DieselPower
newbie
Topic Author
Posts: 35
Joined: Fri Feb 15, 2008 12:01 am

Forwarding static IP over natted network.

Mon Jul 07, 2008 8:32 pm

Hi guys, I have a fairly large wireless network using RB411s and XR9 cards. A customer just requested a public static IP. I have several available, but how do I forward it to their router? You can see my network structure in the image below. Both IPs are available on the same port of the DSL modem to the first AP. How do I get it to the client???
 
alex_rhys-hurn
Member
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Forwarding static IP over natted network.

Sat Jul 12, 2008 5:31 pm

Hi!

I needed to do basically the same thing:

Refer to this post to see how the guys helped me out. It worked really well.

http://forum.mikrotik.com/viewtopic.php?f=2&t=22671

The thing that worries me is that you show that you are doing NAT twice! Is there any reason for that? NAT is evil as it is and a double NAT is usually to be avoided at all costs.

So this might make your routing of public IP real hard.

Also note that if you are in the habit of using masquerade instead of DST-NAT and SRC-NAT rules for your nat you WILL HAVE TO change away from masquerade.

Regards

Alex
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Forwarding static IP over natted network.

Sat Jul 12, 2008 9:15 pm

How is NAT evil? I have routed NAT'ed links over 10 hops with no problem.

Passing the static address is a pain though. I had to create separate subnets with routing marks to make that happen.
 
alex_rhys-hurn
Member
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Forwarding static IP over natted network.

Sat Jul 12, 2008 10:44 pm

Forgive the lecture if you know this stuff... But this background has helped me build better networks by avoiding the use of NAT wherever possible.

NAT is evil because the hosts that are behind routers that are running NAT do not have end-to-end connectivity. NAT was developed in the 90's to try to conserve IPv4 addresses, and while the internet was growing in popularity and most content was retrieved by browsers and so on (passive internet surfing) this was all OK. But now more than ever internet users are becoming more proactive in using the internet. Uses of the internet that are not NAT friendly include:

P2P
VOIP
Gaming
Servers
Streaming
VPN Tunnels
And so forth.

All these protocols are made more tricky by NAT. Also, to run NAT you must have connection tracking enabled = more CPU cycles for the router.

I am now starting to roll out IPv6 in our networks so that all hosts have genuine public IPs.

Anyway, that's my two cents' worth.

Ciao.

Alex
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Forwarding static IP over natted network.

Sun Jul 13, 2008 6:27 am

Can you give a configuration example showing NAT at the gateway and pure routing on your hops?
 
alex_rhys-hurn
Member
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Forwarding static IP over natted network.

Sun Jul 13, 2008 6:50 pm

OK,

So let's say we have three IP ranges.

10.0.0.0/24 for customers who do not require a public IP, and in this example as a small WISP we are going to use this subnet as our management network too. So, all our APs' backhauls and so on will use these IP addresses. This is configured on ether2, which is the internal interface.

Then we have a public IP range given to us by our ISP that we configure on ether1, our external interface, e.g. 196.x.x.x/30.

As a small WISP, let's say that our upstream ISP will only give us a /27 (30 IP addresses) of public IPs, so they are in pretty short supply, but we can still build our network with private IPs and give out publics to those who need them while others are using private IPs that are NATted at the gateway. Let's call it the 201.x.x.x/27 network.

To start with, you set up your network so that it is fully up and running properly with the private IP subnet of 10.0.0.0/24.

At this point you MUST NOT use the MASQUERADE action in your src-nat rules in IP>FIREWALL>NAT to do the NATting. The reason for this is that MASQ. will NAT all of your networks, and because we want our public IP subnets NOT to be NATted we must src-nat ONLY the private subnet. So here is an example src-nat rule:
chain=srcnat action=src-nat to-addresses=196.x.x.x to-ports=0-65535 src-address=10.0.0.0/24 out-interface=ether1 
So now all our traffic that is generated by hosts with 10.0.0.0/24 addresses is SRC-NATted out of the ether1 interface on the 196.x.x.x address.

The next step is that we need to divide our /27 into some subnets that we can give to our customers that do need public IP addresses.

So let's say we are going to divide it into a bunch of /30 subnets (so 2 IPs per subnet) with a total of 15 subnets. That means that we can give 15 of our customers a single public IP address. Obviously you apply your own subnet plan here.

Now we have to do the static routing for these subnets so that the addresses can route OVER our private 10.0.0.0/24 network to the customer's CPE.

See diagram:
routing.png
So I think that covers the topic in basic terms. Obviously on larger networks you don't want to do this with static routing, and OSPF is the way forward. That's why I picked this as a small WISP.

So in this example we are able to avoid any double NAT, give customers that need it a public IP, efficiently subnet our public IPs to make efficient use of them, and create a demarcation point where the CPE is managed by you and the customer router by themselves.

I am sure there are bits I have missed or whatever. Please point them out, but we do this on many networks that we build and it works really well.
 
alex_rhys-hurn
Member
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Forwarding static IP over natted network.

Sun Jul 13, 2008 7:04 pm

I just have to reiterate that the NAT rules on the gateway are key to getting this right. You must make sure that your NAT rules do not touch any of the public IP subnets that you have.

Here is an example of my NAT rules.
nat rules.png
Here is the whole routing table. You can see that there are no NAT rules that affect the public subnets.
routes.png
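The gateway pieces Alex describes in the two posts above (src-nat only the 10.0.0.0/24 private subnet, carve the ISP /27 into /30s, static-route each /30 over the private backhaul to the customer's CPE, and check that no NAT rule touches the public block) as an added worked example, not code from the thread or from MikroTik. The 196.0.0.2 and 201.0.0.0/27 values are constructed placeholders for the 196.x.x.x and 201.x.x.x/27 addresses in the posts, and the CPE gateway addresses are made up.

```python
import ipaddress

# Constructed placeholder values standing in for the thread's 196.x.x.x / 201.x.x.x/27.
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")      # customers + management backhaul
GATEWAY_WAN_IP = ipaddress.ip_address("196.0.0.2")     # gateway address on ether1
PUBLIC_BLOCK = ipaddress.ip_network("201.0.0.0/27")    # ISP-routed block for customers


def split_public_block(block, prefixlen=30):
    """Carve the ISP block into per-customer subnets (a /27 yields eight /30s)."""
    return list(block.subnets(new_prefix=prefixlen))


def srcnat_rule(private_net, wan_ip, out_iface="ether1"):
    """RouterOS src-nat that translates ONLY the private subnet; never masquerade,
    because masquerade has no src-address and would also rewrite the public /30s."""
    return (f"/ip firewall nat add chain=srcnat action=src-nat "
            f"src-address={private_net} out-interface={out_iface} "
            f"to-addresses={wan_ip}")


def customer_routes(subnets, cpe_gateways):
    """One static route per public /30; the next hop is the customer's CPE address
    on the 10.0.0.0/24 backhaul, so the public block routes OVER the private net.
    The CPE holds one address of the /30 and the customer router the other (demarcation)."""
    return [f"/ip route add dst-address={net} gateway={cpe}"
            for net, cpe in zip(subnets, cpe_gateways)]


def nat_touches_public(nat_src_addresses, public_block):
    """Audit check from the follow-up post: return every srcnat src-address that
    overlaps the public block (must be empty). None models a rule with no
    src-address, e.g. action=masquerade, which matches everything."""
    hits = []
    for src in nat_src_addresses:
        if src is None or ipaddress.ip_network(src).overlaps(public_block):
            hits.append(src)
    return hits


if __name__ == "__main__":
    subnets = split_public_block(PUBLIC_BLOCK)
    print(srcnat_rule(PRIVATE_NET, GATEWAY_WAN_IP))
    for line in customer_routes(subnets[:3], ["10.0.0.10", "10.0.0.11", "10.0.0.12"]):
        print(line)
    print("NAT overlaps public block:", nat_touches_public(["10.0.0.0/24"], PUBLIC_BLOCK))
```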
 
tgrand
Long time Member
Posts: 667
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Re: Forwarding static IP over natted network.

Mon Jul 14, 2008 7:37 pm

Use interface routing, i.e. PPPoE, and assign a public or private address depending on the client.
Your src-nat rule on your gateway must have a "not" rule for your public addresses.
You must have your ISP forward all public addresses to your gateway's assigned addresses.

Private WILL route over public, it is as simple as that.

ALSO: you must have routing rules for your internal routers to route the traffic.
