BGP connection, IP CCR to go out

Hello All,

On the CCR I configured a BGP peering connection with 2 multihop remote AS using a private IP and I announced a public /24 subnet correctly. The CCR is connected to the BGP peers on eth1 and to the LAN on eth3. On the LAN I configured some private subnets; using NAT rules the subnets go out with different public IPs.
Everything works fine, but from the CCR I can’t go out (if I try from the ping tool and force the src address to a public IP, it works properly). I need to activate some functions on the CCR (NTP, log to email); the issue seems to be the IP address used by the CCR to go out. Can I “force” the CCR to use a specific IP for itself?

IP address scheme:
ETH1 - IP ptp BGP 10.103.11.54/29
ETH1 - Public.1/29 comment=CCR IP address
ETH1 - Public.2/29 comment=IP to masquerade Nat private business customers
ETH1 - Public.3/29 comment=IP to masquerade Nat private residential customers

ETH3 - Private1/22 comment=Subnet business customers
ETH3 - Private2/22 comment=Subnet residential customers
ETH3 - Public.254/25 comment=Subnet Public IP customers

How can I configure the CCR to go out using the Public.1/29 IP? Thank you in advance
Kind Regards

The problem is that your CCR only has a private IP on the interface, and every packet you source from the CCR will have the private address as src-address.

You can solve this by adding src-nat:

/ip firewall nat add chain=srcnat action=src-nat src-address=10.103.11.54 out-interface=ether1 to-addresses=Public.1

Also, I would suggest not using masquerade; instead use src-nat for your customers as well. And you don’t need to have Public.2 and Public.3 on the ether1 interface (or any other) if you are using them to NAT customers.

Thank you for your suggestion.
My fear is that after adding src-nat with the public IP I can’t establish the connection with the remote BGP peers (10.103.11.49 & 50), or am I wrong?

Hmm, yes, that would happen. Just add dst-address=!10.103.11.48/30 (or whatever the IP of your peer(s) is) to the NAT rule.

Or you can specify a rule in the srcnat chain which exempts BGP peering:

/ip firewall nat add chain=srcnat protocol=tcp dst-port=179 action=accept place-before=0

Put this rule early in the srcnat chain, or at least before any rule(s) which would src-nat traffic from the router itself.
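The three replies above describe one srcnat chain in three states: the plain src-nat rule for the router's own traffic (which would also rewrite the BGP session to the peers), the same rule with the peer subnet excluded via dst-address=!..., and a separate accept rule for TCP/179 placed before it. The following is an added illustration written for this thread, not RouterOS code and not any poster's configuration: a small Python model of a first-match srcnat chain that parses rule lines in the key=value style used above and evaluates them against constructed packets. It assumes RouterOS semantics where the first matching rule decides (action=accept leaves the packet untouched, action=src-nat rewrites the source) and ignores connection tracking; the public addresses are constructed stand-ins from the 203.0.113.0/24 documentation range, since the thread only gives them as Public.1 etc.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the thread's "Public.1" (documentation range).
PUBLIC_1 = "203.0.113.1"
ROUTER_PTP_IP = "10.103.11.54"   # router's own IP on the BGP point-to-point link
PEER_NET = "10.103.11.48/30"     # covers the peers 10.103.11.49 and .50


@dataclass
class Packet:
    """Minimal view of a packet as the srcnat chain sees it."""
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    out_iface: str = "ether1"


def parse_rule(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict; a leading '!' in a value means negation."""
    rule = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rule[key] = value
    return rule


def _matches(rule: dict, pkt: Packet) -> bool:
    """True when every matcher in the rule agrees with the packet (negation honoured)."""
    for key, value in rule.items():
        if key in ("chain", "action", "to-addresses", "place-before", "comment"):
            continue  # not matchers
        negate = value.startswith("!")
        value = value.lstrip("!")
        if key == "src-address":
            hit = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(value, strict=False)
        elif key == "dst-address":
            hit = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(value, strict=False)
        elif key == "protocol":
            hit = pkt.proto == value
        elif key == "dst-port":
            hit = pkt.dst_port == int(value)
        elif key == "out-interface":
            hit = pkt.out_iface == value
        else:
            raise ValueError(f"unsupported matcher: {key}")
        if hit == negate:  # no hit on a normal matcher, or a hit on a negated one
            return False
    return True


def apply_srcnat(rules: list, pkt: Packet) -> str:
    """Walk the chain top to bottom and return the source address the packet leaves with."""
    for rule in rules:
        if rule.get("chain") != "srcnat" or not _matches(rule, pkt):
            continue
        if rule["action"] == "accept":
            return pkt.src            # accept terminates: no translation
        if rule["action"] == "src-nat":
            return rule["to-addresses"]
        raise ValueError(f"unsupported action: {rule['action']}")
    return pkt.src                    # no rule matched: unchanged


# The first suggestion in the thread, with constructed public address.
ROUTER_SRCNAT = parse_rule(
    f"chain=srcnat action=src-nat src-address={ROUTER_PTP_IP} "
    f"out-interface=ether1 to-addresses={PUBLIC_1}"
)
# Second reply: same rule, but the peer subnet is excluded with a negated dst-address.
ROUTER_SRCNAT_EXEMPT_PEERS = parse_rule(
    f"chain=srcnat action=src-nat src-address={ROUTER_PTP_IP} dst-address=!{PEER_NET} "
    f"out-interface=ether1 to-addresses={PUBLIC_1}"
)
# Third reply: a separate accept rule for BGP, which only works if it precedes the src-nat rule.
BGP_ACCEPT = parse_rule("chain=srcnat protocol=tcp dst-port=179 action=accept")

NAIVE_CHAIN = [ROUTER_SRCNAT]
DST_EXEMPT_CHAIN = [ROUTER_SRCNAT_EXEMPT_PEERS]
BGP_ACCEPT_FIRST = [BGP_ACCEPT, ROUTER_SRCNAT]
BGP_ACCEPT_LAST = [ROUTER_SRCNAT, BGP_ACCEPT]   # wrong order: accept never reached

# Constructed sample packets originated by the router itself.
BGP_TO_PEER = Packet(src=ROUTER_PTP_IP, dst="10.103.11.49", proto="tcp", dst_port=179)
NTP_TO_INTERNET = Packet(src=ROUTER_PTP_IP, dst="192.0.2.10", proto="udp", dst_port=123)

if __name__ == "__main__":
    for name, chain in [("naive", NAIVE_CHAIN), ("dst-exempt", DST_EXEMPT_CHAIN),
                        ("accept-first", BGP_ACCEPT_FIRST), ("accept-last", BGP_ACCEPT_LAST)]:
        print(f"{name:13s} BGP->peer leaves as {apply_srcnat(chain, BGP_TO_PEER)}, "
              f"NTP->internet leaves as {apply_srcnat(chain, NTP_TO_INTERNET)}")
```

Running the block shows the failure mode the second poster worried about: with the naive chain the BGP session to the peer is rewritten to the public address and the session would not establish, while either the negated dst-address or an accept rule placed before the src-nat rule keeps the peering untouched and still sends the router's NTP and mail traffic out as Public.1. The accept-last chain demonstrates why the last reply insists on rule order.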