Double Router Static IP Forwarding

Looking for a little help in setting up a CCR1016-12S-1S+ for Multi-Tenant Routing.

We are having a new Fiber Internet Circuit installed and the Carrier provided a /30 WAN IP Range and both a /28 and /29 Public Static IP Range. I have the CCR configured with the WAN Interface Address and utilizing a 172.16.X.X between the two tenant routers I am able to get basic ping and trace routes to work.

What I’m struggling with is routing the Static IP blocks from the WAN (Outside Internet) to the two Tenant Ports. Would this be accomplished by NAT on the CCR1016 Router or something else?

Basic Diagram Below:

CCR1016 Router Tenant 1 MikroTik Router
WAN IP (12.247.X.X/30) sfp1 → Tenant 1 (172.16.1.1/30) sfp4 → Tenant 1 (172.16.1.2/30) ether1 → /28 Static (12.0.X.X)

Tenant 2 MikroTik Router
→ Tenant 2 (172.16.2.1/30) sfp5 → Tenant 2 (172.16.2.2/30) ether1 → /29 Static (12.1.X.X)

Post a proper diagram, even hand drawn will do.

Here’s the Diagram, using 172.16.X.X address to preserve the full Static IP Blocks for the Tenants.
NetworkDiagram.jpg

Forgot to Mention running 6.34.3 on all Routers.

On both tenant routers, you need to add the CCR as the gateway (CCR end /30 IP) for the default (0.0.0.0/0) route:

Tenant1:
0.0.0.0/0 gateway 172.16.1.CCR_endIP

Tenant2:
0.0.0.0/0 gateway 172.16.2.CCR_endIP

On CCR you need to add two routes:
12.0.0.x/29 gateway 172.16.1.tenant1_endIP
12.1.x.x/28 gateway 172.16.2.tenant2_endIP

That’s all, no NAT needed.

@acemary: Welcome to the forum! I’d make a separate post for your question on the Beginner questions forum; even a little searching will surely return lots of posts with questions identical if not similar to yours.

@pukkita, based on the information you provided, the inbound side of the traffic is working great. However, I am having trouble with the outbound side of the traffic: if I don’t have a srcnat “masquerade” in place, no outbound traffic from either Tenant Router can proceed out, but this doesn’t allow protocols that require two-way communications to pass the Tenant Static IPs, such as GRE. I would assume I either need to provide some sort of NAT, Mangle, or Routing Protocol to pass traffic back outbound.

Any ideas?

You shouldn’t need to do any NAT in your network if the customers’ (tenants’) devices have public IP addresses configured on them directly. You just forward packets to the proper device based on the public IP.

@Zerobyte, can you provide an example of what you mean? If I turn NAT Masquerade off on the Carrier Router, nothing from the Tenant Router can access the outside world.

No matter what I try I cannot seem to preserve the Static IP passthrough from the Tenant Router via the Carrier Router to the outside world. But the reverse from Outside via the Carrier Router to Tenant Router works just fine.

At Carrier Router Level, I have the following defined:
0.0.0.0 via 12.247.X.X via sfp1 (Default Route)
172.16.1.0/30 via gateway sfp5 (Tenant A) Pref Source 172.16.1.1
12.33.X.X/28 via gateway sfp5 (Tenant A)
No Firewall Restrictions for 172.16.1.0/30 or 12.33.X.X/28

At Tenant Router Level, I have the following defined:
0.0.0.0 via 172.16.1.1 via sfp3 (Default Route)
172.16.1.0/30 via gateway sfp3 (Carrier) Pref Source 172.16.1.2
12.33.X.X/28 via gateway sfp3 (Carrier)
Additionally, I have src-nat and dst-nat configured for 12.33.X.X/28 Hosts here

Then something is wrong with routing (BGP filtering?), or NAT… Post the /ip firewall nat of carrier and tenant routers… it should be being masqueraded somewhere.

Do a traceroute from outside to your 12.33.x.x ranges, and vice versa.
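
One way to review a posted `/ip firewall nat` export for source-NAT rules that would also rewrite the tenants' routed public blocks. This is an added example, not code from any poster in this thread. The prefixes are documentation ranges standing in for the masked /28 and /29, the export lines are constructed, and only CIDR-style `src-address` values are handled.

```python
import ipaddress
import shlex

# Constructed stand-ins for the tenants' routed public blocks (documentation ranges).
ROUTED_PUBLIC = [ipaddress.ip_network("198.51.100.0/28"),
                 ipaddress.ip_network("203.0.113.0/29")]

# Constructed sample in the style of a carrier-router "/ip firewall nat" export.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1
add action=masquerade chain=srcnat out-interface=sfp1 src-address=172.16.0.0/16
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=172.16.1.2
add action=src-nat chain=srcnat src-address=!198.51.100.0/28 to-addresses=192.0.2.1
"""

def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)

def rewrites_routed_source(rule, routed=ROUTED_PUBLIC):
    """Return the routed prefixes whose source addresses this rule would rewrite."""
    if rule.get("chain") != "srcnat" or rule.get("action") not in ("masquerade", "src-nat"):
        return []
    src = rule.get("src-address")
    if src is None:                      # no source matcher: every source is rewritten
        return list(routed)
    negated = src.startswith("!")        # "!prefix" matches everything outside prefix
    net = ipaddress.ip_network(src.lstrip("!"), strict=False)
    if negated:
        return [p for p in routed if not p.subnet_of(net)]
    return [p for p in routed if p.overlaps(net)]

def audit(export_text):
    """Return (line_number, [prefixes]) for each rule that would NAT routed space."""
    findings = []
    for n, line in enumerate(export_text.splitlines(), 1):
        if line.strip().startswith("add "):
            hits = rewrites_routed_source(parse_rule(line))
            if hits:
                findings.append((n, [str(p) for p in hits]))
    return findings

if __name__ == "__main__":
    for n, hits in audit(SAMPLE_EXPORT):
        print(f"line {n}: source NAT also applies to {', '.join(hits)}")
```

A rule flagged here translates traffic sourced from the routed public blocks as well as from the 172.16.x.x transit links. A rule scoped with `src-address` to the transit range only is not flagged.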