Well, have 2 days of reading I can't figure the simplest of things out. I am using CCR 1036's. I have some that load balance, some fail over, you name it. (I have several networks). I am trying to replace a cisco with a CCr 1036 and all I need it to do is route my providers public IP info to my public class C I own. Which, for reasons I can NOT figure out, I can't get to work!


Provider side:
Subscriber IP - 216.00.14.38
sub - 255.255.255.252
gate -216.00.14.37

My side, 184.105.22.0 /24

NOW,,,, here is the config I am using,

/interface ethernet
set [ find default-name=ether2 ] name=Our_Network
set [ find default-name=ether1 ] name=Provider
/ip address
add address=184.105.22.1/24 comment=defconf interface=Our_Network network=\
184.105.22.0
add address=216.00.14.38/30 interface=Provider network=216.00.14.36
/ip route
add distance=1 gateway=216.00.14.37
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
/tool graphing queue


And since the web interface seems to show more,


Let it be noted that the provider connection was unplugged at the time of pic. There has to be something really simple/stupid I am missing.

1. make sure you have ping to your ISP gateway. If not - resolve it. (layer 2 between you and isp) eg - you are 1.1.1.2/30 and isp are 1.1.1.1/30 you should have ping from 1.1.1.1
2. when ping is ok . make sure you have the route desired to your isp. eg default. 0.0.0.0/0 gw 1.1.1.1

Then router should have internet route. on the other side of router. make sure you have the same setup - eg router - PC as follow 2.2.2.1/30 and 2.2.2.2/30 at computer. If this is a rfc1918 address, you will need to add a /ip firewall nat src-nat masqurade at router. the internet should ping. after this . make sure you have a DNS, and wolla, its working.

"you will need to add a /ip firewall nat src-nat masqurade at router" ,,, Well, it was my understand that with routing a public Ip block from another, the "masqurade" wouldn't be used. I read somewhere that the "masqurade" was only used when going from public WAN to private LAN? Cisco has no such animal so with this cloudcore, I have been unsure.

How you said, is replacing an Cisco to a CCR, then supposedly the provider has delegated that block to you previously. So, this should have worked with no firewall config to do the static routing.

Do you have firewall rules enabled?
Is you using default config from CCR?

Edit: Your provider must know that 184.105.22.0/24 is in 216.00.14.38. If they don't this, never will work that static routing with public IPs and NAT network (LAN).
Also, they must announce your block via BGP (or via another dynamic routing they use) to be routable your block.

Post your Cisco config. I'm sure someone can look at it and figure it out.

You didn't mention any routing protocol peering, so probably your ISP is routing your public /24 to your target ip in the /30.

If you remove all config from the router (completely), then put the proper /30 address on the upstream interface and an address in the public /24 on your inside interface, and a default gateway, routing will work.

You should try to confirm this by setting up this config, then ping your IP on your upstream interface (the /30 address) from another network, a mobile phone for example. This should work. If this doesn't work, stop here. Ensure your settings are correct, if so, talk to your ISP. Maybe there's some controls going on that you're not aware of.

If you can ping your upstream IP but not your internal IP from the public /24, do a packet sniff on the upstream interface and look for the ping. If it doesn't ping but you can see it in the trace, you have something set up wrong on your end most likely.

Wow, that doesn't sound very good when I re-read it.

Do the basics. Clean up the config completely. Make sure the upstream IP in the /30 can ping.

Then try to ping your internal interface in the /24.

If you have evidence that basic stuff is working or not working, you can use this to work with your ISP if you think your setup is correct. Or post it here.

Also reset that CCR to factory with no default config

okay to get caught up here,

1. I have several CCR 1036 and I started from factory default.
2. I do have a Cisco currently doing the job since I can't get the CCR too. This means several things, delegation has worked for almost 2 years now, the only thing I'm missing is something in the configuration of the hard-core.
3. the Cisco configuration is as follows:
!
interface GigabitEthernet0/0
ip address 216.00.14.38 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 184.105.22.1 255.255.255.0
duplex auto
speed auto
media-type rj45
no mop enabled
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 216.00.14.37
::::::::::
as you can see with Cisco there's nothing to it. but so much of my network is running on the CCR's now, I really want to replace these gateways with the CCR's as well.

5. as far as testing and pinging, I don't remember the direct results and since I only have a /30 on my outside, any testing I have to do I have one IP address to play with which means during testing everyone is down. This is not an option. The configuration I gave (on the first post) that I currently have in the CCR should be missing something obvious, or a particular route is missing. I can't figure it out and was hoping someone could see it.

6. there are no firewall rules, no queue rules, basically it's a clean slate.( as the configuration shows)
7. someone asked me to compare my configuration with one of the CCR config examples. With all due respect, there is no such thing as a real CCR example. These cloud cores have the worst documentation I've ever seen. And being a Cisco guy, that says a lot!!! LOL With all the features the CCR's have, they should be running the damn world. But in many cases the configurations don't make logical sense and therefore are difficult to troubleshoot. My hopes are not only to solve my problem but at the end of this thread have a posted, working example, of a gateway router config. (If anyone can help me figure this out).

Subscriber IP - 216.00.14.38
sub - 255.255.255.252

They should be raped with a barbed wire for that subnet size. Those retards are the reason IPv4 is full.

I am confused, it is only 2 available host addresses, would you mind to elaborate?

Subscriber IP - 216.00.14.38
sub - 255.255.255.252

They should be raped with a barbed wire for that subnet size. Those retards are the reason IPv4 is full.

I am confused, it is only 2 available host addresses, would you mind to elaborate?

At expense of four (one for network address and the other for broadcast address).

Ok, other than access list 101, that's pretty straightforward on the Cisco.

Quick detour. This is going to sound like me lecturing: You said "during testing everyone is down" and it's not acceptable. This is not a good business plan, what happens if the Cisco breaks? You should have scheduled downtime once in a while that your customers are aware of, even if it's only a few minutes... If customers are expecting 24x7 you should have "failoverability" to test stuff, or something similar. Routing protocols and stuff like VRRP is vendor independent, which can allow you to transition to new equipment without downtime. Expensive, yes, but possibly less so than customers expecting 24x7 with a setup that isn't really designed for it. I fail my VRRP routers over all the time, as well as my MC-LAG capable switches, and nobody knows When I need to upgrade edge switches that customers attach to with single links, then they know and I tell them it's happening.

So that basic setup on the Cisco should work on the MikroTik without issue. I suspect you are trying to implement the Cisco access list on the MikroTik and that's getting in the way somehow. Test without it. If you still cannot ping the internal /24, something is really wrong because that's just basic connected routes.

Subscriber IP - 216.00.14.38
sub - 255.255.255.252

They should be raped with a barbed wire for that subnet size. Those retards are the reason IPv4 is full.

I am confused, it is only 2 available host addresses, would you mind to elaborate?

At expense of four (one for network address and the other for broadcast address).

Doesn't matter anymore. The IPv4 address space will be growing again soon once people get off their backsides and use IPv6. The majority of traffic at my house is IPv6 now. My mobile phone is nearly 100% IPv6, and doesn't use a "real" IPv4 address when that's required. (see 464xlat)

"""So that basic setup on the Cisco should work on the MikroTik without issue. I suspect you are trying to implement the Cisco access list on the MikroTik and that's getting in the way somehow. Test without it. If you still cannot ping the internal /24, something is really wrong because that's just basic connected routes."""""",,,,,,

No access list with CCR. Soooooo, the config I have in the CCR should be right,,,,right?

/interface ethernet
set [ find default-name=ether2 ] name=Our_Network
set [ find default-name=ether1 ] name=Provider
/ip address
add address=184.105.22.1/24 comment=defconf interface=Our_Network network=\
184.105.22.0
add address=216.00.14.38/30 interface=Provider network=216.00.14.36
/ip route
add distance=1 gateway=216.00.14.37
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
/tool graphing queue

..... Cause it still doesn't seem to work.