I’m sure this is basic stuff for some of you, so I’m hoping you can help. I own a small WISP and I’m trying to go from a bridged network to a routed one. I’m large enough now that it’s needed, seeing as I’m running out of public IPs.
My goal is to put a MT router at each site, public IP on WAN and private IPs on LAN. So let’s say 100.100.100.0/25 for the public side and 192.168.16.x/24 for the private. All private IPs at this site would use one public IP. So as I put routers at each site, each site would only use one public IP address instead of each customer having their own public IP address.
At my core router I have 192.168.0.0/16 and 100.100.100.0/25 for my LAN interface.
The way I’m thinking is to put one of my publics on the WAN of the MT router and NAT one to many through that. Being so new to MT, I’m having a real hard time getting the config right.
Does someone have a way to do this?
Thanks in advance!
You’re basically correct in your plan - that being to NAT the existing private IP space users, and forward the public IPs to wherever they may need to go.
You can leave your existing NAT rule(s) in place, I would imagine - just add some exceptions for your public IP range(s)
If you only have one contiguous block of IPs (x.x.x.0/22 for instance) then you can just specify src-address=!x.x.x.0/22 in your masquerade/srcnat rules.
If you have multiple ranges that cannot be described in a single IP prefix, then use an address list:
/ip firewall address-list
add list=PublicIPs address=x.x.x.0/24
add list=PublicIPs address=y.y.y.0/23
etc…
Then instead of using src-address=!x.x.x.0/22 on the masq/srcnat rule, use src-address-list=!PublicIPs
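The rule described above, written out as an added example of a core-router srcnat that exempts the public block via an address list. This is not the replier's configuration; it uses the 100.100.100.0/25 and 192.168.0.0/16 ranges from the original post, and the interface names (ether1 = upstream transit, ether2 = LAN towards the sites) and the rule comments are assumptions.

```routeros
# Added example, not from the original posts. Core router: masquerade the
# private 192.168.0.0/16 space out of the upstream port, but never NAT hosts
# in the public 100.100.100.0/25 block (they are routed as-is).
# Assumed interface names: ether1 = upstream/transit, ether2 = LAN to the sites.

# Public ranges that must never be source-NATed. One line per block; add
# more lines here if further allocations are not covered by a single prefix.
/ip firewall address-list
add list=PublicIPs address=100.100.100.0/25 comment="our public allocation"

# One srcnat rule: anything leaving ether1 whose source is NOT in PublicIPs
# gets masqueraded to ether1's address.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address-list=!PublicIPs \
    action=masquerade comment="masq private space, except PublicIPs"

# Equivalent single-prefix form, usable only while all public space is one
# contiguous block (kept commented out; use one form or the other):
# add chain=srcnat out-interface=ether1 src-address=!100.100.100.0/25 \
#     action=masquerade

# Quick checks: the list should show the public block, and the rule's
# counters should climb only for traffic from private hosts.
/ip firewall address-list print where list=PublicIPs
/ip firewall nat print stats
```

One caveat a practitioner would want: the negated list matches any source that is not in PublicIPs, including stray or spoofed addresses, not just the private space. Because the private space here is the single prefix 192.168.0.0/16, a positive match (src-address=192.168.0.0/16 instead of src-address-list=!PublicIPs) is tighter and avoids the exception entirely; the address-list form is worth keeping when the public ranges are the thing that grows.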
Thanks for the reply!!
To clarify a little.. The new site is up, but not running yet. No customers connected to it. I figured I better start this one with a router instead of coming back afterwards and doing it. Eventually, I will drop a router at each site. But for now, I just need to learn how to use these things lol.
So this is a default router. I did set a couple IPs in it, but nothing is saved yet. It can be wiped and start over.
With that said, is there a how-to on how to do this? Or perhaps, do you have the commands I’d need to go through to do this? If I could just see one working, I could get a grasp on it and be able to do the rest, and know why it’s set like that.
Thanks again!
Brian
It’s unclear to me whether you’re referring to the configuration at a customer’s router, or at your central router.
I had to read your reply a couple times before it sank in. It seems like you are talking about many-to-many, as in using a block of public IPs on the WAN side that NAT to a block of private IPs on the LAN side. If that’s the case, that’s not what I’m looking to do. I want a single public IP on the WAN side, and a block of private IPs that NAT to that single public IP.
The way my network is now, everything is a blind bridge, no routing until it hits the core router at my NOC. The core router hands a public IP address out to the end user’s router and that’s how the customer gets internet. I’ve become large enough that before long, a bridged network will no longer work and I’ll need to change it to a routed network. I have 9 sites that hop from one to the next in line. So from the NOC it goes to site1, then to site2, then on down the line. The way it is now, there is no router at each site, only a layer 2 switch, or a dumb switch. I want to eventually remove all the switches and replace them with routers, to cut down on broadcast traffic and to better utilize my block of IPv4 public IPs. So at each site, I’d like a public IP on the WAN side and the customers connect to the LAN side on private IPs. I want all the customers on the LAN side to NAT to that one single public IP on the WAN side. My core router has both public and private IPs on its LAN side.
Does that clear it up any?
I don’t really see this change necessitating anything different in your NAT rules because you already have a mix of public IPs that just get forwarded, and private IPs that must be masqueraded.
In your case, you’ll simply add a link to an access router which will basically act like a smaller, localized version of your existing core router.
You’ll just need to forward an IP address (or range of them) to each access-layer router with a static route, or if each router links to the core with a /30 ptp link, then the router can just use its uplink IP as the srcnat IP…
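The access-layer router the reply describes, as an added example of a complete site config (not the replier's or the original poster's configuration): one public IP on the uplink, a private /24 for customers, masquerade to the uplink address, and a small firewall so the router is not administered from the customer side or the open WAN. Assumptions, chosen to match the original post: ether1 faces the core on the existing L2 segment where the core holds 100.100.100.0/25 at 100.100.100.1, this site is given 100.100.100.10, ether2 to ether5 are bridged as the customer LAN, 192.168.16.0/24 is the customer range, and the upstream resolvers and management source range are placeholders to be replaced.

```routeros
# Added example, not from the original posts. Site (access-layer) router:
# public IP on the WAN side, NATed private customers on the LAN side.
# ASSUMPTIONS: ether1 = uplink to core; ether2-ether5 = customer ports;
# core LAN address = 100.100.100.1; this site's public IP = 100.100.100.10;
# customer range = 192.168.16.0/24; resolvers and mgmt range are placeholders.

/interface bridge
add name=bridge-lan comment="customer-facing ports"
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge-lan

# Addressing: the single public IP on the uplink, a private /24 inside.
/ip address
add address=100.100.100.10/25 interface=ether1 comment="site public IP"
add address=192.168.16.1/24 interface=bridge-lan comment="customer LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=100.100.100.1 comment="default via core"

# Hand private addresses to customers; the router resolves DNS for them.
/ip pool
add name=pool-lan ranges=192.168.16.10-192.168.16.250
/ip dhcp-server
add name=dhcp-lan interface=bridge-lan address-pool=pool-lan lease-time=1h disabled=no
/ip dhcp-server network
add address=192.168.16.0/24 gateway=192.168.16.1 dns-server=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1  # ASSUMPTION: your resolvers

# One-to-many NAT: everything leaving the WAN takes ether1's public address.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade \
    comment="customers -> 100.100.100.10"

# Who may manage this box. ASSUMPTION: tighten to the NOC hosts, not the whole
# /25, since existing customers on the bridged network also hold those IPs.
/ip firewall address-list
add list=mgmt address=100.100.100.0/25 comment="ASSUMPTION: NOC management range"

# Input chain: the router itself. Customers get DNS/DHCP only; management only
# from the mgmt list over the uplink; everything else from the WAN is dropped.
# Needed because allow-remote-requests=yes would otherwise expose an open resolver.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN protocol=udp dst-port=53,67 action=accept \
    comment="DNS + DHCP from customers"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input in-interface-list=WAN src-address-list=mgmt protocol=tcp \
    dst-port=22,8291 action=accept comment="ssh + winbox from NOC"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="drop everything else, WAN and LAN"

# Forward chain: customers out, replies back, nothing unsolicited inbound.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN action=accept comment="customers -> internet"
add chain=forward action=drop comment="no unsolicited inbound to customers"

# Checks: the masquerade counters should climb as customers browse, and
# /ip firewall connection should show 192.168.16.x sources translated to .10.
/ip firewall nat print stats
/ip firewall connection print where src-address~"192.168.16."
```

Two points worth noting. First, nothing changes on the core for this layout: the site's traffic arrives with source 100.100.100.10, which is on-link and inside the PublicIPs block, so the core's existing srcnat exception leaves it alone and no double NAT occurs. If a site uplink later becomes a routed /30 as the reply suggests, the core then needs a static route for the site's public IP (for example dst-address=100.100.100.10/32 with the /30 far-end as gateway), or the site simply masquerades to its /30 uplink address and the core routes that /30. Second, masquerade follows whatever address is on ether1; if a site ever needs a fixed translation that does not track interface changes, action=src-nat to-addresses=100.100.100.10 is the explicit form.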