I have two routerboards, the main one with a PPPoE server, and the second one with a PPPoE client.
I need to make some port forwarding from the public IP on the main RB to the second RB, which has a dynamic IP (different after any restart). I can take the DDNS name from the cloud of the second RB, which is immediately resolved OK from the main routerboard, but how can I use it? The classical dst-nat to dst-nat rule resolved it once only.
There are thousands of threads explaining the same thing, port forwarding where the WAN IP is dynamic and the LAN IP constant; I found no post explaining the case when the LAN IP is dynamic.
I can make the pool in the main RB one IP smaller, and in the secret make this PPPoE client always take the same IP, and I did that in the past.
Can I do it differently (keeping the client IP dynamic)?
I am not familiar with PPPoE shenanigans, like how the PPPoE client can get a different public IP behind the first router, where one would think it is the right public IP.
Nevertheless, if your second RB using IP cloud gets a unique public IP registered, the correct one, and it is reachable…
Then nothing is required on the first router; simply set up port forwarding rules on the second one.
Thank you for helping me; I am reading your recommended article to see if it fits my case.
I am trying to do the opposite. The WAN IP is one constant, but the LAN IP is dynamic.
Let me give an example (that I need to do also).
I have the MikroTik with ONE public WAN IP a.b.c.d, and a PPPoE server on it, with approx. 2000 clients.
I need to port forward a.b.c.d:58291 to a specific client, port 8291; the IP of this client is dynamic, varying across the 2000 IPs.
None of the ISPs I know will port forward to clients with dynamic addresses. And it doesn’t matter if client addresses are public or private. If I were in your place, I’d fix the client’s address (make a static DHCP lease or something) and then forward the port to that IP address. Many ISPs will charge extra for a static IP address and/or port forwarding (if it’s out of the ordinary for that ISP), and if you do the same, you’ll have a financial incentive to do things right.
I have no experience with PPPoE, but is there a possibility to forward to an interface (PPPoE username) instead of the IP?
Or make a script that uses the IP that the PPPoE client gets and changes the filter rules to use the correct IP.
Use Splunk> to log/monitor your MikroTik Router(s). See link below.
My experience is from the client’s point of view … when a PPPoE session successfully starts, ROS creates an L3 interface … it automatically receives an IPv4 address and point-to-point routing. The default route then uses the interface name as gateway. When it comes to NAT, it’s generic (to-address and to-ports) and doesn’t care about interfaces.
I somehow expect things to be similar on the PPPoE server side (a large number of PPPoE interfaces … possibly without dedicated addresses attached, because for routing one needs destination and gateway (which can be a PtP interface name)).
I don’t know if it’s possible to configure ROS to run a script on a PPPoE interface up event … and if it actually receives the needed data (e.g. user name). If it’s not possible, then a scheduled script might do the trick, but since it would be scheduled, the NAT update would be delayed.
I still think @OP should go for static IP addresses for clients which need port forwarding …
My routerboard, besides the secret username of the PPPoE client, also knows the DDNS name of the client (xxx.sn.mynetname.net).
The routerboard resolves it OK, I can put it in an address-list etc., and the command:
is accepted, but it resolves the DNS name immediately, and once only.
As I tried, to-addresses accepts ranges, where I can put for example the pool of the PPPoE server, and then with a second rule drop all except toward this address-list. If this method is possible, it may be CPU expensive (which I must care about too).
Or, if there are PPPoE events, any script that identifies the old NAT rule, deletes it, and creates a new one.
I don’t know; any help I’ll appreciate much.
PS
I did till now as suggested by you, restricting the pool of the PPPoE server and enforcing the client to always take the same address out of the pool.
I am asking if something else is possible.
Make the NAT rule you like with the comment the same as the user name. 192.168.1.8 = your public IP. (NAT rules may be adapted to your situation.) 1.1.1.1 = dummy IP that will be changed. hanson = PPPoE user name that you like to give NAT for.
Then add this code to the ppp->profiles->profile you use for your PPPoE clients->scripts->on up:
:if ($user = "hanson") do={
/ip firewall nat set [find where comment="hanson"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
This will then set the IP for the PPPoE client to the remote IP he did get when connected.
I only did a simple test, so some adjustment may be required.
If more than one needs this type of dynamic NAT, just repeat the script like this:
:if ($user = "hanson") do={
/ip firewall nat set [find where comment="hanson"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
:if ($user = "elvis") do={
/ip firewall nat set [find where comment="elvis"] to-addresses=$"remote-address"
:log info message="NAT IP for user=\"$user\" changed"
}
PS. They must have different ports, as a port can only be forwarded to one user.
Note. What gave me some headache was the variable remote-address. I could not get it to work, but after lots of googling found out that you need to quote it like this: $"remote-address". A better approach would be to not use - in variable names, or to support bash format like this: ${remote-address}. Old documentation found here: RouterOS - RouterOS - MikroTik Documentation
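The per-user :if blocks above can be generalised into one on-up script plus a matching on-down script. This is an added example written for this thread, not the poster's script: it assumes the NAT rule comments follow the constructed pattern "pppoe-fwd-<username>", that the profile scripts receive $user and $"remote-address" as described above, and that 192.168.1.8 / 1.1.1.1 are the same placeholder addresses as in the post. The on-down half matters because the pool address a client just released will be handed to the next client that connects; with the rule left enabled, that client would receive the forwarded port until the original user reconnects.

```routeros
# NAT rule created once, disabled, with a dummy to-address (constructed example)
/ip firewall nat
add chain=dstnat dst-address=192.168.1.8 protocol=tcp dst-port=58291 \
    action=dst-nat to-addresses=1.1.1.1 to-ports=8291 \
    comment="pppoe-fwd-hanson" disabled=yes

# --- On Up script (ppp -> profiles -> <profile> -> Scripts -> On Up) ---
# Look up every NAT rule whose comment matches this user; $user and
# $"remote-address" are supplied by the PPP profile on session start.
:local rules [/ip firewall nat find where comment=("pppoe-fwd-" . $user)]
:if ([:len $rules] > 0) do={
    /ip firewall nat set $rules to-addresses=$"remote-address" disabled=no
    :log info ("pppoe-fwd: " . $user . " up, forwarding to " . $"remote-address")
}

# --- On Down script (same profile -> Scripts -> On Down) ---
# Disable the rule so the port stops following an address that is about to be
# reassigned from the pool to a different client.
:local rules [/ip firewall nat find where comment=("pppoe-fwd-" . $user)]
:if ([:len $rules] > 0) do={
    /ip firewall nat set $rules disabled=yes
    :log info ("pppoe-fwd: " . $user . " down, rule disabled")
}
```

Adding a second user only needs another NAT rule with comment="pppoe-fwd-<name>" and its own dst-port; the scripts do not change.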
Learning RouterOS scripting, and a big world will open up.
With the log message, you can use external tools (like Splunk) to monitor when a PPPoE user logs in and out.