use of public IP address

I have one public interface with a /24 network assigned to me by the provider of my symmetric line.

The first address on that interface is xxx.xxx.xxx.2/24 (and the ISP device has .1, serving as the gateway for my network).

  1. Is the /24 notation right in this case, or should it be /32?
  2. Do I now set all the other IP addresses on that public interface, so that the interface gets 254 IP addresses?
  3. If the answer to 2 is “Yes”, what should the notation of these addresses be: /24 or /32?
  4. I have set proxy-arp on that interface because in that case I should not need to put all these IP addresses on the public interface. But actually it makes no difference, enabled or disabled: I still have to set each IP address on the public interface?
  5. In firewall / NAT I src-nat addresses from my LAN to different public IP addresses, but only for some local addresses. All local IP addresses that need no public address of their own are src-nat’ed (“masquerade”) to the .2/24 main address of the public interface. I do the src-nat for the 1:1 address translation of local addresses needing public ones before (above) this masquerade rule in firewall / NAT.


    Can anybody give me some help / suggestions here on what the proper approach is in the notation of the public addresses and the use of proxy-arp, because the latter seems not to be working in my case…

1- You can use /24 through /32, depending on your needs.
2- You can set public IPs on any interface you want.

So, strange questions, but what are my needs?
Or, when should I use /24 and when /32? The main IP (first in use and belonging to the border router) is .2/24, while I then use /32 for the addresses that local clients get src-natted to. It works, but is this the way to go?

What happens if I set all available (254!) addresses on that public interface with /24? This is a live network and I don’t want to crash the whole network..

And the proxy-arp? Do I enable this or not in this case? What proxy-arp should do according to the manual and some other sources is not working in my case…

Maybe your ISP can route that public subnet to you via some intermediate network? It would be a much clearer scheme…

Can your provider route the /24 to you through a /30 rather than bridge it to you? It’s much better this way.

It doesn’t matter if you use /24 or /32 netmasks for addresses that are not the primary address for the interface. Either one allows the router to accept traffic for the address, as the IP address is local. The primary must have the correct netmask so that the router can decide where to send traffic for that local network (ARP out the interface the address is implemented on and send directly), and so that it can reach the router on the other side as its default route. I would use /24 simply because they are addresses on that network, and the network isn’t subnetted as a smaller netmask would indicate.

Proxy ARP simply means “whenever you see an ARP request for an IP address on a network that you also have an IP address on (the IP address must be on the interface that the ARP request was received on), send an ARP reply and map the requested IP to the MAC address on that interface”. That enables the remote router to send traffic for those IPs to your router even when they aren’t implemented on an interface. If you’re using proxy ARP you shouldn’t have to overload all those IPs to your router interface. Conversely, if you’re overloading all those IPs you do not need proxy ARP.

If this isn’t working for you get your ISP involved.

FWIW I agree that a point to point /30 with the /24 routed across would be much cleaner. It’s how most providers give you your own IP space.
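As an added example (not code from the thread or from MikroTik), here is the “overloading” variant fewi describes, written out completely for one mapped host so that both directions of the 1:1 mapping and the rule order are visible. It assumes the interface names WAN1 and LAN and the LAN host 172.25.48.3 from the thread, uses the documentation prefix 203.0.113.0/24 in place of the real ISP-assigned /24 (ISP gateway .1, router primary .2, mapped public address .3), and assumes TCP/443 is the one service that should be reachable from outside; all of those are placeholders.

```routeros
# Added example, not from the thread: "overloaded" 1:1 NAT on a bridged /24.
# Placeholders: 203.0.113.0/24 stands in for the ISP-assigned /24
# (ISP gateway .1, router primary .2); 172.25.48.3 is the LAN host that
# should appear on the Internet as 203.0.113.3; TCP/443 is an assumed service.

# The primary address carries the real netmask so the router knows that
# the ISP gateway .1 is on-link and can ARP for it directly.
/ip address add interface=WAN1 address=203.0.113.2/24 comment="primary"

# Extra public address on the same interface. /24 or /32 both make it a
# local address; /24 is used because the network is not subnetted.
/ip address add interface=WAN1 address=203.0.113.3/24 comment="1:1 for 172.25.48.3"

# Default route via the ISP device.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# Outbound half of the 1:1 mapping. Must be added before the masquerade rule,
# because srcnat rules are evaluated top to bottom and the first match wins.
/ip firewall nat add chain=srcnat src-address=172.25.48.3 out-interface=WAN1 \
    action=src-nat to-addresses=203.0.113.3 comment="1:1 out 172.25.48.3"

# Inbound half. Without it, packets sent to .3 from the Internet are
# delivered to the router itself, because .3 is one of its own addresses.
/ip firewall nat add chain=dstnat dst-address=203.0.113.3 in-interface=WAN1 \
    action=dst-nat to-addresses=172.25.48.3 comment="1:1 in 172.25.48.3"

# Everything else leaves as the primary address. Keep this rule last.
/ip firewall nat add chain=srcnat out-interface=WAN1 action=masquerade \
    comment="catch-all masquerade"

# The mapped host is now reachable from the Internet, so the forward chain
# has to say what is allowed in. dst-nat runs before forward, so the
# forward rules see the private address.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="replies to outbound connections"
/ip firewall filter add chain=forward in-interface=WAN1 dst-address=172.25.48.3 \
    protocol=tcp dst-port=443 action=accept comment="published service"
/ip firewall filter add chain=forward in-interface=WAN1 connection-state=new \
    action=drop comment="drop all other unsolicited inbound"

# Proxy ARP buys nothing here: .3 is configured on WAN1, so the router
# answers ARP for it as a normal local address.
/interface ethernet set WAN1 arp=enabled
```

Two things to check after applying this: `/ip firewall nat print` must show the per-host src-nat rule above the catch-all masquerade (as the thread’s own listing does), and `/ip firewall nat print stats` should show the dstnat counter moving when the service is hit from outside. Removing the .3 address from WAN1 does not stop traffic immediately; the ISP device keeps its ARP entry for .3 until it expires, which is what the two-hour delay observed later in the thread looks like.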

Hmmm… I thought that the router will respond to the ARP request only if it has a route to that subnet via another interface, so that it may relay packets from one interface to the other…

Yes, sorry. More detail needed.
When you’re using proxy ARP you’re putting the IP address that isn’t the primary behind the router so that it is reachable by the router, which will then proxy ARP between the two networks to keep up the illusion that there isn’t a hop in between.
When you’re overloading the IP you put it on the external interface together with the primary and you can use it for NAT purposes (but you cannot use it behind the router).

Right? I don’t really use proxy ARP and it’s been a while since it came up in exams.

WirelessRudy, try the following:

# small address on the interface facing the ISP
/ip address add interface=Public address=x.x.x.1/30
# the rest of the /24 lives on the LAN side; the router is the clients' gateway
/ip address add interface=Local address=x.x.x.254/24
# answer ARP requests on the ISP side for addresses routed behind this router
/interface ethernet set Public arp=proxy-arp

and use x.x.x.254 as the gateway for your clients (x.x.x.5-253)…

OK, this is what I have (only relevant details are shown):

[adminrudy@RB1000 WAN Gateway] /ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST        INTERFACE
 0   10.50.50.1/30      10.50.50.0      10.50.50.3       LAN    <- my LAN GW address; all users have it as their default GW
 1   xx.xxx.x2.2/24     xx.xxx.x2.0     xx.xxx.x2.255    WAN1   <- primary IP address of the public interface of this router; in use for some months with masquerading in ip / firewall / nat
 3   xx.xxx.x2.4/32     xx.xxx.x2.4     xx.xxx.x2.4      WAN1   <- in use and working for some LAN client PCs
 4   xx.xxx.x2.3/32     xx.xxx.x2.3     xx.xxx.x2.3      WAN1   <- in use and working for some LAN client PCs
10   xx.xxx.x2.5/32     xx.xxx.x2.5     xx.xxx.x2.5      WAN1   <- in use and working for some LAN client PCs
12   xx.xxx.x2.17/32    xx.xxx.x2.17    xx.xxx.x2.17     WAN1   <- in use and working for some LAN client PCs


[adminrudy@RB1000 WAN Gateway] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 4   ;;; src nat The Box-PC IP 172.25.48.3 to xx.xxx.x2.3
     chain=srcnat action=src-nat to-addresses=xx.xxx.x2.3 src-address=172.25.48.3 out-interface=WAN1

 5   ;;; src nat TriMon-PC IP 172.25.48.4 to xx.xxx.x2.4
     chain=srcnat action=src-nat to-addresses=xx.xxx.x2.4 src-address=172.25.48.4 out-interface=WAN1

 6   ;;; src nat Dual-Mon-PC IP 172.25.48.5 to xx.xxx.x2.5
     chain=srcnat action=src-nat to-addresses=xx.xxx.x2.5 src-address=172.25.48.5 out-interface=WAN1

 7   ;;; src nat Targa Phone - VB with IP 172.25.48.17 to xx.xxx.x2.17
     chain=srcnat action=src-nat to-addresses=xx.xxx.x2.2 src-address=172.25.48.10 out-interface=WAN1

11   ;;; masquerade all traffic of WAN1 to public interface IP (xx.xxx.x2.2)
     chain=srcnat action=masquerade out-interface=WAN1


[adminrudy@RB1000 WAN Gateway] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
 7 A S  ;;; DEFAULT ROUTE (Main 10/10 line)
        0.0.0.0/0                          84.232.92.1           1
18 ADC  84.232.92.0/24     84.232.92.2     WAN1                  0
19 ADC  84.232.92.3/32     84.232.92.3     WAN1                  0
20 ADC  84.232.92.4/32     84.232.92.4     WAN1                  0
21 ADC  84.232.92.5/32     84.232.92.5     WAN1                  0
23 ADC  84.232.92.17/32    84.232.92.17    WAN1                  0

[adminrudy@RB1000 WAN Gateway] /interface ethernet> pr
Flags: X - disabled, R - running, S - slave
 #    NAME   MTU   MAC-ADDRESS        ARP
 0 R  LAN    1500  00:0C:42:20:81:A4  enabled
 1 R  WAN1   1500  00:0C:42:20:81:A5  proxy-arp
 2 R  WAN3   1500  00:0C:42:20:81:A6  enabled
 3 R  WAN2   1500  00:0C:42:20:81:A7  enabled

++++++
Now, if I remove the IP .4 from the interface and also set ARP to "enabled", I can still use that PC and it still goes out with the .4 IP address (I just ran an IP test on the internet).
This should not be possible?


My present setup, with /32 IP addresses (only the main address is .2/24), the src-nat and the ARP, is working, but I am a bit worried whether this is the proper way to do it....

How long have you monitored? Maybe the ARP entry on the ISP side just hasn’t timed out…

Well, you might be right, because now, some 2 hours later, the PC had no more connectivity to the internet.
BUT when I then set ARP on the interface to “proxy-arp” I still could not go out to the internet!
So the line

Proxy ARP simply means “whenever you see an ARP request for an IP address on a network that you also have an IP address on (the IP address must be on the interface that the ARP request was received on), send an ARP reply and map the requested IP to the MAC address on that interface”.

is not what I see happening here.
Only by enabling that .4/32 address on the public interface again could I almost immediately browse again…

Well, sorry, but I am not quite sure what you mean with this line here. “Behind”? And “overloading”?
Please, explain to me what you mean.

Chupaka;
I am afraid I don’t understand this suggestion. What difference does it make what local IP address the router has in regard to the IP address of the public interface?
And why do you suggest using .254 as the gateway for my clients? I use, and have always used, .1 as the gateway in all my networks. Is this wrong? I see that, for instance, DHCP servers always issue addresses from the top down, and I always asked myself why that is. I tend to start counting from .1 (for the gateway); clients then usually start from .2 or .10 and go up to the highest address possible for the network.

Don’t get confused by my example of the local addresses. In reality they come from different networks, hence the reason I don’t have 1:1 netmapping enabled. The addresses shown are only examples for this subject.

as I wrote above:

I hope it’s true… =)

that’s because I want your clients to have YOU as gateway, not your ISP =)

a bit of offtop: I hope I’ll soon write to support about that feature of IP Pool…

that’s why three people said that you should ask your ISP to route that subnet to you, not to bridge it… maybe one phone call will change all your life, making it better? :smiley:

By ‘overloading’ I mean putting more than one IP on that external network on the external router interface. By ‘behind the router’ I mean using the IP addresses on a device that is literally behind the router (i.e. reachable through the router’s internal interface).

Here is a Cisco graphic: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml. In your case only .1 resides on one side of the router, and everything else is behind it (if you’re using proxy ARP).

That page also lists disadvantages of proxy ARP. It really would be much, much cleaner if you were just routed the public IP space you want to use for customers. Any ISP should be able to do that for you.

p.s. if your ISP refuses to route, do as I posted above: http://forum.mikrotik.com/t/use-of-public-ip-address/38437/9

you will be able to make 1:1 NAT in that setup, if it works at all ))
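As an added example (not code from the thread, from MikroTik or from the ISP), here is the “routed” design that fewi and Chupaka recommend above, where the ISP hands the /24 over a small point-to-point link and the public addresses live behind the router. It assumes the interface names WAN1 and LAN and the private range 172.25.48.0/24 from the thread, the documentation prefixes 198.51.100.0/30 for the point-to-point link (ISP side .1, our side .2) and 203.0.113.0/24 for the routed block, a LAN server at 203.0.113.3, and TCP/443 as the one published service; all of those are placeholders.

```routeros
# Added example, not from the thread: ISP routes 203.0.113.0/24 to us over
# the point-to-point 198.51.100.0/30 (ISP .1, us .2). Both prefixes are
# documentation ranges standing in for the real ones.

# Point-to-point link toward the ISP. Nothing else ever needs to be
# configured on WAN1, whatever the size of the routed block.
/ip address add interface=WAN1 address=198.51.100.2/30 comment="p2p to ISP"
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1

# The whole public /24 now sits behind the router on the LAN interface.
# The router is the hosts' default gateway (.254 as Chupaka suggested;
# .1 would work just as well).
/ip address add interface=LAN address=203.0.113.254/24 comment="routed public block"

# A server on the LAN is simply configured with 203.0.113.3/24 and
# gateway 203.0.113.254: no secondary address on WAN1, no 1:1 NAT rules,
# no proxy ARP. Private hosts keep a masquerade rule limited to their range.
/ip firewall nat add chain=srcnat src-address=172.25.48.0/24 out-interface=WAN1 \
    action=masquerade comment="private LAN only"

# Public hosts are directly reachable from the Internet, so the forward
# chain is the only thing between them and every scanner out there.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="replies to outbound connections"
/ip firewall filter add chain=forward in-interface=WAN1 dst-address=203.0.113.3 \
    protocol=tcp dst-port=443 action=accept comment="published service"
/ip firewall filter add chain=forward in-interface=WAN1 connection-state=new \
    action=drop comment="drop all other unsolicited inbound"

# Sanity checks: the /24 must appear as a connected route out of LAN and
# the default route must point at the /30 peer.
/ip route print where dst-address=203.0.113.0/24
/ip route print where dst-address=0.0.0.0/0
```

If the ISP will not route and keeps bridging the /24 onto WAN1, Chupaka’s post #9 is the fallback: keep the /24 on LAN as above, put a small piece of the same /24 on WAN1 instead of the /30, and set arp=proxy-arp on WAN1. The router then answers the ISP device’s ARP requests for LAN-side addresses because it has a connected route to them through a different interface (LAN). That is also why proxy-arp did nothing in the overloaded setup earlier in the thread: after the /32 was removed from WAN1, the router’s only route to that address was the default route back out of WAN1 itself, so there was nothing to proxy for.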

OK, now we talk routing here.

My setup for clients is:
The default route 0.0.0.0/0 is the IP address of the local interface of the router making the connection to my ISP.
This IP address is 10.50.50.1/30 and all attached local devices have an IP address in the same subnet.
(/30 because in reality there is only one other router, which collects all connections from 10 different networks (physical as well as IP) and performs download QoS etc.)

Then this gateway router has a public address xxx.xxx.xxx.2/24 and in the routing table we have the default route 0.0.0.0/0 set to point to xxx.xxx.xxx.1/?? (I presume /24), which is the IP of the ISP’s next device.

When I had just one rule in ip/firewall/nat that “masquerades” outgoing traffic of that public port, it meant all outgoing traffic got the xxx.xxx.xxx.2/24 address of my router. In the ARP table this IP is bound to the MAC of that public interface.

What I am doing now is, one by one, assigning some of my users a public address.
So I have to make a src-nat rule for their local IP to be src-natted to a newly given public IP in my ISP’s assigned /24 network.
Then I set this IP address as /30 on the public interface of my router.
I have to make sure this specific client’s src-nat rule comes before the general “masquerade” rule for all the other traffic.

It seems to work, but ARP enabled or proxy-arp makes no difference. The moment I remove the specific /30 IP from the public interface, the device that was using it (src-nat rule) is unable to connect to the ISP network after some time..

So far it works. I only presume that when I use all 254 available IP addresses this way, I have them all on the public interface, and then I can see that the remark from “fewi” that the interface becomes overloaded with IPs makes sense.
I am afraid that performance might go down? There must be a better way of doing this, while I cannot use netmap since I have several different networks locally.

And to add to the last statement of you both:

As far as I can see, the ISP only “sees” the public interface of my connected device. The ISP is not aware of any networks on my local side. That is because I have a “router” and not a bridge connected to the ISP device.

So I don’t understand the meaning of migrating all the other public ISP IP addresses (so not the one for the router itself) to the local side of my router?

Is the principle not the same as in an AP? Clients work in the same network as the client-side interface IP and all clients refer to this AP’s IP as their default gateway. Then the AP routes all traffic to the next router upstream to reach the internet. This upstream network of my AP has the same characteristics as my ISP’s public network between my gateway and their first connected device?

The ISP does not need to know my networks, since my router will take care, with the routing table and connection tracker, of where to send return traffic coming from the internet back to the client. So, in my humble opinion, they don’t have to route.

This last statement of mine looks a bit nasty, but it isn’t. It is a friendly one! :confused: