jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Private IP's to customers, but NAT each to their own Public IP?

Tue Jun 07, 2016 11:58 pm

I'm just thinking out loud here: I'm running out of IP's for our ISP and ARIN will not give me more. I have some IPv6 assigned to me but I'd like to buy some time before diving into that fiasco. My network is subnetted pretty heavily with 17 different routers via OSPF that all go out to the internet via 1 central router. Each client gets their own public IP, but subnetting has cost me a lot of IP space. If I was 1 flat network I'd have enough IP's to survive another couple years, but I don't want to run a bridged network. So I'm wondering this, would it be possible to assign all my customers private IP's and when they hit the Internet facing router NAT them to a public address? This would allow me to keep all my public IP's in 1 place without losing anything to a subnet. I guess this would be the same as NATTING them twice though, right? Since most clients will also have a router on their end. I know the video gamers hate being natted too many times.

Do I need to just make the jump to IPv6? :(
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 10:00 am

Sure, you can do a 1to1 NAT between the private IP and one public IP you've assigned them. If you build your setup that way you can easily migrate to a one to many NAT when you have too many customers.

But if you have to go the carrier grade NAT road, I suggest doing it the right way from the beginning:
1. also implement IPv6
2. make use of 100.64.0.0/10 (RFC 6598) instead of using private ranges from RFC 1918, as those should be reserved for your customers' LAN
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
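
The 1:1 NAT plan suggested in the reply above, as an added example that is not part of the original thread: it pairs a block from 100.64.0.0/10 with a public block of the same size, emits the matching RouterOS netmap rules, and does the reverse lookup needed to attribute an abuse report to one subscriber. The blocks 100.64.10.0/24 and 203.0.113.0/24 (a documentation prefix), the interface name ether1 and all function names are assumptions.

```python
import ipaddress

# RFC 6598 shared address space, recommended in the post above for the ISP side.
CGN_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges, left free for customer LANs.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_one_to_one(inside, public):
    """Pair each inside address with the public address at the same offset."""
    inside = ipaddress.ip_network(inside)
    public = ipaddress.ip_network(public)
    if not inside.subnet_of(CGN_SPACE):
        raise ValueError(f"{inside} is outside {CGN_SPACE}")
    if public.overlaps(CGN_SPACE) or any(public.overlaps(n) for n in RFC1918):
        raise ValueError(f"{public} is not a public block")
    if inside.prefixlen != public.prefixlen:
        raise ValueError("1:1 NAT needs two blocks of the same size")
    return {str(i): str(p) for i, p in zip(inside, public)}

def netmap_rules(inside, public, wan="ether1"):
    """RouterOS netmap rules for the pair; 'wan' is an assumed interface name."""
    plan_one_to_one(inside, public)  # reuse the validation
    return [
        f"/ip firewall nat add chain=srcnat src-address={inside} "
        f"out-interface={wan} action=netmap to-addresses={public}",
        f"/ip firewall nat add chain=dstnat dst-address={public} "
        f"in-interface={wan} action=netmap to-addresses={inside}",
    ]

def subscriber_for(public_ip, inside, public):
    """Reverse lookup for an abuse report: which inside address used this IP?"""
    reverse = {p: i for i, p in plan_one_to_one(inside, public).items()}
    return reverse.get(str(ipaddress.ip_address(public_ip)))

if __name__ == "__main__":
    # Constructed sample blocks: 203.0.113.0/24 is a documentation prefix.
    for rule in netmap_rules("100.64.10.0/24", "203.0.113.0/24"):
        print(rule)
    print(subscriber_for("203.0.113.42", "100.64.10.0/24", "203.0.113.0/24"))
```

Because the mapping is static and offset-preserving, the reverse lookup needs no connection or port logs, which stops being true after a migration to one-to-many NAT.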
 
jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 5:45 pm

Thanks for the reply. I may go this route as a temp solution. I know I need to migrate to IPv6 but I'm a lone ranger over here and the company assigns me a lot of other duties outside of IT. I did some reading the last couple of days on IPv6 but it seems a bit overwhelming considering I need to learn it all. As an ISP I'll need to learn BGP, OSPF, firewalling, etc. I guess I'm just gonna have to bite the bullet and jump in.

Do you have any good guides you would recommend that pertain to MT? The MT wikis have never been easy to follow for me.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 7:09 pm

> Do you have any good guides you would recommend that pertain to MT? The MT wikis have never been easy to follow for me.

Maybe because you're missing some networking basics? I think the MT wiki is usually quite helpful when it comes to RouterOS specific things, but you need to know the networking principles. MT wiki is not the right place to learn how, for example, OSPF or BGP works in principle; that is something you need to learn somewhere else.

I wonder what kind of company you're working for if you are a "lone ranger" but they have an ISP network? If the company depends on your networking skills but nobody else inside the company can teach on that topic, they need to send you to some external training.
 
jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 7:46 pm

Oh I agree, but you know how things go with various companies. I actually have a very strong understanding of IPv4, I'm the one that set the entire network up. When I came to work here I took a flat bridged network that had hundreds of customers natted and sharing 1 public IP address. I installed routers at various locations with OSPF linking them together with load balancing and backup links and purchased enough IP space to give everyone a routable public, but for some reason I have a mental block with IPv6. I guess I was hoping I'd be retired by the time we reached that point. I think I just need to find the time to do some more reading.
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 8:04 pm

> My network is subnetted pretty heavily with 17 different routers via OSPF that all go out to the internet via 1 central router. Each client gets their own public IP, but subnetting has cost me a lot of IP space

Are you using public IP segments for your internal network? First thing I'd do would be recovering those, use private IPs for private transit...
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Private IP's to customers, but NAT each to their own Public IP?

Wed Jun 08, 2016 11:37 pm

No, the infrastructure is all private IP's. Currently each of my 17 routers acts as an independent DHCP server and hands out public IP's to clients. Each client is a wireless subscriber that receives 1 public IP, and then NAT on the customer side like a traditional router. My big problem is some network segments need large blocks and some need small blocks, forcing me to subnet some into smaller groups and some into larger groups. ARIN has given me two /21 subnets. I gave 2 /24's to our sister network and the rest are mine. 2 /24's are broken into small subnets and used for static IP's when customers request to be bridged. I lose a lot of IP's there, because I might only have a couple of statics actually in use with a /29 or /28 reserved for that purpose. Same thing occurs with DHCP customers, I might have 15 IP's available on 1 router, but cannot really use those on another router, so the closer I get to exhaustion the more complex it gets trying to shift IP's around and create properly sized subnets since the network is constantly growing and changing shape.

So the more I think about it the more I think a 1 to 1 nat would make more sense. This would free up several hundred IP's for me and allow me to have 1 central pool on the dhcp customers. The only issue is at that point many customers become triple natted, once by the 1 to 1 nat, second from their subscriber module, and a third at their wireless router which most people have these days.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Private IP's to customers, but NAT each to their own Public IP?

Thu Jun 09, 2016 9:55 am

I would not NAT at the subscriber module. Just make it a layer2 device by bridging wireless with ethernet. You can use tunnels or MPLS/pseudowires to bring the layer2 to a few or one centralized point(s). In such a setup you have fewer tiny DHCP/static pools and that should reduce the waste of addresses.
 
pe1chl
Forum Guru
Posts: 6663
Joined: Mon Jun 08, 2015 12:09 pm

Re: Private IP's to customers, but NAT each to their own Public IP?

Thu Jun 09, 2016 11:06 am

In such cases many providers use PPPoE to bring the traffic to the customer, so they don't need to waste IPs
on small subnets. When using PPPoE to connect 250 customers to a /24 network, each customer needs only
a single IP in that network (and the router on your side obviously needs one).

It is also possible to use private addresses inside your network and route the customer subnets over that, so
you don't waste public IPs for the router on customers that want a /29 or /28 to be routed to them.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Private IP's to customers, but NAT each to their own Public IP?

Thu Jun 09, 2016 1:23 pm

> In such cases many providers use PPPoE to bring the traffic to the customer, so they don't need to waste IPs
> on small subnets. When using PPPoE to connect 250 customers to a /24 network, each customer needs only
> a single IP in that network (and the router on your side obviously needs one).

A PPPoE concentrator is also something you can do at a central place, but you have some overhead.

> It is also possible to use private addresses inside your network and route the customer subnets over that, so
> you don't waste public IPs for the router on customers that want a /29 or /28 to be routed to them.

I would not do that as you would have lots of stars in your traceroutes.
 
kevinds
Member Candidate
Posts: 114
Joined: Wed Jan 14, 2015 8:41 am

Re: Private IP's to customers, but NAT each to their own Public IP?

Sat Jun 18, 2016 1:54 am

> The only issue is at that point many customers become triple natted, once by the 1 to 1 nat, second from their subscriber module, and a third at their wireless router which most people have these days.

Not exactly..
If you are setting up 1:1 NAT, on your edge router you take public IP 26.45.234.65 and 1:1 NAT it to 10.232.56.42 (ISP of the subscriber module), then the subscriber module again 1:1 NAT's it to whatever IP you use for the customer side of the customer module 172.16.0.2.
This 26.45.234.65 IP is still 1:1 into your customer's router WAN address of 172.16.0.2
 
jebz
Member Candidate
Posts: 287
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Private IP's to customers, but NAT each to their own Public IP?

Sat Jun 18, 2016 8:37 am

> So I'm wondering this, would it be possible to assign all my customers private IP's and when they hit the Internet facing router NAT them to a public address? This would allow me to keep all my public IP's in 1 place without losing anything to a subnet. :(

PPPoE over VPLS
MUM presentation by Tomas Kirnak
http://mum.mikrotik.com/presentations/US13/kirnak.pdf
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Private IP's to customers, but NAT each to their own Public IP?

Sat Jun 18, 2016 6:36 pm

That would also be my preferred setup. You have some bytes of overhead on the one hand, but with VPLS/MPLS you need less CPU power on your other devices. MPLS was always fastpath.
