inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Public subnet routing on CCR1016

Wed May 01, 2013 3:29 pm

Hi all,

I'm still learning MikroTik and I've got a question which I haven't been able to answer correctly myself. So I'm looking for some help.

I've got a brand new CCR1016 for a colocation setup. We're getting a /29 public range, which gives us 8 public IPs. It will be available through 1 Gbit Ethernet UTP. So I'd like to plug that into ether1 of the CCR1016 and use it to route and firewall those public IPs to the servers we're putting up.

We'll also have a small group of servers which will be in a private subnet, this is similar to the configuration in my RB2011. So I'll be able to manage that.
But how to configure those 8 public IPs? Do I need to create a bridge and put all the 'public' interfaces in it? Or do I need to create some loopback interface where the public IPs are?

I still need to plan MTCNA training some day. So for now I could use some help :D
Router: Mikrotik RB2011UAS-2HnD-in
Speedtest.net: 93.22Mb/s download | 72.11Mb/s upload | 4ms ping
 
adairw
Frequent Visitor
Posts: 60
Joined: Sun Jan 29, 2012 6:32 pm

Re: Public subnet routing on CCR1016

Wed May 01, 2013 5:27 pm

Is that /29 block routed to you over a /30 or just assigned to you?
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Wed May 01, 2013 5:38 pm

I've just received a sheet with the specs. It's actually just 8 IPs in the provider's /24 subnet.

Currently I've got two bridges, one public and one local, with the first of the 8 public addresses assigned to the CCR1016.
The first 6 ether ports are on the public bridge; the 7th to 12th ports are on the local bridge, which has 192.168.8.0/24.

Am I in the right direction with this? The CCR1016 will become a VPN endpoint so that people can use the servers in the local range.
But we also might be needing the seven other addresses for publicly available web services. So I'd like the CCR1016 to act as a firewall for them.
 
adairw
Frequent Visitor
Posts: 60
Joined: Sun Jan 29, 2012 6:32 pm

Re: Public subnet routing on CCR1016

Wed May 01, 2013 5:59 pm

You have two choices:
1) use source and destination NAT to map the public IPs to the private ones.

2) use the CCR as a bridge filter.

If it was me, I'd NAT everything unless the block was actually routed to me.
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Wed May 01, 2013 6:06 pm

Ok, then I think I'll go for option 1 also.
But can I assign all my public IPs to ether1?

And how does one manage the outgoing traffic?
Can I use masquerading per private IP?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Public subnet routing on CCR1016

Thu May 02, 2013 1:05 am

If you want better flexibility ask the provider to route a number range to you.

You can place multiple IPs from the same subnet on one interface.

You can use SRC NAT (rather than Masquerade) to affect which IP is presented based on whatever criteria you choose.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!
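The two answers above (option 1, source and destination NAT, and the follow-up about several addresses on one interface and SRC NAT instead of masquerade) come together in the added example below. It is my own RouterOS CLI illustration, not configuration posted by anyone in this thread. It assumes ether1 is the provider uplink, 192.168.8.0/24 is the private server bridge (access-level-1 in the export further down), xx.xx.xx.193 is a placeholder for a second address out of the provider's /24, and 192.168.8.10 is a placeholder web server behind the router.

```routeros
# Added example, not configuration posted in this thread. Assumptions: ether1 is the
# provider uplink, 192.168.8.0/24 is the private server bridge (access-level-1 in the
# export above), xx.xx.xx.193 is a placeholder for a second address from the provider's
# /24, and 192.168.8.10 is a placeholder web server behind the router.

# Several addresses from the same /24 can sit on the one uplink interface.
/ip address
add address=xx.xx.xx.193/24 interface=ether1 comment="web1 public address"

/ip firewall nat
# Inbound: publish only TCP 80/443 of web1 on xx.xx.xx.193 (dst-nat).
add chain=dstnat in-interface=ether1 dst-address=xx.xx.xx.193 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.8.10 comment="web1 inbound"
# Outbound: web1 leaves with its own public address (src-nat, not masquerade), so its
# traffic is attributable to that IP in remote logs. The first matching rule wins, so
# this must sit above the broader 192.168.8.0/24 src-nat rule; place-before=0 puts it first.
add chain=srcnat out-interface=ether1 src-address=192.168.8.10 action=src-nat to-addresses=xx.xx.xx.193 comment="web1 outbound" place-before=0

/ip firewall filter
# The export has a bare "add chain=forward" rule, i.e. accept everything that is
# forwarded. Remove it and state the forward policy explicitly instead. dst-nat runs
# before the forward chain, so the rule below matches the translated private address.
remove [ find chain=forward action=accept ]
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1 dst-address=192.168.8.10 protocol=tcp dst-port=80,443 action=accept comment="web1 published service"
add chain=forward in-interface=ether1 action=drop comment="nothing else from the uplink reaches the servers"
# Traffic from the private bridges toward the uplink does not arrive on ether1, so it
# still passes and is src-nat'ed by the rules above.
```

Apply it from a terminal in Safe Mode (Ctrl+X) so the router rolls the changes back if the session is lost, and repeat the dst-nat/src-nat pair per server and public address rather than masquerading the whole private range through one IP.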

 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Thu May 02, 2013 4:59 pm

ok! tnx :)
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Mon May 06, 2013 5:00 pm

Strange:

I've just tried to add a new public address to ether2 of the router so that I can plug in the second uplink cable that our provider has supplied.
But after adding the address to ether2 all connectivity was lost. I had to go into the datacenter and remove that address to get it working again.
The secondary cable hasn't been plugged in yet, but I'm wondering what went wrong. It seems some sort of routing issue, but what?
 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Tue May 07, 2013 10:00 pm

nobody? :(
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Public subnet routing on CCR1016

Tue May 07, 2013 10:30 pm

nobody? :(
You need to give a clearer indication of the question. What was the config beforehand (actual config from /export compact). What exact entry did you add? The answer will be found in those two items - anything else is wild guessing! ;)

 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Wed May 08, 2013 4:34 pm

Ok,

This is the current config, a bit anonymised for security:
# may/08/2013 15:24:18 by RouterOS 6.0rc14
/interface bridge
add l2mtu=1590 name=access-level-1
add l2mtu=1590 name=trust-level-1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=1h
/ip pool
add name=l2tp-pool ranges=10.0.10.10-10.0.10.100
/port
set 0 name=serial0
/ppp profile
add local-address=10.0.10.1 name=L2TP remote-address=l2tp-pool
/interface bridge port
add bridge=access-level-1 interface=ether3
add bridge=trust-level-1 interface=ether4
add bridge=access-level-1 interface=ether5
add bridge=access-level-1 interface=ether6
add bridge=access-level-1 interface=ether7
add bridge=access-level-1 interface=ether8
add bridge=access-level-1 interface=ether9
add bridge=access-level-1 interface=ether10
add bridge=access-level-1 interface=ether11
add bridge=access-level-1 interface=ether12
/interface l2tp-server server
set default-profile=L2TP enabled=yes
/ip address
add address=192.168.8.1/24 interface=access-level-1 network=192.168.8.0
add address=xx.xx.xx.192/24 interface=ether1 network=xx.xx.xx.0
add address=192.168.9.1/24 interface=trust-level-1 network=192.168.9.0
/ip dns
set allow-remote-requests=yes servers=xx.xx.xx.142,xx.xx.xx.11,xx.xx.xx.228
/ip dns static
add address=192.168.88.1 name=router
add address=xx.xx.xx.1 name=gateway
/ip firewall filter
add chain=forward
add chain=input in-interface=access-level-1 src-address=192.168.8.0/24
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input in-interface=ether1 src-address=xx.xx.xx.xx
add chain=input in-interface=ether1 src-address=xx.xx.xx.xx
add chain=input dst-port=4500 protocol=udp
add chain=input dst-port=1701 protocol=udp
add chain=input dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.8.0/24 to-addresses=xx.xx.xx.192
add action=src-nat chain=srcnat out-interface=ether1 src-address=10.0.0.0/8 to-addresses=xx.xx.xx.192
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.9.0/24 to-addresses=xx.xx.xx.192
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes secret=xxxxxxx send-initial-contact=no
/ip route
add distance=1 gateway=xx.xx.xx.1
add distance=1 dst-address=10.0.31.0/24 gateway=10.0.10.3
add distance=1 dst-address=192.168.88.0/24 gateway=10.0.10.3
/lcd
set time-interval=hour
/ppp secret
add name=xxxxxxxx password=xxxxxxxx profile=L2TP remote-address=10.0.10.3 service=l2tp
add name=xxxxxxxx password=xxxxxxxx profile=L2TP remote-address=10.0.10.2 routes="192.168.0.0/16 10.0.10.2 1" service=l2tp
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=xx.xx.xx.xx secondary-ntp=xx.xx.xx.xx
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
/tool graphing interface
add interface=ether1
This currently works fine with L2TP/IPsec etc.

The provider has two UTP cables going to two separate switches. One is currently connected to ether1.
What I want to do is add the other uplink to ether2. And use that as a back-up link. Either with a different IP (we have 8) or (if possible) with same IP to have some sort of redundancy.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Public subnet routing on CCR1016

Wed May 08, 2013 11:38 pm

Were you trying to add another IP in the same /24 as
add address=xx.xx.xx.192/24 interface=ether1 network=xx.xx.xx.0
to ether2?

It isn't really clear what the upstream is providing, but if they are just handing you out addresses on a /24 with multiple connections to their switch infrastructure then if you add the same /24 to multiple interfaces in RouterOS it is getting confused - i.e. which interface does it ARP on for an address in that /24.

 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Sun May 12, 2013 11:41 pm

Were you trying to add another IP in the same /24 as
add address=xx.xx.xx.192/24 interface=ether1 network=xx.xx.xx.0
to ether2?
Yes
It isn't really clear what the upstream is providing, but if they are just handing you out addresses on a /24 with multiple connections to their switch infrastructure then if you add the same /24 to multiple interfaces in RouterOS it is getting confused - i.e. which interface does it ARP on for an address in that /24.
Ah, so there is no way of specifying which /24 address goes on which ether port?
Both ports (ether1 and 2) were not on a bridge. So I thought that separate address on separate port would be fine.
So there is no way of doing this?
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Public subnet routing on CCR1016

Mon May 13, 2013 12:50 am

I'm still not clear what the upstream's expectation is. If you are just connecting into their /24 broadcast network via two switch ports then you *could* bridge two interfaces on the CCR and place your IPs on the bridge interface - *but* you would need to check what spanning tree protocol is working on the upstream's switches and make sure that your bridge is configured to avoid loops.

If you are still trying to bootstrap your knowledge of routing then I would suggest that you get some assistance involved before trying to engineer a redundant layer 2 installation - multi-vendor spanning tree interworking can be a challenge for newcomers.
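As an added example of the bridged alternative described in this reply (my own configuration, not CelticComms' or inSaNo's), the bridge becomes the single layer-3 interface: the /24 then lives in one place, so the ARP ambiguity from the earlier reply (the same /24 on ether1 and ether2) cannot arise, and RSTP on the bridge gives the provider's switches a spanning tree to block one of the two paths. It assumes ether1 and ether2 are the two provider uplinks and xx.xx.xx.192/24 is the router's public address from the posted export; uplink-bridge is a name I chose.

```routeros
# Added example, not configuration from this thread. Assumes ether1 and ether2 are the
# two provider uplinks and xx.xx.xx.192/24 is the router's public address from the
# export above. Run it in Safe Mode (Ctrl+X in the terminal) so it rolls back if the
# session is lost, as happened when the address was added to ether2.

# One bridge holds both uplinks; RSTP lets the bridge and the provider's switches
# agree on blocking one of the two paths instead of forming a loop.
/interface bridge
add name=uplink-bridge protocol-mode=rstp comment="both provider uplinks"
/interface bridge port
add bridge=uplink-bridge interface=ether1
add bridge=uplink-bridge interface=ether2

# Move (not copy) the public address to the bridge: the /24 then lives on exactly one
# layer-3 interface, so there is only one interface to ARP on for that subnet.
/ip address
set [ find address="xx.xx.xx.192/24" ] interface=uplink-bridge

# Rules that matched the physical port now have to match the bridge, otherwise the
# input-chain drop rule and the src-nat rules silently stop applying.
/ip firewall filter
set [ find in-interface=ether1 ] in-interface=uplink-bridge
/ip firewall nat
set [ find out-interface=ether1 ] out-interface=uplink-bridge
/tool graphing interface
set [ find interface=ether1 ] interface=uplink-bridge

# After both cables are connected, confirm that spanning tree left exactly one of the
# two ports forwarding before relying on the second link for redundancy.
/interface bridge port print detail
```

The point of the filter and NAT rewrites is the one a firewall reviewer would check first: once the address moves off ether1, any rule still keyed on in-interface=ether1 matches nothing, and the final input-chain drop in the export would no longer protect the router.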

 
inSaNo
newbie
Topic Author
Posts: 35
Joined: Fri Nov 23, 2012 9:23 am

Re: Public subnet routing on CCR1016

Mon May 13, 2013 11:00 pm

I'm still not clear what the upstream's expectation is. If you are just connecting into their /24 broadcast network via two switch ports then you *could* bridge two interfaces on the CCR and place your IPs on the bridge interface - *but* you would need to check what spanning tree protocol is working on the upstream's switches and make sure that your bridge is configured to avoid loops.
That's also what they said, to prevent a loop.
If you are still trying to bootstrap your knowledge of routing then I would suggest that you get some assistance involved before trying to engineer a redundant layer 2 installation - multi-vendor spanning tree interworking can be a challenge for newcomers.
I agree.. I am planning to do the MTCNA course this year, but you know how it goes: busy busy busy, and sometimes a customer wants something "yesterday". :lol:

I've worked with other devices (Cisco, Foundry) before, and for the most part I can figure it out by myself. But the MikroTik is a bit different.
Currently redundancy is "nice to have" but not a must. So I'll leave that as is for now. Maybe I'll order another CCR1016 just to use as a training/testing device, and to have one 'in stock'. Thanks for the assistance.
