Forwarding static IP over natted network.
DieselPower
 Post subject: Forwarding static IP over natted network.
PostPosted: Mon Jul 07, 2008 7:32 pm 
newbie

Joined: Fri Feb 15, 2008 12:01 am
Posts: 34
Karma: 0
Hi guys, I have a fairly large wireless network using RB411's and XR9 cards. A customer just requested a public static IP. I have several available, but how do I forward it to their router? You can see my network structure in the image below. Both IP's are available on the same port of the DSL modem to the first AP. How do I get it to the client???


Attachment: drawing.png (network diagram)
alex_rhys-hurn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sat Jul 12, 2008 4:31 pm 
Member Candidate

Joined: Mon Jun 05, 2006 7:26 pm
Posts: 276
Karma: 9

Location: Kenya
Hi!

I needed to do basically the same thing:

Refer to this post to see how the guys helped me out. It worked really well.

http://forum.mikrotik.com/viewtopic.php?f=2&t=22671

The thing that worries me is that you show that you are doing NAT twice! Is there any reason for that? NAT is evil as it is and a double NAT is usually to be avoided at all costs.

So this might make your routing of public IP real hard.

Also note that if you are in the habit of using masquerade instead of DST-NAT and SRC-NAT rules for your nat you WILL HAVE TO change away from masquerade.

Regards

Alex


jwcn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sat Jul 12, 2008 8:15 pm 
Forum Guru

Joined: Sun Aug 27, 2006 5:49 am
Posts: 1477
Karma: 2

Location: Maryland, USA
How is NAT evil? I have routed NAT'ed links over 10 hops with no problem.

Passing the static address is a pain though. I had to create separate subnets with routing marks to make that happen.


alex_rhys-hurn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sat Jul 12, 2008 9:44 pm 
Member Candidate

Joined: Mon Jun 05, 2006 7:26 pm
Posts: 276
Karma: 9

Location: Kenya
Forgive the lecture if you know this stuff... But this background has helped me build better networks by avoiding use of NAT wherever possible.

NAT is evil because the hosts that are behind routers that are running NAT do not have end-to-end connectivity. NAT was developed in the 90's to try to conserve IPv4 addresses, and while the internet was growing in popularity and most content was retrieved by browsers and so on (passive internet surfing) this was all OK. But now more than ever internet users are becoming more proactive in using the internet. Uses of the internet that are not NAT friendly include:

P2P
VOIP
Gaming
Servers
Streaming
VPN Tunnels
And so forth.

All these protocols are made more tricky by NAT. Also to run NAT you must have connection tracker enabled = more CPU cycles for the router.

I am not starting to roll out IPv6 in our networks so that all hosts have genuine public IP's.

Anyway, that's my two cents' worth.

Ciao.

Alex


jwcn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sun Jul 13, 2008 5:27 am 
Forum Guru

Joined: Sun Aug 27, 2006 5:49 am
Posts: 1477
Karma: 2

Location: Maryland, USA
Can you give a configuration example showing NAT at the gateway and pure routing on your hops?


alex_rhys-hurn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sun Jul 13, 2008 5:50 pm 
Member Candidate

Joined: Mon Jun 05, 2006 7:26 pm
Posts: 276
Karma: 9

Location: Kenya
OK,

So let's say we have three IP ranges.

10.0.0.0/24 for customers who do not require a public IP, and in this example as a small WISP we are going to use this subnet as our management network too. So, all our APs' backhauls and so on will use these IP addresses. This is configured on ether2, which is the internal interface.

Then we have a public IP Range given to us by our ISP that we configure on ether1 our external interface. e.g. 196.x.x.x/30

As a small WISP, let's say that our upstream ISP will only give us a /27 (30 IP addresses) of public IPs, so they are in pretty short supply, but we can still build our network with private IPs and give out publics to those who need them while others are using private IPs that are NATted at the gateway. Let's call it the 201.x.x.x/27 network.

To start with you set up your network so that it is fully up and running properly with the private IP subnet of 10.0.0.0/24.

At this point you MUST NOT use the MASQUERADE action in your src-nat rules in IP>FIREWALL>NAT to do the natting. The reason for this is that MASQ. will NAT all of your networks and because we want our public IP subnets NOT to be natted we must src-nat ONLY the private subnet. So here is an example src nat rule:
Code:
chain=srcnat action=src-nat to-addresses=196.x.x.x to-ports=0-65535 src-address=10.0.0.0/24 out-interface=ether1


So now all our traffic that is generated by hosts with 10.0.0.0/24 addresses is SRC-NATted out of the ether1 interface on the 196.x.x.x address.

The next step is that we need to divide our /27 into some subnets that we can give to our customers that do need public IP addresses.

So let's say we are going to divide it into a bunch of /30 subnets (so 2 IPs per subnet, with a total of 15 subnets). That means that we can give 15 of our customers a single public IP address. Obviously you apply your own subnet plan here.

Now we have to do the static routing for these subnets so that the addresses can route OVER our private 10.0.0.0/24 Network to the customers CPE.

See diagram:
Attachment: routing.png (routing diagram)


So I think that covers the topic in basic terms. Obviously on larger networks you don't want to do this with static routing, and OSPF is the way forward. That's why I picked this as a small WISP.

So in this example we are able to avoid any double NAT, give customers that need it a public IP, efficiently subnet our public IP's to make efficient use, create a demarcation point where CPE is managed by you and the customer router by themselves.

I am sure there are bits I have missed or whatever. Please point them out, but we do this on many networks that we build and it works really well.


alex_rhys-hurn
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Sun Jul 13, 2008 6:04 pm 
Member Candidate

Joined: Mon Jun 05, 2006 7:26 pm
Posts: 276
Karma: 9

Location: Kenya
I just have to re-iterate that the NAT rules on the gateway are key to getting this right. You must make sure that your NAT rules do not touch any of the public IP subnets that you have.

Here is an example of my NAT rules.
Attachment: nat rules.png (NAT rules screenshot)


Here is the whole routing table. You can see that there are no NAT rules that affect the public subnets.
Attachment: routes.png (routing table screenshot)


tgrand
 Post subject: Re: Forwarding static IP over natted network.
PostPosted: Mon Jul 14, 2008 6:37 pm 
Long time Member

Joined: Mon Aug 21, 2006 1:57 am
Posts: 631
Karma: 3

Location: Winnipeg, Manitoba, Canada
Use interface routing, i.e. PPPoE, and assign a public or private address depending on the client.
Your src-nat rule on your gateway must have a "not" rule for your public addresses.
You must have your ISP forward all public addresses to your gateway's assigned addresses.

Private WILL route over public, it is as simple as that.


ALSO: you must have routing rules for your internal routers to route the traffic.


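The configuration below is an added example written for this thread; it is not any poster's own config and not a MikroTik reference. It puts alex_rhys-hurn's walkthrough (a src-nat rule scoped to the private subnet only, never masquerade, plus static routes for the customer /30s across the private network) and tgrand's "not rule" variant into RouterOS CLI form. The thread's 10.0.0.0/24 is kept; the ISP link and customer block use documentation ranges (192.0.2.0/30 standing in for 196.x.x.x/30, 198.51.100.0/27 for 201.x.x.x/27), and the interface names, CPE addresses 10.0.0.50/10.0.0.51 and the bridged-backhaul assumption are all mine.

```routeros
# Added example for the thread, not a poster's config. Placeholders:
#   192.0.2.0/30     stands in for the ISP link 196.x.x.x/30 (gateway .2, ISP .1)
#   198.51.100.0/27  stands in for the customer block 201.x.x.x/27
#   10.0.0.0/24      the private backhaul / management network from the thread
# Assumption: the wireless backhaul is bridged, so the gateway and every CPE
# sit on the same 10.0.0.0/24 segment. The ISP must route 198.51.100.0/27
# to 192.0.2.2 (tgrand's point), or none of this receives traffic.

# ---------------- Gateway router ----------------
/ip address
add address=192.0.2.2/30 interface=ether1 comment="ISP link (public)"
add address=10.0.0.1/24 interface=ether2 comment="private backhaul / management"

/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 comment="default to ISP"
# Each customer /30 is routed over the private network to that customer's CPE.
add dst-address=198.51.100.0/30 gateway=10.0.0.50 comment="customer 1 /30 via CPE"
add dst-address=198.51.100.4/30 gateway=10.0.0.51 comment="customer 2 /30 via CPE"

/ip firewall nat
# Source-NAT ONLY the private subnet. action=masquerade is deliberately absent:
# it would rewrite the 198.51.100.0/27 customer traffic leaving ether1 as well.
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1 \
    action=src-nat to-addresses=192.0.2.2 comment="NAT private subnet only"

# tgrand's equivalent "not rule" form: NAT everything leaving ether1 EXCEPT
# the public block. Use one form or the other, not both.
# add chain=srcnat src-address=!198.51.100.0/27 out-interface=ether1 \
#     action=src-nat to-addresses=192.0.2.2

# If an AP along the path routes instead of bridging, it needs the same
# dst-address=198.51.100.0/30 route pointing at its next hop towards the CPE.

# ---------------- Customer 1 CPE (e.g. the RB411 at the customer site) ----------------
/ip address
add address=10.0.0.50/24 interface=wlan1 comment="private backhaul side"
add address=198.51.100.1/30 interface=ether1 comment="public /30 handed to the customer"
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="default back to the gateway"
# No NAT rules on the CPE at all. The customer's own router takes
# 198.51.100.2/30 with gateway 198.51.100.1, and that is the demarcation point.
```

A quick check after applying this: from the gateway, `/ip firewall nat print stats` should show the srcnat counter rising only for traffic sourced from 10.0.0.0/24, and a packet from 198.51.100.2 towards the internet should leave ether1 with its address unchanged. If the customer's public traffic still appears as 192.0.2.2, a masquerade or unscoped src-nat rule is still present somewhere in the chain.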
 
All times are UTC + 2 hours