is the we're on a particular scope from SWGfL, so can't route from one subnet to this subnet through their gateway, that's why we need to use NAT. I think I got that right anyway!

Pete

You could use a single NAT stage at the interface to the LA network and have all the internal stuff behind it. A decent layer 3 switch (possibly with the advanced firmware option - depending on vendor) could let you run one to one NAT so outside you have the LA subnet lets say 172.16.1.1 to 172.16.2.254 then inside have your network split into chunks that add up to at avalible range from the LA. This way you do not need to use NAT overloading (all on one IP and stacked by messing with port numbers).

This way the LA does not see anything different and can't throw fits but you still get to use propper routing and subnets inside despite the primative conditions imposed by the upstream network.

You do need to use different subnets for each VLAN otherwise it breaks tcp/ip routing to the point that it does not work.

Again, thanks @SYNACK - I'm going to try and work out exactly what you mention; not sure how, would appreciate a nudge in the right direction. Our Core switch is a HP Procurve 5406zl.

Pete