Community discussions

MikroTik App
 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Multiple ip ranges

Wed Jun 06, 2012 5:21 am

Hello,

(RB1100AH)

I've multiple ip ranges (other subnets) assigned to one interface over one 100Mbit pipe. I did put everything into one bridge and added some firewall rules.
But now I've noticed: when I send from the one IP-range to the other IP-range data, this traffic doesn't get routed by the MikroTik but by my provider's router, which limits the traffic to 100Mbit.

As an example configuration:
ether1 (gbit): device-1 with ip 123.123.123.10 / 26
ether2 (gbit): device-2 with ip 234.234.234.20 / 26
ether13 (100mbit): uplink with all thoses IP's assigned
When I send from 123.123.123.10 to 234.234.234.20 the traffic will go like this:
ether1 --> MIKROTIK --> ether13 --> ROUTER PROVIDER --> ether13 --> MIKROTIK --> ether2
I think this is not the proper way to do it, it should be like this:
ether 1 --> MIKROTIK --> ether2
Thank you for your assistance,
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 06, 2012 2:51 pm

It sounds as if you have bridged these IP ranges so routerOS will not route them with the current config.

Please upload the config using the export function.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 06, 2012 3:00 pm

That is correct, I've created a bridge, this is not correct.

It should be in routing, but how should I configure this to work with multiple IP ranges
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 06, 2012 3:23 pm

How you configure it depends on what you want to achieve and what the upstream ISP supports.

e.g. -

Do you want public IPs on your clients or private IPs via NAT?

How many clients do you have?

How does the ISP treat the /26? Do they have the ability to split it further and pass traffic or block B to an address in block A?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 06, 2012 3:28 pm

Thank you for your reply,

1) Clients: Public, not NAT
2) 4 x /26 blocks
3) They don't allow to split it further. All those ranges are configured at the ISP (on the same router). So I can use any gateway on this line.

Now all traffic between the ranges go trough the ISP's uplink.
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 06, 2012 3:52 pm

To avoid wasting too many IPs I suggest that you ask the ISP if they can allocate a /30 to the link and pass traffic for your 4 x /26s to your address on the /30. That would make your life easier!
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 06, 2012 3:53 pm

To avoid wasting too many IPs I suggest that you ask the ISP if they can allocate a /30 to the link and pass traffic for your 4 x /26s to your address on the /30. That would make your life easier!
That is not possible, so I need to waste those extra IP's for the router...

How should I configure this?
 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Thu Jun 07, 2012 2:18 pm

I think the RB must be configured so that it uses one IP of every range to do routing?


When they route all IP's to a private /30 range this configuration would be like this (or some more configuration)?
ISP IP: 10.9.0.1/30
MY IP: 10.9.0.2/30
PUB IP: 123.123.123.0/26 & 123.123.200.0/26

Interfaces
ether13 - uplink ISP
ether1 & ether2 - devices in a bridge (bridge01)

Configuration
IP > ADDRESSES > ether13 > 10.9.0.2/30
IP > ADDRESSES > bridge01 > 123.123.123.1/26
IP > ADDRESSES > bridge01 > 123.123.200.1/26
IP > ROUTES > 0.0.0.0/0 > 10.9.0.1

Is this correct?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Thu Jun 07, 2012 4:15 pm

That is along the lines that I was suggesting. By default the routing between the two /26 nets would be via the router and would not touch the ISP.

If you just want one ether port for each /26 then you would assign those straight to the respective ether ports.

If your ISP is not providing a firewall you would also want to implement firewall functionality on the routerboard.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Thu Jun 07, 2012 4:24 pm

That is along the lines that I was suggesting. By default the routing between the two /26 nets would be via the router and would not touch the ISP.
Thank your for your response, as I could see, those are the only things I need to configure for a basic setup. Correct?

I know the possibility for the firewall, this is usefull, thank you for the suggestion.

The IP's are needed on both interface (in total 5 ranges) so this is why I did put them in a bridge, or is there a better solution?

I think this is the easy solution if I don't want to use NAT. But the ISP doesn't want to do this right away, so I need to convince them.
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Thu Jun 07, 2012 4:30 pm

OK - well if you want the ranges on multiple interfaces a bridge is fine.

When you assign the IP ranges to the interfaces/bridge the relevant routing entries will appear in the routing table automatically so those along with your default entry should get the basic functionality going.

At that point you would however be totally open to inbound traffic. To protect the router itself you would want filters on the input chain and to allow only your clients to initiate connections you would want filters in the forward chain.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 13, 2012 1:10 pm

Did contact them to route everything to one address, this is not possible.

So I must find another way to solve this. I know I will lose some IP's but that is not an issue.

So could you point me the right direction to allow routing between the subnets?

Thank you,
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 13, 2012 6:46 pm

Well it is sure possible but sounds like they don't want to.

If you want:

Public IPs on the clients
Firewall functionality to protect the clients
Routing between the allocated /26s to occur locally not at ISP

Then you need a router not a bridge and that implies either further sub-netting the /26s or using one as the link subnet. In any case any of those solutions would require action at the ISP's router too.

Handing off a bunch of /26s via a /30 is pretty basic stuff and is done every day. Can you look for another ISP or find somebody with some sense at your existing vendor?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 13, 2012 7:04 pm

Handing off a bunch of /26s via a /30 is pretty basic stuff and is done every day. Can you look for another ISP or find somebody with some sense at your existing vendor?
Not possible, they are the only provider there, still Belgium :(
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 13, 2012 8:19 pm

OK - Well if you want to route those /26s locally and you can't get the ISP to route the traffic for the /26s on one link network then you have to use NAT for the clients. Anything else would be horribly convoluted.

Personally I would beat up the ISP until they gave me the correct answer. :D This isn't a Routeros problem - it is an ISP problem.... :(
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
fusa
just joined
Topic Author
Posts: 15
Joined: Wed Jun 06, 2012 5:12 am
Location: Belgium
Contact:

Re: Multiple ip ranges

Wed Jun 13, 2012 8:22 pm

So I must give the router an IP of every range and NAT the other IP's.

Instead of using a private IP I will be using the public IP's. So every gateway (clients) must be edited to the IP of the RouterOS-router
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Multiple ip ranges

Wed Jun 13, 2012 8:29 pm

No - you can't split the /26s like that unless the ISP will also treat them as split, using part of the splits as the link networks and treating the rest as routed subnets sent to your IP on the relevant link networks.

Making several link networks would be wasteful compared to having a new /30 to route all of the /26s - but it would work *if* the ISP also treats the /26s as split.

Basically, their view of the subnet masks must match your router's view of the subnet masks.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

Who is online

Users browsing this forum: Baidu [Spider] and 49 guests