Very simple routing question

Hello,

this should be very simple, but I’m so uneducated in this topic that I’m facing issues :slight_smile:

Scenario:

WAN ↔ MikroTik ↔ LAN + RoutedDirectIP

What I mean is that the MikroTik serves WAN access to the LAN using NAT, and also has one server directly connected to it which has an external IP address.

MikroTik: 85.1.1.1
LAN: 10.1.1.255
Server1: 85.1.2.1

If Server1 had an IP close to the MikroTik’s, I could use the subnet mask to let it know that it’s directly connected. But it’s not… so I thought I could add a static route, but it requires a gateway address..

What’s the proper way to do this?

Thanks!

I don’t know about the proper way, but I have some ideas how to make it work. :slight_smile:

First, are you sure that only a single address is routed to you? It is possible, it just seems a little unusual to me.

Let’s say it is correct. Then:

a) use point-to-point addresses

  • on Server1 add 85.1.1.1 and set the other address to x.x.x.x (any non-public address you like).
  • on Server1 add default route via x.x.x.x
  • on Mikrotik add x.x.x.x and set the other address to 85.1.1.1.

How exactly to do it:

  • on Mikrotik add new address x.x.x.x/32 and set network address to y.y.y.y (other address)
  • on Linux use e.g. ifconfig ethX x.x.x.x pointopoint y.y.y.y
  • on Windows I have no idea

b) use another private network to connect Mikrotik and Server1

  • on Mikrotik add 10.1.2.1/24
  • on Server1 add 10.1.2.2/24
  • on Server1 add 85.1.2.1/32
  • on Server1 add default route via 10.1.2.1
  • on Mikrotik add route to 85.1.2.1 via 10.1.2.2

If Server1 is running Windows, it won’t like 85.1.2.1/32 (= mask 255.255.255.255). But it seems that it can be changed later manually in registry.

For now I’ve done it by adding a simple route to 85.1.2.1 using 85.1.2.1 as the gateway. It seems to work, though I’m not sure if it might have any consequences?

If the public ip srcnat/dstnat to the private ip is correct, you should be able to use a local masquerade. Mine works.

/ip firewall nat
add chain=srcnat action=masquerade src-address=10.1.1.0/24

If it is not a private ip, how do you have it routed, and what interface is assigned that public ip subnet?

That’s the issue - it’s a public IP, and it’s only one IP that our ISP has given us (in addition to our router IP). So how to route it IS my question :slight_smile: For now I have it working like this:

85.1.1.1 is the public IP for our router [well, I’ve changed it, but let’s assume it’s like that]
85.1.2.1 is public IP for our internal server

I’ve added a new route to 85.1.2.1 255.255.255.255 on 85.1.1.1 using 85.1.2.1 as a gateway. It seems to work. But is it proper?

If you have only one public ip, where did you get the other public ip? Unless your ISP routes that second ip to your router, it will not work outside your localnet.

ADD: My bad! You have two public ips assigned; one at the router, and the second is routed into a server on the localnet, correct? And your localnet is on the same interface as the server?

Add the second ip address/netmask (85.1.2.1/24?) to your WAN interface.
Set the internal server to a localnet address. (like 10.1.1.2/24)

/ip firewall nat
add chain=srcnat action=src-nat src-address=10.1.1.2 to-addresses=85.1.2.1 place-before=0
add chain=dstnat action=dst-nat dst-address=85.1.2.1 to-addresses=10.1.1.2 place-before=0

If the two ips are on separate subnets, you may need a routing-mark to select the correct gateway in “/ip route”.

For now I’ve done it adding a simple route to 85.1.2.1 using 85.1.2.1 as the gateway. It seems to work,…

I don’t get it. It basically tells the router that the route to 85.1.2.1 is via its own address. But how can the router know where it is? It can’t work. But if it does, I’m obviously misinterpreting something. :slight_smile:

@Sob: I don’t think you are missing anything. If the ip/subnet is not assigned to the WAN interface, only conntrack will know where it is. Only locally in the router. From the internet, it will dead-end into the MT router’s WAN interface. Without the second ip address/subnet assigned there, the router will not respond.

I think I forgot to tell something - the server is connected directly to the router via a switch. So there is no path anymore, the packet just has to be delivered to the recipient :slight_smile:

Connected directly to which interface? WAN or LAN?

lan

What ip/subnet is assigned to your lan interface? Show me:
/ip address print
with changes to protect your public ip, of course!

I’ve actually changed all the IPs in question, so I’m not even sure what to show :slight_smile: The router’s external IP is 85.1.1.1, the LAN IP is 10.1.1.1, the subnet mask is 10.1.1.255. The internal server’s LAN IP is 10.1.1.200. It also has a second interface, which has the 85.1.2.1 IP assigned. And I added a new route to 8.1.2.1 VIA 8.1.2.1 to the router.

Seems to work..

If I understand it correctly, you have this:

Routes are (MikroTik style):

  • at Server:
    /ip route add dst-address=0.0.0.0/0 gateway=10.1.1.1

  • at ISP
    /ip route add dst-address=85.1.2.1 gateway=85.1.1.1

And now the part I don’t understand. It sounds that on the Router you added:

/ip route add dst-address=85.1.2.1 gateway=85.1.2.1

This simply can’t work, because Router doesn’t have any idea where 85.1.2.1 might be.

I’d understand if the route on Router was:

/ip route add dst-address=85.1.2.1 gateway=10.1.1.200

That would work just fine.

It is exactly as you described, precisely.

And it works!

Adding the route did not work until I explicitly specified the interface. When I did that, it started working. My guess is that it sends an ARP request and the server responds to it, so they know they are connected directly. Could this be true?

So I was wondering how it’s possible to specify interface. And finally found that it’s possible to do:

/ip route add dst-address=85.1.2.1 gateway=name_of_interface

Is this what you did? :slight_smile:

Frankly, I’m so new to mikrotik, that I’m using WinBox interface, and not even sure of the command lines..

Anyway, my way doesn’t really work :frowning: It worked when 8.1.2.1 was on the same adapter which also had an internal IP address. When we put in a new adapter, it no longer works.. I have to look into your suggestions..

And now the part I don’t understand. It sounds that on the Router you added:
/ip route add dst-address=85.1.2.1 gateway=85.1.2.1

I don’t think that route is correct. It should be
/ip route add dst-address=85.1.2.1 gateway=10.1.1.200

Ensure that you exclude this address from any srcnats or masquerades.

Ok, I’ve tried the “additional private network” way. And it works just fine for incoming connections - they find their way to the public IP just fine. However, it does not work at all for outgoing connections via that network. If I don’t add anything, they just don’t go through. If I add a masquerade rule, they appear to come from the router’s IP address :frowning:

Ok, so current configuration:

Router - 85.1.2.1
Router additional network - 10.1.2.1/24
Router route to 85.1.2.2 via 10.1.2.2

Server - 85.1.2.2 AND 10.1.2.2

This works for incoming connections. Outgoing connections from server fail.

If I add a masquerade, outgoing connections appear to come from 85.1.2.1

If I add a src-nat for 10.1.2.2 to 85.1.2.2, it works, but I thought I could avoid NAT completely?
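Putting option (b) together with the “exclude it from masquerade” advice, here is the router side as an added RouterOS example; it is not from any poster in the thread. It assumes ether1 is the WAN port and ether3 is the port toward Server1, and reuses the thread’s placeholder addresses (85.1.1.1 router, 85.1.2.1 server, 10.1.2.0/24 transit link).

```routeros
# Added example, not from the thread. Assumed interfaces: ether1 = WAN,
# ether3 = link to Server1. Addresses are the thread's placeholders.

# Private transit link between the router and Server1.
/ip address
add address=10.1.2.1/24 interface=ether3 comment="transit to Server1"

# Host route: the public /32 is reached through Server1's transit address,
# so the router no longer needs to "find" 85.1.2.1 by ARP or by itself.
/ip route
add dst-address=85.1.2.1/32 gateway=10.1.2.2 comment="Server1 public IP"

/ip firewall nat
# Outbound packets that Server1 sources from 85.1.2.1 must leave untouched;
# this accept has to sit ABOVE the masquerade rule, otherwise replies are
# rewritten to 85.1.1.1, which is the symptom described in the thread.
add chain=srcnat src-address=85.1.2.1 action=accept \
    comment="no NAT for Server1 public IP"
# Only the LAN is masqueraded behind the router's own address.
add chain=srcnat src-address=10.1.1.0/24 out-interface=ether1 \
    action=masquerade comment="LAN masquerade"

/ip firewall filter
# Caveat for the operator: once the /32 is routed, Server1 is fully exposed
# on the internet. Accept only the services it offers (HTTPS here, as a
# constructed example) and drop every other new inbound connection to it.
add chain=forward in-interface=ether1 dst-address=85.1.2.1 \
    connection-state=new protocol=tcp dst-port=443 action=accept
add chain=forward in-interface=ether1 dst-address=85.1.2.1 \
    connection-state=new action=drop

# Server1 side (Linux, shown here only as a comment): its default route must
# use the public address as source, e.g.
#   ip addr add 85.1.2.1/32 dev lo
#   ip route add default via 10.1.2.1 src 85.1.2.1
# Without the "src 85.1.2.1" the server sends from 10.1.2.2, which is exactly
# why outgoing connections fail or need a src-nat.
```

With the accept rule placed first, outgoing traffic from Server1 keeps 85.1.2.1 as its source address and no NAT is involved for that host.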