I’m trying to figure out how to get my Mikrotik to route some public IPs (no NAT) in a 1.2.3.24/29 block of 8 addresses I have from the ISP. I’ve read a little about the distinction as to whether the /29 is assigned (bridged) or routed, and I think mine is bridged.
My detailed configuration is attached, but I basically have four ports arranged in two bridges - one LAN bridge (172.18.1.0/24) with my internal port and wireless, and one WAN bridge with my uplink port and my interface to the servers with public ips. The LAN bridge traffic is on a private subnet and is NATed out the WAN bridge (containing the uplink) on one (.29) of the 8 public ips.
Currently, the LAN clients have connectivity, but the public ip servers do not. I can ping to the servers from both the internet and from the LAN, but they think they have no route anywhere and cannot ping out. Those servers are configured with the default gateway provided by the ISP.
How should I configure the IP Address setup or Routes to get these public ips routable? I do not have proxy arp on, but shouldn’t since the interface to the servers is bridged to the uplink interface, right? I tried breaking the bridge and using proxy-arp on both interfaces instead, but that didn’t seem to work either…
My thanks in advance
mt-config-2013-05-21.txt (6.17 KB)
Is the gateway being used by the servers within the public /29 range? Is it the same as the gateway being used successfully by the router? What are the various addresses X used on the /29 - i.e. a.b.c.X?
Thank you for replying.
The gateway from my ISP is 1.2.3.1 in my example, and the public /29 block is 1.2.3.24-31 inclusive. The NATed internal clients are using it without a problem, but the public ip servers cannot connect using that gateway (although I intend them to).
As you can see from the config, in the IP Address settings, I have one public ip (.29, the nat outlet) configured with a /24 subnet. Without this, my default route to 1.2.3.1 (the gateway) becomes unreachable. Adding the other public ip addresses (either with /32, /29, or /24) to the IP Address settings does not make them able to route. I suspect the problem is that the dynamic routes created by my definition of the IP Address are incorrect. Logically, it seems I should define a single ip address of 1.2.3.24/29 or /24 on the WAN bridge, but this makes my gateway unreachable.
Is this an Ethernet connection to the upstream? Have they told you what the true network mask is on that broadcast segment?
If you need to add additional IPs to the WAN interface you can do so with /32 addresses. What are the network/netmask etc. settings on the servers?
To answer your questions:
- The connection from the Mikrotik upstream goes:
  MT → DSL modem → my wall
  The DSL modem is set to bridge mode and is completely transparent to me.
- The configuration tool of the ISP reports my network mask on the 1.2.3.0 network as being 255.255.255.0 (which is /24). I will confirm this reflects the true broadcast domain and reply if it does not.
- Understood that adding /32 addresses should work to add IPs for additional servers on the WAN bridge.
- Each of the servers is configured:
  ip: 1.2.3.x where x = 24 to 28
  mask: 255.255.255.0
  gateway: 1.2.3.1
  I have not changed the configuration of these servers from what it was when they were directly connected via a switch to the DSL modem.
OK - let’s focus on one server. Can you double check that a particular server works when connected to the DSL modem via a switch then put the RouterBoard back in circuit and upload its current config along with the IP settings for that server.
Ok. I’ve made some progress - the configuration below works for both the public servers and the private clients, but induces nearly 1000ms of additional lag for the public servers (vs being switched directly to the uplink). This induced lag, combined with normal network load, initially made the MT’s pings timeout entirely. I initially failed to notice that the pings were timing out (as opposed to producing a routing error).
The file attached to this post is the relevant excerpts from running “export.” Nothing is set under /ip arp.
So the question now is:
why does this configuration create so much lag? Is this the right way? Would rules (either bridging, or firewall) help this?
Here is my current setup:

Ports and bridges:

                public ip servers on switch A
                      |
ISP <---> MT -------- private clients on switch B
   eth10   |
       wireless wlan

Where two bridges are configured:
WAN bridge: switch A and eth10
LAN bridge: switch B and wlan
IP setup:
I have a block of 8 IPs (1.2.3.24-31) from the ISP, and my DSL modem is set to bridge me to the ISP.
The internal private network is configured for the 172.18.1.1/24 subnet on the LAN bridge; outgoing connections are SRC-NATed to an IP address defined on the WAN bridge of 1.2.3.29/24. For each of the private servers, I have also defined an IP address (e.g. 1.2.3.25/24 and 1.2.3.28/24) on the WAN bridge. The private network is serviced by DHCP with clients receiving a gateway of 172.18.1.1.
Public Server configuration
The public servers are configured exactly as if they were connected to the DSL via a switch…
IP: 1.2.3.25
Subnet Mask: 255.255.255.0
Gateway: 1.2.3.1
Thank you again for your help
mikrotik config 2013-05-26 working with lag.txt (7.06 KB)
So, after playing around a bit, it turns out this configuration does not work. The public ip servers were getting an error that another device was using their IP address. Turns out, I think it was the MT.
I've modified the configuration from the last post by removing definitions for the public IP addresses from /ip address:
[admin@MikroTik] > /ip address export
# may/26/2013 16:18:11 by RouterOS 5.25
# software id = 0TCC-EHR8
/ip address
add address=172.18.1.1/24 comment="Internal private range" disabled=no interface="LAN bridge" network=172.18.1.0
add address=1.2.3.29/24 comment="NAT outlet" disabled=no interface="WAN bridge" network=1.2.3.0
It seems not to matter if I have a static route for the 1.2.3/24 subnet or not, since a dynamic route is generated by the definition of the 1.2.3.29/24 IP address.
Still getting huge amounts of additional lag.
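Two of the pitfalls this thread runs into can be checked mechanically before touching the router: a default gateway (1.2.3.1) that lies outside the router's connected network whenever the WAN address is given a /29 mask, and a router address on the WAN bridge that duplicates a server's address on the same switched segment (the "another device is using their IP address" error). The Python script below is an added example, not part of this thread or of RouterOS; it parses the `/ip address export` format shown above and reports both conditions. The sample export, server list and interface names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a router export in the format the thread shows (the
# "working with lag" revision, where .25 was also defined on the WAN bridge),
# plus the public servers that sit on switch A behind the same bridge.
ROUTER_EXPORT = """
/ip address
add address=172.18.1.1/24 comment="Internal private range" disabled=no interface="LAN bridge" network=172.18.1.0
add address=1.2.3.29/24 comment="NAT outlet" disabled=no interface="WAN bridge" network=1.2.3.0
add address=1.2.3.25/24 comment="server" disabled=no interface="WAN bridge" network=1.2.3.0
"""
SERVERS = {"srv1": "1.2.3.25", "srv2": "1.2.3.28"}  # constructed: hosts on switch A
DEFAULT_GATEWAY = "1.2.3.1"  # the ISP gateway named in the thread

ADD_RE = re.compile(r"^add\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_ip_addresses(export_text):
    """Return [(interface, IPv4Interface)] for every enabled 'add' line."""
    result = []
    for line in export_text.splitlines():
        m = ADD_RE.match(line.strip())
        if not m:
            continue  # header, comment or '/ip address' menu line
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(1))}
        if kv.get("disabled") == "yes":
            continue
        result.append((kv["interface"], ipaddress.ip_interface(kv["address"])))
    return result


def analyse(export_text, servers, gateway, wan_interface):
    """Check gateway reachability and L2 address collisions on one bridge."""
    addrs = parse_ip_addresses(export_text)
    gw = ipaddress.ip_address(gateway)
    # A static default route to gw only works if gw is inside a connected
    # network on the uplink bridge; a /29 on 1.2.3.24-31 excludes 1.2.3.1.
    reachable = any(i == wan_interface and gw in a.network for i, a in addrs)
    # Any router address equal to a server's address on the same bridged
    # segment produces the duplicate-address error the servers reported.
    router_ips = {str(a.ip) for i, a in addrs if i == wan_interface}
    dupes = sorted(n for n, ip in servers.items() if ip in router_ips)
    return {"gateway_reachable": reachable, "duplicates": dupes}


if __name__ == "__main__":
    print(analyse(ROUTER_EXPORT, SERVERS, DEFAULT_GATEWAY, "WAN bridge"))
```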