Special Nat/Masquerade setup ? or proxy arp ?

RouterOS General
1

Hi Folks,

I’m pretty sure this is just a basic configuration issue - but I’m totally lost here…
I finally managed to correct (command line) the configuration of the D-Link 320B ADSL 2+ Modem, and when being on the same host as the assigned public IP, you can go to the Internet fine - no problem. I didn’t imagine that Modems could be such pieces of Junk under the surface.

I have the following setup (Note - IP’s logically modified). RB493G connected to a D-Link ADSL2+ Modem.
The “transfer Lan” between the RB493G and the D-Link 320B is the 192.168.1.0/24 - I can’t change the subnet on the ADSL-Modem. It always resets it to
/24 - if anyone knows a Decent ADSL2+ Modem Annex A that works on the Networks of ISP Free/France, please let me know. I’d gladly trash that one …
It took me days to figure out that it screwed the setup.

[smurphy@gw-sollan-RB493G] /ip>
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                           
 0   ;;; Service Network - 2 Ethernet Ports connected
     192.168.21.6/29     192.168.21.0     Bridge-Service                                                                                                                                                                      
 1   ;;; Local Area Network
     10.0.21.254/24      10.0.21.0        Bridge-Lan                                                                                                                                                                          
 2   ;;; Modem LAN / Transfer Network
     192.168.1.2/24     192.168.1.0     ether1                                                                                                                                                                              
 3 D 82.XXX.XXX.XXX/32  82.XXX.XXX.XXX  Bridge-World  

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               0
 1 ADC  10.0.21.0/24        10.0.21.254      Bridge-Lan                0
 2 ADC  82.XXX.XXX.XXX/32  82.XXX.XXX.XXX  Bridge-World              0
 3 ADC  192.168.1.0/24     192.168.1.2     Bridge-World              0
 4 ADC  192.168.21.0/29     192.168.21.6     Bridge-Service            0

Now - I do know - that this setup works. I have disabled all Firewall filters, nat and stuff, just to know if I can get a connection working, and it actually works.
As you see, the Public IP gets assigned dynamically over DHCP client configured on the RB493G. This setup works also when connected directly to my computer (Linux/Ubuntu).

Making a Ping, and providing the Ping command the public-IP as source - works:

/ping 8.8.8.8 src-address=82.XXX.XXX.XXX
HOST                                     SIZE TTL TIME  STATUS                                                                              
                                                                                
8.8.8.8                                    56  53 34ms 
8.8.8.8                                    56  53 33ms 
8.8.8.8                                    56  53 33ms 
8.8.8.8                                    56  53 33ms 
    sent=4 received=4 packet-loss=0% min-rtt=33ms avg-rtt=33ms max-rtt=34ms

And now comes the issue. I am not able to pass the LAN or Service Net traffic to the internet. It will just not pass … So - without source-IP -no chance to get any packet through.

I tried providing the Nat/masquerading rule a source-IP - but it didn’t work.

chain=srcnat action=masquerade src-address=82.XXX.XXX.XXX out-interface=Bridge-World

This heavily looks like an old typical proxy-arp setup to me using modem and serial lines.
However, I do have to configure the RB493G to use a DHCP Client, as the router dynamiclly then assigns the mac-address on his side. If use static IP’s - the Mac Address won’t be linked to the right IP.

Anyone could give me a hint before I jump ??? :}

2

Anyone has an idea ???
Thx

3

Why do you have two IPs -one private and one public- on you Bridge-World interface?

Could you send a diagram of your intended network setup?

4

What means your NAT rule?

chain=srcnat action=masquerade src-address=82.XXX.XXX.XXX out-interface=Bridge-World

As my understanding your nat rule means, if packet sourced as 82.X.X.X and is going out through Bridge-World interface, router will translate 82.X.X.X address to new address, which is configured on interface Bridge-World. You have only 2 IP address on Bridge-World, right? So rule will translate address 82.X.X.X to 192.168.1.2.
Without network topology, nothing to understand. Sorry

5

The Private IP is required, because of the bogus ADSL2+ Modem. It connects to the RB493G through the 192.168.1.x/24 LAN, and it cannot be changed. For Monitoring purposes - this is an advantage, as I can also directly access the WebInterface of the ADSL2+ Modem.

Gosh - I wished routerOS had some support for BuiltIn ADSL2+ Modems. That would take care of many issues …

There is nothing special on the Setup. Just my LAN and Service Network (some call it DMZ) to hook up to the internet passing by the ADSL2+ modem.

Due to a very strange provider side setup, I have no other choice than to take that setup, or leave the providers Box (using around 38W sustained power - which I don’t want) on the net.

6

Guess you’re right. here a modified version of my LAN (IP’s have been modified).
SolLanFR.png
The thing is - that the ADSL2+ modem provides through DHCP the public IP 82.X.X.X as IP to the RB493G, and the 192.168.1.1 as gateway for the next Hop as seen in my first post. below a stripped down version of it.

3 D 82.XXX.XXX.XXX/32  82.XXX.XXX.XXX  Bridge-World

Routing Table:
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADS  0.0.0.0/0                          192.168.1.1               0
1 ADC  10.0.21.0/24        10.0.21.254      Bridge-Lan                0
2 ADC  82.XXX.XXX.XXX/32  82.XXX.XXX.XXX  Bridge-World              0
3 ADC  192.168.1.0/24     192.168.1.2     Bridge-World              0
4 ADC  192.168.21.0/29     192.168.21.6     Bridge-Service            0

This forces me to statically configure the Bridge-World Interface to also have that IP. I could configure it on the ether1 interface too - doesn’t make a real difference - however all my firewall filters etc. are bound to the virtual interfaces - as changing physical interfaces etc. is then very easy.

The Problem I have now is that the system will route requests from the RB493G right, but nothing that comes from the other networks, notably “Bridge LAN” and “Bridge Service”.
If I do remove the transfer lan 192.168.1.0/24 from the Bridge-World, nothing works.

It is very honestly the first time I see such a screwed ADSL2+ Modem, however it is the only I managed to get to RUN on the providers ADSL2+ connection, hence I don’t really have another option.

So - what I managed so far, is to have the Router RB493G to talk to my LAN’s Ok, the RB493G also talks to the Internet Ok. However, it can not route the traffic from my LAN’s to the internet and vice versa.
That is what I try to do.

Any Ideas ?

7

Oh now I get it, you’re running the dreaded pseudo-bridge config on your modem.

To be honest, it’s such a bad technology that I try to avoid it as best I can. You would probably be better off if you leave the public IP on your modem, and NAT everything to the router’s private IP (192.168.1.2). You would then let the modem do the NAT, and just use plain routing/firewalling on your mikrotik. You would need to set routes to your 192.168.21.x and 10.0.21.x networks on your modem.


If you cannot do that and still have to use the ugly pseudo-bridge hack, probably your issue lies with the NAT rule you have created.

chain=srcnat action=masquerade src-address=82.XXX.XXX.XXX out-interface=Bridge-World

..should be..

chain=srcnat action=masquerade src-address=192.168.21.0/29 out-interface=Bridge-World
chain=srcnat action=masquerade src-address=10.0.21.0/24 out-interface=Bridge-World
8

It is exactly as you say. What you proposed, I already tried - but the Modem does not provide me the solution to forward all requests to the bridge-Service network (WebServer, mail Server etc.). And I did not manage to get any of the other 3 Modems I have to work on this ISP’s ADSL2+ DSLam. So I’m stuck with this sick method.

Thx for your hints - will try it out later on (when I have finished my official work :slight_smile: ) …

[Update]
Just tried it out - and I am connected using the router now. However - I had to change one thing.
Disable the static transfer lan between the router and the modem, and add manually a default route pointing to the Bridge World interface.
Now - the LAN’s are routed fine …

Damn - I definitly will sh**t every manufacturer of ADSL modems who does setup that kind of bad stuff …

9

I see that you’re in Germany, have you tried with a FritzBox? You can convert those to transparent bridges and you will be able to set up PPPoE on the MikroTik router.

10

lol Sorry - I have not changed my location settings yet. I am in France (Moved over actually 3 months ago, but didn’t have time yet to check all).

11

I see, then it’s a totally different story :slight_smile: