Routing question

I am trying to hand out public IPs. What I have is a /28 and a /24 that are public and are routed to me on a /30. I use the /28 to NAT everyone who doesn't pay or need a public IP, and I want to hand out my /24 for people that do. I have the following route in so that all my traffic that needs to be NATed uses 0.0.0.0/0 2.2.2.x and the default rules that the DHCP client makes for the 3.3.3.0/24 network. What I would like to do is statically assign my /24 to my hotspot users, but when I do it's like the user gets blackholed and the packets are never to be seen again. It seems like when I assign the /24 it tries to route using the 0.0.0.0/0 2.2.2.x and not the 2.2.2.0/24 2.2.2.99. What am I doing wrong, or is this making any sense at all?
[screenshot: 2012-09-12_22-15-37.png]

  1. Make sure you routing mark the packets from the /24 in IP firewall mangle.
  2. Make sure you exempt them from NAT
  3. Make sure your default route for them has the routing mark from step one.

Should the mangle be on the tower router? Can you give me an example?

The routing marks need to be on the head end router. NAT exemption must be on both.

Also, are your VLANs bridged between WAN and LAN on the head end router? Do you have one WAN interface on the head end router with both connections in as VLANs, or do you have 2 physical interfaces in use?

On the core the 2 VLANs have their own physical interface and I only have one WAN interface.

Then do the routing marks on both routers, marking traffic according to source address. Then follow up with assigning a route that checks for the mark.

Can you give me an example?

IP firewall Mangle

add action=mark-routing chain=forward disabled=no new-routing-mark="Name" passthrough=no src-address=10.X.X.X/28

IP Routes
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.X.X.X routing-mark="Name" pref-src=0.0.0.0 scope=30 target-scope=10

So let's say I want to hand out 2.2.2.91 on my Hotspot network. Is this what it would look like?

Core Router
add action=mark-routing chain=forward disabled=no new-routing-mark="public" passthrough=no src-address=2.2.2.91/24
IP Routes
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark="Name" pref-src=0.0.0.0 scope=30 target-scope=10

Then on my tower router
add action=mark-routing chain=forward disabled=no new-routing-mark="public" passthrough=no src-address=2.2.2.91/24
IP Routes
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark="Name" pref-src=0.0.0.0 scope=30 target-scope=10

Source would be 2.2.2.0/24.
Also, in the second line you have routing-mark="Name".

"Name" needs to be the name of the routing mark, which from the first line is "public".
The first line tags traffic with a mark that you name. The second rule tells the router where to send the traffic.

Now, in your last question you said hand out. That will only route the traffic with that address range; it will not hand out the addresses. For that you need to configure the DHCP server.

I get an error when I try to add chain=forward in IP firewall Mangle
Routing-Make allowed only in output and prerouting chains (6)

Right, I'm sorry, I've been doing Queue Trees all day on forward chains. You need prerouting.
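
The three steps from this thread (mark-routing in prerouting by source address, NAT exemption for the public /24, and a default route that matches the mark), modelled as a small lookup in Python. This is an added illustration, not the forum poster's configuration or RouterOS code; the gateway addresses and the private 10.0.0.0/28 pool are assumed placeholders standing in for the thread's 2.2.2.x and 10.X.X.X/28.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholders for the thread's addresses (assumptions, not real data).
NAT_POOL = ipaddress.ip_network("10.0.0.0/28")   # the /28 that gets NATed
PUBLIC = ipaddress.ip_network("2.2.2.0/24")      # the /24 handed to paying users
NAT_GW = "2.2.2.5"                                # "0.0.0.0/0 2.2.2.x" in the question
PUBLIC_GW = "2.2.2.1"                             # gateway for marked traffic


@dataclass
class Router:
    mangle: list = field(default_factory=list)      # (chain, src net, routing mark)
    nat_exempt: list = field(default_factory=list)  # source nets excluded from src-nat
    routes: dict = field(default_factory=dict)      # routing mark -> 0.0.0.0/0 gateway


def add_mangle(router, chain, src, mark):
    """Mirror the error from the thread: mark-routing only in prerouting/output."""
    if chain not in ("prerouting", "output"):
        raise ValueError("Routing-Mark allowed only in output and prerouting chains")
    router.mangle.append((chain, ipaddress.ip_network(src), mark))


def forward(router, src_ip):
    """Resolve mark, gateway and NAT decision for a packet with this source."""
    src = ipaddress.ip_address(src_ip)
    mark = "main"                       # unmarked traffic uses the main table
    for _chain, net, m in router.mangle:
        if src in net:
            mark = m
            break
    gateway = router.routes.get(mark, router.routes["main"])
    src_nat = not any(src in net for net in router.nat_exempt)
    return {"mark": mark, "gateway": gateway, "src_nat": src_nat}


def build(mark_public=True, route_public=True, exempt_public=True):
    """Build the head-end router with any of the three steps switched off."""
    r = Router(routes={"main": NAT_GW})
    if mark_public:
        add_mangle(r, "prerouting", str(PUBLIC), "public")   # step 1
    if exempt_public:
        r.nat_exempt.append(PUBLIC)                           # step 2
    if route_public:
        r.routes["public"] = PUBLIC_GW                        # step 3
    return r
```

With all three steps in place a 2.2.2.91 source leaves via 2.2.2.1 unmodified, while a 10.0.0.x source still follows the NAT default route; drop step 1 or step 2 and the public address is sent to the NAT gateway and rewritten, which is the symptom the question describes.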

Sorry to bug you again, but when I add the command below on my core, it tells me that 2.2.2.1 is unreachable. It worked fine on my tower router.

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark="public" pref-src=0.0.0.0 scope=30 target-scope=10

Why are the tower and core going to the same gateway?

Tower to Core, then Core to Upstream Provider.

It is probably saying unreachable as it is already a distance 0 route on the core.