yaro014
just joined
Topic Author
Posts: 5
Joined: Sat Sep 18, 2021 5:32 pm

PPPoE multi IP configuration

Sat Sep 18, 2021 6:01 pm

I recently purchased FTTP broadband from Openreach.
I have an ONT with a single ethernet cable in my house which serves as the WAN link.
I have also been assigned a /29 public IPv4 subnet and a /56 IPv6 subnet.

The first public IPv4 address is retrieved automatically via PPPoE, and the other public IPs from the /29 range need to be routed via the first dynamically assigned one.
I would like to be able to configure the other public IPs on other devices connected to the switch; however, I would like to have NAT on the main public IP.

Configuration would look something like shown below:
[image: configuration diagram]

Would you be able to advise if I would be able to achieve this configuration on CHR?
This is mainly a question about the RouterOS configuration rather than configuring the virtual machine etc.

Thanks.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: PPPoE multi IP configuration

Sun Sep 19, 2021 3:14 pm

Take a look here https://wiki.mikrotik.com/wiki/Manual:I ... :1_mapping
Also you should assign those addresses on your WAN interface ...
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: PPPoE multi IP configuration

Sun Sep 19, 2021 8:26 pm

You can have the public /29 on a local network, just assign the xxx.xxx.xxx.73/29 IP address to port 3. Having the same address on the PPPoE WAN interface is fine as the context is different.

You may wish to masquerade the private network on port 2 egress via port 3 in addition to the PPPoE WAN unless you do not mind the servers attached to port 3 seeing traffic originating from private IP addresses.
 
yaro014
just joined
Topic Author
Posts: 5
Joined: Sat Sep 18, 2021 5:32 pm

Re: PPPoE multi IP configuration

Mon Dec 06, 2021 9:24 pm

So I've added the /29 network on Port3, but I'm unable to reach the internet or even ping the .73 address from the device assigned .75 as shown on the diagram.

Is there anything else I should do to make it work?

I have the only single NAT rule:
chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface-list=WAN log=no log-prefix="" 
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: PPPoE multi IP configuration

Mon Dec 06, 2021 9:39 pm

If you can't ping the xx.xx.xx.73/29 address on ether3 from xx.xx.xx.75/29 on the device attached via the switch, something is misconfigured or blocked by firewall rule(s). If you can't see anything obvious, post the output of /export hide-sensitive after hiding any public addresses, etc.
 
yaro014
just joined
Topic Author
Posts: 5
Joined: Sat Sep 18, 2021 5:32 pm

Re: PPPoE multi IP configuration

Mon Dec 06, 2021 9:49 pm

So after adding the address to Port3 it created a dynamic route.

I have now added a new static route and it seems to be working. Is this step expected, or do I have something misconfigured? I'll send the export soon.

Static route added manually:

DST address: xxx.xxx.72/29, Gateway: Port3, distance 1

The dynamic route automatically added is:

DST address: 255.255.255.248, Gateway: Port3, pref source: xxx.xxx.xxx.73, distance 0

The full config is:
# dec/06/2021 19:50:34 by RouterOS 6.49.2
# software id = 
#
#
#
/interface bridge
add mtu=1500 name=bridge_lan_01 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=eth1_wan_pppoe
set [ find default-name=ether2 ] loop-protect=on name=eth2_lan_01_phy
set [ find default-name=ether1 ] auto-negotiation=no disable-running-check=no loop-protect=on name=eth3_lan_01_virt speed=1Gbps
set [ find default-name=ether2 ] disable-running-check=no name=eth4_wan_shared_virt
/interface pppoe-client
add add-default-route=yes allow=chap dial-on-demand=yes disabled=no interface=eth1_wan_pppoe name=pppoe-out1 user=XXXX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_lan_01 name=dhcp1
/ipv6 dhcp-server
add address-pool=delegation interface=bridge_lan_01 name=dhcp1
/interface bridge port
add bridge=bridge_lan_01 interface=eth2_lan_01_phy
add bridge=bridge_lan_01 interface=eth3_lan_01_virt
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge_lan_01 list=LAN
/ip address
add address=192.168.1.1/24 interface=eth2_lan_01_phy network=192.168.1.0
add address=192.168.1.1/24 interface=bridge_lan_01 network=192.168.1.0
add address=xxx.xxx.xxx.73 interface=eth4_wan_shared_virt network=255.255.255.248
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1 log=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1 log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.1.0/24
/ip route
add distance=1 dst-address=xxx.xxx.xxx.72/29 gateway=eth4_wan_shared_virt
/ipv6 address
add address=::1 from-pool=delegation interface=bridge_lan_01
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=delegation pool-prefix-length=56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 nd
set [ find default=yes ] interface=bridge_lan_01 managed-address-configuration=yes other-configuration=yes ra-interval=20s-1m
/system clock
set time-zone-name=Europe/London

If I remove the route
add distance=1 dst-address=xxx.xxx.xxx.72/29 gateway=eth4_wan_shared_virt
it stops working.
Also, eth4_wan_shared_virt is what Port3 represents on the drawing.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: PPPoE multi IP configuration

Mon Dec 06, 2021 11:47 pm

You have missed the netmask on the IP address, so it defaults to /32; it should be
add address=xxx.xxx.xxx.73/29 interface=eth4_wan_shared_virt network=xxx.xxx.xxx.72

Edit: note the network= parameter is the all-zeros address of the subnet, it isn't the subnet mask. If omitted it will be calculated automatically from the address and subnet size.
 
yaro014
just joined
Topic Author
Posts: 5
Joined: Sat Sep 18, 2021 5:32 pm

Re: PPPoE multi IP configuration

Tue Dec 07, 2021 1:27 am

Perfect. That did the trick. Thanks !

One more question: is it possible to filter traffic to those IP addresses using the MikroTik firewall?
I noticed the only rules for it that are working are from the forward chain, and it seems to disable outbound internet access when I try to do a drop-all rule.

Should the below do the trick?
chain=forward action=drop connection-state=!established dst-address-type="" in-interface=pppoe-out1 out-interface=eth4_wan_shared_virt log=no log-prefix=""
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: PPPoE multi IP configuration

Tue Dec 07, 2021 5:53 pm

Yes, and it will be handled by the forward chain; the input chain only applies to packets destined for services on the MikroTik itself.

The dst-address-type="" may match nothing; to match all destination address types omit the parameter entirely.

Your config references the input chain twice, rather than the input and forward chains, so established and related packets are not being allowed. I'd suggest replacing
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1 log=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1 log=yes

with
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=WAN log=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward in-interface-list=WAN log=yes


The accept dstnat rule is to permit any inbound dstnat port forwards which may be added under /ip firewall nat. For the routed public addresses just add forward accept rules as required, e.g. for a web server you may have something along the lines of
add action=accept chain=forward in-interface-list=WAN dst-address=xxx.xxx.xxx.74 dst-port=80,443 protocol=tcp
before the final forward drop rule.
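As an added example (not code from this thread or from MikroTik), here is a small Python linter that reads text in the shape of a RouterOS /export and flags the two problems pointed out above: an /ip address entry with no prefix length (so it becomes /32) or with network= set to a subnet mask rather than the all-zeros address, and an IPv4 filter that has only input-chain rules (it also counts duplicated rules). The 203.0.113.x addresses in the sample are constructed documentation values standing in for the xxx.xxx.xxx.x ones.

```python
import ipaddress
import shlex

# Constructed sample in the shape of a RouterOS /export, reproducing the thread's
# mistakes: the /29 address entered without a prefix length, network= given as a
# subnet mask, and an IPv4 filter with only (partly duplicated) input-chain rules.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.1.1/24 interface=bridge_lan_01 network=192.168.1.0
add address=203.0.113.73 interface=eth4_wan_shared_virt network=255.255.255.248
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1 log=yes
add chain=input comment="default configuration" protocol=icmp
"""

def parse_export(text):
    """Return a list of (section, {key: value}) for each add/set line of an export."""
    section, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a section header such as /ip address
            section = line
            continue
        tokens = shlex.split(line)        # honours quoted values like comment="..."
        rules.append((section, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)))
    return rules

def lint_export(text):
    """Return human-readable findings for the misconfigurations discussed in the thread."""
    findings, rules = [], parse_export(text)
    for section, kv in rules:
        if section != "/ip address" or "address" not in kv:
            continue
        addr, net = kv["address"], kv.get("network")
        if "/" not in addr:
            findings.append(f"{addr}: no prefix length, RouterOS will treat it as /32")
        if net and net.startswith("255."):
            findings.append(f"{addr}: network={net} is a subnet mask, not the all-zeros address")
        elif net and "/" in addr and net != str(ipaddress.ip_interface(addr).network.network_address):
            findings.append(f"{addr}: network={net} does not match the first address of the subnet")
    filt = [kv for s, kv in rules if s == "/ip firewall filter"]
    if filt and not any(kv.get("chain") == "forward" for kv in filt):
        findings.append("/ip firewall filter: no forward chain rules, so routed traffic is unfiltered")
    keys = [tuple(sorted(kv.items())) for kv in filt]   # identical rules collapse in the set
    if len(keys) != len(set(keys)):
        findings.append(f"/ip firewall filter: {len(keys) - len(set(keys))} duplicated rule(s)")
    return findings
```

Run it over the output of /export hide-sensitive before and after applying the fixes from this thread; a clean config returns an empty list.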
 
yaro014
just joined
Topic Author
Posts: 5
Joined: Sat Sep 18, 2021 5:32 pm

Re: PPPoE multi IP configuration

Mon Dec 13, 2021 11:59 pm

This all worked like a charm.
Big thanks for your help. Much appreciated.
