Hetzner Subnet on Mikrotik CHR

Ennercy · November 19, 2023, 10:53pm

Hello,

i’m currently running a Mikrotik CHR on a hetzner bare metal server with a /28 subnet routed onto the Mikrotik CHR router and wanted to use now parts of the subnet directly in VMs (Plesk for example) without the need of NAT.
The bare metal server runs ESXi 8 where the CHR runs on with a dedicated mac provided by hetzner and a single /32 ip where the subnet is routed onto.

The subnet is 144.76.x.x/28 and the gateway (Mikrotik CHR) is 49.12.x.x
I’ve created a seperate interface already where the VM is connected to the CHR.

Does someone have a hint how i can approach this?

Thanks

patrick7 · November 19, 2023, 11:41pm

Configure your WAN IP on the CHR WAN, and the routed subnet on the CHR LAN?

Ennercy · November 19, 2023, 11:54pm

well the thing is that due to the gateway being on a different subnet my windows test vm errors out about that.
I’ve tried already enabling proxy-arp as suggested in other threads + using a bridge with the ether3 interface where the windows test vm is attached to but no luck.

this issue here seems somewhat similar but sadly the referring thread is not existent anymore.
http://forum.mikrotik.com/t/q-hetzner-routing-using-mikrotik-solved/106210/1

patrick7 · November 19, 2023, 11:56pm

Your Windows VM will have your CHR as a gateway, so perfectly fine in the same subnet

Ennercy · November 20, 2023, 12:03am

so is the approach with the bridge correct then?
create a new bridge and add ether3 towards it with proxy-arp enabled?

i assume i would also need to add a static route so that the chr knows on what to do with the ip? (144.76.xx.65 via 49.12.xx.196)

tdw · November 20, 2023, 12:27am

Have you read https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets

The additional subnet is routed to you. The traditional method would be to assign one of the addresses to a ‘LAN’ subnet on the CHR to which the VMs are attached, and assign them other addresses from the subnet with the CHR address as their gateway. For a /28 this gives you 13 useable addresses.

Ennercy · November 20, 2023, 12:32am

yeah i’ve already checked the hetzner guide on that but due to vmware esxi’s nature it doesnt have any built in bridge functionallity so i’m required to use a router vm - i’m linking the example below maybe this brings in more insight on my approach - sorry that i didnt include it in the first place

https://docs.hetzner.com/robot/dedicated-server/virtualization/vmware-esxi#subnets

tdw · November 20, 2023, 3:42am

If you configure a router VM as they suggest the CHR should have two ethernet interfaces, then it is a case of translating https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets

iface eth0 inet dhcp
would be
/ip dhcp-client
add add-default-route=yes disabled=no interface=ether1 use-peer-dns=yes

iface eth1 inet static
address 192.168.182.30
netmask 255.255.255.240
would be
/ip address
add address=192.168.182.30/28 interface=ether2

The VMs can use 192.168.182.17 to 192.168.182.29 with a gateway of 192.168.182.30 as in the example.

Ennercy · November 20, 2023, 11:12am

I think the issue was that i put them all onto the ether1 interface combined with the main ip of the CHR.
I’ve applied one of the subnet ips to the dedicated vm interface and configured as said and it works now - brilliant!

one remaining question i got is do i need to keep proxy-arp enabled on ether1 or can i safely revert it back to default aka enabled?
i’ve tested it and in both ways it seems to be working fine with either options but i’m not sure.

thank you very much and appreciate the help

tdw · November 20, 2023, 2:01pm

Proxy-ARP is not required, you can set it back to the default.