RB2011UiAS-1HnD-IN behind AT&T Uverse gateway

Hi, trying to set up a new hardware router to replace a virtualized pfSense box that is sitting behind a UVerse 2wire 3801hgv gateway. I have a /29 static IP block. I need the MikroTik box to behave much as a standard home NAT router, just with more flexibility and security.

The biggest stumbling block at first is the Uverse gateway’s method of issuing static IPs. Yes, I said “issuing” - it provides them via DHCP, one (and only one) per MAC address. I’m assuming that I need to set up VRRP interface(s) on the external (gateway) port and then use the Uverse router configuration to tell it “see this MAC address here? Give it the first of my static IPs” and repeat for each MAC address on the interface. Am I totally off base here? I know I’m not using it for its intended purpose, as I’m not using multiple routers or any kind of failover or redundancy, but a similar mechanism is used on pfSense via CARP addresses.

Beyond that, it’s not obvious how to set up the wireless connection to just be a plain access point. I suppose later I could make it be on a separate subnet and filter traffic on it, but for now I’d be happy if it just acted like an AP and served DHCP requests from the DHCP server already on my LAN.

Worst case I can do what I did with the pfSense box - put 5 IP addresses on 5 ports and hook them all to the gateway, then make one of them the default route. It’s ugly but it works.

Any help appreciated. RouterOS appears to take me a little closer to the hardware than I’m used to and I’m feeling exceptionally stupid at the moment.

Scott

To update: I’ve got the unit configured to accept a single DHCP address from the Uverse gateway, and an address on the inside interface, have secured the router per the wiki article and have masquerading up and running. If I redirect an internal machine’s gateway to point to the MikroTik box (my existing gateway is still up and running), everything works and works well - performance appears to be better and steadier than the virtualized pfSense box by a measurable amount.

That still leaves me with the need to get my static IP block directed to the router. Currently it’s just getting an address assigned that is not from the block assigned to me.

Scott

All routers with a DHCP server usually assign one IP per MAC address; this is absolutely normal and is something of a standard…

Do you really need all the IP addresses?
If you forget all the IP addresses (except one), everything becomes very easy and the forum can help you.

I think no one in the forum will suggest that you attach 5 (4!..) cables from the RB to the VDSL router to obtain 5 IP addresses…

You really must configure the U-Verse properly first,
or all you do is only a big mess
where no one wants to get a headache helping you.

Sorry, after some consideration, I really cannot help you.
I hope you can nevertheless find some help on this forum.

Yes, I really need all of the IP addresses.

Yes, they really do issue those IP addresses through DHCP, and will only allocate one per MAC address. This is a well-known shortcoming of Uverse’s static IP implementation (or at least in the way they implemented the 2wire 3801HGV).

Uverse gateway IS configured correctly. I may be new to MikroTik, but I do know what I’m doing in the abstract.

If I forget all but one IP address, I already have THAT up and running. I would normally say “If it was easy I wouldn’t need to ask”

Hopefully someone else will be able to answer the question. Thank you for taking the time to respond, though.

Scott

I previously replied to your post to focus on these two items:

  1. It is perfectly normal and does not surprise anyone: “they really do issue those IP addresses through DHCP, and will only allocate one per MAC address” is the normality for this type of device.

  2. “Uverse gateway IS configured correctly” Yes… and NO… If it is configured correctly (obviously for your need), it “routes” all the public IPs to the RB attached on one ethernet port of the RB.
    I do not know if the U-verse is able to do netmap, but I hope this is a hint for you:

In this example:
8 public IPs 1.1.1.0/29
1 private LAN IP 192.168.0.254/24
netmap inside the U-verse:
1.1.1.1 → 192.168.0.1
1.1.1.2 → 192.168.0.2
1.1.1.3 → 192.168.0.3
1.1.1.4 → 192.168.0.4
1.1.1.5 → 192.168.0.5
1.1.1.6 → 192.168.0.6
(and vice-versa)
DHCP server in the U-Verse disabled
only one cable from the U-verse to the RB on ether1
on the RB one bridge with ether1 [IP 192.168.0.253/24]
route on the RB: gateway 192.168.0.254
in another bridge (ip 1.1.1.8/24) you can put the wifi and the other ethernet ports.
create a DHCP server on the second bridge, with pool: 1.1.1.1-1.1.1.6 [and 1.1.1.8 as gateway and netmask 24]
add netmap on firewall nat
/ip firewall nat
add chain=dstnat action=netmap dst-address=1.1.1.1-1.1.1.6 to-addresses=192.168.0.1-192.168.0.6
add chain=srcnat action=netmap src-address=192.168.0.1-192.168.0.6 to-addresses=1.1.1.1-1.1.1.6

If all of this configuration can be done on the U-verse, the devices on your LAN act as if directly connected to the Internet with a public IP.
You are still able to fully configure the firewall for your devices, BUT remember to use the private IPs in the rules!..

  3. Or simply let the U-verse do all the work:
    put one single cable from the U-verse to the RB,
    make one bridge on the RB and put all interfaces on this bridge,
    add one DHCP client on the bridge,
    let the U-verse assign the IPs to your devices (or put static IPs on your devices);
    you are still able (after activating the firewall in the bridge options) to use the firewall to do anything you want.
    With this config you are able to use 1 IP for the RB and the other 5 for another 5 devices without putting 5 (4!) cables between the U-verse and the RB.

Okay, the problem is a lot easier to solve than I had supposed, and has nothing to do with establishing additional addresses. I was focused on making the static IP addresses appear on the outside interface, when they don’t need to do that at all.

When the AT&T/Pace/2Wire 3801HGV is configured for “Cascaded Router”, it forwards that entire subnet of static IPs to the MikroTik box. I don’t need the addresses on the outside interface of the MikroTik, I just need to create my dstnat and/or srcnat entries based on which interface the packet is entering or leaving on.

Everything is working EXACTLY the way I expect it to now.

Whew, what a relief!

Scott
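As an added example (not Scott's actual configuration and not part of either reply above), here is a RouterOS script for the Cascaded Router arrangement Scott ends up with: the 3801HGV hands the RB a single DHCP lease on ether1 and routes the whole static block to it, and the RB maps each public address to an inside host with netmap rules keyed on the interface, so the public addresses never need to sit on the outside port. It applies the same netmap idea as the earlier reply's hint, only on the RB instead of the U-verse, and it also bridges wlan1 into the LAN so the radio acts as a plain access point served by the DHCP server already on the LAN, which was the question in the first post. The interface names, the 203.0.113.8/29 documentation block (usable .9 to .14), the 192.168.88.0/24 inside range, the host list, the SSID and the WPA2 key are placeholders that stand in for the real values.

```routeros
# Added example: Cascaded Router on an RB2011 behind a 2Wire/Pace 3801HGV.
# Placeholder values (none are from the thread):
#   ether1                - port cabled to the U-verse gateway
#   ether2..ether5, wlan1 - LAN side
#   203.0.113.8/29        - stands in for the real static block (usable .9-.14)
#   192.168.88.0/24       - inside LAN; .9-.14 are the hosts that get a public IP

# 1. LAN bridge. wlan1 joins it so the radio is just an access point and
#    wireless clients get leases from the DHCP server already on the LAN.
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=wlan1
/interface wireless security-profiles
set default mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-placeholder
/interface wireless
set wlan1 mode=ap-bridge ssid=example-ap security-profile=default disabled=no

# 2. Outside: one DHCP lease from the gateway, which also installs the default route.
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# 3. Inside address for the bridge.
/ip address
add address=192.168.88.1/24 interface=bridge-lan

# 4. 1:1 NAT keyed on the interface. The public block never appears on ether1:
#    the gateway routes it to the RB, and dstnat rewrites the destination
#    before the routing decision, so the packet is delivered to the inside host.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.9-203.0.113.14 \
    action=netmap to-addresses=192.168.88.9-192.168.88.14 comment="public -> inside"
add chain=srcnat out-interface=ether1 src-address=192.168.88.9-192.168.88.14 \
    action=netmap to-addresses=203.0.113.9-203.0.113.14 comment="inside -> public"
add chain=srcnat out-interface=ether1 action=masquerade comment="all other LAN hosts"

# 5. Filter: nothing reaches the router itself from the WAN, and only the ports
#    you choose reach the mapped hosts. Rules match the private addresses because
#    dstnat has already run by the time the forward chain sees the packet.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop comment="no management from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 protocol=tcp dst-port=443 \
    dst-address=192.168.88.9-192.168.88.14 action=accept comment="published service"
add chain=forward in-interface=ether1 action=drop comment="drop all other inbound"
```

Paste it into the terminal or load it with /import after replacing the placeholders. Rule order matters in both the nat and filter tables: the two netmap rules must precede the masquerade rule, and the established/related accepts must precede the drops. On the 3801HGV side, Cascaded Router only needs the RB's DHCP-assigned address as the cascaded router and the static block as the routed network, exactly as Scott describes; the RB's DHCP-assigned address never changes role, and the mapped hosts become reachable on their public addresses only on the ports the forward chain accepts.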