I’m trying to set up netmap, and I just have one question: is it really necessary to add all the public IP addresses to the public interface in order to make this work? So, for instance, I have two public /24 ranges…which means I need to add 500 IPs to the public interface? (!) Is there some sort of elegant way around this?
Sure. Just enable Proxy-ARP on those interfaces and add routes to those subnets on your router.
Sounds good, but I can't seem to make this routing work. I'm fine as long as I assign a corresponding public IP from the /24 space that I'm using in the /24 netmapped private space. So, for example, for 207.xx.xx.102/24 assigned to the public interface netmapped to 172.20.103.102/24 works great. Shift to say 172.20.103.103/24, and it doesn't pass traffic. The important factor in the route is the preferred source. As long as that is set to the corresponding public IP mapped to the private netmapped IP you are trying to use, it works. Outside of that space, it doesn't.
Setup:
172.20.103.0/24 on private side.
207.xx.xx.101/24 assigned on public side (207.xx.xx.0/24 handed off to us from our upstream provider)
ip/firewall/nat:
[xxx@xxx] > ip firewall nat
[xxx@xxx] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; General use NATed Ips mapped to 207.xx.xx.0/24
chain=dstnat action=netmap to-addresses=172.20.103.0-172.20.103.255 dst-address=207.xx.xx.0/24
1 ;;; General use NATed Ips mapped to 207.xx.xx.0/24
chain=srcnat action=netmap to-addresses=207.xx.xx.0-207.xx.xx.255 src-address=172.20.103.0/24
[xx@xx] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK BROADCAST INTERFACE
10 207.xx.xx.102/24 207.xx.xx.0 207.xx.xx.255 CoreFiberAlt
[xx@xx] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE
578 ADC 207.xx.xx.0/24 207.xx.xx.102 0 CoreFiberAlt >
I guess, how specifically do you define a route to work with a /24 netmapped space without having to assign each and every public netmapped IP to the public interface?
Final word from MT support…you have to add the public IPs to the public interface in order to use netmap. No shortcuts.
Actually, those things are not connected to each other…
netmap is NAT area, adding addresses is ARP area…
Isn’t it possible that the public interface will never see any of the traffic destined to the public IP netmapped to a private behind the router because the upstream never sends it because the public interface doesn’t respond to ARP for the public IP address? Workarounds would include either proxy ARP on the public interface (only possible if the network between you and your provider belongs to you in its entirety) or assigning all the netmapped public IPs to the interface.
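To make the ARP point above concrete, here is an added example (not code from the thread or from MikroTik): a small Python model of the 1:1 /24 netmap rules from the thread together with a simplified model of whether the public interface would answer an upstream ARP request for a given netmapped public address. It assumes 203.0.113.0/24 (a documentation block) as a constructed stand-in for the thread's 207.xx.xx.0/24, and models proxy-ARP simply as "reply for any address the router has a route for".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the thread's 207.xx.xx.0/24 (RFC 5737 documentation block).
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
PRIVATE_NET = ipaddress.ip_network("172.20.103.0/24")


def netmap(addr: str, from_net: ipaddress.IPv4Network, to_net: ipaddress.IPv4Network) -> str:
    """1:1 netmap: keep the host part of the address, swap the network part.

    This is what the thread's dstnat rule (207.xx.xx.0/24 -> 172.20.103.0/24)
    and srcnat rule (the reverse direction) do for every address in the /24.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"{addr} is not in {from_net} or prefix lengths differ")
    host = int(ip) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host))


@dataclass
class PublicInterface:
    """Simplified model of the router's public-side interface (assumption, not RouterOS)."""
    assigned: set = field(default_factory=set)      # /ip address entries on the interface
    proxy_arp: bool = False                         # arp=proxy-arp enabled on it?
    routes: list = field(default_factory=list)      # networks the router has routes for

    def answers_arp_for(self, target: str) -> bool:
        """Would the router reply to the upstream's ARP request for target?"""
        if target in self.assigned:
            return True
        # Simplified proxy-ARP model: reply for any address the router can route.
        return self.proxy_arp and any(ipaddress.ip_address(target) in r for r in self.routes)


def inbound_private_target(dst_public: str, iface: PublicInterface) -> Optional[str]:
    """Private address an inbound packet to dst_public is netmapped to, or None
    when it never reaches the router: with no ARP reply the upstream never
    forwards the frame, so the dstnat netmap rule is never consulted."""
    if not iface.answers_arp_for(dst_public):
        return None
    return netmap(dst_public, PUBLIC_NET, PRIVATE_NET)
```

With only .102 assigned, traffic to .103 is dropped before NAT is ever consulted; assigning .103 or enabling proxy-ARP with a route for the block makes it reach 172.20.103.103.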