Add public subnet to WAN with and without NAT

Hi everyone,

I’ve got a public /29 subnet from my Dutch ISP Freedom Internet, which is delivered over the PPPoE client that is my WAN interface. I would like to use one of the addresses for my server (directly, without NAT), and the others for various VLANs, like a separate public IP for a guest network (with NAT) and so on. I’ve added the /29 subnet to the IP addresses list on the PPPoE client interface. Is this right, or should it be assigned to the bridge?

How do I configure this? I’ve been trying stuff with routes and netmap, but nothing worked so far.

Thanks in advance for helping.

Is your ISP the gateway (they have the first usable address of the subnet for their router) or do they route the /29 block to you?

The first usable IP address is the “network address”, so I assume that’s for their router.

If that’s really the first usable address, it could be that they’re routing the /29 block to you and they’re using different addresses for the PPPoE link?

That’s correct, the IP address that I get on the PPPoE client is different from the /29 block. The block is an extra add-on.

This is the translated text:

For €17 per month (incl. VAT) you will receive a subnet prefix /29 with 8 consecutive IP addresses (IPv4) of which:

the first and last IP addresses are kept outside the network for technical reasons;
the second to seventh IP addresses can be used for your network. You will use one of these addresses for your modem (gateway).

Your subnet will be placed next to your fixed IPv4 address, which you received from us with your internet subscription. In the confirmation email you will receive the series of IP addresses of your subnet and it will be clearly stated which IP address you can and cannot use.

188.x.x.248 - network IP address
188.x.x.249 - usable for your own network
188.x.x.250 - usable for your own network
188.x.x.251 - usable for your own network
188.x.x.252 - usable for your own network
188.x.x.253 - usable for your own network
188.x.x.254 - usable for your own network
188.x.x.255 - broadcast IP address

That is the more fortunate situation because you can do the following:

For the server you can add one of the addresses directly on the Ethernet port facing it.
For the VLANs and other NATted subnets you could add routes pointing to their gateways with dst-address being a public IP:

/ip route
# Placeholder values: 188.x.x.y is one public address from the /29, NAT_subnet_gateway is the
# address of the device that performs NAT for that subnet (not an address of this router).
add dst-address=188.x.x.y/32 gateway="NAT_subnet_gateway"

After which you would assign the used public IPs to a loopback interface.

I added a route and a loopback, but it doesn’t work. What am I doing wrong?

# 2024-10-08 11:51:32 by RouterOS 7.16
# software id = IQBM-9R8X
#
# model = RB5009UPr+S+
# serial number = HGE09Y6HGZ0
# NOTE(review): the export header carries the device serial number and software id; redact them before posting publicly.
/interface bridge
# Port-less bridge used as a loopback; it anchors the routed public /29 (see /ip address below).
add name=Loopback
add admin-mac=D4:01:C3:93:B6:CC auto-mac=no comment=defconf name=bridge
add disabled=yes name=bridge1
add disabled=yes name=dockers
/interface veth
add address=172.17.0.2/16 gateway=172.17.0.1 gateway6="" name=veth1
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard-inet
/interface vlan
# WAN carrier VLAN 6 on ether1; mtu=1508 presumably leaves room for PPPoE overhead so the session can run max-mtu=1500.
add interface=ether1 mtu=1508 name=bridge-WAN vlan-id=6
# Guest VLAN 100 hangs off the LAN bridge; it carries 10.0.100.0/24 (see /ip address).
add interface=bridge name=vlan-guest vlan-id=100
/interface pppoe-client
add add-default-route=yes allow=pap comment="Freedom Internet" disabled=no interface=bridge-WAN max-mru=1500 max-mtu=\
    1500 name=pppoe-client service-name="Freedom Internet" use-peer-dns=yes user=fake@freedom.nl
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool2 ranges=10.0.100.2-10.0.100.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
add address-pool=dhcp_pool2 interface=vlan-guest lease-time=8h name=dhcp-guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=dockers interface=veth1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
# Only the main bridge is in LAN. vlan-guest, wireguard-inet and Loopback are in neither list, so the
# input-chain rule "drop all not coming from LAN" also blocks router-hosted services from the guest VLAN.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-client list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=77.247.178.54 endpoint-port=51820 interface=\
    wireguard-inet name=peer1 persistent-keepalive=25s public-key="Zee6nAIrhwMYEHBolukyS/ir3FK76KRf0OE8FGtKUnI="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=10.0.100.1/24 interface=vlan-guest network=10.0.100.0
add address=172.17.0.1/16 interface=dockers network=172.17.0.0
# Public /29 placed on the loopback bridge as advised in the thread (the ISP routes the block to the PPPoE
# address). Because this address is local to the router, inbound traffic for it is handled by the input
# chain, which below drops everything not arriving from LAN.
add address=188.213.95.249/29 comment="Freedom subnet" interface=Loopback network=188.213.95.248
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
# Disabled duplicate of the same /29 on the LAN bridge; keep exactly one of the two enabled.
add address=188.213.95.249/29 comment="Freedom subnet dub" disabled=yes interface=bridge network=188.213.95.248
/ip dhcp-client
add comment=defconf interface=bridge-WAN
/ip dhcp-server lease
add address=192.168.1.15 comment="AP Woonkamer" mac-address=60:22:32:25:67:8D
add address=192.168.1.16 comment="AP Slaapkamers" mac-address=18:E8:29:9C:9C:A4
add address=192.168.1.14 comment="AP Garage" mac-address=FC:EC:DA:19:B2:40
add address=192.168.1.24 comment="Unifi switch mini" mac-address=60:22:32:35:F4:0B
add address=192.168.1.12 comment=HomeAssistant mac-address=2C:CF:67:06:A1:BA
add address=192.168.1.2 comment=T330 mac-address=50:9A:4C:86:F2:2A
add address=192.168.1.3 comment="T330 iDrac" mac-address=50:9A:4C:86:F2:2C
add address=192.168.1.21 comment="Airco KH" mac-address=EC:0B:AE:FF:23:6C
add address=192.168.1.22 comment="Airco Woonkamer" mac-address=E8:16:56:04:2B:76
add address=192.168.1.23 comment="Airco Leo" mac-address=E8:16:56:00:25:0D
add address=192.168.1.33 comment="Apple TV LAN" mac-address=A8:51:AB:9E:AC:82
add address=192.168.1.35 comment="Philips OLED TV WLAN" mac-address=E0:75:26:61:97:E0
add address=192.168.1.41 comment=Hue mac-address=EC:B5:FA:16:A3:BF
add address=192.168.1.42 comment="Ikea Dirigeria" mac-address=68:EC:8A:02:33:7D
add address=192.168.1.43 comment="Ring deurbel" mac-address=34:3E:A4:87:A5:B9
add address=192.168.1.44 comment="Ring Chime pro" mac-address=90:48:6C:B0:E1:BD
add address=192.168.1.45 comment=Vaatwasser disabled=yes mac-address=38:B4:D3:AD:67:5D
add address=192.168.1.46 comment=Koelkast mac-address=68:A4:0E:04:8F:79
add address=192.168.1.47 comment=Wasmachine mac-address=00:1D:63:82:E0:22
add address=192.168.1.48 comment="Air purifier" mac-address=04:78:63:95:E2:83
add address=192.168.1.49 comment="Nest thermostaat" mac-address=18:B4:30:71:FD:72
add address=192.168.1.40 comment="P1 gateway" mac-address=3C:39:E7:27:B2:12
add address=192.168.1.39 comment="HW Energysocket" mac-address=3C:39:E7:2A:B2:F6
add address=192.168.1.31 client-id=1:48:b0:2d:e8:cf:a7 comment="Shield LAN" mac-address=48:B0:2D:E8:CF:A7 server=\
    defconf
add address=192.168.1.34 client-id=1:a8:51:ab:8a:f5:ad comment="Apple TV WLAN" mac-address=A8:51:AB:8A:F5:AD server=\
    defconf
add address=192.168.1.38 client-id=1:58:d3:49:40:c:2c comment="HomePod Badkamer" mac-address=58:D3:49:40:0C:2C \
    server=defconf
add address=192.168.1.37 client-id=1:e0:2b:96:ad:b2:9 comment="HomePod Keuken 2" mac-address=E0:2B:96:AD:B2:09 \
    server=defconf
add address=192.168.1.36 client-id=1:e0:2b:96:b4:5f:70 comment="HomePod Keuken 1" mac-address=E0:2B:96:B4:5F:70 \
    server=defconf
add address=192.168.1.30 comment="Nintendo Switch" mac-address=20:1C:3A:11:91:3E server=defconf
add address=192.168.1.32 client-id=1:48:b0:2d:e8:cf:a5 comment="Shield WLAN" mac-address=48:B0:2D:E8:CF:A5 server=\
    defconf
add address=192.168.1.5 client-id=1:dc:4a:3e:ae:e9:f comment="HP Laserjet" mac-address=DC:4A:3E:AE:E9:0F server=\
    defconf
add address=192.168.1.80 client-id=1:a2:ae:8f:34:79:53 comment="MacBookPro Karel" mac-address=A2:AE:8F:34:79:53 \
    server=defconf
add address=192.168.1.81 client-id=1:d4:57:63:ec:8b:7f comment="MacBook Hannah ISH" mac-address=D4:57:63:EC:8B:7F \
    server=defconf
add address=192.168.1.82 client-id=1:0:d2:b1:a7:aa:3c comment="Dell Staedion" mac-address=00:D2:B1:A7:AA:3C server=\
    defconf
add address=10.0.100.50 client-id=1:e2:b8:89:ad:2c:ca comment="iPhone KW sr" mac-address=E2:B8:89:AD:2C:CA server=\
    dhcp-guest
/ip dhcp-server network
# Guests are handed public resolvers, but the dstnat rules below redirect port 53 from every non-WAN
# interface to 192.168.1.12, so guest DNS is intercepted as well.
add address=10.0.100.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.100.1
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# The router resolves for clients and forwards to 192.168.1.12 (HomeAssistant lease above). The input
# chain keeps this resolver LAN-only, which is what allow-remote-requests=yes relies on.
set allow-remote-requests=yes servers=192.168.1.12
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Rules are evaluated top to bottom; the first match wins, and a packet matching no rule is accepted.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything to the router itself from WAN, vlan-guest or wireguard-inet is dropped here (only bridge is in LAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN that were not dst-nat'ed are dropped. A server that gets one of the public /29
# addresses directly (no NAT, as planned in the thread) will also match this rule; an accept limited to that
# server's address and the ports it must expose has to sit above it.
# NOTE(review): no rule separates vlan-guest (10.0.100.0/24) from the LAN bridge (192.168.1.0/24); with the
# implicit accept at the end of the chain, guest-to-LAN forwarding is allowed. Add a drop for
# in-interface=vlan-guest towards the LAN if guest isolation is intended.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# srcnat is also first-match: a rule meant to give the guest VLAN a dedicated public source address must be
# placed above these two masquerade rules, which already match any traffic leaving via WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Redundant with the rule above: pppoe-client is already a member of the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-client
# Inbound 443/80 (and 32400 below) from WAN are forwarded to 192.168.1.2 (T330 lease above).
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=80
# DNS interception: port 53 from any non-WAN interface is redirected to 192.168.1.12, except traffic to or
# from that host itself. The two hairpin masquerade rules that follow cover only 192.168.1.0/24 sources.
add action=dst-nat chain=dstnat dst-address=!192.168.1.12 dst-port=53 in-interface-list=!WAN protocol=udp \
    src-address=!192.168.1.12 to-addresses=192.168.1.12
add action=dst-nat chain=dstnat dst-address=!192.168.1.12 dst-port=53 in-interface-list=!WAN protocol=tcp \
    src-address=!192.168.1.12 to-addresses=192.168.1.12
add action=masquerade chain=srcnat dst-address=192.168.1.12 dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.12 dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard-inet src-address=10.0.100.0/24
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=\
    32400
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip proxy
# Web proxy enabled on TCP 5656. It is reachable from LAN only because of the input-chain drop above; the
# access list below filters by file extension only and is not an access control for who may use the proxy.
# If the proxy is not actively used, disabling it removes a listening service from the router.
set anonymous=yes enabled=yes port=5656
/ip proxy access
add action=deny path=*.flv
add action=deny path=*.avi
add action=deny path=*.mp4
add action=deny path=*.mp3
add action=deny path=*.zip
add action=deny path=*.rar
add action=deny path=*.msi
add action=deny path=*.mkv
add action=deny path=*.7z
add action=deny path=*.tar
/ip route
# CGNAT range routed towards the veth container address; the dockers bridge it sits on is disabled above.
add dst-address=100.64.0.0/10 gateway=172.17.0.2
# Disabled split default routes over the (also disabled) WireGuard tunnel.
add disabled=yes distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# NOTE(review): gateway 10.0.100.1 is this router's own address on vlan-guest, not a downstream NAT gateway,
# so this route does not deliver .254 to a guest host. Presumably an attempt at the thread's route+loopback
# advice; confirm what device, if any, should own 188.213.95.254.
add disabled=no distance=1 dst-address=188.213.95.254/32 gateway=10.0.100.1 routing-table=main suppress-hw-offload=no
/ipv6 address
add address=::d601:c3ff:fe93:b6cc eui-64=yes from-pool=global_pool interface=bridge
/ipv6 dhcp-client
add interface=pppoe-client pool-name=global_pool pool-prefix-length=48 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified default IPv6 filter. Note that the same LAN-list logic applies: vlan-guest is not in LAN.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.time.nl
/system package update
# NOTE(review): the "testing" channel delivers pre-release builds; for an internet-facing production router
# the stable or long-term channel is the usual choice.
set channel=testing
/tool mac-server
# MAC-level access (mac-telnet / mac-winbox) is restricted to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Probably because the VLAN should also be src-natted:

/ip firewall nat
# Gives guest-VLAN sources the public .249 address instead of the PPPoE address. srcnat is first-match, and
# a plain "add" appends after the existing masquerade rules (out-interface-list=WAN), which already match
# this traffic; the rule only takes effect if it is positioned above them (e.g. via place-before).
add action=src-nat chain=srcnat src-address=10.0.100.0/24 to-addresses=188.213.95.249

Thank you so much for your help!