Hello,

I am struggling with routing a /23 subnet thru a Cisco uBR10K CMTS private address for cable modems to use. I have successfully done this on other sites and have a but I am struggling with this one in particular, and with it being a live network my nerves are on end. The DHCP server (10.2.10.2) is on a private network with the CMTS (10.2.10.3). Cable modem Private addresses (192.168.X.X) are currently NAT'd thru the MikroTik Private address (10.2.10.1) to the 12.1.X.X/29 network. The network is going to require the /23 public addresses to be given out in the near future (Netflix, PSN issues) The two public Subnets are VLAN'd at the ISPs equipment

Heres a breakdown of IPs and the (port) they are plugged into on the RB1100x4 running 6.43

12.2.X.X/29 Mikrotik Public address (port 2)
12.1.X.X/23 Subnet needed to route to CMTS (port 1)
10.2.10.1 Mikrotik Private (port 3)
10.2.10.3 CMTS (port 4)


/interface bridge port
add bridge=bridge1 interface=ether3 trusted=yes
add bridge=bridge1 interface=ether4 trusted=yes
add bridge=bridge1 interface=ether1 trusted=yes
/ip address
add address=10.2.10.1/24 interface=ether3 network=10.2.10.0
add address=12.2.X.X/29 interface=ether2 network=12.1.X.X
/ip firewall filter
add action=accept chain=forward dst-address=12.1.X.X/23
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=10.2.10.0/24
/ip route
add distance=1 gateway=12.2.X.X
add distance=1 dst-address=12.1.X.X gateway=10.2.10.3
add distance=1 dst-address=192.168.10.0/24 gateway=10.2.10.3

CMTS
Interface Gigabitethernet 4/0/0
ip address 10.2.10.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.2.10.1
interface Bundle1
ip address 12.1.X.4 255.255.254.0 secondary
ip address 192.168.10.1 255.255.255.0
cable arp filter request-send 3 2
cable arp filter reply-accept 3 2
cable dhcp-giaddr policy
cable helper-address 10.2.10.2

The Mikrotik can ping the gateway of the /23 subnet @ 12.1.X.1 and we have confirmed it can surf when a computer is plugged directly into the ISPs equipment. Mikrotik can also ping 12.1.X.3 of the CMTS CPE gateway.The computer connected to the cable modem is staticlly sent a IP of 12.1.X.20 sucessfully, however it cannot surf. Using the Bridge is a new addition to this setup and I think it may be the issue.

Any help would be greatly appreciated.

First I would move 10.2.10.1/24 to the bridge1 interface, as ether 1,3,and 4 are slaves to that interface.

Second, you would need another firewall rule
You allowed the traffic coming into the MikroTik, but not going back out from behind the CMTS.


--John