I have successfully set up a PPPTP tunnel for a set of users to VPN into my MikroTik box and have successfully DHCP’d a 192.168.10.x IP to all of them, and they can all successfully reach the internet. I thought I had successfully set up NAT, but in fact have PAT successfully running, as each of them shows the same IP address to the outside world.
What I need to do now is have each of these users in their own VLAN in order that I can assign them a public IP and so that I can do port forwarding or create DMZs for each of them. I believe I need to use VLANs for this?
I’m looking through the MikroTik documentation, and I read that I simply add and enable a VLAN interface with a VLAN-id on a physical interface on the MikroTik router, and I could assign the public IP to the VLAN interface that I’ve created.
Is this all I need to do to accomplish my goal listed above?
For PPTP tunnel users, you do not need VLAN’s. You need to setup one-to-one natting for the users after you setup static/reserved IP addresses for them.
JJCinAZ,
thank you so much for the response.
Ok, so it would seem that my issue is with NATing. I’m not doing it correctly.
As I’ve stated, PAT occurs and we can get to the internet through a VPN connection. The LAST hurdle is that we have a block of private IPs 64.x.x.x (we have 256 public IPs to use)…
Let’s say we have 15 customers/companies that want to use “our services” (in this case, it’ll be our ADSL services for internet connectivity). What we thought we needed to do was to assign one of these public IPs to each of these customers by way of a VLAN. But you’re saying there’s no need to use VLANs.
So you’re saying that I need to do the following 2 steps:
1 - setup static/reserved IP addresses for them.
where do I set these at and assign them to a “user”?
2 - setup one-to-one natting for the users
As I’ve said, I’ve been doing PAT; how exactly do I do 1:1 NATing on this MikroTik 3.0? I’m sorry to ask basics, but I’ve been through the MikroTik docs and I’m obviously way off
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
and then assign whatever user to an interface? Can I just keep adding interfaces to the 1 physical interface on my MikroTik router?
2 - setup one-to-one natting for the users
If I want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, I should use destination address translation and source address translation features with action=netmap.
But here’s originally why I thought I would need VLANs… by each of these aforementioned customers, I meant a company. So if a company has 50 users, I can’t 1:1 NAT all 50 users through the 1 public IP that I’ve given them. So I thought I would create a VLAN for each of these “companies” so that any number of users within that company would just VPN into that VLAN. Is there still a way to do this without VLANs?
Explain the use of the “PPPTP” [sic] in your first post. Did you mean PPP or PPTP? If you’re acting as an ISP and you are trying to route through the publics to your customers AND you have a layer-2 connection to the customer, you can use VLANs to assign to customers. Then you can either route a /30 subnet to the customer or you can bridge their VLAN onto your public interface and tell them to use a specific IP with the same gateway as you use (not the recommended way to do it).
My apologies, I didn’t realize that I had misspelled that… these are PPTP connections.
I am acting as an ISP and we do have a layer 2 connection to our customers. I prefer to use a /30 subnet for each of the customers.
Would you be willing to handhold me through this? I’ve not been able to get the VLAN config to work. I’m not even sure how to start.
Thx for your responses.
I’m currently in Africa (moved from the states a few months back), did a bit of Cisco work in the states, but in Africa Cisco is beyond expensive so I’m having to learn MikroTik…any help is appreciated. I see you’re out of Tucson, so I’ll hope to see your response in about 8 hours
I’m still having a problem configuring this to work. I keep retracing my steps and it doesn’t work.
My steps:
1 - create a company with a Public IP (IP->addresses)
2 - create a VLAN (Interfaces-> VLAN tab)
3 - Assign the VLAN to an interface (Interfaces->Interface tab). It is here that we’ll have 15 different VLANs connected to the outside interface.
4 - Create an internal DHCP pool for the internal interface on the MikroTik router from which these VPN clients will pull an internal private IP address (IP->DHCP Server)… On the DHCP tab, you will create the DHCP server and give it the Gateway IP address (src. address) and assign it to a particular internal interface… in this case 192.168.10.1
5 - Create the VPN Group to attach to the created VPN Pool
6 - Now list the range of addresses to lease for this particular pool that you named VPNpool1 (IP->Pool)
7 - Now label the network for this DHCP network (for your VPN clients) & assign it the gateway that you put in the previous step (IP->DHCP Server->Networks tab)
8 - Create the “Profile” and attach this Profile to the chosen VPN Pool of DHCP addresses by way of making the “LOCAL ADDRESS”, which is the IP address of the GATEWAY address (or SRC address) of the named DHCP Server AND the SAME name given for the Remote Address (which is ALSO the name of the “address pool”)
9 - Add the user to the PPTP server list, make sure that it is “enabled”… so when you go to “Interface”, then you click the “+” button, and the dropdown list appears, choose “PPTP Server”… here you name the Server/Interface, then add the user to the Server/Interface.
10 - On the PPTP server a user must be set up for the client
ppp secret> add name=tao3 service=pptp password=tao3 local-address=x.x.x.25 remote-address=
Be sure to pick the correct “Profile” for this user
11 - Now the DHCP pool is set up, the VPN server (PPTP) is set up, and a user has been created.
My problem is the VLAN info doesn’t work… if I take out the first 3 steps, then I can have all kinds of clients VPN into the MikroTik box, pull a private address and access the internet, and all the addresses are PAT’d to our outside public IP address. But I can’t get a private IP assigned to VLANs, and I can’t get the VLANs to work.
Let me try to address your issue about NAT which is where we started I think:
1: Ideally you should always attempt to route a public IP direct to the customer’s CPE or router. This is best practice. Obviously with only a /24 of public IP addresses you wouldn’t want to waste IP addresses as you route them over your own infrastructure.
You can route the public IP’s over a private IP network. Search the forums.
So subnetting to /30 would mean that you can only service 64 clients before you need to go and get another /24. Not always easy these days, especially in Africa. If you want your own IPs then you need to talk to AfriNIC in Mauritius. (I am in Africa too…)
2: On the other hand, doing what I call a 1 to 1 NAT would allow you to service 254 customers with the same /24 block of public IPs, so I can understand your wish to do this.
3: So for your NAT rules.
You need to add all your /24 IP addresses to the WAN or ISP interface. So to answer your question, yes, you can add as many IP addresses to your external interface as you like. In the old Linux routing terms this was adding IP aliases.
Now that you have done this you need to NAT it to whatever the private IP is of your customers. This process doesn’t care whether you use VLAN, PPTP, PPPoE or plain routed private IP. The last is the simplest and probably the fastest method performance-wise.
You need TWO NAT rules for EACH customer private IP. One NAT rule handles the inbound traffic and the other the outbound. You are going to use BOTH SRC-NAT and DST-NAT.
Here is an example:
/ip firewall nat
# SRC NAT rule for OUT BOUND traffic. src-address is the single customer host:
# a /24 here would match the whole subnet and shadow every later customer's rule.
add chain=srcnat action=src-nat src-address=192.168.123.253 out-interface=ISP to-addresses=196.204.22.22 comment="SRC NAT Rule for OUT BOUND Traffic"
# Example 1: DST NAT rule for IN BOUND traffic, a single TCP port (to-ports left unfilled here; pair it with a dst-port match)
add chain=dstnat action=dst-nat protocol=tcp dst-address=196.204.22.22 to-addresses=192.168.123.253 to-ports= comment="Example 1: DST NAT Rule for IN Bound Traffic"
# Example 2: DST NAT rule for IN BOUND traffic, the entire port range
add chain=dstnat action=dst-nat dst-address=196.204.22.22 to-addresses=192.168.123.253 comment="Example 2: DST NAT Rule for IN Bound Traffic"
Now, note that you can choose to NAT single ports or the entire range of ports.
Some things to remember: VOIP and Customer originated VPN does not always play nicely with NAT.
And yes, I know what you mean by the price of Cisco in Africa. Although the longer I spend with Mikrotik the less I find myself missing Cisco products…
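The two-rules-per-customer scheme above is easy to get subtly wrong once there are fifteen customers, so here is an added example (not from this thread or from MikroTik) that generates the rule pairs for a constructed private-to-public mapping, sanity-checks the mapping, and runs a simplified first-match model of the srcnat and dstnat chains. The interface name ISP, the 196.204.22.0/24 block and the 192.168.123.x hosts are assumed sample values; the model only covers the src-address, dst-address, out-interface and to-addresses matchers, not the full RouterOS matcher.

```python
"""Generate and sanity-check RouterOS 1:1 NAT rule pairs (added example)."""
import ipaddress

# Constructed sample mapping: private customer host -> public address for it.
MAPPING = {
    "192.168.123.253": "196.204.22.22",
    "192.168.123.254": "196.204.22.23",
}
PUBLIC_BLOCK = ipaddress.ip_network("196.204.22.0/24")  # assumed /24 allocation
WAN_IF = "ISP"  # assumed WAN interface name


def check_mapping(mapping, public_block=PUBLIC_BLOCK):
    """Raise ValueError if the mapping cannot be 1:1 NATed cleanly."""
    seen = set()
    for private_ip, public_ip in mapping.items():
        pub = ipaddress.ip_address(public_ip)
        if pub not in public_block:
            raise ValueError(f"{public_ip} is outside {public_block}")
        if pub in seen:
            raise ValueError(f"{public_ip} assigned to more than one customer")
        seen.add(pub)
        if not ipaddress.ip_address(private_ip).is_private:
            raise ValueError(f"{private_ip} is not a private address")
    return True


def rules_for(private_ip, public_ip, out_if=WAN_IF):
    """The srcnat (outbound) and dstnat (inbound) rules for one customer host.

    src-address is a single host (/32); a /24 would match the whole subnet.
    """
    return [
        f"add chain=srcnat action=src-nat src-address={private_ip} "
        f"out-interface={out_if} to-addresses={public_ip}",
        f"add chain=dstnat action=dst-nat dst-address={public_ip} "
        f"to-addresses={private_ip}",
    ]


def generate_script(mapping):
    """Return a pasteable /ip firewall nat script for the whole mapping."""
    check_mapping(mapping)
    lines = ["/ip firewall nat"]
    for private_ip, public_ip in mapping.items():
        lines.extend(rules_for(private_ip, public_ip))
    return "\n".join(lines)


def _parse(rule):
    # "add k=v k=v ..." -> {"k": "v", ...}
    return dict(tok.split("=", 1) for tok in rule.split()[1:])


def translate(rules, chain, packet):
    """First-match evaluation of one NAT chain (simplified RouterOS model).

    packet is {"src": ip, "dst": ip, "out_if": name}; the first matching rule
    rewrites src (srcnat) or dst (dstnat) and ends the chain.
    """
    for rule in map(_parse, rules):
        if rule["chain"] != chain:
            continue
        if chain == "srcnat":
            net = ipaddress.ip_network(rule["src-address"], strict=False)
            same_if = rule.get("out-interface", packet["out_if"]) == packet["out_if"]
            if ipaddress.ip_address(packet["src"]) in net and same_if:
                return {**packet, "src": rule["to-addresses"]}
        elif chain == "dstnat":
            net = ipaddress.ip_network(rule["dst-address"], strict=False)
            if ipaddress.ip_address(packet["dst"]) in net:
                return {**packet, "dst": rule["to-addresses"]}
    return packet  # no rule matched: packet leaves untranslated


def outbound_public_ip(rules, private_ip):
    """Public address a customer host would show to the internet."""
    pkt = {"src": private_ip, "dst": "203.0.113.9", "out_if": WAN_IF}
    return translate(rules, "srcnat", pkt)["src"]


def shadowing_demo():
    """Why src-address must be a host: with /24 the first rule wins for all."""
    good = generate_script(MAPPING).splitlines()[1:]
    bad = [r.replace("src-address=192.168.123.253 ",
                     "src-address=192.168.123.253/24 ") for r in good]
    return {
        "correct": outbound_public_ip(good, "192.168.123.254"),
        "with /24": outbound_public_ip(bad, "192.168.123.254"),
    }


if __name__ == "__main__":
    print(generate_script(MAPPING))
    print(shadowing_demo())
```

Running it prints the four rules and then shows that the second customer gets 196.204.22.23 with host-scoped rules but 196.204.22.22 once the first rule carries a /24, which is exactly the shadowing to watch for when the rule list grows.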
Alex,
Thx for your assistance. Basically, you’re saying that I don’t need to bother with VLANs, just match an internal private IP to an external public IP on the outside MikroTik interface…
Let me play with the config a bit and see if I can’t get that to work, and I’ll comment again tomorrow. Thx again.
Alex,
It’s been crazy around here and I haven’t had time to dive into this yesterday or today (TIA)… is there a way I can get your e-mail via your profile and share mine without publishing it on this forum?