Wrong Public IP Showing

nightowl · March 5, 2014, 11:41pm

I’m currently trying out configurations so as to convert my network from Bridged to Routed.

I have a /24 for discussion purposes I’m calling it 1.1.1.0/24 that is being provided to me.

what we have
1 - Core Router 1.1.1.254
2 – Test Router A (Port 1: 1.1.1.130/24) (Port 2: 1.1.1.133/30) (Ports 3-5:192.168.1.1/24)
3 – Test Router B (Port 1: 1.1.1.134/30 this is Plugged into Test Router B Port 2)
My problem is that test Router B is showing the public IP 1.1.1.130 to the world and NOT 1.1.1.134

Test Router A Configuration:

/interface bridge
add l2mtu=1598 name=“test”
add l2mtu=2290 name=“test 59”
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods=“”
management-protection=allowed mode=dynamic-keys name=NOPCS
supplicant-identity=“” wpa-pre-shared-key=xxxxxxxxx wpa2-pre-shared-key=
xxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=
20/40mhz-ht-below disabled=no frequency=2437 l2mtu=2290 mode=ap-bridge
security-profile=test ssid=“test”
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.59.1-192.168.59.10
add name=dhcp_pool2 ranges=1.1.1.134
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=“test 59” lease-time=1d
name=“test 59”
add address-pool=dhcp_pool2 interface=ether2 lease-time=1d name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=“test 59” interface=ether3
add bridge=“test 59” interface=ether4
add bridge=“test 59” interface=ether5
add bridge=“test 59” interface=wlan1
add bridge=“test Office” interface=ether6
add bridge=“test Office” interface=ether7
add bridge=“test Office” interface=ether8
add bridge=“test Office” interface=ether9
add interface=ether1
add interface=ether2
/ip address
add address=192.168.59.254/24 interface=“test 59” network=192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=192.168.1.1/24 interface=“test Office” network=192.168.1.0
add address=1.1.1.133/30 interface=ether2 network=1.1.1.132
/ip dhcp-server network
add address=192.168.59.0/24 dns-server=1.1.1.254,8.8.8.8,4.2.2.1
gateway=192.168.59.254
add address=1.1.1.132/30 dns-server=
1.1.1.133,1.1.1.254,8.8.8.8 gateway=1.1.1.133
/ip dns
set allow-remote-requests=yes servers=1.1.1.254,8.8.8.8
/ip route
add distance=1 gateway=1.1.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1
/lcd interface pages
set 0 interfaces=“sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
,ether9,ether10”

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Test Router B Configuration:

/interface bridge
add name=TEST59
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=
ap-bridge
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=“”
mode=dynamic-keys wpa-pre-shared-key=xxxxxxxxx wpa2-pre-shared-key=
xxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.59.1-192.168.59.10
add name=dhcp_pool2 ranges=192.168.2.1-192.168.2.10
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=TEST59 lease-time=1d name=
dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=TEST59 interface=ether3
add bridge=TEST59 interface=ether4
add bridge=TEST59 interface=ether5
add bridge=TEST59 interface=wlan1
/ip address
add address=192.168.59.254/24 disabled=yes interface=TEST59 network=
192.168.59.0
add address=1.1.1.132/30 interface=ether1 network=1.1.1.134
add address=192.168.2.254/24 interface=TEST59 network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254
add address=192.168.59.0/24 dns-server=192.168.59.254 gateway=192.168.59.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.254,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=1.1.1.133
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1

efaden · March 6, 2014, 12:00am

My guess is your masq rule on a’s config. You most likely don’t want that.

Sent from my SCH-I545 using Tapatalk

nightowl · March 6, 2014, 12:09am

Ya, I have a feeling it might have something to do with it also, but when I remove the rule all traffic fails.

Lakis · March 6, 2014, 12:12am

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

this should be removed

add
chain=dstnat action=dst-nat to-addresses=x.x.x.x
dst-address=x.x.x.x

also
/interface bridge port

add interface=ether1
add interface=ether2

last two add interface=ether1 where or = none

efaden · March 6, 2014, 12:15am

How are you using traffic? If it’s going out to the Internet it needs a masq somewhere

Sent from my SCH-I545 using Tapatalk

nightowl · March 6, 2014, 12:39am

Traffic is going out to the internet.

Lakis:

chain=dstnat action=dst-nat to-addresses=x.x.x.x
dst-address=x.x.x.x the x.x.x.x should that be my lan or public ips?

last two add interface=ether1 where or = none ?

efaden · March 6, 2014, 12:41am

Post a diagram… if its going out to the internet you can’t have it using private addresses.

nightowl · March 6, 2014, 1:35am

I’m not trying get Private IP’s to show to the world, im trying to get the WAN Public ip on Router B to show and Router B is connected to router A’s Port#2 because of that I think Router A’s Masqr its NATing the traffic from Router B, I’m running private ips on a couple of ports not all of them which is why there is the Masqr Nat rule but how do I exclude Router B traffic from Router A’s Nat rule?

All I’m trying to accomplish is routing public ip’s and have them show to the world and then manage all my devices on a private vlan after I accomplish routing public ips

efaden · March 6, 2014, 1:38am

Then modify the masq rule to only masq from specific sources.

Sent from my SCH-I545 using Tapatalk

nightowl · March 6, 2014, 1:54am

Is it possible to specify the source as a bridge if so how?

efaden · March 6, 2014, 1:57am

Sure. Just set the in interface to the bridge.

Sent from my SCH-I545 using Tapatalk

nightowl · March 6, 2014, 11:26pm

Ok, So I have the Public IP’s showing correctly BUT. I still haven’t been able to NAT the 192.168.2.0/24 to Eth1 public ip address and make traffic flow.
The currenty Masqr rule is not working. So what is the specific Masqr Rule I should be applying. because this rule add action=masquerade chain=srcnat out-interface=ether1 is not working. Thanks.

Below is an updated config.

/interface bridge
add name=TEST59
add l2mtu=1598 name=WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=
ap-bridge
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.59.1-192.168.59.10
add name=dhcp_pool2 ranges=192.168.2.1-192.168.2.10
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=TEST59 lease-time=1d name=
dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=WAN interface=ether3
add bridge=WAN interface=ether4
add bridge=WAN interface=ether5
add bridge=TEST59 interface=wlan1
add bridge=TEST59 interface=ether6
add bridge=TEST59 interface=ether7
add bridge=TEST59 interface=ether8
add bridge=WAN interface=ether2
add bridge=WAN interface=ether1
/ip address
add address=192.168.59.254/24 disabled=yes interface=TEST59 network=
192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=1.1.1.254/24 interface=TEST59 network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.254,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=1.1.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1

efaden · March 6, 2014, 11:29pm

Add in-interface=whatever…

Sent from my SCH-I545 using Tapatalk

nightowl · March 6, 2014, 11:41pm

Ah YES you would think that would work. I’m receiving the following error when I try specifying the LAN Bridge to the interface.

efaden · March 6, 2014, 11:44pm

Argh… forgot about that.

Use src-address.

nightowl · March 6, 2014, 11:48pm

You would think that would also work, but ZERO traffic flows outbound to the world when specifying the src-address as 192.168.2.0/24

efaden · March 6, 2014, 11:52pm

Then something is wacky… post a diagram of your network and your full current configs and I’ll break it down when I have some time.

nightowl · March 7, 2014, 12:18am

This is the Full Config the only thing missing is the wifi security settings and I changed my first three octets of my public ips to 1.1.1.

/interface bridge
add name=TEST59
add l2mtu=1598 name=WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no l2mtu=2290 mode=
ap-bridge
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.59.1-192.168.59.10
add name=dhcp_pool2 ranges=192.168.2.1-192.168.2.10
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=TEST59 lease-time=1d name=
dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=WAN interface=ether3
add bridge=WAN interface=ether4
add bridge=WAN interface=ether5
add bridge=TEST59 interface=wlan1
add bridge=TEST59 interface=ether6
add bridge=TEST59 interface=ether7
add bridge=TEST59 interface=ether8
add bridge=WAN interface=ether2
add bridge=WAN interface=ether1
/ip address
add address=192.168.59.254/24 disabled=yes interface=TEST59 network=
192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=1.1.1.254/24 interface=TEST59 network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.254,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=1.1.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1
Network Diagram.jpg

efaden · March 7, 2014, 12:29am

/ip address
add address=192.168.59.254/24 disabled=yes interface=TEST59 network=
192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=1.1.1.254/24 interface=TEST59 network=192.168.2.0Looks wrong?..
/ip address
add address=192.168.59.254/24 disabled=yes interface=TEST59 network=192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=192.168.2.254/24 interface=TEST59 network=192.168.2.0Or something like that is my guess… the way you have it you don’t actually have any address on the router in the 192.168.2.0/24 subnet.

And your masq should be
add src-address=192.168.2.0/24 action=masquerade chain=srcnat out-interface=ether1

nightowl · March 7, 2014, 2:52am

ok so in the process of hiding my public ip I messed up the config I posted. sorry

my actual config is
add address=192.168.59.254/24 disabled=yes interface=NOW59 network=192.168.59.0
add address=1.1.1.130/24 interface=ether1 network=1.1.1.0
add address=192.168.2.254/24 interface=NOW59 network=192.168.2.0

but I also added the nat rule you posted and still no traffic flowing out.