I have followed various posts on this forum, but am now stuck. I currently have:
ISP (1.2.3.1/24) - switch - Mikrotik eth1 1.2.3.2/24 - Mikrotik eth2 pppoe server using 10.1.1.1/16 pool - pppoe clients with 10.1.x.y/32 ip; src-nat’ed
I have a free public IP pool 1.2.3.2-1.2.3.200 (others are used internally) which I provide to some clients.
Till now I assigned those IPs to eth1 and dst-nat’ed all ports to the specific 10.1.x.y IP. However, I would like to assign the public IPs directly to the end-users and switch (route?) instead. I have:
set up a new ip pool for 1.2.3.2-1.2.3.200
set up a new pppoe profile using this pool
set specific client IPs to use this pppoe profile
enable proxy-arp on eth1 and eth2
This works:
clients log in via pppoe and get their public IP
clients are able to ping 1.2.3.1 and 1.2.3.2
setting a computer to 1.2.3.201 and connecting it to the switch allows me to ping the client’s public IP
My issue is that clients are not able to ping beyond 1.2.3.1. I think the missing piece is that there is no instruction setting 1.2.3.1 as the default gateway for client traffic.
I’m not quite sure if what I have in mind is possible and, if so, what the missing settings are?
In the file, censor the remaining sensitive data with * without removing any part; do not remove anything, just censor the public IPs and usernames (passwords are not exported):
/export hide-sensitive file=pippo
If you do not want to do that, you will not receive help;
you can just get some reply from a fortune-teller…
Do not use a public IP for local-address=1.2.3.2.
Create one pool of useless IPs, just used for the pppoe local-address:
100.64.0.1-100.64.0.254
Otherwise it is like you use 1.2.3.2 twice (multiple times), for each connected user.
Nothing obvious, the default route is sufficient for all traffic which arrives at the Mikrotik. Are there any firewall rules which you have omitted to show?
Whilst you need proxy-arp on ether1 for the WAN IP range, it would not be necessary on ether2 if the LAN IP range did not overlap with the private PPPoE pool.
But I do not use it for the clients / pool. That starts at 1.2.3.3:
/ip pool add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.200
No, that's it. I set up a bare system to test this.
I tried enabling it just on one interface and I was not able to ping out. That's why I enabled it on both. It was also suggested in "PPPoE with Public IP".
There is nothing wrong with using 1.2.3.2 for both ether1 and as the local address for the PPPoE client connections. Presumably 1.2.3.x/24 is just a fake range you are using to describe the situation rather than your real public IP addresses.
Ping out from where? It is necessary on ether1 so the Mikrotik can answer ARP requests from other directly connected 1.2.3.x/24 devices on behalf of the PPPoE clients, but it should not be necessary on ether2.
Are there any IP clients connected to ether2 (as the IP address network for ether2 is incorrect)?
A pppoe client (say 1.2.3.3) is able to ping 1.2.3.2 and 1.2.3.1 but not beyond (i.e. routed via 1.2.3.1) - say 8.8.8.8 or google.com.
It is necessary on ether1 so the Mikrotik can answer ARP requests from other directly connected 1.2.3.x/24 devices on behalf of the PPPoE clients, but it should not be necessary on ether2.
Ok, thank you for clarifying.
Are there any IP clients connected to ether2 (as the IP address network for ether2 is incorrect)?
I exported the config, reset it and re-applied the config and it worked immediately. Thank you all for your help for confirming that the config was in principle right.
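The setup discussed in this thread, consolidated as an added RouterOS example (not the poster's exported config, which is not shown on the page). The names pppoe-public and client1, the password placeholder and the src-nat rule are assumptions; 1.2.3.x is the thread's placeholder range.

```routeros
# Added example, not the original poster's configuration.
# Hypothetical names: pppoe-public, client1. Placeholder: CHANGE-ME.

# Public pool handed to PPPoE clients (range as quoted in the thread)
/ip pool add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.200

# Profile for public-IP clients. The thread's working setup reuses the
# ether1 address 1.2.3.2 as the PPPoE local-address.
/ppp profile add name=pppoe-public local-address=1.2.3.2 remote-address=pool-pppoe-public

# Move one specific client onto the public profile
/ppp secret add name=client1 service=pppoe profile=pppoe-public password=CHANGE-ME

# Proxy-ARP on the WAN side so the router answers ARP from other
# directly connected 1.2.3.x/24 devices on behalf of the /32 PPPoE clients
/interface ethernet set ether1 arp=proxy-arp

# Default route via the ISP gateway; sufficient for all traffic that
# reaches the router, including the public-IP PPPoE clients
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.1

# Assumption: the existing src-nat is scoped to the private PPPoE pool,
# so clients holding a public address leave un-NATed
/ip firewall nat add chain=srcnat src-address=10.1.0.0/16 out-interface=ether1 action=masquerade

# Checks after a client reconnects
/ppp active print
/ip route print where dst-address=0.0.0.0/0
/ip firewall nat print
```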