Hello
Please help with this, I really need help as fast as possible.
First I will describe my configuration.
In the picture I have an RB600A and an RB411AH.
The RB600 is connected to 4 sector antennas, and clients are connected to the antennas, with NSL5s, RB411s, wireless PCI cards and so on. Some of them don't support routing, so they are connected to the RB600 directly.
With the RB411AH I am using a P2P link, and the RB411AH is connected to the RB600A with ethernet.
All RB600 ports are bridged and on the P2P link I have WDS.
I am also using MAC authentication on wireless with User Manager v4.4.
So I need a solution.
Now I have a public IP range, a /24. I want to use these IPs for all clients.
It will be easy with clients who have a router, because they cannot access my network, they are behind the router. But clients with PCI wireless devices can access my network because all ports are bridged on the RB600, and they can use some programs to capture packets and do some attacks. I unchecked default forwarding but of course it did not help, because all ports are bridged. Another solution is to disable bridging and use masquerading, but with masquerading how can I use public IPs?
Is there any solution, for example to block users from accessing the network with bridging, or to use masquerading or other routing things?
Enable proxy-arp on the public and private interfaces, assign a dummy ip address to the private interface, create a static route for the ip addresses you want on the private interface.
Thank you for helping
But I have one more question.
I have 30 users on one side, so I need to add 30 static routes, yes?
And also, is it possible to use DHCP for public IPs?
For example, if a client connects to the AP he will get IP 192.168.0.10, and the gateway interface will get X.X.X.X ← public IP. I mean I want to use DHCP on both sides: on the private network a DHCP server and on the public side DHCP clients.
You could route in subnets if you wanted to. So if you have a /24 of 1.2.3.0/24 and wanted to put 30 sequential IPs on one interface, route like this:
ip route add dst-address=1.2.3.224/27 gateway=wifi0
That should put hosts 1.2.3.224-1.2.3.254 on interface wifi0.
You should be able to use DHCP, just set up the pools with those IPs.
The IP of the wifi0 interface should just be some dummy IP like 10.0.0.1. Or, you could run those hosts static and have a NAT IP being served dynamically.
FWIW, I haven't used this method in a wireless environment, but I have used it for 7-8 years to firewall my servers. Should work the same with wireless.
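As an added illustration (not code from the thread), the following script generates the RouterOS lines this answer describes for the asker's four sectors: it carves the public /24 into /27 blocks, emits the proxy-arp setting, dummy /32, static route and DHCP pool for each client interface, and, because the ports are now routed rather than bridged, adds forward-chain drops between sectors so client-to-client traffic can be filtered. The 1.2.3.0/24 block, the wifi0-wifi3 names and the 10.0.n.1 dummy addresses are assumptions.

```python
import ipaddress

# Constructed example: the public /24 and the interface names are assumptions
# standing in for the poster's real addressing.
PUBLIC_BLOCK = "1.2.3.0/24"
CLIENT_IFACES = ["wifi0", "wifi1", "wifi2", "wifi3"]   # one per sector

def carve_block(public_block, new_prefix):
    """Split the public block into equal sub-blocks, one per client interface."""
    return list(ipaddress.ip_network(public_block).subnets(new_prefix=new_prefix))

def interface_config(subnet, iface, dummy_ip):
    """RouterOS lines that route one sub-block to one interface:
    proxy-arp on the port, a dummy /32 so the port is a routed L3 interface,
    the static route, and a DHCP pool over the usable hosts of the block."""
    subnet = ipaddress.ip_network(str(subnet))
    hosts = list(subnet.hosts())          # excludes network and broadcast
    first, last = hosts[0], hosts[-1]
    return {
        "usable_hosts": len(hosts),
        "range": f"{first}-{last}",
        "lines": [
            f"/interface set {iface} arp=proxy-arp",
            f"/ip address add address={dummy_ip}/32 interface={iface}",
            f"/ip route add dst-address={subnet} gateway={iface}",
            f"/ip pool add name=pool-{iface} ranges={first}-{last}",
        ],
    }

def isolation_rules(ifaces):
    """Forward-chain drops between client interfaces.  With routed (not
    bridged) ports every inter-sector packet crosses the forward chain, so
    client-to-client traffic can be filtered here; a bridge offered no such
    choke point."""
    return [f"/ip firewall filter add chain=forward in-interface={a} "
            f"out-interface={b} action=drop"
            for a in ifaces for b in ifaces if a != b]

def build_config(public_block=PUBLIC_BLOCK, ifaces=CLIENT_IFACES):
    """Assign the last len(ifaces) /27 blocks of the /24 to the client
    interfaces (the low blocks stay free for the router and uplink)."""
    blocks = carve_block(public_block, 27)[-len(ifaces):]
    lines = []
    for n, (block, iface) in enumerate(zip(blocks, ifaces)):
        lines += interface_config(block, iface, f"10.0.{n}.1")["lines"]
    return lines + isolation_rules(ifaces)

if __name__ == "__main__":
    print("\n".join(build_config()))
```

Note that `hosts()` excludes the block's network and broadcast addresses, so 1.2.3.224/27 yields the 30 usable addresses 1.2.3.225-1.2.3.254.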
Assume my public IP block is 10.0.0.0/24. My default gateway from the ISP is 10.0.0.1, my mikrotik is 10.0.0.2, I have host 10.0.0.100 plugged into ether2 and 10.0.0.200 plugged into ether3.
The client plugged into ether2 will have its ip set to 10.0.0.100/24 with default gateway of 10.0.0.1 (Not the IP of the mikrotik, 10.0.0.2).
The client plugged into ether3 will have its ip set to 10.0.0.200/24 with default gateway of 10.0.0.1 (Not the IP of the mikrotik, 10.0.0.2).
/interface ethernet
# Set interfaces to proxy-arp (the only important thing here is arp=proxy-arp)
set 0 arp=proxy-arp auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:43:70:30 mtu=1500 name=ether1 speed=100Mbps
set 1 arp=proxy-arp auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:43:70:31 mtu=1500 name=ether2 speed=100Mbps
set 2 arp=proxy-arp auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1600 mac-address=00:0C:42:43:70:32 mtu=1500 name=ether3 speed=100Mbps
/ip route
# Default route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 scope=30 target-scope=10
# Routes for hosts on ether2/3. This tells the router that when 10.0.0.1 asks "who has 10.0.0.100/200?", it replies saying "I do".
# It is proxying the ARP request on behalf of the 10.0.0.100/200 clients, hence the term proxy-arp. The MikroTik isn't really
# 10.0.0.100, it just knows how to get there, so it "lies" and says it is the client IP.
add comment="" disabled=no distance=1 dst-address=10.0.0.100/32 gateway=ether2 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=10.0.0.200/32 gateway=ether3 scope=30 target-scope=10
/ip address
# Public IP of router
add address=10.0.0.2/24 broadcast=10.0.0.255 comment="" disabled=no interface=ether1 network=10.0.0.0
# Fake IP addresses on ether2/3 so they will route IP traffic
add address=192.168.1.3/32 broadcast=192.168.1.3 comment="" disabled=no interface=ether3 network=192.168.1.3
add address=192.168.1.2/32 broadcast=192.168.1.2 comment="" disabled=no interface=ether2 network=192.168.1.2
(You might be able to use the same 10.0.0.2 IP address on ether2/3. I know that in the past it didn't work, but on MT it might. I have seen other implementations where it did work.)
/ip firewall filter
# Allow SSH/Winbox into MT via ether1, but not from clients on ether2/3
add action=accept chain=input comment="" disabled=no in-interface=ether1 connection-state=new protocol=tcp dst-port=22,8291
# Allow DNS queries to MT from clients. FYI, the clients will have to use the 192.168.1.2/3 IP addresses for DNS. They won't
# be able to talk to 10.0.0.2 directly. Maybe it'll work if you put 10.0.0.2/32 on the ether2/3 interfaces. I haven't tried it.
add action=accept chain=input comment="" disabled=no in-interface=ether2 connection-state=new protocol=udp dst-port=53
add action=accept chain=input comment="" disabled=no in-interface=ether3 connection-state=new protocol=udp dst-port=53
# Drop all other input into the MT
add action=drop chain=input comment="" disabled=no in-interface=ether1
add action=drop chain=input comment="" disabled=no in-interface=ether2
add action=drop chain=input comment="" disabled=no in-interface=ether3
# Forward all traffic from internet to clients, clients to internet and clients to clients
add action=accept chain=forward comment="" disabled=no in-interface=ether3 out-interface=ether1
add action=accept chain=forward comment="" disabled=no in-interface=ether3 out-interface=ether2
add action=accept chain=forward comment="" disabled=no in-interface=ether2 out-interface=ether1
add action=accept chain=forward comment="" disabled=no in-interface=ether2 out-interface=ether3
add action=accept chain=forward comment="" disabled=no in-interface=ether1 out-interface=ether2
add action=accept chain=forward comment="" disabled=no in-interface=ether1 out-interface=ether3
You can firewall it however you want. It's up to you. The above example just forwards all traffic. This was real seat-of-the-pants. I may have forgotten something…
I have the same setup… but there is a problem: as soon as I set an extra IP on my client, I get an IP conflict message. This is while there is no such IP in my network. I think I know why. MT checks reachable IPs by the route table, not the ARP table. When I remove the default route, there is no conflict any more.
A long time ago I had this problem and I was forced to switch to Cisco because of it…
I hoped it would be resolved in new versions…
I don't understand what you are saying. When you set a 2nd IP on your client? I know this works because one of my servers is a XEN server with a few guests with bridged NICs. One guest has 5 public IPs for HTTPS sites. Those 5 IPs show the same ARP entry on MT because they are on the same "NIC".
The only problem you might run into is with an ISP that holds their ARP cache for a very long time and won't respond to gratuitous ARPs.
yes, you are right.
But this is true for the IPs that are routed to the client.
For example, I have routed 10.0.0.128/29 to my client. As long as the client sets IPs within this range, there is no conflict. As soon as the client sets, for example, 192.168.254.1 (this IP is not set anywhere in my network) he receives an IP conflict with the MAC of the MT.
This means that when MT receives an ARP request, it checks its availability in the route table. If the IP is already routed to the client, it does not say it is mine; but if the IP matches any other entry in the route table which is NOT routed to the client, it will reply with a conflict!
Any IP that the client sets matches 0.0.0.0/0 in the route table, and 0.0.0.0/0 is routed to the ISP, not the client, so MT replies with a conflict to whatever IP the client sets, except the IPs that are routed to him.
When I remove 0.0.0.0/0 from the route table, there is no conflict any more.
I have to route the client's internal IP range (192.168.254.0/24 in this case) to him so that he will not receive a conflict!!!
proxy-arp in MT differs from that of Cisco.
MT thinks it has access to whatever IP has a route to it, while this is not true.
I can post the MT config and Cisco config to prove this…
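To make the behaviour this post describes concrete, here is an added model (not code from the thread or from RouterOS) of a proxy-ARP decision driven by longest-prefix routing: the router answers an ARP request arriving on an interface whenever its best route to the target leaves through a different interface. The routing table entries, 10.0.0.0/24 block and interface names are constructed from the figures in this thread; the model reproduces the conflict with a default route present, its disappearance when the default route is removed, and the workaround of routing the client's private range back to him.

```python
import ipaddress

# Routing table as (destination, out-interface), constructed from the figures
# in the thread; block and interface names are illustrative, not a real site.
ROUTES = [
    ("0.0.0.0/0", "ether1"),        # default route towards the ISP
    ("10.0.0.0/24", "ether1"),      # connected public block on the uplink
    ("10.0.0.128/29", "ether2"),    # public /29 routed to the client on ether2
]

def best_route(routes, target):
    """Longest-prefix match: the out-interface the router would use for
    target, or None when nothing in the table covers it."""
    ip = ipaddress.ip_address(target)
    matches = [(ipaddress.ip_network(net, strict=False), iface)
               for net, iface in routes
               if ip in ipaddress.ip_network(net, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def proxy_arp_replies(routes, target, in_iface):
    """Model of the behaviour the thread describes: an ARP request for
    target arriving on in_iface is answered whenever the table reaches
    target through a different interface.  With a default route present,
    every address not routed back out of in_iface gets claimed, which is
    why a client probing its own private address sees a 'conflict'."""
    out = best_route(routes, target)
    return out is not None and out != in_iface

def demo():
    """Cases from the thread, returned as (description, router answers?)."""
    no_default = [r for r in ROUTES if r[0] != "0.0.0.0/0"]
    workaround = ROUTES + [("192.168.254.0/24", "ether2")]
    return [
        ("client ARP-probes 10.0.0.130 (inside its routed /29)",
         proxy_arp_replies(ROUTES, "10.0.0.130", "ether2")),
        ("client ARPs for its gateway 10.0.0.1 (intended proxy reply)",
         proxy_arp_replies(ROUTES, "10.0.0.1", "ether2")),
        ("client probes 192.168.254.1 with default route present",
         proxy_arp_replies(ROUTES, "192.168.254.1", "ether2")),
        ("same probe with the default route removed",
         proxy_arp_replies(no_default, "192.168.254.1", "ether2")),
        ("same probe after routing 192.168.254.0/24 to the client",
         proxy_arp_replies(workaround, "192.168.254.1", "ether2")),
    ]

if __name__ == "__main__":
    for text, answered in demo():
        print(f"{'REPLY ' if answered else 'silent'}  {text}")
```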