We have PMP450 APs and SMs currently. And our first tower and first handful of subscribers were configured by a consultant of ours. I have just followed suit with how it was configured for all other subscribers that we have gotten since then. We are still just barely getting things going, we have a second tower with only about 5 or 6 subscribers on it and are about to add 2 other tower locations. Anyway, I went to PMP450 certification training recently, and the instructor had mentioned that you never give the subscriber modules a public IP address. Well, how we began was with SMs getting public IPs. See we are a FTTH ISP already, and before that we had DSL. The modems always got public IPs, so when we went fiber, the customer's router got a public IP. So naturally, when we started up the fixed wireless, the SMs got a public IP. Since this concerned me, I contacted Vernon Tindell from Cambium to ask him about this. He told me that it is best practice to not have public IPs on SMs. And that he likes to put a router at every tower location.
I have talked to a couple other people who have deployed fixed wireless, and they use switches at each tower location and use public IPs on SMs.
So could everyone please chime in here for me and let me know how you do it? I am so confused at this point. We have so few customers right now, so if i needed to make a change, now would be the best time.
Let me premise this by saying that not everyone's configuration will work for everyone else. We each have our own ways of doing things that work for us, so my way not be the best.
We use VLANs for all customer traffic. None of our SM's have public IP's. Public IPv4 addresses are tough to get these days, let alone hundreds or thousands. For the most part, we make each one of our tower sites (and minor sub-sites off those) belong to their own VLAN. Some SMs get a private IP (management VLAN), and most subscribers get private IPs on that site's customer VLAN (most SMs are left at default IP unless we need to manege them directly). Then we NAT all of those customers behind one public IP. Some customers require public IP's, so they are on a different VLAN (even if they are on the same tower as private IP space). VLANs let us logically keep private and public IP spaces separate.
To outline how we're set up: (~2500 client devices split among PMP100, PMP320, and ePMP 2.4 and 5.8, and PMP450i)
We try to put a router at each tower, though we don't have 100%. (one that lack a router have gateways on - and DHCP from - the upstream router)
We use statically assigned 10.a.b.c for all radios.
Second octet 'a' is specific to each tower, so we route all 10.12.b.c/16 for example to the router at the appropriate tower. (which has 10.12.12.1, 10.12.14.1, etc gateway IPs for those subnets)
Then 'b' is different for different tech, so .12 is ePMP5.8 while .14 is 900MHz PMP450i. (we currently use .10 through .15 for radios, .20 through .25 for VOIP ATAs)
For the last octet 'c', we keep APs in .2 to .15, SMs .16 and higher. (makes for easier nmap scanning and such)
All the radios are typically set to Bridge mode, and the customer's router pulls public-IP DHCP from us. (of course we also have to subnet our public blocks and route them to each tower as needed)
Any tech/admin needing to access the radios from off-network can reach them through VPN to our core router.
For reference, I use an IP scheme similar to @newkirk. Also, we do not serve DHCP. Every customer has a staic private/public IP - that's what we use for accounting.
We use one (two redundant) routers for edge routers that aggregate all of the VLANs and traffic. This makes our tower network a pretty flat layer 2 network. I have often thought about changing to a router at each site, but it's apile of work for me, and I would need to keep the layer 2 part for our public IP VLAN.
We use pfSense routers for all of our routers. I like the flexibility in configuration and monitoring. I used to use cheap hardware (APU boards), but have moved to official Netgate hardware in recent years and haven't had any issues at all.
Our wireless network mirrors the others you mention in your post. We use switches at the tower, and the SMs get public IPs. Not sure if this is the best way to do it, but it has worked well for us and haven't had any serious issues from this. The SMs are not accessible via the public IP, even with NAT configured. On rare occasion we have had issues bridging SMs though, which is why we use NAT on the SM and give the SM the public IP.
We use pppoe with radius tied to the billing portal, software for all sm s and any account conected to the system no mater the hardware used. All routed ospf network. Each Tower has a BH Router and a router that hanndles pppoe for the customers. The pppoe hands out 1 public IP to the SM or customer router if in bridge mode. allows full use of a public ip block. ex 10.10.10.0 /24 we will have 254 ip address to hand out. Alos allows very quick change in the system for new ip blocks , netwotk topagraphy changes ect with little effort. Very simple setup and allows for fast growth.