Cannot seem to route using a static IP on CPE

Hi I have a problem with routing, I am trying to route to a router connected to the internet, I have 5 subnets in 2 public ranges and on this router 2 subnets of 2 ranges are being used, one on the WAN and one on the LAN and 2 subnets on one range on the upstream router.

I have a static IP on the WAN which is ..137.2/28 on my LAN port I have ..138.125/25, the static IP I am trying to use on a CPE router is ..138.4/25

I have a static route set of 0.0.0.0/0 gateway ..137.241 ( which is the gateway IP and is on the next router up stream ) the netmask on that is 255.255.255.240 which is /28

I can not get any internet through the router or any other traffic.

Now if I set up with the above settings, except that I have now created a bridge ( Bridge 1 ) with a single interface, the same interface that I am trying to connect through with the ..138.125/25 which is now assigned to the bridge and I set up a PPPoE server on it, the PPPoE server then points to a Freeradius/Daloradius server for Authentication, the Freeradius/Daloradius server assigns the same IP I am trying to use as a static IP, lo and behold everything works perfectly.

The difficult job works ( PPPoE ), :( what should be the easy static IP job does not, I am missing something I just do not know what.

Anybody any ideas?

I really don’t have a clear picture of your design. This really should be straightforward.
From what I read here, though, it sounds like you don’t quite understand subnet masking. You mention your WAN ip is .137.2/28 but that your default gateway is .137.241/28 - unless you mean that your router’s wan interface is 241 and the isp’s router is in that network as well, you’ve got something wrong…

.241/28 is not in the same network as .2/28

Then you mention the LAN interface is 138.125/25 - and you’re configuring a client router as 138.4/25
This is also a case of two different subnets.

PPP works in a lot more circumstances because it sets up the routing automatically, plus the local and remote IP don’t even have to be in the same class A network, let alone same /25…

If you put x.x.138.125/25 on interface ether2 and then connect ether2 to a switch, any device you connect to that switch will need to have x.x.138.126 - x.x.138.254 as its IP address. Furthermore, the device’s default gateway should probably be x.x.138.126… If x.x.138.138 is a router, and that router’s LAN interface is 192.0.2.14/24, then you should make a static route 192.0.2.0/24 gateway=x.x.138.138 (not gateway=192.0.2.14)

If you haven’t gotten this working after some more tinkering around, please post the output of these commands:
/interface export compact
/ip address export compact
/ip route export compact

We won’t worry about firewall because it sounds like you’re not doing NAT or anything like that.

Typo keys did not respond to my light touch, :- the WAN is ..137.242/28

And yes it should be straightforward, try as I may it will not work, as I said if I set it up as PPPoE server no problem

The ranges I have been given by the ISP are ..137.240 - 255 /28 or 255.255.255.240, 14 useable IP’s which are .241 - .254, the gateway on upstream router is 137.241 mask is 255.255.255.240

Other Ranges are ..138.0-128 /25 mask is 255.255.255.128 ( 126 usable ) and ..138.128-192 /26 mask is 255.255.255.192 ( 62 Useable )

Useable IP’s are 138.1 - 127 and 138.129 - 191

WAN on Mikrotik is 137.242 mask is 255.255.255.240

The reason I have .125 on LAN port and therefore gateway for the downstream router is that I intend to use .126 and .127 on other ports that are no longer in the switch bank or possibly VLANS or on other routers.

It is confusing me how I am supposed to make it work.

Please give me the information I requested.

This is a bit of a strange allocation to me, but it’s not something ‘un-standard’
Basically, your router is on the internet with the IP x.x.137.242 - It can ping, send emails, fetch files with fetch, etc - the router itself is a fully functional host.

The internet is handing those IPs ranges you listed to your ISP, who then routes them to your mikrotik.
If you did nothing, then any packet going to one of those addresses would bounce its merry way along the internet until it hits your router - which at first does not know about these ips, so it will use the one and only route it really has - the default GW, and send them back to the isp, which will send them back to you, back and forth like a tennis ball, until the TTL expires on the packet and it disappears.

Since these addresses come to you as two blobs of space, you can either apply them directly to interfaces, or apply any subnet of them to an interface, or you can create a route statement to pass some or all of them on to another host.

Suppose you want to use the /25 to chop up and route to customers, and use the /26 as your “wan area” for customers. Put .138.129/26 on an interface - and then connect that interface to a switch. Anything you plug into that switch must now use one of those useable IPs from that range, and must use .138.129 as its default gateway.

Suppose customer147 puts x.x.138.147/26 on their wan interface and connects to your router on this network, and sets its default GW to .138.129 - then they will now be just like your router was at the beginning of this explanation. Now you can route them 4 IP addresses - create a route x.x.138.0/30 gateway=x.x.138.147

Now those 4 addresses go all the way from the Internet to this customer’s router, and they may now use them for NAT or whatever.

The point to learn from all of this - all hosts on a network switch, or vlan, must use the same IP range in order to get to each other using that network. If you plug two computers into a switch with one being 10.10.10.100/24 and the other being 192.168.100.100/24 then they cannot talk to each other even though they’re plugged into the same switch.

So when you put .138.129/25 on an interface, then connect that interface to a switch - anything else you connect to that switch must be in that range of IP addresses, or else it will not be able to talk to your mikrotik, or the Internet through your Mikrotik.

Thanks a lot for the help.

What you say is similar to what I have done, except I am using the 138.125/25 on the LAN interface of the router as the gateway for anything connected to the other ports of the switch, I want to assign 138.1 to 138.124 to customers CPE’s as single static IP addresses on their WAN ports with 138.125/25, but it does not route unless I set it up as a PPPoE server.

At the moment I am using the 138.129 to 138.191 on another router on a different physical Network segment ( No possibility of interaction between segments. ), that router is configured as a NAT router ( because of number of users ) and a lot of them are assigned those public IP’s using a 1:1 NAT.

It started off very small hence the NAT router but it has grown larger than I initially planned for.

P.S. The other router has 137.243/28 as the WAN IP and 137.241/28 as the gateway.

Ok - so if you’re 100% certain the IP addresses are set correctly (make sure the network=____ is correct too - if you change IPs this can get messed up) on each interface and the IP/Mask/default GW is correct on the client devices, then it’s time to look for more exotic things - arp is enabled, no firewall / nat rules interfere with the communication, ip forwarding is enabled in system… etc.
Can you ping the hosts from the mikrotik?
Can they ping the mikrotik?
Can they ping the Mikrotik’s wan IP?
Can they ping the Mikrotik’s default GW?
Is it something silly like faulty DNS configuration on hosts / firewall filter blocks DNS / DNS server won’t answer requests from 138.0/25 ?
Does the Mikrotik’s MAC show up in the arp tables of the hosts?
Do the hosts’ MACs show up in the Mikrotik’s arp table?

fwiw - pppoe might be a better solution anyway, since it gives you much more control over what the users get for IP addresses, speeds, connect times, etc - just don’t use bridging + dhcp for your pppoe. Instead, blackhole route the entire pool, assign client IPs from that pool, and set local IP = x.x.137.241 on the profile. (you don’t even need to make .1 = the pppoe server!)

I will get back to you with the info you asked after I have done the tests, I am not using DHCP to assign the PPPoE addresses on this router they are all setup in Daloradius/Freeradius server.

I had to assign a bridge before the built pppoe server would work, so how do you black hole it?

This router is a mile away on a mountain so have to be very careful when I make changes.

You don’t need the bridge interface.
To black-hole the addresses, create a static route e.g. dst=x.x.138.0/25 type=blackhole
This will discard any packets to any addresses that aren’t active on PPPoE sessions.

If the router is connected to the other Mikrotik at the site, you can MAC telnet from one to the other even if you screw up the IP addressing / firewalling / etc. As long as they’re on the same broadcast segment, you can do it. (and of course as long as you didn’t disable mac telnet service)
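
The routing loop and the blackhole route discussed in this thread, modelled as an added illustration that is not part of any poster's message or of RouterOS itself. The `198.18.x.x` addresses are constructed placeholders for the elided `x.x` prefix, and the two-router topology and the names `lookup`, `trace` and `build` are assumptions of the sketch.

```python
import ipaddress

# Constructed stand-ins: the thread elides the first two octets ("x.x"), so the
# 198.18.0.0/15 benchmarking range is used here purely as a placeholder.
POOL = ipaddress.ip_network("198.18.138.0/25")    # plays the role of x.x.138.0/25
ACTIVE = ipaddress.ip_network("198.18.138.4/32")  # one connected PPPoE client

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    matches = [(net, action) for net, action in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else "drop"

def trace(tables, dst, start="isp", ttl=64):
    """Follow one packet hop by hop and return (outcome, hops_taken)."""
    dst, node, hops = ipaddress.ip_address(dst), start, 0
    while ttl > 0:
        action = lookup(tables[node], dst)
        if action in ("deliver", "blackhole", "drop"):
            return action, hops
        node, ttl, hops = action, ttl - 1, hops + 1  # forwarded to the next router
    return "ttl-expired", hops

def build(with_blackhole):
    """Routing tables for the upstream ISP router and the customer router."""
    mikrotik = [
        (ipaddress.ip_network("0.0.0.0/0"), "isp"),  # default route upstream
        (ACTIVE, "deliver"),                          # /32 route of a live session
    ]
    if with_blackhole:
        mikrotik.append((POOL, "blackhole"))          # covers every unused address
    return {"isp": [(POOL, "mikrotik")], "mikrotik": mikrotik}

if __name__ == "__main__":
    for fixed in (False, True):
        for dst in ("198.18.138.4", "198.18.138.77"):
            print(f"blackhole={fixed} dst={dst} ->", trace(build(fixed), dst))
```

Without the blackhole route, a packet for an unused pool address crosses the ISP link on every hop until its TTL runs out; with it, the packet is discarded on arrival while the live session's more specific /32 route still wins.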

Have setup static on Laptop with ..138.4 /25, Gateway ..138.125, DNS just used 8.8.8.8
Cannot ping MikroTik gateway, cannot ping anything beyond MikroTik.

Can ping Laptop from Mikrotik Gateway

MAC addresses are in ARP tables on laptop and on Mikrotik

Thanks a lot ZeroByte, I must have had a brain freeze or something, it was just the static route from MikroTik to the IP address, static works now, believe it or not I have never used the static routing of public IP’s on the MikroTik before, I went straight in to PPPoE on a bridge or 1:1 NAT on my other routers, I just could not relate static routing on other makes of router to the MikroTik routing and would probably have been staring at it for days, thanks again for nudge in the right direction.

i.e. dst = ..138.4, ( The Laptop ) and Gateway = LAN

Now this PPPoE black hole, now I really need your help on this one.

I gave it a try last night, and ended up locking myself out of the router, resulting in a trip up the mountain this morning, fortunately did not cut anybody off.

I have a bridge with one interface, the LAN that nobody is connected on at the moment, except my test router and test Laptop. via a switch

The bridge has a PPPoE server setup on it, which uses radius authentication, and the PPPoE is working, it is using the default profile has the local address is ..138.125, the Gateway address of the MikroTik, the remote address points to a pool but is not used as the addresses are assigned by the radius server and the bridge setting is set to the created bridge call this bridge 1. ( I have 3 Bridges on 3 Ports and 3 PPPoE servers configured ). TCP-MSS set to yes, dns set to My ISP’s DNS and My Local DNS.

Ok, so in the PPPoE setup, I set the interface to the LAN and not the bridge and under profile, do I remove the bridge setting? ( I have tried both neither worked ).

Anything else to change from the working PPPoE setting.

Tried the blackhole but it shows Blue instead of Black when I set the dst as ..138.0/25 if I leave off the /25 it turns black

when I black hole do I set the gateway to the interface or leave blank.

Still not working must be missing something.


I think you’ve let this get more complicated than it needs to be.
I don’t see how removing a LAN side bridge could kick you out if you’re coming in from the WAN side.

If you have 3 interfaces that you want to all be served by the same pppoe service, then yes, use a bridge - and connect the 3 interfaces to that. This is true whether you’re doing static IP, dhcp, pppoe, or anything else.

So then the bridge (or direct ethernet interface if there’s only one) is what you set the pppoe server to listen on.
The only other thing that you might set is the default profile - the rest can be defaults

Then make sure you have an IP pool for x.x.138.1-127 e.g. customerPool1

On the profile, set the following:
local IP = x.x.137.242 (the WAN interface, if I’ve gotten that wrong here)
remote IP = customerPool1
dns server = 8.8.8.8 (or whatever you use)

optionally you can set filters and limits, but those have nothing to do with the basic functionality.

no need to define any secrets except maybe one for administrative purposes which will work even if the RADIUS server is down. Of course make sure “use radius” is selected in ppp authentication and accounting.

[quote=“ZeroByte”]I think you’ve let this get more complicated than it needs to be.
I don’t see how removing a LAN side bridge could kick you out if you’re coming in from the WAN side.[/quote]

I was coming in from LAN and forgot to set a local IP on the interface there was one on the Bridge.

So when I disabled the bridge, no comms, there is no access via WAN at the moment it is blocked as the backup link is not available.

It is hard to explain, up on the mountain are a number of Wireless access points and bridges, there are 2 x MikroTik routers which connect all those radios to the backhaul which is also a 5.8Ghz radio, one of those bridged radios on the mast connects to My workshop.

I have 3 interfaces but they are not linked together I do not want them bridged, they have different subnets

I have done what you say set the profile, Set Local IP to WAN IP, set the remote IP to customer pool, it still does not work, it only seems to work if I create a bridge even if that bridge only has one interface.