Route Public IP to Laptop PPPoE

I’ve looked high and low but am struggling to find the config help needed to get my setup working.

I have a x.x.x.96/29 from my ISP. I use PPPoE to authenticate the DSL connection and get issued with an IP address, x.x.x.102.

I want to use one of the other public IPs, x.x.x.101 hopefully, for a device connected on another port on the CRS125-24G-1S (ether2).

It looks like from what I’ve read I need to get the PPPoE interface linked to a bridge and put both the switch ports (WAN port and Laptop Port) in the bridge. I think I’ve done this but it’s not worked as I hoped. It might also seem that I need to do something with proxy-arp or routing of the /32 address but I’m getting a bit lost with this as I haven’t found anything too clear.

I am running a LAN in this switch too with NAT behind the PPPoE, I’ll leave this config out unless someone wants to see any of it.

Let me post some of the config.

PPPoE Config: -

/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=br-zen keepalive-timeout=60 name=pppoe-out1 password=******** service-name=ZenFibre user=user@zen

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps

Bridge Config: -

/interface bridge
add comment=ISP-Bridge name=br-zen

/interface bridge port
add bridge=br-zen comment=defconf interface=ether2
add bridge=br-zen interface=ether1

Address Config: -

/ip address
add address=x.x.x.96 interface=br-zen network=x.x.x.96
add address=x.x.x.97 interface=br-zen network=x.x.x.97
add address=x.x.x.98 interface=br-zen network=x.x.x.98
add address=x.x.x.99 interface=br-zen network=x.x.x.99
add address=x.x.x.100 interface=br-zen network=x.x.x.100

Address Print: -

[admin@r01-edge01] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS        NETWORK      INTERFACE
 1   x.x.x.97/32    x.x.x.97     br-zen
 2   x.x.x.98/32    x.x.x.98     br-zen
 3   x.x.x.99/32    x.x.x.99     br-zen
 5   x.x.x.100/32   x.x.x.100    br-zen
 6 D x.x.x.102/32   62.3.80.17   pppoe-out1
 7   x.x.x.96/32    x.x.x.96     br-zen

Any help is greatly appreciated.

The point is that there are multiple ways how the ISP can handle delivery of a whole subnet via a PPPoE link. Some give you as a PPPoE client a single IP address from same or different subnet and ask you to set up RIP to propagate the public subnet to them so that they could route it to you, others route those addresses to the tunnel to you statically on their end, and yet other ones just give you as many PPPoE accounts as you have IP addresses in the subnet, assuming that you’ll bridge multiple devices with the modem.

So the first step is to determine how your ISP does that. The simplest way is to run /tool sniffer quick interface=pppoe-out1 port=80 and write the IP address the ISP has assigned to pppoe-out1 itself, into an address field of a browser on a machine connected to the internet some other way (mobile network, a PC of a friend not using your WiFi, …). If you can see packets coming with your.public.ip.102:80 as DST ADDRESS, your ISP is not blocking access to your TCP port 80. If so, the next step is to try the same with the .98 from that subnet; if you can also see packets coming, your ISP doesn’t require any efforts from you to send packets for all your IPs to you. If so, try with .96 and .103, because this will tell you whether you can use only 6 addresses or all 8.

If only packets for .102 can be seen, the ISP either uses the “one IP per PPPoE link” approach or needs you to use some dynamic routing protocol to announce that traffic for those addresses should be routed to you.

Do the test first and we shall proceed based on the result.

Hi @sindy , thanks for the reply.

I’ve done this before with the DrayTek I had before so I’m 99% sure they send traffic to all IPs across the link. I’ve added all the addresses to the Mikrotik and can ping them all including .96 (Network Number) and .103 (The Broadcast). Meaning I should have use of all 8. I think they may be routing all of them as /32s behind the .102 address, as at one point I was getting a dest unreachable coming back from .102 when I was pinging 101.

I tried testing using the quick sniffer but it only shows src address as a field?

I did a sniffer packet instead filtering on the whole network and port 2222 (As it wouldn’t be seen by accident) and this is what I saw.

[admin@r01-edge01] /tool sniffer> connection print
Flags: A - active
 #   SRC-ADDRESS           DST-ADDRESS      BYTES  RESENDS  MSS
 0 A 37.120.190.20:36442   x.x.x.96:2222    0/0    0/0      1440/0
 1 A 37.120.190.20:43862   x.x.x.97:2222    0/0    0/0      1440/0
 2 A 37.120.190.20:40184   x.x.x.98:2222    0/0    0/0      1440/0
 3 A 37.120.190.20:46602   x.x.x.99:2222    0/0    0/0      1440/0
 4 A 37.120.190.20:37276   x.x.x.100:2222   0/0    0/0      1440/0
 5 A 37.120.190.20:56560   x.x.x.101:2222   0/0    0/0      1440/0
 6 A 37.120.190.20:39994   x.x.x.102:2222   0/0    0/0      1440/0
 7 A 37.120.190.20:59280   x.x.x.103:2222   0/0    0/0      1440/0

Ok, back over to you, :wink:

Excellent. No headache with RIP or something.


It depends on the width of the window where you launch the /tool sniffer. If less-than-everything can fit, it suppresses the columns starting from the least important one, the priority being determined by some developer years ago.

So to the task of distributing the addresses further - as soon as you attach the other-than-102 address to a local interface as you did, the incoming traffic will be caught by the Mikrotik itself and won’t be forwarded anywhere. So the first step is to remove the address from the list of Mikrotik’s own ones.

The next step is to set up a point-to-point link to the laptop. The easiest and most surprising way is that you can set up a point-to-point link over Ethernet by merely assigning the address as a /32 one to an Ethernet interface on the laptop side, set the gateway address of the default route to 0.0.0.0 and set the IF parameter to the number of the Ethernet interface shown in the leftmost column of Interface List in the beginning of the route print output.

On Mikrotik side, you would assign any private /32 IP address to the /interface ethernet to which the laptop would be connected, and set the value of network parameter of the /ip address to the public IP assigned to the laptop’s interface.

Done. If the laptop is a Linux or iOS one, the details of the setting will be slightly different but the principle remains.

Or you may take the effort and spin up your own PPPoE server and configure the laptop to use it.

Ok so that doesn’t sound too bad. Can Mikrotik make use of /31 networks? I know Juniper can, but not sure.

So If I am understanding you correctly. If I want to assign x.x.x.101 to the laptop that is connected to ether2, I do this on the Mikrotik… in addition to the config above.

/ip address
add address=1.1.1.1/32 interface=ether2 network=x.x.x.101

and on the laptop I set the IP as x.x.x.101/32 with gateway as eth1.

I’m guessing I still need the bridge (br-zen) configured as it is, or will ether2 need to be in a different bridge?

thanks again

IMHO a little simpler and more understandable example of /32 addressing:

RouterOS:

/ip address
add address=<local address>/32 network=<remote address> interface=<interface>

Linux:

ip addr add <local address> peer <remote address> dev <interface>

Windows:

address = <local address>
mask = 255.255.255.255
gateway = <remote address>
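
A simplified model of the forwarding decision discussed in this thread, added here as an illustration and not part of any participant's post or of RouterOS itself. It shows why a public address attached to the router is delivered locally, while the same address used as the `network` of a private /32 is forwarded to the laptop port; all addresses (203.0.113.96/29, 192.0.2.1, 10.255.255.1) and function names are constructed assumptions.

```python
import ipaddress

# Constructed addresses: 203.0.113.96/29 stands in for the redacted x.x.x.96/29,
# 192.0.2.1 for the ISP's PPPoE peer, 10.255.255.1 for the router's private /32.
PPP = ("203.0.113.102/32", "192.0.2.1", "pppoe-out1")
BEFORE = [("203.0.113.101/32", "203.0.113.101", "br-zen"), PPP]  # .101 owned by router
AFTER = [("10.255.255.1/32", "203.0.113.101", "ether2"), PPP]    # .101 is the peer
SLASH30 = [("203.0.113.97/30", "203.0.113.96", "ether2"), PPP]   # conventional subnet

def connected(rows):
    """Return (router's own IPs, connected routes) for /ip address style rows."""
    local, routes = set(), []
    for addr, network, iface in rows:
        ifc = ipaddress.ip_interface(addr)
        local.add(ifc.ip)
        # A /32 address whose network= names the peer gives a /32 route to that peer.
        dst = ipaddress.ip_network(network + "/32") if ifc.network.prefixlen == 32 else ifc.network
        routes.append((dst, iface))
    return local, routes

def decide(dst, rows, default="pppoe-out1"):
    """Local delivery, a connected interface (longest prefix wins), or the default route."""
    local, routes = connected(rows)
    ip = ipaddress.ip_address(dst)
    if ip in local:
        return "local"
    hits = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(hits)[1] if hits else default

def public_used(rows, block="203.0.113.96/29"):
    """Count addresses of the public block tied up by these rows."""
    blk, used = ipaddress.ip_network(block), set()
    for addr, network, _ in rows:
        ifc = ipaddress.ip_interface(addr)
        span = {ifc.ip, ipaddress.ip_address(network)} if ifc.network.prefixlen == 32 else set(ifc.network)
        used |= {a for a in span if a in blk}
    return len(used)

if __name__ == "__main__":
    for name, rows in (("before", BEFORE), ("after", AFTER)):
        print(name, decide("203.0.113.101", rows))
    print("/30 laptop", decide("203.0.113.98", SLASH30), "uses", public_used(SLASH30[:1]))
    print("/32 link uses", public_used(AFTER[:1]))
```

The same model covers the conventional /30 alternative, which ties up four addresses of the public block where the /32 link ties up one.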

@Sob, simpler put but otherwise exactly the same at RouterOS side, and thank you for the Linux side syntax.
Btw, is the nick based on your first name or your last name?


Juniper can, Mikrotik cannot and they used to hold a standpoint that the way with /32 local address and /32 “network” address do the same job, which is almost true until you start fiddling around with dynamic routing protocols which don’t play along.

But here, even a /31 network would cost you one public IP which you may find a better use for :slight_smile:


default gateway as a device name rather than IP address, right. Since you mention eth1 your laptop is probably a Linux one so @Sob’s advice is what you need.


Either in a different bridge or, even better, in no bridge at all (you’re building a point-to-point link so you don’t need another equipment to listen there anyway). To be able to attach an /ip address to an interface, that interface must not be a slave of any other one (well, except /interface vrrp). So if you would make ether2 a member of some bridge, the /ip address would have to be attached to that bridge, not to ether2 itself.

Ok, many thanks for your help, your teachings have been very valuable.

My testing has been with a laptop, but my end game was always to use the Google Wifi AP (don’t ask me why I’ve got this). That unfortunately doesn’t seem to be able to route to an interface. I’ve worked out freeing up the first 4 IP addresses and assigning x.x.x.97/30 on the MikroTik, and x.x.x.98 on the laptop and that works too. So for now I have a way forward.

I’ll do some reading on setting up a PPPoE server as that could be a better way for me with this device and will use fewer public IPs.

Thanks for the help again, both of you.

Unfortunately, many devices don’t support /32 addresses…

Gateway on Linux doesn’t have to be a device; if you add the address like I posted, it can be:

ip route add default via <remote address>



Surname. No relation to any (in)famous people (AFAIK).