
 
wesson
just joined
Topic Author
Posts: 2
Joined: Wed Mar 20, 2019 2:41 pm

RB4011iGS - Use of a /29 IP Block over PPPOe (OVH ISP)

Wed Mar 20, 2019 3:42 pm

Hello,
I am a subscriber to OVH as Internet Service Provider.
They offer a box with their subscription, however this box is too buggy (NAT just doesn't work), so I have decided to use a Mikrotik router as front connection.

Technically I connect to the ISP through a PPPoE interface, in a Fibre modem connected to ether1.

This PPPoE provides an IP address /32 which is then NATed to a local network /24 on interface ether2. Everything goes well up to this point, no problem with that.

But, with this ISP subscription, I also have a /29 IP range (a network of 8 IPs) available. This IP range is routed through the very same PPPoE connection as for the /32 address.

Let's say my /29 network is 109.xxx.yyy.zz0, and OVH defines the gateway for this network on 109.xxx.yyy.zz6 in their documentation.

So I have added the network gateway to the IP address list :
/ip address
add address=109.xxx.yyy.zz6/29 interface=ether2 network=109.xxx.yyy.zz0
Doing this allows me to ping the 109.xxx.yyy.zz6 from the Internet, so the router can receive IGMP and route them back to the Internet.

then I physically connect to ether2 a computer with a static IP set :
address : 109.xxx.yyy.zz1
netmask: 255.255.255.248
gateway: 109.xxx.yyy.zz6
dns: 109.xxx.yyy.zz6

from this connected computer I have full access to internet.

But my goal is to make this computer reachable from the Internet. So I've added this firewall rule :
/ip firewall
add action=accept chain=input dst-address=109.xxx.yyy.zz0/29 in-interface-list=WAN
Yet this is what's not working. Pinging 109.xxx.yyy.zz1 from the Mikrotik is working, but the same address from the Internet is not working.

Obviously it's an issue of firewall / nat / or routing rule, but I can't manage to find the adequate setting that will route packets from Internet to my server.
I've tried some Filter rules in the input or the forward chain, to no avail so far

Anyone with a suggestion ?
 
wesson
just joined
Topic Author
Posts: 2
Joined: Wed Mar 20, 2019 2:41 pm

Re: RB4011iGS - Use of a /29 IP Block over PPPOe (OVH ISP)

Wed Mar 20, 2019 4:18 pm

Oh, it turns out that I have found the solution:
Adding a forward rule, but before the forward rule dropping all the traffic coming from the WAN:
/ip firewall filter
add action=accept chain=forward dst-address=109.xxx.yyy.zz0/29 in-interface-list=WAN out-interface-list=LAN
My mistake was that this rule was added at the very end of the filter rules, thus the "drop everything from WAN forward rule" set before was the cause of my issue.
 
flaviojunior
Trainer
Posts: 19
Joined: Thu Nov 17, 2016 6:27 pm
Location: Brazil

Re: RB4011iGS - Use of a /29 IP Block over PPPOe (OVH ISP)

Wed Mar 20, 2019 4:29 pm

The problem is that you are NATting the traffic to the computer, and filtering it from the WAN. And put the rule at the top of the firewall.

So what you need to do is:
/ip firewall filter add action=accept chain=forward dst-address=109.xxx.yyy.zz0/29 place-before=0 
/ip firewall filter add action=accept chain=forward src-address=109.xxx.yyy.zz0/29 place-before=0 
/ip firewall nat add action=accept chain=srcnat src-address=109.xxx.yyy.zz0/29 place-before=0
:D
Mikrotik Certified Trainer, Network Specialist.
Number 1 consultant Brazil, Rio de Janeiro
MTCNA, MTCRE, MTCWE, MTCTCE, MTCUME, MTCIPv6E, MTCINE, MTCSE
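
The two mistakes discussed in this thread (an accept rule in the input chain, then a forward accept rule placed after the WAN drop rule), modelled as a first-match rule evaluator. This is an added example, not code from any poster or from MikroTik; it simplifies RouterOS matching to chain, destination and interface list, and uses constructed 203.0.113.0/29 addresses in place of the masked 109.xxx.yyy.zz0/29 block.

```python
import ipaddress

# Constructed stand-ins (TEST-NET-3) for the thread's masked 109.xxx.yyy.zz0/29 block.
BLOCK = ipaddress.ip_network("203.0.113.0/29")
ROUTER_ADDRS = {ipaddress.ip_address("203.0.113.6")}  # gateway address held by the router
HOST = ipaddress.ip_address("203.0.113.1")            # server connected to ether2

def rule(chain, action, dst=None, in_list=None, out_list=None):
    return {"chain": chain, "action": action, "dst": dst, "in": in_list, "out": out_list}

def chain_for(dst):
    # Packets addressed to the router itself traverse "input";
    # packets routed through it to another host traverse "forward".
    return "input" if dst in ROUTER_ADDRS else "forward"

def evaluate(rules, dst, in_list, out_list):
    """Return (action, index) of the first matching rule; no match means accept."""
    chain = chain_for(dst)
    for i, r in enumerate(rules):
        if r["chain"] != chain:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["in"] is not None and r["in"] != in_list:
            continue
        if r["out"] is not None and r["out"] != out_list:
            continue
        return r["action"], i
    return "accept", None

DROP_WAN = rule("forward", "drop", in_list="WAN")                  # "drop everything from WAN"
ACCEPT_INPUT = rule("input", "accept", dst=BLOCK, in_list="WAN")   # first attempt in the thread
ACCEPT_FWD = rule("forward", "accept", dst=BLOCK, in_list="WAN", out_list="LAN")
LAN_HOST = ipaddress.ip_address("192.168.88.10")                   # constructed NATed LAN address

def verdicts():
    return {
        # The input-chain rule is never consulted for traffic routed to the server.
        "input_rule_only": evaluate([ACCEPT_INPUT, DROP_WAN], HOST, "WAN", "LAN"),
        # Accept appended after the drop: the drop matches first.
        "forward_rule_last": evaluate([DROP_WAN, ACCEPT_FWD], HOST, "WAN", "LAN"),
        # Accept placed before the drop: the server becomes reachable.
        "forward_rule_first": evaluate([ACCEPT_FWD, DROP_WAN], HOST, "WAN", "LAN"),
        # Traffic outside the /29 is still dropped by the later rule.
        "other_wan_traffic": evaluate([ACCEPT_FWD, DROP_WAN], LAN_HOST, "WAN", "LAN"),
    }

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

The accept rule in the working order matches every port on every address in the /29, so each host in that block needs its own host firewall or narrower forward rules.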
