Routing or NAT? Suggestions needed

Hi there

We have a CCR2004-1G-12S+2XS which is routing/firewalling internet, where we have a /28 subnet (10 public IP addresses).
We have one of our customers who would like to use their own firewall/VPN solution, so we would like them to use one of the 10 IP addresses.
The internet link is terminated in the Mikrotik router. What is the easiest way to “route” the traffic to the customer’s firewall, which will have its WAN port connected to a port on the Mikrotik?

One option would be to just do a NAT/DNAT rule, but then I guess we would have to give them an internal IP address?
Isn’t there a way that we can route traffic from a specific IP to a port on the Mikrotik? And never even run it by the firewall?

Suggestions are very welcome.

You mean, like a VLAN on a bridge?

I just want to separate the traffic for this specific firewall that is connected at a port on the Mikrotik.
Not sure if a VLAN would make sense…

This really depends on how you want to hand over the service and IP. The easiest way is to make a PPPoE server and route the /32 public IP to your customer; there’s no sense in routing a /30 to them since it will consume 4 addresses from your existing IP block. Another possible option, if you are using v7.18 at least, is to assign a /31 to them, but the downside is that it will consume a port in your firewall. This is YMMV.

If you opt to choose option #1, the PPPoE addresses could be like this: 10.100.10.1 (local IP), 10.100.10.2 (remote). Route the /32 public IP and they can assign this to their firewall as the LAN address; this is how most of us do it in this situation. Good luck. Don’t NAT, of course, the public IP you route to the customer, since it’s routable.

Same approach as PPPoE if you opt to choose DHCP instead; I would prefer DHCP if you are giving > 1G bandwidth.

Seems like a lot of hassle to set up PPPoE etc., but essentially if I want to route it I need to split up the /28 subnet and waste some of my IPs?
Not sure I would like to do that because of the limited number of IPs we have… the other approach would be to just create a “DMZ” network for the firewall and NAT/DNAT the needed ports to that firewall… and of course hope that the firewall works behind a NAT… (it’s a Check Point firewall)…

It depends on whether the /28 is routed to your MikroTik or if the ISP has a gateway inside the /28.

Option 1. The ISP routes the /28 to you and you create a smaller subnet on the same router for your customer. No other routing is needed.

Option 2. The ISP has a gateway inside the /28 they hand off to you. In this case, you have to turn proxy arp on the gateway interface to your ISP (do this in a maint window) and then you can route a smaller block out of that /28 to your customer.

Option 3. Create a VLAN for the /28 and put your ISP and the customer inside of the same VLAN. Give them the IPs you want to reserve for them. You’ll both share the same ISP GW.

A /28 is 16 addresses, or 14 if the ISP likes to waste IPs, or 12 if the ISP likes to waste IPs and the PtP link uses IPs from the pool, not 10…

You didn’t explain well, just gave vague clues.

If your provider gives you 198.51.100.y as its IP and assigns you 198.51.100.(usually y +1 or y -1) and also gives you 203.0.113.x/28, then:
if x is 0, better to not use 203.0.113.0 for various reasons.
if x is 240, better to not use 203.0.113.255 for various reasons.
But if x is any other number, you can use ALL 16 addresses without limits.

If your provider wastes .0 and .15, uses 203.0.113.1 as its own IP and assigns you 203.0.113.2,
and also routes to your 203.0.113.2 all the others 203.0.113.[3|4|5|6|7|8|9|10|11|12|13|14]/28, then:
you can use the remaining 12 addresses, 3..14, without limits.

If customers have their own firewall, better to do routing and not use any form of NAT at all.

I’m sorry for being vague, I just looked at my IP-letter from the ISP where it says:
(IP’s changed)
IP-addresses: 10.10.10.4-14
Gateway: 10.10.10.1
Netmask: 255.255.255.240
IP-Net: 10.10.10.0/28

But after thinking about it, I think the way I want to go is to route it.
So I guess I have to pick a port in the router to which I connect the other firewall.
I then give this port an IP of: 10.10.10.8/31
Which gives me two IP addresses, one for my router (10.10.10.8/31) and one for the other firewall (10.10.10.9/31).

Question, do I even have to setup any special routing at this point? And do I have to add any firewall rules to allow all traffic via this route?

I think you’re going to have to describe the topology a bit more and/or provide some config. i.e. how is the customer connected today or planned to be?

But you’re in “Option 2” from @StubArea51

> Option 2. The ISP has a gateway inside the /28 they hand off to you. In this case, you have to turn proxy arp on the gateway interface to your ISP (do this in a maint window) and then you can route a smaller block out of that /28 to your customer.

and so you need proxy-arp somewhere if you want to break off a /31 from the /28 (with ISP gateway)… The ISP assumes all of your part of the /28 is reachable via ARP, and the remote customer link would not be (thus proxy-arp).


I agree, philosophically.

But another “Option 4” would be a firewall netmap NAT rule, i.e. from one public to some private IP netmapped to that public. That is likely simplest, but at the expense of conntrack and [potentially] higher CPU usage. Plus, you’d only use one public IP with a netmap NAT rule (not 2 IPs as in the /31 case).

And what happened to .2 and .3???
A typo in the letter for sure???



Why throw away IPs for nothing?

Dozens of ways to not waste IPs… some examples:
On the router assign 203.0.113.1/30 to etherX, route 10.10.10.9 through 203.0.113.2 and assign 203.0.113.2/30 to the customer firewall. Then the customer can use 10.10.10.9 as they want (and the gateway for the customer firewall is 203.0.113.1).

Put WAN and etherX towards the customer in a bridge, assign 10.10.10.4/28 to the bridge (and your router has 10.10.10.1 as gateway) and assign 10.10.10.9/28 to the customer firewall (which uses the same 10.10.10.1 as gateway).
If you have more customers, each customer has its own firewall that prevents customer<->customer communication, or play with bridge horizon to block inter-customer traffic.

Etc. etc. etc.
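The transit-subnet variant above (a /30 that never has to be public, with the customer's single public address routed over it), written out as RouterOS commands. This is an added example, not a config from the thread; it assumes ether1 is the WAN port, ether5 is the customer port, the ISP block from the OP's letter (10.10.10.0/28, gateway 10.10.10.1, router on .4), and a private LAN of 192.168.88.0/24 behind the router.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN, ether5 = customer
# port, ISP block 10.10.10.0/28 via 10.10.10.1 (router on .4), own LAN
# 192.168.88.0/24, and 203.0.113.0/30 as a transit subnet that is never public.

# 1. Public /28 on the WAN port, default route to the ISP gateway
/ip/address/add address=10.10.10.4/28 interface=ether1 comment="ISP /28"
/ip/route/add dst-address=0.0.0.0/0 gateway=10.10.10.1

# 2. Transit /30 on the customer port: router side .1, customer side .2
/ip/address/add address=203.0.113.1/30 interface=ether5 comment="transit to customer"

# 3. Route the single public address to the customer's transit IP. The customer
#    puts 10.10.10.9 on their firewall (LAN side or loopback) with 203.0.113.1
#    as the gateway; no public address is burned on the point-to-point link.
/ip/route/add dst-address=10.10.10.9/32 gateway=203.0.113.2 comment="customer /32"

# 4. The ISP gateway still ARPs for 10.10.10.9 on the /28 segment. proxy-arp on
#    ether1 makes this router answer for any address it routes via another
#    interface, so the ISP delivers those frames here and the /32 route forwards
#    them out ether5. The customer side needs only normal ARP.
/interface/ethernet/set ether1 arp=proxy-arp

# 5. Masquerade only the private LAN; the routed public /32 must leave untouched.
/ip/firewall/nat/add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade
```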


Perfect solution, and perfectly explained.

Redesign and re-secure the network. And don’t forget to tell the customer to secure their own devices too.

I am sorry to disappoint you and throw away some IP addresses, but the customer would like to have a public-facing IP and control their own firewall.
So I chose the routed way with a /30 subnet. I have set it up and tested it, and it works from the other connected firewall, even without Proxy-ARP set on the interface. I just assigned the IP to the port where the other firewall’s WAN port is connected, and it just works…
To be honest, I still do not fully understand why Proxy-ARP should be required…
A few final questions:

  • Do I need to add anything to the firewall rules when I basically just route the traffic? And if yes, is there a quick way to just allow everything? As mentioned, all firewall tasks will be done from the other firewall attached here… (I of course still have other rules from the test of the IPs not routed via this port)
  • Is the routed traffic “offloaded”, or will the system use CPU power for this task?

Have you tried to ping the customer-side IP from outside your network (i.e. the internet)?

Out of an abundance of caution, just block outbound SMTP in the raw table and you are done; don’t touch any customer traffic.

Thanks! Now it makes more sense. And you are right, I was unable to reach the IP from the outside until I put proxy-arp on the “main” outbound interface… apparently it’s not needed on the other firewall link..

Yup, that’s expected. Your ISP has their subnet set to /28, so it will use ARP to find any of your devices, but the customer-router isn’t “discoverable” via ARP since it’s not on same Layer2 segment as ISP. Thus proxy-arp “fakes” the ARP response to use RouterOS MAC so the ISP’s ARP can deliver packets to the far-end customer /32 IP. The customer router does NOT need proxy-arp since it can find its gateway (i.e. your router’s /31 or /30) via ARP normally on your L2 link to customer - but the ISP /28 segment is a “bridge too far” for ARP broadcasts.

Hi again, we finally got around to setting this up… apparently we have the issue that even after we have set up the /30 subnet and proxy-arp on the main WAN interface, it seems that packets are not received from the correct IP… they have the source address of the main interface and not the new /30 subnet… I think this could be a NAT issue, so I added a specific destination IP to all the dst-nat rules we have. But the src-nat with masquerade is the only one I have not changed… maybe this is the issue? Also, when I look at the routing table I see both the /28 and /30 subnets there, pointing to different interfaces… I guess this is standard, but I’m not sure how the packets find their way to the correct interface as there are two possible interfaces..?

Please see this illustration. If you carved out a /30 from the originally allocated /28 and you enable proxy-arp on your router (MYISP) facing your upstream (USG), it should work; your customer (MYCST) should have a public IP. I hope it makes sense.

Since you are assigning a public/routable IP there should be no NAT involved here; just make sure the forward chain allows traffic to and from that carved-out subnet.

Hi, thanks for the nice description… and this is actually how it is set up… the only thing is that MYCST’s traffic ends up as 165.2/28 traffic on the internet… I guess this is src-nat going on? I only have one src-nat rule, which is the default masquerade set on the WAN interface. So just to be clear, if I create a forward rule with the src-address that allows 165.14 to any destination (none set), that should make sure no NAT is going on?
I guess the hard part is to debug this. I am thinking of setting this up in an eve-ng setup, which makes it easier to test different things without affecting production…

Don’t perform any NAT, because it’s a routable public IP; then it should work. So whatever IP you end up assigning to the customer, when the customer uses myipaddress.net they should be able to see their assigned IP from the /30 (in my example it should be 165.14). They should not see any IP other than 165.14. If they do indeed see another IP (165.2/28) as you describe, then check the NAT rule on your router and ensure that src-address from the carved-out /30 is not included in your NAT rule. If you omit the src-address, then that’s your culprit.

/ip/firewall/nat/add chain=srcnat src-address=!122.52.165.14/32 action=src-nat to-addresses=122.52.165.2

Try this; you can try other variations. And yes indeed, GNS3/Eve-NG is a very valuable tool and not optional.
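The carved-out /30 setup the last several posts converge on, as an added example rather than any poster's config: the /30 on the customer port, proxy-arp on the WAN port, the catch-all masquerade that was the culprit next to its corrected form, the forward-chain accepts, and the raw-table SMTP block. It assumes the OP's addresses (10.10.10.0/28 via gateway 10.10.10.1, router WAN on ether1 as .4, 10.10.10.8/30 on ether5 with the router on .9 and the customer firewall on .10) and a private LAN of 192.168.88.0/24.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN (10.10.10.4/28 via
# 10.10.10.1), ether5 = customer port carrying 10.10.10.8/30 (router .9,
# customer firewall .10), own private LAN 192.168.88.0/24.

# Addresses and default route. Both 10.10.10.0/28 (ether1) and 10.10.10.8/30
# (ether5) appear as connected routes; the /30 is more specific, so
# longest-prefix match sends .8-.11 out ether5 and the rest of the /28 out ether1.
/ip/address/add address=10.10.10.4/28 interface=ether1 comment="ISP /28"
/ip/address/add address=10.10.10.9/30 interface=ether5 comment="customer /30"
/ip/route/add dst-address=0.0.0.0/0 gateway=10.10.10.1

# The ISP gateway believes all of 10.10.10.0/28 is on its L2 segment and ARPs
# for .10 there. The customer firewall is one hop away, so the WAN port has to
# answer that ARP on its behalf. The customer-facing port keeps normal ARP:
# the customer reaches its gateway (.9) directly.
/interface/ethernet/set ether1 arp=proxy-arp

# Culprit (what the OP had): masquerade everything leaving WAN, which also
# rewrites the customer's 10.10.10.10 to 10.10.10.4.
#   /ip/firewall/nat/add chain=srcnat out-interface=ether1 action=masquerade
# Corrected: match only the private LAN, so packets sourced from the routed
# /30 keep their public address. (Excluding the /30 with "!" works too.)
/ip/firewall/nat/add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade

# Forward chain: pass the routed block in both directions ahead of any drop
# rules; the customer's own firewall does the filtering.
/ip/firewall/filter/add chain=forward dst-address=10.10.10.8/30 action=accept place-before=0
/ip/firewall/filter/add chain=forward src-address=10.10.10.8/30 action=accept place-before=0

# Per the thread's one exception: drop outbound SMTP from the customer block
# in raw, before connection tracking sees it.
/ip/firewall/raw/add chain=prerouting src-address=10.10.10.8/30 protocol=tcp dst-port=25 action=drop

# Checks: both routes present, and the srcnat rule's counters must stay at
# zero for traffic from the /30.
/ip/route/print where dst-address~"10.10.10"
/ip/firewall/nat/print stats
```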