Using Public IPs on Local Clients without NAT

I know this question has been asked before but I’ve not been able to find an answer I can understand by searching the archives.

I have an MT with two interfaces, one public going to the internet and one private going to a LAN. I have a /29 block available on the public interface and the LAN uses a private /24 network masqueraded to one of the public addresses. I would like to put a few of the remaining public addresses on some of the clients on the LAN. Just statically assign them to a client without any NAT. I would still like to apply queues, however, to these clients so that I can throttle their bandwidth.

Any guidance would be much appreciated.

Guy

http://forum.mikrotik.com/phpbb2/viewtopic.php?t=445

lastguru,

In this thread you describe bridging and proxy-arp as the two possible options but the thread goes on to describe a NAT solution only.

Can you elaborate on the use of bridging and proxy-arp to be able to put a “real” IP address on a LAN host?

Thanks,
Guy

With a /29 and 2 interfaces you aren’t going to go far. Can you let the clients who require the IPs dial up with PPPoE? If so enable Proxy-ARP on both interfaces and your routing and shaping is sorted.

No, unfortunately I can’t use PPPoE. I can get a larger IP block when I need it.

I currently have Proxy-ARP enabled on the Public interface, normal ARP enabled on the Private interface, and have set an address of 82.X.X.242/29 on the private interface. A PC connected to the private interface has an address of 82.X.X.245/29 set on it, but I can even ping 82.X.X.242 from the PC!!! After the ping, the ARP table on the PC is empty. What could be happening?

Thanks,
Guy

Isn’t there a way to do what I am trying to do with routes?

Thanks,
Guy

no, you can’t do it with routes, because your provider will not see the MAC / can’t use ARP of your client which is located far, far away from his (provider’s) Ethernet segment.

This is what we do:

provider facility, our router, range x.y.z.192/27 (192-223), our gw (provider’s cisco) x.y.z.193, we have a machine with ethernet set to x.y.z.194/27 (gateway for all our clients with private IPs through wireless) and connected to the provider’s cisco, proxy-arp turned on, ROUTING public IP x.y.z.195 for the client to the private wireless interface. Then wireless has private 10.10.0.1/30, the other side 10km away has 10.10.0.2/30 on wireless, 10.100.0.1/24 on ethernet and there is a second machine with 10.100.0.2/24 ethernet and “fake” IP x.y.z.195 on the same ethernet. Believe it or not, it works. No NAT, queues very simply set up etc. This way, you can have a public IP address located many hops behind private addresses - as long as you manage routing for them. As you see, we have a public address on the second machine behind the wireless router, no problem to have it on the fifteenth level :)

Key to success is Routing on machine at providers site with proxy-arp:

0 S 0.0.0.0/0 r x.y.z.193 1 ether1 (default GW to our provider)
1 S x.y.z.195/32 r 10.10.0.2 1 wireless (ok, route this private IP to other side of wireless connection, because servers there know what to do with it)
2 DC x.y.z.192/27 r 0.0.0.0 0 ether1 (all other IPs should go to default GW, thus provider and outside world)
3 DC 10.10.0.0/30 r 0.0.0.0 0 wireless (well, wireless has to have something)

So, the system is: the provider is looking for your IPs on the ethernet segment, thus he needs to have your ARP/MAC available. This is managed by proxy-arp on your first server - it will send responses for addresses it physically doesn’t have configured, but which are in its routing table. Then, you have to set routing of those “special” addresses assigned to your client to where they need to be - it means to the interfaces where your client is connected (wireless) through private addresses. On the client’s side, you have to define everything as normal - wireless with private, ethernet with public address/32 - that’s it. Works like a champ, easy and fast to set up and manage. It took me around five hours at the first try (ok, basically it was midnight), but afterwards, you can do it in two minutes.

bye, mp3turbo.
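The two-router setup mp3turbo describes, written out as RouterOS CLI commands. This is an added example, not configuration from the original post; 203.0.113.192/27 stands in for the x.y.z.192/27 range, wlan1 stands in for the “wireless” interface, the MAC address is a placeholder, and the static ARP / reply-only part follows Guy’s later observation rather than mp3turbo’s own setup.

```routeros
# ---- Router A: at the provider site (ether1 -> provider's cisco, wlan1 -> remote site)
/ip address add address=203.0.113.194/27 interface=ether1
/ip address add address=10.10.0.1/30 interface=wlan1
# Proxy-ARP on ether1 makes Router A answer the provider's ARP request for .195,
# because .195 is in its routing table and reachable via a different interface.
/interface ethernet set ether1 arp=proxy-arp
# Default route to the provider (page's route 0), and the /32 "special" route (page's route 1).
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.193
/ip route add dst-address=203.0.113.195/32 gateway=10.10.0.2
# Queue the public IP here so throttling works without NAT (assumed limits).
/queue simple add name=client195 target=203.0.113.195/32 max-limit=512k/2M

# ---- Router B: remote site, 10 km away (wlan1 -> Router A, ether1 -> client LAN)
/ip address add address=10.10.0.2/30 interface=wlan1
/ip address add address=10.100.0.1/24 interface=ether1
# The /32 is pushed one level further down: proxy-ARP on ether1 so the client,
# whose .195 is in a different subnet from 10.100.0.0/24, gets ARP replies for its gateway.
/interface ethernet set ether1 arp=proxy-arp
/ip route add dst-address=0.0.0.0/0 gateway=10.10.0.1
/ip route add dst-address=203.0.113.195/32 gateway=ether1

# ---- Optional hardening (Guy's observation): static ARP + reply-only on the client side.
# Router B then only answers/accepts ARP for entries it has configured; the client PC
# must use 10.100.0.1 as its gateway and carry a static ARP entry for it as well.
/ip arp add address=203.0.113.195 mac-address=00:00:5E:00:53:01 interface=ether1
/ip arp add address=10.100.0.2 mac-address=00:00:5E:00:53:01 interface=ether1
/interface ethernet set ether1 arp=reply-only

# ---- Client PC (second machine): 10.100.0.2/24 plus "fake" 203.0.113.195/32 on the same
# ethernet, default gateway 10.100.0.1. Nothing else is needed on the client.
```

`target=` is the current simple-queue parameter; very old RouterOS versions spelled it `target-addresses=`.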

THANKS!!! :smiley:

With your detailed explanation and different ways of looking at it I was able to work through the problem and now it works great!

I learnt a bit about routing tables into the bargain.

Many thanks, mp3turbo!

Guy

One observation which might help others with this setup (perhaps you can check if my logic is correct, mp3turbo).

I had to set proxy-arp on the private interface, as well as public, to get this working. This makes sense as the client PC with the x.y.z.195 address is in a different subnet than anything else on the private interface and so cannot communicate with anything without proxy-arp stepping up and replying to arp requests from the 195 machine. As I wish to use arp reply-only mode on the private interface (for security) with only static arp entries, I need to set the gateway address on the client PC to the private interface address i.e. 10.10.01. in the example above.

Thanks again, mp3turbo.
Guy

hi gjs,

you’re welcome! As I’m not a linux nor networking guru, I had to be kicked in several times {not here, but generally}, but with a little knowledge of TCP/IP, I was able to do this on my own - a little thinking is required and then it goes :)

I had to set proxy-arp on the private interface, as well as public, to get this working.

of course, it depends on your architecture and how your servers / routers are cascaded. Basically, every time you try to push a “mapped” address further down in the structure, you need to use proxy-arp. Doesn’t matter what level we are talking about.

As I wish to use arp reply-only mode on the private interface (for security) with only static arp entries

this is a great deal of security - we have been facing some jerks who tried to falsify / share / call-it-whatever IP addresses and because they were able to change MAC addresses also, there was no way to stop them - except complicated pptp tunnelling which we didn’t want to use. We ended up with static ARP and the reply-only thing and this stopped them completely… of course, we added (batch file run from diskette) static ARP mapping on the clients…

have a nice day, mp3turbo.