I have a /27 of public IPs assigned to me by my ISP, xxx.xxx.203.128/27, with xxx.xxx.203.129 being my default gateway. Behind the MT unit with the public IPs I have an extensive wireless network. In order to allocate a /29 network to one particular client, I have created an EoIP tunnel from their CPE to a bridge interface on the gateway router. The CPE has a single bridge interface, with ether1 and the EoIP tunnel as ports. The gateway MT device at the moment has a bridge with the EoIP tunnel as a port.
QUESTION - How do I route between xxx.xxx.203.136/29, allocated to the bridge interface on the gateway box, and the xxx.xxx.203.128/27 on the WAN interface?
OR, is there another way of getting the public IP addresses to the client?
The “proper” way I would do this is to tell your provider that assigned you the /29 to set their router to point the /29 to YOUR MT, instead of configuring it on the LAN interface of your internet connection. This is very common for companies to do, but what you want is for them to route you the /29, not place it for you.
Once they do that, then you can just tell your MT that your /29 is at this router (maybe an access point), or better yet the client's MT. That's it! They have full access to their /29 with full routing. No tunnels, just routed.
Yes - that is the proper way to do it - not always possible though. I have seen this done before - can’t remember exactly how it was configured though.
I have an issue using a similar setup with my ISP. Can someone please suggest how to make this work correctly for me. My provider is using NAT and directing all ports from my public IP to my private IP, but some things still do not work. Specifically NetMeeting, and also some games. I am able to use remote desktop, file and printer sharing, and other services. I suspect it is related to port mapping, and opening dynamic port ranges, but I don’t know enough about RouterOS to know for sure. Currently my provider is trying to assign my router to my public IP, but this is not working at all, only NAT is working.
Any thoughts, Ideas, or suggestions to help make this work or troubleshoot the issue?
Emailing me directly is ok as long as it’s also posted to help others with the same issue.
My ISP tried the static route option, but for some reason it did not work. I’m not sure he has had one set up this way yet. He is willing to if we can find out how to properly set it up.
Very new to all these NAT types, what do I ask him to find out if mine is set up as 1:1? Is there some test I can do to find out the type of nat I am using?
Another way is to just bridge your public network, using an IPIP or EoIP tunnel. This extends your “public” network out to wherever the bridge is. Works, hate doing it. Course, I hate bridging too.
I have found out my ISP has me set up using 1:1 NAT with the action=netmap command. So now that leaves me with more questions, since this is not working with some protocols.
Can a machine in the private network use a public ip, and route correctly?
If so then how do they set it up?
What do I need to do on my router to make things work correctly? Do I add my public IP and his default gateway in place of my private IP?
Does the traffic go through their firewall, or is it just routed to me directly?
Check your route to my host: riomartin.bloomasia.com
You should see 202.138.248.88 as the last hops (three hops with the same IP address).
Those are private IPs on my LAN (192.168.x.x) NATed to a public IP.
Actually, a public IP can be routed to a private IP.
I can guarantee you this, because I have done it before.
I just got a routeable /29 of public IPs from my ISP 2 years ago.
I have 8 departments that need public IPs. Hell out .. this is my doom (I think).
But I found the solution: separate it using /32s, and each department gets its own public IP.
From my core router @ NOC to their router as the client, I’m using a private IP address block (192.168.x.x).
That’s not a big problem; when you trace from outside you will get something like this:
e.g. my public IP block is 202.138.238.0/29
tracing route to client 202.138.238.1
192.168.1.1 (my Core Router @ NOC)
192.168.100.1 (my Distribution Router @ POP )
202.138.238.1 (my Client Block IPs)
So, nothing’s wrong with that, isn’t it? As long as you are able to reach the final destination (202.138.238.1), you don’t have to mind whether the path flows through private or public IPs.
You could contact my YM if you need an actual setup @ your environment.
Nothing wrong with routing publics over private networks. Do it all the time.
One thing I will say is that I have used netmap, and originally dst and src NAT rules, extensively, and have passed virtually everything through them. Including Cisco IPSEC traffic, SonicWall private traffic, and more. I have NEVER found anything that netmap and dst/src NAT rules affected in any way. I have had many admins tell me I need an actual public on my Cisco or SonicWall; nope, never needed it. So I would look towards your ISP blocking ports even on your public.
As far as internals, you can do /30s, /27s etc. It all depends on how your ISP is set up. A lot of the ones here in the States typically place publics on the LAN interface of the terminating equipment. So if you had a 45 meg T3 or even a fiber link, and you got a /24, they would put a gateway on the ethernet side of the terminating equipment, that gateway being in that /24 they gave you. This is vs. them pointing the /24 to your existing IPs.
What I would suggest is to get a /30 from your ISP, this would be between your router and theirs. Then have them point your /29 or whatever it is, to your /30 address.
Then, behind your /30, you can do WHATEVER you want. The best method I like is to use PPPoE and OSPF, and put /32s out there, no publics wasted. But you can do /30s, /29s, whatever you can do to subnet your original network that was given to you.
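As an added illustration (not from any post in this thread), here is how the two setups discussed above look in RouterOS: the ISP-side 1:1 netmap that JB found on his link, and the routed /30 plus /29 arrangement this post recommends. All addresses are constructed stand-ins (203.0.113.0/24 documentation space for the xxx.xxx.203.x block, 192.168.1.5 and 10.10.0.0/16 for private hosts) and the interface names are assumed.

```routeros
# ---- ISP side as it is today: 1:1 NAT with netmap ----
# Constructed: 203.0.113.5 is the customer's public IP, 192.168.1.5 the private one.
# Both directions are needed for a true 1:1 mapping (inbound dstnat, outbound srcnat).
/ip firewall nat
add chain=dstnat dst-address=203.0.113.5 action=netmap to-addresses=192.168.1.5 comment="1:1 inbound public->private"
add chain=srcnat src-address=192.168.1.5 action=netmap to-addresses=203.0.113.5 comment="1:1 outbound private->public"

# ---- Routed alternative recommended above ----
# ISP router: a /30 link net toward the customer (constructed 203.0.113.0/30) and the
# customer's /29 (constructed 203.0.113.136/29) routed to the customer's /30 address.
/ip address add address=203.0.113.1/30 interface=ether-to-customer
/ip route add dst-address=203.0.113.136/29 gateway=203.0.113.2

# Customer gateway MT: /30 on the WAN side, first usable /29 address on the bridge that
# carries the client's EoIP tunnel, and a default route via the ISP end of the /30.
/ip address add address=203.0.113.2/30 interface=ether1-wan
/ip address add address=203.0.113.137/29 interface=bridge-client
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# Do not masquerade the routed public block: the /29 hosts must leave with their own
# addresses so they are reachable end to end, which is the point of routing instead of
# NAT. Masquerade only the private wireless network (constructed 10.10.0.0/16).
/ip firewall nat
add chain=srcnat src-address=10.10.0.0/16 out-interface=ether1-wan action=masquerade
```

With the /29 routed this way, the EoIP tunnel to the client's CPE is still just a bridge port on bridge-client; the client's hosts take addresses from the /29 and use 203.0.113.137 as their gateway.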
I agree, what everyone is suggesting should work fine, but for some services it’s not. Below is what I know so far. I haven’t had a chance to test anything else since we have been stuck on troubleshooting the issues with NetMeeting and the games I currently own. If I bring my laptop to work, I am able to host and join games just fine. Is there some firewall rule that needs to be changed to allow the way the ports are being opened? I have read a lot about services that open dynamic port ranges not working with some firewalls.
JB
Services that work:
Ping test
file and print sharing
Remote desktop. (on any port I want)
MS vpn
MSN Messenger
Services that don’t work or are working via server assist:
Netmeeting (important for doing support on friends and coworkers workstations)
Games (Important for sanity)
Don’t work:
Mechwarrior IV (does not work at all.)
Age of Empires II (workaround is to enable the VPN to work, use the VPN as my default gateway, and use IGzones.com)
Microsoft Age of Mythology
Work: (Note these are all server-assisted games so I don’t like to show them, but thought I should just to be thorough)
Guild wars
Diablo II
Battlefield 2142
World of Warcraft
Realmonline (I know really old, but wife likes it)
9 * * * Request timed out.
10 * * * Request timed out.
11 9 ms 10 ms 11 ms pe1-7-evt-wa.fibercloud.net [205.234.64.157]
12 9 ms 9 ms 9 ms rooftop-emt-evt-wa.fibercloud.net.64.234.205.in-addr.arpa [205.234.64.158]
13 12 ms 13 ms 14 ms 205.234.78.233
14 56 ms 14 ms 15 ms 205.234.78.233
15 17 ms 15 ms 15 ms 205.234.78.233