External IP with Public IP assignment

Dear MK Enthusiasts,

I need your help, I’m a little confused with a scenario.

I’ve got a CCR connected to my provider with a private interconnection IP (/30). My provider routes a /27 to this IP.

I want to deliver the /27 to my customers with a few services (queue / basic FW).

I add the last IP of my /27 on an interface and give public IPs to my customers; my interface becomes their GW.

I’m a little confused with NAT translation (masquerade): my customers with public IPs don’t see their own external public IP, but mine.

0    chain=srcnat action=masquerade out-interface=sfp1 - INTERCO log=no log-prefix="" 
1    chain=srcnat action=masquerade out-interface=sfp5 - CUSTOMER PUBLIC NET log=no log-prefix=""

Can you please advise me on how to resolve this situation?

Thanks

Armel

Why are you doing NAT if you are working with public IPs?

Disable those masquerade rules; that’s all that’s needed.

You may need to remove all connections in IP > Firewall > Connections or reboot after that.

Even if my interconnection IP is in a private range?

I’ve got a management network (private).

Do I need to add a masquerade rule with an address list (lan)?

Thanks a lot

Armel

I’d need a schematic and an actual export before I can assess that.

Sorry for my late reply.

Here is my conf:

/ip address print
ADDRESS           NETWORK       INTERFACE
37.x.x.185/29     37.x.x.184    ether3_PUBLIC
172.19.0.37/30    172.19.0.36   ether2_INTERCO

/ip route print
DST-ADDRESS       PREF-SRC      GATEWAY          DISTANCE
0.0.0.0/0                       172.19.0.38      1
37.x.x.184/29     37.x.x.185    ether3_PUBLIC    255
172.19.0.36/30    172.19.0.37   ether2_INTERCO   0

I can ping the server from outside, but can’t ping from the server to outside (IP or DNS). No FW rules, no NAT rules.

If I use NAT (masquerade), everything works fine, but when I look up my external IP, it’s the NATed one, not the real one of the server.

Thanks for your help

A.

Are you saying that with NAT disabled, if you browse whatismiip from a host with a public IP, the IP displayed is 37.x.x.185?

What gateway has the server set as default?

Yes, thanks, of course.

WITHOUT MASQUERADING, I can ping the server from outside, but can’t ping from my server to outside, no web surfing or any service. Very strange. No FW rules or any extra NAT rules.

Armel

Can you please post the server routing table?

Nothing specific.

For now, it’s a laptop with a public IP…

I can ping it from outside, but the laptop can’t ping anything… I’ve rebooted the router and cleared my session table.

I’m a bit lost :)

Armel

Yours is a routing problem; without more details I cannot point you in the right direction.

A “route print” plus an “ipconfig /all” in a cmd prompt, if it’s a Windows laptop, will make things easier.