clarification about ways to use additional subnet provided by the ISP

wassy83 · September 12, 2019, 10:48pm

Hi to all,
I have been moving into the world of networking/mikrotik recently and there is an argument that I really can’t understand. I would appreciate very much if someone could remove my doubts or advise me on the right documentation.

I requested my ISP for a new optical fiber connectivity with an additional subnet of 8 ip. They sent me an email containing this information

pppoe authentication:
user = user
password = password
MTU = 1500
pppoe interface ip = xxx.xxx.xxx.xxx
additional 8 ip subnet= yyy.yyy.yyy.yyy/29
dns server = zzz.zzz.zzz.zzz

after receiving these data I set a basic configuration:

Created the pppoe interface linked to the eth1-WAN and after succesfull autenticated I received the ip xxx.xxx.xxx.xxx
Added to the eth2-LAN interface an ip 192.168.25.1/24
Added into the nat a masquerade rule for my local lan 192.168.25.0/24

with this basic setup everything is working and all my hosts can surf internet using the pppoe interface’s ip xxx.xxx.xxx.xxx

now I want to understand what are the different ways to use the 8 ips subnet. Searching into mikrotik documentation I found this https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Forward_all_traffic_to_internal_host
and this way of mapping the ip address is working as expected.. I can use all of 8ips which is very good but I think that this still remains a sort of nat, and I want to understand how can I add directly these ips to my hosts without using NAT. I know that in this way I will not be able to use all 8ips but only five cause 3 of 8 ips will be used for gateway, broadcast and network.

So searching the forum about this I found a comment that opened a little my mind:

It’s not exactly true that you can use only five addresses, it depends on how exactly you use them. E.g. it you assigned all of them to router (doesn’t really matter to which interface), you can use all eight (with NAT or for services on router). Or you can route individual addresses (with /32 netmask) anywhere inside your network and also use all eight. Five is the limit when you assign whole subnet to internal interface. It’s probably also the most common way, and even when doing this, there is still a way to use more, because even though .240 and .247 are wasted on internal interface as network address and broadcast, when someone from internet tries to connect to them, you can catch that traffic using dstnat and forward it elsewhere. And the other way around, you can also use these addresses for srcnat.

now my doubts are:

how can I use in my setup, after establishing pppoe connection, these 5 ips directly as ips for my internal hosts without using NAT/mapping things?
Can I use both ways together, let’s say mapping a public ip to internal host but still be capable of using at least one of these ips directly in the nic config of the internal host?
what is the meaning of this? “Or you can route individual addresses (with /32 netmask) anywhere inside your network and also use all eight”

the second question is for me the most important, cause I really like to use the mapping way, but in this particular case I need to add only to a cisco router(so only for one ip) a dedicated public IP without using NAT cause this cisco have an external company monitoring that needs this kind of setup, but as I said I don’t want to loose the ability to map all the other ips.

many many thanks l hope that someone can dedicate a minute to take away these doubts or at least pointing me to the right documentation

Sob · September 13, 2019, 3:48am

It’s simple. Let’s say you got yyy.yyy.yyy.0/29. So ISP did on their side, expressed as RouterOS config:

/ip route
add dst-address=yyy.yyy.yyy.0/29 gateway=xxx.xxx.xxx.xxx

And all eight addresses are routed to you.

With traditional subnetting, you’d take one address and assign it to some internal interface and then you’d connect other devices there, so you’d have:

yyy.yyy.yyy.0 - network address
yyy.yyy.yyy.1 - gateway
yyy.yyy.yyy.2-5 - available for devices
yyy.yyy.yyy.6 - broadcast

Two addresses (network, broadcast) are completely wasted and third (gateway) almost too, because router already has xxx.xxx.xxx.xxx on WAN and doesn’t need another public address.

One way to deal with it is NAT. Simply add all eight addresses to router and use dstnat for NAT 1:1, forwarding individual ports to different devices, or whatever you want. But NAT is ugly.

Another possibility is to route addresses somewhere else. You can have internal device with e.g. 192.168.25.10, do:

/ip route
add dst-address=yyy.yyy.yyy.0/32 gateway=192.168.25.10

and selected address will be routed to that device. It can then assign it to some loopback interface and use it for outgoing connection (incoming too, of course). If will work even with larger networks, you can route the address through multiple internal networks. There will be gaps in traceroute from outside, but it doesn’t break anything.

Next trick is point to point addresses. It’s possible to connect two competely unrelated addresses like yyy.yyy.yyy.0 and 192.168.25.1. Let’s say router has the latter on LAN, so you do on router:

/ip address
add address=192.168.25.1/32 network=yyy.yyy.yyy.0

Then you do the opposite on other device and it will work. It works for sure with RouterOS, Windows (NT6+; use the other address as gateway and mask 255.255.255.255) and Linux:

ip addr add <local address> peer <remote address> dev <name>

Possibly others too, but some devices don’t support this.

Another NAT-less method is PPPoE, you create the server, connected device will be PPPoE client and since it works with point to point /32 by default, it will be compatible with anything.

And finally there’s the combination. If you return to traditional subnetting with three wasted addresses, that’s true inside. But from outside, nothing knows that e.g. yyy.yyy.yyy.6 is broadcast. So if you do:

/ip firewall nat
add chain=dstnat dst-address=yyy.yyy.yyy.6 action=netmap to-addresses=192.168.25.10
add chain=srcnat src-address=192.168.25.10 action=netmap to-addresses=yyy.yyy.yyy.6

you will use yyy.yyy.yyy.6 for NAT 1:1 and it will work. Or you can forward only some ports, it’s up to you. It’s because src/dstnat doesn’t care about where the address is (or even if the router has it at all). It simply evaluates given conditions and changes addresses and/or ports. If it’s dstnat, routing happens after that, so the original address doesn’t matter anymore. And reverse is true for srcnat, packet is from some internal address to some external public address and only after it passes through router, its source address gets changed. Router doesn’t care at all that it’s the broadcast address on another interface, at this point it doesn’t conflict with anything. Even when response comes back, and it’s for what’s internal broadcast, conntrack steps in and changes it back to internal address, and only then the routing happens, so it again doesn’t conflict with anything.

wassy83 · September 13, 2019, 10:15am

It’s simple. Let’s say you got yyy.yyy.yyy.0/29. So ISP did on their side, expressed as RouterOS config:
/ip route
add dst-address=yyy.yyy.yyy.0/29 gateway=xxx.xxx.xxx.xxx
And all eight addresses are routed to you.

With traditional subnetting, you’d take one address and assign it to some internal interface and then you’d connect other devices there, so you’d have:

yyy.yyy.yyy.0 - network address
yyy.yyy.yyy.1 - gateway
yyy.yyy.yyy.2-5 - available for devices
yyy.yyy.yyy.6 - broadcast

Two addresses (network, broadcast) are completely wasted and third (gateway) almost too, because router already has xxx.xxx.xxx.xxx on WAN and doesn’t need another public address.

One way to deal with it is NAT. Simply add all eight addresses to router and use dstnat for NAT 1:1, forwarding individual ports to different devices, or whatever you want. But NAT is ugly.

Another possibility is to route addresses somewhere else. You can have internal device with e.g. 192.168.25.10, do:
/ip route
add dst-address=yyy.yyy.yyy.0/32 gateway=192.168.25.10
and selected address will be routed to that device. It can then assign it to some loopback interface and use it for outgoing connection (incoming too, of course). If will work even with larger networks, you can route the address through multiple internal networks. There will be gaps in traceroute from outside, but it doesn’t break anything.

Next trick is point to point addresses. It’s possible to connect two competely unrelated addresses like yyy.yyy.yyy.0 and 192.168.25.1. Let’s say router has the latter on LAN, so you do on router:
/ip address
add address=192.168.25.1/32 network=yyy.yyy.yyy.0
Then you do the opposite on other device and it will work. It works for sure with RouterOS, Windows (NT6+; use the other address as gateway and mask 255.255.255.255) and Linux:
ip addr add <local address> peer <remote address> dev <name>
Possibly others too, but some devices don’t support this.

Another NAT-less method is PPPoE, you create the server, connected device will be PPPoE client and since it works with point to point /32 by default, it will be compatible with anything.

And finally there’s the combination. If you return to traditional subnetting with three wasted addresses, that’s true inside. But from outside, nothing knows that e.g. yyy.yyy.yyy.6 is broadcast. So if you do:
/ip firewall nat
add chain=dstnat dst-address=yyy.yyy.yyy.6 action=netmap to-addresses=192.168.25.10
add chain=srcnat src-address=192.168.25.10 action=netmap to-addresses=yyy.yyy.yyy.6
you will use yyy.yyy.yyy.6 for NAT 1:1 and it will work. Or you can forward only some ports, it’s up to you. It’s because src/dstnat doesn’t care about where the address is (or even if the router has it at all). It simply evaluates given conditions and changes addresses and/or ports. If it’s dstnat, routing happens after that, so the original address doesn’t matter anymore. And reverse is true for srcnat, packet is from some internal address to some external public address and only after it passes through router, its source address gets changed. Router doesn’t care at all that it’s the broadcast address on another interface, at this point it doesn’t conflict with anything. Even when response comes back, and it’s for what’s internal broadcast, conntrack steps in and changes it back to internal address, and only then the routing happens, so it again doesn’t conflict with anything.

Dear thank you for your patience, you really opened my mind. Unfortunalely there is something that I’m missing here:

With traditional subnetting, you’d take one address and assign it to some internal interface and then you’d connect other devices there, so you’d have:

this is a little unclear to me which is the practical way to do this cause, as I told you, to obtain these IP addresses I first have to enstablish a pppoe connection that is already assigned to my wan interface, at this point you are telling me that I have to assign one of these public ips to another port of my mikrotic in example

/ip address
add address=yyy.yyy.yyy.2 interface=ether5

now on this port I can connect some workstations using the schema

yyy.yyy.yyy.0 - network address
yyy.yyy.yyy.1 - gateway
yyy.yyy.yyy.2-5 - available for devices
yyy.yyy.yyy.6 - broadcast

but obviously this is not working cause something is missing due to my inexperience, Also I tried to create a bridge beetween WAN and ether5 and assigned the yyy.yyy.yyy.2 to this bridge but still without success.. please be patient and give to me another adives..
thank you thank you

Sob · September 13, 2019, 11:11am

Subnet yyy.yyy.yyy.yyy/29 is static, right? So you can assign those addresses to router and other devices even if PPPoE is not up, only they won’t have access to internet before PPPoE is connected.

Don’t try to find anything complicated about this, it’s the simplest thing, exactly the same type of config as having the usual 192.168.x.y/24 on router as LAN, and other devices with 192.168.x.z/24 and 192.168.x.y as their gateway. Only difference is that you’ll have yyy.yyy.yyy.yyy/29 instead of 192.168.x.y/24, and you won’t use srcnat for connections from these addresses to internet.

And if you really need to deliver only one public address inside, I’d rather choose the first solution with routing to internal address and using the public one on loopback (cisco must be able to use that) or PPPoE.

wassy83 · September 13, 2019, 11:35am

Subnet yyy.yyy.yyy.yyy/29 is static, right? So you can assign those addresses to router and other devices even if PPPoE is not up, only they won’t have access to internet before PPPoE is connected.

Don’t try to find anything complicated about this, it’s the simplest thing, exactly the same type of config as having the usual 192.168.x.y/24 on router as LAN, and other devices with 192.168.x.z/24 and 192.168.x.y as their gateway. Only difference is that you’ll have yyy.yyy.yyy.yyy/29 instead of 192.168.x.y/24, and you won’t use srcnat for connections from these addresses to internet.

And if you really need to deliver only one public address inside, I’d rather choose the first solution with routing to internal address and using the public one on loopback (cisco must be able to use that) or PPPoE.

ok I understood tnak you so much.. I added the subnets as you suggest, Now I can surf the internet with the isp’s subnet and I can reach opened ports through these ips, The problem is that when I’m going outside with any internal host I still have the pppoe interface’s ip..in example if I check with host.dyndns.it my current ip from a workstation with ip yyy.yyy.yyy.42 with gateway yyy.yyy.yyy.41 it will give to me the pppoe’s interface IP..hmmm I missing a step..

wassy83 · September 13, 2019, 11:51am

ok I found this last step.. it was simply the initial masqerade rule that obviuously was giving me the pppoe interface as out ip. Ok now everything is clear,

just one last question:
I will try an environment like the last one you suggested, so only one ip let’s say yyy.yyy.yyy.42 will be delivered to the cisco using the classic subnetting way, all the others (including the broadcast one but except the gateway one I suppose..) will be managed through nat 1:1/mapping.

The question is, can I reach the yyy.yyy.yyy.42 from my external mikrotik that are connected to this one through vpn l2tp? it’s just a static routing problem to fix on both mikrotik and cisco side right?

Sob · September 13, 2019, 1:04pm

To be clear, I meant to use the public address routed to internal device (/ip route add dst-address=/32 gateway=<device’s internal address>) where it will be on some loopback interface.

I wouldn’t assign whole subnet to internal interface (as address yyy.yyy.yyy.x/29). It’s the correct (or most common) way, but it’s limiting. You can work around the problem with wasted addresses with NAT, still use all of them, it will work, but it’s not really clean and can be confusing, especially if someone takes over the config after you.

VPN shouldn’t have any problem, as long as routes are correct. There could be some with combined solution, i.e. with whole /29 on internal interface and NAT for wasted addresses, you’d need to make sure that it works for both WAN and VPN access.

wassy83 · September 13, 2019, 3:11pm

thank you dear you really opened my mind. have a nice day
regars from italy