Multiple static public IPs through one interface

Can you? And how can you connect multiple static IPs to one interface (eth1)?
Is there a limit? What is the best way to do this in RouterOS?

Just add it at the same way as the first IP.

On a default configuration the LAN side gets IP 192.168.88.1 set on the bridge interface like this:

/ip address export
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

Then you can add one extra IP (or more) like this:

/ip address
add address=192.168.88.2/24 interface=bridge network=192.168.88.0

Result:

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.88.2/24 interface=bridge network=192.168.88.0

And for public IP space?

ISP has provisioned two Static public IP addresses.
Is there a way to have both public IPs come through eth1 interface via pppoe client connection to ISP or how?

That would be the same, just use the outside interface for your IP (ether1 instead of bridge).
If, on the other hand, it's DHCP, then you need another approach.

The topic is difficult to discuss without full information.
Please give the information your ISP gives to you.
The “clean” situation is where your ISP issues you a single public router IP (as a /30 or /31 network, or via PPPoE or DHCP or whatever) and then also gives you a properly-sized subnet (usually /29 but can be larger) containing the extra public addresses you requested.
The ISP will route the addresses in that extra subnet via your router public IP, and you can put the /29 range on an internal network e.g. to be used as DMZ.
When you want to use the extra addresses only for dstnat purposes you do not need to put them on an interface, but you could put them on an empty bridge for clarity.

The ISP gave out a /30, static IP assignment. Let's assume a clean situation; do I need to make another pppoe client connection to the ISP, one for each IP?
It sounds like NOT… Assign the additional static IP to the existing pppoe-client out connection on the eth1 interface? Or how to?

Ask the ISP for the information. That is the only one who can tell you how they are going to do it.

Each PPPoE connection can only assign a single IP address to the client - it is a Point to Point Protocol.

If the ISP gives you a /30, which means 4 IP addresses, as a direct subnet, you’d end up with x.x.x.0 unusable for the network, x.x.x.3 unusable for the broadcast, x.x.x.1 or x.x.x.2 as the gateway at ISP end, x.x.x.2 or x.x.x.1 as the public address at your end. So effectively only a single public IP to use and the 3 remaining ones wasted.

PPPoE, on the other hand, doesn’t need the network address, the broadcast address, and the gateway address: as it is a tunnel, the gateway device is “whatever listens at the remote end of the tunnel”, so you don’t need an IP address to identify it. So if you deliver a /30 using individual PPPoE connections, you can use all 4 addresses.

So this clearly indicates that

  • you have to run several PPPoE clients in parallel (but then the /30 is rarely the way to express that), or
  • you get one of the public IPs via PPPoE, the ISP routes packets for the other one via that PPPoE and you have to set that address up statically on some other interface (a port-less bridge) or just use src-nat and dst-nat rules to make use of that address, or
  • you get assigned a private address on the PPPoE client and the ISP routes packets for all your public IP addresses via that PPPoE (and you have to handle all of them like above)

Some ISPs require that you use RIP or BGP to advertise the public IPs to them so that they could route them to you.

So as @pe1chl said - until you get the information from the ISP how exactly you should use those addresses, there is no way to assist you with configuration.

It depends. When you get a /30 plus the single address on PPPoE and they route the /30 via the PPPoE you could actually use all 4 addresses when you configure carefully.

But until we know what is happening, nothing can be said for sure.

This was their response:

Network IP ..135.188/30
Subnet Mask ..255.252
Host IP’s ..135.189 & ..135.190 (Usable IP’s)
Broadcast ..135.191

What is your current WAN setup? As they give you a /30 and declare two addresses to be usable, they’d have to be totally incompetent if they wanted you to use one of the two as a gateway on their side.

So if your current connection is a PPPoE one, I would run /tool torch pppoe-out1 ip-protocol=icmp src-address=0.0.0.0/0 dst-address= ..135.189 freeze-frame-interval=10s (use the actual name of your PPPoE interface and the actual IP address) and ping that address from some other connection (or ask a friend to do that if you cannot login to some remote machine, or use ip-protocol=tcp port=80 instead of ip-protocol=icmp and try to open http://..135.189 from the browser of your mobile phone connected using 2G/3G/4G, i.e. not WiFi).

If torch shows packets to come, it means that the ISP routes packets for those IPs via your existing PPPoE connection without asking you to advertise them using a dynamic routing protocol, and that we may move further to making use of these addresses.

I do see ICMP results in torch when I ping ..135.189 on pppoe-out1 interface from my iPhone on 4G. Same result with ..135.190.

My current public static IP is same.same.209.206

So I am thinking I can use both ..135.189 & ..135.190 along with my current static of same.same.209.206; giving me three static public IPs?

If the /30 is routed to you, try also x.x.135.188 and x.x.135.191. There’s a good chance they will work too. More specifically, they should work, unless the ISP blocks them, but that would be a really strange thing to do.

Those IPs both work as well for torch from my phone to pppoe-out1 via ICMP. Does this mean I can use those also?

Looks like it. If you do it right, you can be the happy owner of five real functional public IP addresses (the old one and four new ones).

Easiest way is to just assign all four new ones to router (e.g to PPPoE interface, it doesn’t really matter much) and use them with NAT. But you can also route them to different internal servers if you want.

That is exactly what I am wanting and intending to do… Route traffic to different VLANs from these public IPs to VMware servers and keep one IP then for SMS maintenance stuff.
Can I do this without losing connectivity for any amount of time on the pppoe-out interface?

You can add or remove an IP address on a running interface freely and it does not affect operation of other addresses attached to that interface.

But what you’ll need to do in particular differs significantly depending on the intended use of the addresses.

The clean way is to use ppp interfaces (PPPoE, L2TP, PPTP) between the Mikrotik and the actual user of the IP address, because for PPP interfaces the very notion of network, broadcast, gateway IP is redundant, there is no or little practical use for these items (unless you use dynamic routing protocols but that’s a different story). So when you have a PPP interface on that device, you either can configure the interface name rather than an IP address as a gateway, or, if you need an IP address as a gateway for some reason, you can assign to each end of a PPP link an IP address not related in any way to the one assigned to the other end.

So this way, you’d assign the four addresses to the virtual machines’ ends of the four ppp tunnels, and assign e.g. 10.0.0.1 to the local (Mikrotik) ends of these tunnels (a single address common for all is enough). I think that Mikrotik even dynamically puts that local address up when the first tunnel establishes if that address isn’t up yet due to manual configuration or other tunnel putting it up before.

Another way is to NAT these public addresses to private ones on the Mikrotik and do the reverse on the virtual machines; this is easy on Linux but I have no idea how to do that on Windows.

The ugly way to have the public addresses on the virtual machines is to use a larger subnet which includes your /30 with a margin at each end (so in your case, it has to be ..135.129/25), assign e.g. ..135.161 to the Mikrotik to be a gateway for hosts in that subnet, and configure each of the virtual machines to use one of your four IPs ..135.188 to ..135.191 in this subnet. This way you don’t need to fiddle with PPP tunnels, but you’ll lose access to the actual, outside-world users of ..135.160 through to ..135.187 and ..135.192 through to ..135.255 - while you’ll still have to fiddle a lot if you want to have each virtual machine in a different VLAN.

There’s also peer to peer /32 config where you can link two completely unrelated addresses, same way as with PPP, but on ethernet. You can have e.g. x.x.135.188 on server and 10.1.1.1 on router and it can work. It’s not supported by all devices, but works great with those that know it.

RouterOS: /ip address add address=/32 network=/32 interface=
Linux: ip addr add peer dev
Windows: just use as address, 255.255.255.255 as mask and as default gw
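As an added example (not from either post above, nor from any MikroTik documentation) of the point-to-point approach they describe: one routed public /32 is handed to a VM over an L2TP tunnel terminated on the MikroTik, with a single shared local-end address as suggested, and the last line shows the equivalent "peer to peer /32" address on plain Ethernet. All values are assumed: public /30 198.51.100.188/30 routed via pppoe-out1, VM address 198.51.100.189, router-side tunnel address 10.0.0.1, interface name vlan-vm1, and the passwords are placeholders.

```routeros
# Added example, not from the thread. Assumed: 198.51.100.188/30 is routed to
# this router via pppoe-out1, vm1 should own 198.51.100.189, the router end of
# every tunnel is 10.0.0.1, and CHANGE-ME values are placeholders.

# 1. PPP profile: local end is one address shared by all tunnels; the remote
#    end is set per secret below, so no address pool is needed.
/ppp profile add name=prof-public local-address=10.0.0.1 use-encryption=required

# 2. One secret per VM; remote-address is the public IP the VM will own.
#    service=l2tp pins the credentials to this tunnel type only.
/ppp secret add name=vm1 password=CHANGE-ME service=l2tp profile=prof-public remote-address=198.51.100.189

# 3. Enable the L2TP server with IPsec required, so the VM's tunnel is encrypted.
/interface l2tp-server server set enabled=yes default-profile=prof-public use-ipsec=required ipsec-secret=CHANGE-ME-TOO

# 4. When vm1 connects, RouterOS installs a dynamic /32 route to 198.51.100.189
#    via the tunnel, so packets arriving on pppoe-out1 for that address are
#    forwarded into the tunnel with no NAT. Expose only the services needed.
/ip firewall filter add chain=forward in-interface=pppoe-out1 dst-address=198.51.100.189 connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=pppoe-out1 dst-address=198.51.100.189 protocol=tcp dst-port=443 action=accept comment="vm1 https"
/ip firewall filter add chain=forward in-interface=pppoe-out1 dst-address=198.51.100.189 action=drop comment="vm1 default deny"

# 5. Keep the LAN masquerade rule from rewriting the VM's public source address
#    on the way out: this accept must sit above the generic masquerade rule.
/ip firewall nat add chain=srcnat src-address=198.51.100.189 out-interface=pppoe-out1 action=accept comment="vm1 uses its own public IP"

# Ethernet alternative (the "peer to peer /32" idea): router side 10.1.1.1/32
# with the VM's public address as the peer, on the VLAN facing vm1.
/ip address add address=10.1.1.1/32 network=198.51.100.189 interface=vlan-vm1
```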

Status Update:

I did get this working but only with the two IPs the ISP said were usable, 189/30 and 190/30.

What I did was this:
Added a new ppp profile with pool for 188/30 (not sure if necessary)
Assigned the ppp profile to the pppoe-out connection
Created a bridge and put the pppoe-out connection on it (not sure if necessary)
Added 189/30 and 190/30 to the bridge interface in addresses
Added NAT rule to netmap public IP 189/30 to internal subnet 25.0/24
Added dst-nat rule for public IP 189/30 to internal subnet 25.0/24
Added srcnat rule for internal subnet 25.0/24 to public IP 189/30

And had to do these in order.
Tried the same with 188/30 and 191/30 but could not get it to work.

As for me, most of it is wrong.

As packets with one of those IP addresses as destination did come to you via the previously existing pppoe-out1, there was no need to play with the ISP-facing PPPoE setup; the original one was good enough and playing with it can only make things worse.

You can use any of the methods described above to set up point-to-point connections between the VMs and the Mikrotik, and assign one of those public addresses to each of the VMs, and this is all you actually need to do, except adjusting your firewall configuration to permit connections to/from these IP addresses.

Or you may use the addresses locally as aliases for some private ones using src-nat/dst-nat, but use of netmap, src-nat and dst-nat at the same time makes them collide with each other.

So first, I’d revert to the original configuration.
Next, I’d add an “/interface bridge name=br-test protocol-mode=none”.
Next, I’d attach one of the addresses promised by the ISP as x.x.x.x/32 to the bridge: /ip address add address=x.x.x.x/32 interface=br-test
Then, I’d run ping 8.8.8.8 src-address=x.x.x.x.

If it works, fine, and you can change x.x.x.x also to the two “bonus” IPs (one by one of course) and try again.

This will show you whether the ISP filters the outgoing traffic from the “bonus” addresses - according to what you wrote before, you have seen in the previous steps that they don’t filter the incoming traffic to these addresses and do forward it to you.

By adding the addresses as /30 on your side, you have made the “bonus” ones unusable by yourself.

To do dst-nat and/or src-nat, the addresses do not need to be up on the Mikrotik itself. It is enough that traffic for them is getting sent to you, which the ISP is doing.
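As an added example (not from the post above) of the alias approach it recommends: the routed public IP goes up as a /32 on an empty bridge only so the outgoing-filter test can be run, and dst-nat/src-nat then map it to an internal server without a netmap rule, leaving pppoe-out1 untouched. Assumed values: public IP 198.51.100.189 (from a /30 routed to this router), internal server 192.168.25.10, bridge name br-public.

```routeros
# Added example, not from the thread. Assumed: 198.51.100.189 is routed to us
# via pppoe-out1 and the internal web server is 192.168.25.10.

# 1. Put the address up as /32 on an empty, STP-less bridge so the router can
#    source traffic from it. Never add it as /30 on our side: that would make
#    .188 and .191 the network and broadcast address and waste them.
/interface bridge add name=br-public protocol-mode=none
/ip address add address=198.51.100.189/32 interface=br-public

# 2. Check that the ISP also forwards traffic *from* the address (incoming was
#    already confirmed with torch). Replies mean no outgoing filter at the ISP.
/ping 8.8.8.8 src-address=198.51.100.189 count=4

# 3. Inbound: translate only the port the server should expose. The address
#    does not even need to be on the router for this rule to work.
/ip firewall nat add chain=dstnat in-interface=pppoe-out1 dst-address=198.51.100.189 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.25.10 comment="public .189 -> web"

# 4. Outbound: the server's own connections leave with .189 as source, not the
#    PPPoE address. This rule must sit above the generic LAN masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.25.10 out-interface=pppoe-out1 action=src-nat to-addresses=198.51.100.189 comment="web -> public .189"

# 5. Filter: dst-nat runs before the forward chain, so match the translated
#    internal address and require that the packet was dst-natted.
/ip firewall filter add chain=forward in-interface=pppoe-out1 connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=pppoe-out1 dst-address=192.168.25.10 protocol=tcp dst-port=443 connection-nat-state=dstnat action=accept
/ip firewall filter add chain=forward in-interface=pppoe-out1 action=drop comment="default deny from WAN"

# No netmap rule on top of these: netmap, dst-nat and src-nat for the same pair
# of addresses compete for the same packets, which is what broke the earlier attempt.
```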