Use of public IP space on local hosts. 1:1 NAT?

Hi,

I have a customer who wants a /29 public subnet to be assigned directly to hosts statically.

e.g. they have a server and want it publicly visible as 103.107.xxx.xxx by assigning 103.107.xxx.xxx directly to the server's NIC.

Normally customers have a single static IP (/30) which gets assigned to the WAN of their router, and local networks are NATed through that address.

This time he wants to use the usable addresses from the /29 on individual hosts, using the built-in firewall of the server's OS as the only protection between the host and the outside world.

Is this 1:1 nat or something else?

How can I enable this in Mikrotik?

Thanks,

It's a routed subnet. If your current config is:

/ip address
add interface=<to customer> address=a.a.a.x/30

and the customer has a.a.a.y on their router, you'll do:

/ip route
add dst-address=b.b.b.b/29 gateway=a.a.a.y

and the whole /29 will be routed to the customer.

Ok, so…

ISP Router (CCR):

/ip address add interface=customer-facing address=10.200.0.1/24

Customer router:
WAN: 10.200.0.20/24
Gateway: 10.200.0.1

/ip route add dst-address=103.107.xxx.xxx/29 gateway=10.200.0.1

Yes. And then the customer can do anything with the whole /29. Use the traditional way: assign one address to the internal interface with a /29 mask and have five addresses for other devices. Or there are various ways to use all eight addresses. It's up to them.

Ok, so I have tested that but it's not working. Do I need any NAT rules? Currently I have nothing in /ip firewall nat.

No, you do not need a NAT rule, as you have a public subnet.

Depending on how your connection is configured, you can assign your WAN IP directly on your devices.

First, you need to assign an IP address to your "bridge" if you have one, and then use this address as the gateway on your devices.

Still not working…

CPE:

/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=10.255.0.2/30 interface=ether1 network=10.255.0.0
add address=103.107.224.161/29 interface=ether2 network=103.107.224.160
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
/ip route
add distance=1 gateway=10.255.0.1
add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.1

ISP CCR1036:

/ip address add address=10.255.0.1/30 comment=TESTING interface=Local_Trunk network=10.255.0.0

The route must be on the ISP's router:

/ip route
add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.2

Not on the customer's.
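Putting both sides together, as an added example rather than anything posted in this thread, using the addresses from the thread (link 10.255.0.0/30, delegated 103.107.224.160/29). The forward-chain filter at the end is an assumption about what a practitioner would add on the CPE; the customer's stated plan is to rely on the host firewalls alone, and nothing in the thread requires those rules.

```routeros
# --- ISP router (CCR1036) ---
# Link address towards the customer CPE and the static route for the
# delegated /29. This is the only place the /29 route belongs.
/ip address
add address=10.255.0.1/30 interface=Local_Trunk network=10.255.0.0 comment="link to customer CPE"
/ip route
add dst-address=103.107.224.160/29 gateway=10.255.0.2 comment="customer public /29, next hop is the CPE"

# --- Customer CPE ---
# ether1 carries the link /30, ether2 carries the public /29. The CPE's own
# LAN address (.161) is the default gateway for every host in the /29.
/ip address
add address=10.255.0.2/30 interface=ether1 network=10.255.0.0 comment="WAN link to ISP"
add address=103.107.224.161/29 interface=ether2 network=103.107.224.160 comment="public /29, hosts use .161 as gateway"
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.0.1
# Do NOT add a route for 103.107.224.160/29 here: it is a connected network
# on ether2 and RouterOS installs that route itself. A static /29 route
# pointing back at 10.255.0.1 (as in the first attempt above) sends the
# customer's own traffic back towards the ISP and breaks the subnet.
# No srcnat either: masquerading out of ether1 would hide the hosts behind
# 10.255.0.2 and the public addresses would never appear on the Internet.
/ip firewall nat
# (intentionally empty)

# Host side (any OS), one usable address each, configured statically:
#   address 103.107.224.162/29 ... 103.107.224.166/29
#   gateway 103.107.224.161
#   (.160 is the network address, .167 the broadcast)

# Routed rather than NATed means every listening port on every host is
# reachable from the Internet. NAT was never the protection; a filter is.
# The CPE can still run a stateful forward filter without breaking the public
# addresses. These rules are an added suggestion, not from the thread; drop
# them if the host firewalls really are to be the only control.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=103.107.224.160/29 protocol=tcp dst-port=3389 action=drop comment="example only (assumption): keep RDP off the Internet"

# Checks from the CPE once both sides are configured:
/ip route print where dst-address=103.107.224.160/29
# expect a single DAC (dynamic, active, connected) route via ether2, no static one
/ping 8.8.8.8 src-address=103.107.224.161 count=3
# a reply sourced from .161 proves the return path: the ISP is routing the /29 to the CPE
```

The ping sourced from the /29 address is the test that matters: a ping sourced from 10.255.0.2 would succeed even with the ISP-side route missing, because the /30 is directly connected on the CCR, so it tells you nothing about whether the /29 is being routed back.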

Works a treat!

Thanks a lot for your help :)

How would I go about static routing a public subnet to a PPPoE client with a dynamic remote address?

Thanks,

It should be the "Routes" option in PPP->Secrets.

You're a legend!

Would you recommend providing customers static routes / public IPs via PPPoE? I have heard a lot of people advise against it but have never been given a reason why.

Thanks,

I don't have a clear answer. PPPoE is used for internet access, it works, other addresses can be routed over it, … so from this perspective I see no problem. But I'm not an ISP, maybe they could have some problem I'm not seeing. For example, I don't know how compatibility is with common client routers; many have very limited interfaces and I can imagine that some may not support routed subnets over PPPoE. I'm a customer and a big RouterOS fan, so I don't need to care about these things; RouterOS can do it and that's all I need. :)

Thanks Sob,

We are an ISP and we use Mikrotik devices as a network termination unit. This is where the customer's PPPoE session terminates. The NTU then has a DHCP server running on the LAN interface which gives out a single /30 address to the customer's home Wi-Fi router that they supply.

For business customers, we intend to do the same thing, although they may require static public IPs. In this case we would static route the public IP subnet to the PPPoE client and assign one of these addresses to the local interface of the NTU. It's then up to the customer to decide how they want to use these addresses.

Thoughts?
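The PPP Secrets route that Sob points to, worked through as an added example (not from any post in this thread) on the NTU design described in the last posts: the PPPoE server attaches the /29 to the customer's secret so the route follows whatever remote address the pool hands out, and the NTU puts .161 on its LAN. Pool ranges, profile and secret names, the placeholder password and the DHCP range are assumptions; the /29 and the interface names are the ones used in the thread.

```routeros
# --- ISP PPPoE server (where the customer session terminates) ---
/ip pool
add name=pppoe-pool ranges=10.255.1.2-10.255.1.254 comment="assumed dynamic remote addresses"
/ppp profile
add name=business local-address=10.255.1.1 remote-address=pppoe-pool change-tcp-mss=yes
# "routes" takes "dst-address [gateway [metric]]", comma separated for several.
# With no gateway given, RouterOS uses the client's remote address as the
# gateway, so the route works even though that address is dynamic. The route
# exists only while the session is up and disappears when it drops.
/ppp secret
add name=business-customer-a password=REPLACE_ME service=pppoe profile=business routes="103.107.224.160/29"
/interface pppoe-server server
add interface=Local_Trunk service-name=isp default-profile=business disabled=no

# Check while the session is up: a dynamic route for the /29 via the
# client's current remote address should be present.
/ip route print where dst-address=103.107.224.160/29

# --- Customer NTU (PPPoE client) ---
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=business-customer-a password=REPLACE_ME add-default-route=yes use-peer-dns=yes disabled=no
/ip address
add address=103.107.224.161/29 interface=ether2 network=103.107.224.160 comment="public /29, NTU holds .161"
# As in the static case: no srcnat, and no static route for the /29 on the
# NTU (it is connected on ether2). The five remaining addresses belong to
# the customer. If they are to be handed out rather than configured
# statically on each host (assumption), a DHCP server on ether2 can do it:
/ip pool
add name=public-29 ranges=103.107.224.162-103.107.224.166
/ip dhcp-server network
add address=103.107.224.160/29 gateway=103.107.224.161 dns-server=8.8.8.8
/ip dhcp-server
add name=lan interface=ether2 address-pool=public-29 disabled=no
```

Because the /29 route on the server side is tied to the secret rather than to an address, re-authentication with a different pooled address moves the route with it; the hosts behind the NTU keep their public addresses throughout and remain directly reachable, so the same point about host exposure applies here as in the static-link case.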