Community discussions

MikroTik App
 
isp85
just joined
Topic Author
Posts: 18
Joined: Mon Mar 08, 2010 1:49 am

Passing public IPs to some PPPoE Users

Thu Jun 14, 2018 4:05 pm

Hi,

I've read/searched alot about this in the forum but couldn't quite get a hang of how it's done. We have almost a thousand PPPoE clients that all are using private IP addresses to connect to internet, but now some of our clients want to have public addresses. What's the best way to achieve this without messing anything else inside the router. Clients are being authenticated using a 3rd party Radius server.
We have being given a /27 public subnet. The scenario would be:

Upstream ISP providing /27==========>/27 Pub IP on Eth1 !!!!!Mikrotik!!!!!! /21 Private IP on Eth2=========>PPoE clients

in simple words, I want to assign a public ip from /27 range to some of my internal PPPoE clients without NAT and still be able to apply bandwidth control which I'm doing now through my Radius server.

Any help is appreciated. :)
 
User avatar
victorsoares
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Feb 15, 2018 6:29 pm
Location: Ubatuba, São Paulo - Brazil
Contact:

Re: Passing public IPs to some PPPoE Users

Thu Jun 14, 2018 6:06 pm

The basic setup would to set the /27 public IP on the mikrotik, and then put this IP's on the pppoe pool. I don't know how to set this on your radius server, but the main thing is to get MK to receive those IP addresses so they can be used.
Can you post your NAT rules?
MTCNA MTCRE
 
isp85
just joined
Topic Author
Posts: 18
Joined: Mon Mar 08, 2010 1:49 am

Re: Passing public IPs to some PPPoE Users

Fri Jun 15, 2018 12:47 pm

The basic setup would to set the /27 public IP one the mikrotik, and then put this IP's on the pppoe pool. I don't know how to set this on your radius server, but the main thing is to get MK to receive those IP addresses so they can be used.
Can you post your NAT rules?
Well, I'm already using one IP from that /27 range to translate to all my clients. Let's forget about the radius server (that i'll know what to do once my configs are done) and just assume I'm using mikrotik pools to assign IPs. how would it be then?

Here is my looong NAT print:

2 chain=srcnat action=masquerade to-addresses=XXX.XXX.70.102
src-address=10.10.32.0/20 out-interface=ether1 log=no log-prefix=""

3 ;;; MDF Down
chain=dstnat action=dst-nat to-addresses=172.16.1.6 to-ports=8081
protocol=tcp dst-address=XXX.XXX.70.101 dst-port=8081 log=no log-prefix=""

4 ;;; Fiber UP
chain=dstnat action=dst-nat to-addresses=172.16.1.2 to-ports=8080
protocol=tcp dst-address=XXX.XXX.70.101 dst-port=8080 log=no log-prefix=""

5 ;;; (rule-name)
chain=dstnat action=dst-nat to-addresses=172.16.1.10 to-ports=8082
protocol=tcp dst-address=180.94.70.101 dst-port=8082 log=no log-prefix=""

6 ;;; (rule-name)
chain=dstnat action=dst-nat to-addresses=172.16.1.14 to-ports=8083
protocol=tcp dst-address=XXX.XXX.70.101 dst-port=8083 log=no log-prefix=""

7 chain=srcnat action=masquerade src-address=192.168.4.0/24
dst-address=0.0.0.0/0 out-interface=ether1 log=no log-prefix=""

8 X ;;; Local
chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no
log-prefix=""

9 X ;;; Ibs Otra
chain=dstnat action=dst-nat to-addresses=XXX.XXX.127.130
dst-address=XXX.XXX.70.102 log=no log-prefix=""

10 chain=srcnat action=masquerade src-address=192.168.4.0/24 log=no
log-prefix=""

11 chain=srcnat action=masquerade src-address=192.168.5.0/24 log=no
log-prefix=""

12 ;;; Scrambled
chain=dstnat action=dst-nat to-addresses=XXX.XXX.127.130
dst-address=XXX.XXX.70.103 log=no log-prefix=""

13 ;;; nat-pak
chain=srcnat action=src-nat to-addresses=XXX.XXX.70.101
src-address=192.168.55.55 log=no log-prefix=""


And my gateway in mikrotik is xxx.xxx.70.97

thanks again
 
almdandi
newbie
Posts: 46
Joined: Sun May 03, 2015 5:22 pm

Re: Passing public IPs to some PPPoE Users

Sat Jun 16, 2018 5:00 pm

Hallo

I think, as victorsoares said, assign one of the /27 ips to your customer, exclude the /27 from your nat rule to the internet and check your firewall rules, so they allow the traffic.

Maybe it's a problem that the local end of the pppoe tunnel uses a private address, for further routing but i don't exactly know, but i think you're fine.
But you can also use the same public ip from ether1, for the local end of the tunnel. Also i don't think a ARP-Proxy on ether1 is necessary because of using pppoe instead of normal ethernet.

Besides you should use just normal SRT-NAT rules instead of Masquerade, where you have a static ip on the outgoing interface, for performance reasons. Here is a gread video from a MUM, that explains that problem pretty well.

Greetings
 
sindy
Forum Guru
Forum Guru
Posts: 5418
Joined: Mon Dec 04, 2017 9:19 pm

Re: Passing public IPs to some PPPoE Users

Sun Jun 17, 2018 3:30 pm

Like other ppp interfaces, PPPoE does not require that the "local" and "remote" address come from the same subnet.

So just like you assign private addresses to your existing PPPoE clients, assign the public ones from the /27 subnet to those requesting a public address, via RADIUS or local settings.

However, I disagree with the suggestion of the gentlemen above to put up those other addresses on the Mikrotik itself; instead, you have to set arp=proxy-arp on the uplink interface to your provider (ether1 in your case). This way, your router will respond to ARP requests for all the addresses of the currently connected clients from the /27 subnet with its own MAC address, so the ISP's router which is a member of that /27 subnet will send the traffic towards these addresses to your 'Tik which will then route it to the PPPoE clients.

And of course do take care not to masquerade/src-nat packets from these addresses as others have suggested, but the printout of your current NAT rules printout shows you already don't.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: Baidu [Spider] and 39 guests