Mikrotik device behind limited ISP modem

Hello,
I have an ISP-provided modem/router and a MT device
and I want to use the MT device to isolate two subnets.
The subnets will get access to the internet via the ISP device
as shown in the diagram below, which depicts the current situation.

My problem is the double NAT situation which I want to get rid of.
Given that the ISP modem/router does not allow changing
its static routing table what would you suggest as a topology/configuration?

Replacing the ISP device is out of the picture since
it also provides VoIP for telephony and the provider doesn’t share its VoIP passwords.

Topology:

                    +--------------------+
                    |                    |
                    |                    |
                    |   ISP modem/router |
                    |                    |
                    |                    |
                    +------+------+------+
                     |DSL| | LAN1 |
                     +-+-+ +---+--+
                       |       |      172.16.0.2/24 masquerade/srcnat with its PPPoE iface
to                     |       |
wall <-----------------+       |
socket                         |
                               |
                               |
                             +-+----+ 172.16.0.1/24 masquerade/srcnat
                             | LAN1 |
                    +--------+------+------+
                    |                      |
                    |  MikroTik            |
                    |                      |
                    |                      |
                    |                      |
                    +--+------+--+------+--+
                       | LAN2 |  | LAN3 |
                       +------+  +------+

               172.16.1.1/24        172.16.2.1/24

Bridge the ISP device, that will make it a simple layer 2 forwarding device. Bridge mode depends on make and model aka Transparent bridging.

Hi DarkNate,
unfortunately the ISP device does not support bridge mode.
I am hoping for some creative solution that will allow me to get rid of the double NAT
given the many limitations of the ISP device.

There are two ways to get rid of double NAT.

  1. ISP sets its modem in bridge mode.
  2. You use your MikroTik router as a bridge/switch, no NAT at all.

Hi,
thanks for taking the time.
Well option 1 is unavailable, the ISP device does not support it.
For option 2, do you mean to bridge all interfaces and assign an IP to the bridge
on the same subnet as the ISP device?

This sounds like a Telia router in Lithuania, isn’t it?

It’s Vodafone branded, model H 300s in Greece

Another option is to have admin access to the ISP modem/router, and create your subnets there. Then in the Mikrotik you can create two bridges.

I had that same problem some time ago, having Internet and phone from the same box and no bridge mode possible. After complaining to the ISP, they replaced the fiber modem with another one that allows bridge mode.

Another possibility would be to allow one LAN subnet to connect to the ISP gadget (the RB can act as a switch for that part) and have the other subnets behind the RB. That comes with lots of limitations though: all but one subnet still have to go through double NAT, you don't have the firewall under control, it's hard to prevent the other subnets from communicating with the one handled directly by the ISP gadget, etc.
If it’s not possible to dumbify ISP gadget, then the best would be to configure permissive port forwarding towards RB on ISP gadget and live with (potential) slightly lower performance. And complain to ISP because of lack of flexibility.

Try to break into the thing and setup a static route, or find VoIP settings?

Yes. Your MT Router will just be a switch with management.

mkx and mada3k thank you both for the input.
@mada3k: Yes I found out yesterday after searching a Greek forum that there is a way to enable some hidden administrative functions
by hacking the JavaScript based device UI.
So I could reveal the VoIP password and enable the configuration of static routes, yay!
So I am gonna look into that from a new standpoint and see how far I can go.

Is it PON? GPON/EPON? DOCSIS? DSL?

One method to bridge is either to use an explicit "bridge" mode on a per-WAN-interface basis in the CPE's interface, or simply set WAN to null and it will automatically bridge into a layer 2 device.

Source: Helped people all over my country (India) with bridging hundreds of different brands/models.

Add routes to your ISP router for the routes on the Mikrotik. Some basic routers even support RIP. Then don’t use NAT on the Mikrotik.

If you want to separate the LAN of the Mikrotik into multiple networks, possibly with some firewall rules between them, you can use arp-proxy at Mikrotik WAN side and separate LAN subnets on the Mikrotik. So the NAT would be done by the ISP router, and subnet separation by the Mikrotik.

Example:
ISP router’s LAN address: 192.168.3.253/22
Mikrotik’s WAN address: 192.168.3.254/30, arp=proxy-arp, no src-nat nor masquerade rule
Mikrotik’s LAN1 address: 192.168.0.1/23
Mikrotik’s LAN2 address: 192.168.2.1/24
Mikrotik’s default route via 192.168.3.253

The Mikrotik will answer with the MAC address of its own WAN interface to all ARP requests of the ISP router for any IP address within 192.168.0.0/22, so the ISP will send the packets for any of these addresses to the Mikrotik, which will forward them to the actual destinations.

If you can set up static routes on the ISP router after hacking it, the arp-proxy setting is not necessary, just set the routes to 192.168.0.0/23 and 192.168.2.0/24 via 192.168.3.254 on the ISP router.
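A RouterOS configuration for the design Sindy describes, and for the static-route variant suggested a few posts earlier (routes on the ISP router, no NAT on the Mikrotik). This is an added example, not configuration posted in the thread; the interface names ether1/ether2/ether3, the DHCP pool ranges and the LAN1-only management policy are assumptions:

```routeros
# Assumed roles: ether1 = towards the ISP router, ether2 = LAN1, ether3 = LAN2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp
set [ find default-name=ether2 ] name=ether2-lan1
set [ find default-name=ether3 ] name=ether3-lan2

# WAN side is a /30 carved out of the ISP router's 192.168.0.0/22; proxy-arp makes the
# Mikrotik answer the ISP router's ARP requests for the routed LAN subnets with its own MAC.
/ip address
add address=192.168.3.254/30 interface=ether1-isp
add address=192.168.0.1/23   interface=ether2-lan1
add address=192.168.2.1/24   interface=ether3-lan2
/interface ethernet
set ether1-isp arp=proxy-arp
# Static-route variant: if the ISP router can be given routes to 192.168.0.0/23 and
# 192.168.2.0/24 via 192.168.3.254, use "set ether1-isp arp=enabled" instead.

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.253

# DHCP for both LANs (ranges are assumptions; they must not overlap the ISP router's own pool)
/ip pool
add name=pool-lan1 ranges=192.168.0.10-192.168.1.250
add name=pool-lan2 ranges=192.168.2.10-192.168.2.250
/ip dhcp-server network
add address=192.168.0.0/23 gateway=192.168.0.1 dns-server=192.168.0.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dhcp-server
add name=dhcp-lan1 interface=ether2-lan1 address-pool=pool-lan1 disabled=no
add name=dhcp-lan2 interface=ether3-lan2 address-pool=pool-lan2 disabled=no
/ip dns
set allow-remote-requests=yes servers=192.168.3.253

# Deliberately NO /ip firewall nat srcnat/masquerade rule: the ISP router is the only NAT.
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2-lan1
add list=LAN interface=ether3-lan2

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=ether2-lan1 comment="management from LAN1 only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="DNS/DHCP for both LANs"
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=ether2-lan1 out-interface=ether3-lan2 comment="LAN1 -> LAN2 blocked"
add chain=forward action=drop in-interface=ether3-lan2 out-interface=ether2-lan1 comment="LAN2 -> LAN1 blocked"
add chain=forward action=accept in-interface-list=LAN out-interface=ether1-isp
add chain=forward action=drop
```

Two checks worth doing after applying it: the ISP router's DHCP scope must not hand out addresses inside 192.168.0.0/23 or 192.168.2.0/24, because with proxy-arp the Mikrotik will claim those addresses and any host the ISP router places there becomes unreachable; and `/ip firewall connection print` on the Mikrotik should show LAN flows with unchanged source addresses, confirming the only translation happens on the ISP router.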

Sindy that's very interesting, thanks for sharing!


DarkNate, so how should I do this bridging actually? I tried with CPE, no luck. One time I disabled my bridge and got connected to the ISP router anyway.
But I do not want to be locked out from the RouterOS again, so I am interested how to set WAN to zero?

Could you explain what the issue specifically is with double NAT in your case? Or is it port forwarding that is the actual problem?

Before getting FTTP, I had a similar situation with a Fritzbox, (I was too lazy to worry about bridge mode on the Fritzbox and I had no inbound services anyway) but I was able to set the Mikrotik as the DMZ host on the ISP modem so that I could do port forwarding on the Mikrotik if I needed to, all ports were forwarded directly to it by the Fritzbox.

Double NAT isn’t the cleanest setup and should be avoided if practicable, but I’ve yet to see instances where it causes more issues than single NAT and am interested in understanding whether you were aware of any?
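The DMZ-host arrangement Spynapples describes, on the Mikrotik side, using the addressing from the opening post (ISP router at 172.16.0.2, Mikrotik WAN 172.16.0.1). This is an added example, not configuration from the thread; the interface names and the published server 172.16.1.10:443 are assumptions, and the DMZ host itself is set in the ISP router's own UI, pointing at 172.16.0.1:

```routeros
# Double NAT stays: the ISP router masquerades 172.16.0.1, the Mikrotik masquerades the LANs.
# Because the ISP router now forwards every unsolicited packet to the Mikrotik, ether1 must be
# treated as a fully exposed interface.
/ip address
add address=172.16.0.1/24 interface=ether1-isp
add address=172.16.1.1/24 interface=ether2-lan1
add address=172.16.2.1/24 interface=ether3-lan2
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.2

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-isp comment="second NAT layer"
add chain=dstnat action=dst-nat in-interface=ether1-isp protocol=tcp dst-port=443 \
    to-addresses=172.16.1.10 to-ports=443 comment="the one published service (assumed)"

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=ether2-lan1 comment="management from LAN1 only"
add chain=input action=drop in-interface=ether1-isp comment="DMZ host: nothing unsolicited reaches the router itself"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether1-isp connection-nat-state=dstnat \
    comment="only flows that matched a dst-nat rule may enter from the WAN"
add chain=forward action=drop in-interface=ether1-isp
add chain=forward action=drop in-interface=ether2-lan1 out-interface=ether3-lan2 comment="LAN1 -> LAN2 blocked"
add chain=forward action=drop in-interface=ether3-lan2 out-interface=ether2-lan1 comment="LAN2 -> LAN1 blocked"
add chain=forward action=accept in-interface=ether2-lan1 out-interface=ether1-isp
add chain=forward action=accept in-interface=ether3-lan2 out-interface=ether1-isp
add chain=forward action=drop
```

The `connection-nat-state=dstnat` match is what keeps the DMZ arrangement from turning the whole LAN into a DMZ: every port the ISP router hands over lands on ether1, and only the ones with an explicit dst-nat rule get forwarded. A connection from outside to the published port should then appear in `/ip firewall connection print where dst-address~"172.16.1.10"`, while anything else aimed at 172.16.0.1 is dropped in the input chain.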

Spynapples, the ISP’s Cisco router does not forward any port when the connection is initiated from the internet. The Cisco router is protected with a password. Maybe I could break the password, but I do not want to mess with Cisco settings, because it might be problematic. Yes I am behind double NAT.

I noticed the following:

  1. When I am connected to the Mikrotik router my ethernet name is 78942A.
  2. When I am connected directly to the Cisco router, my ethernet name is Network 1
  3. When I am connected to the Mikrotik router, and the Mikrotik is connected to the Cisco and I disable the bridge in RouterOS, then my ethernet name becomes XYDESKTOP-ARF…something and I have internet access, but I am locked out from RouterOS, no wifi connectivity and then I need to reset the router.

The third case illustrates that when I disable the bridge, the Mikrotik router bridges into a layer 2 device as described by DarkNate, which is my Cisco router. So my question was how to set WAN to zero and not get locked out of RouterOS.