Hello,
I have a question about routing. My router a Mikrotik CCR1009 should route a network to a Mikrotik CRS326 over SFP+. The networks are at port eth1.
Located at the CRS are Server these should be get the IP addresses. My problem is i can´t bring the Netzwork to the Switch. The normal Static Routing ist working fine. I made ist whit this instruction
https://wiki.mikrotik.com/wiki/Manual:S ... ic_Routing
Here ist a little plan of my network. The IP addresse from WAN are reduced.
https://picload.org/view/dowgarpa/network.png.html
When you need the routingtable or other thing write it here. Tank you
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
You cant route public ip's trough rfc1918. You need to ether use nat - or bridge to your internal ip.
The only routes you need - it seesm like a default route from your rfc 1918 address , and via nat to internet.
The only routes you need - it seesm like a default route from your rfc 1918 address , and via nat to internet.
Re: Routing
You can do a lot of things. Some of them can make purists cry, but they still work. Routing of public addresses over private networks happens all the time with garage ISPs. I makes gaps in traceroute, but otherwise it works fine. I'm not saying it's super nice, but it's tough times, addresses are scarce and not cheap, man needs to do whatever is needed to survive. 
That being said, if you want whole /29 end up in same place, it seems to me that bridged/switched config should be possible, and it's clean solution.
But if not, there are other ways. In this case, first obstacle is that ISP expects whole /29 to be reachable from their gateway, i.e. all IP addresses need to respond to ARP requests, and it won't happen by default, it the router doesn't have them. But if you make them visible using proxy ARP, it will make ISP's router happy. Then you can do whatever you want with them in your network, route individual addresses with /32 netmask to CRS or wherever you want. Inner config has also more than one solution. You may route /32 IPs to servers. Or you could duplicate whole /29 on CRS's internal interface, including ISP's gateway (again, not nice, I wouldn't do it myself, but possible).
That being said, if you want whole /29 end up in same place, it seems to me that bridged/switched config should be possible, and it's clean solution.
But if not, there are other ways. In this case, first obstacle is that ISP expects whole /29 to be reachable from their gateway, i.e. all IP addresses need to respond to ARP requests, and it won't happen by default, it the router doesn't have them. But if you make them visible using proxy ARP, it will make ISP's router happy. Then you can do whatever you want with them in your network, route individual addresses with /32 netmask to CRS or wherever you want. Inner config has also more than one solution. You may route /32 IPs to servers. Or you could duplicate whole /29 on CRS's internal interface, including ISP's gateway (again, not nice, I wouldn't do it myself, but possible).
Re: Routing
Hello samsung172, sob,
tank you for your answer. I know that a switch/bridge configuration is possible but i think it is not the best. I want to do this with routing. It would be very nice when you post a Routing Table or a config for this. I have been trying for a longe time now but noting ist working.
tank you for your answer. I know that a switch/bridge configuration is possible but i think it is not the best. I want to do this with routing. It would be very nice when you post a Routing Table or a config for this. I have been trying for a longe time now but noting ist working.
Re: Routing
Basic IP config on CCR:
Route other public addresses to CRS:
Make them visible for ISP:
Basic IP config for CRS:
Where to find connected servers:
Allow servers to find gateway:
You can configure servers as if they were part of the real /29 with x.x.201.249 as gateway. They will be able to access real x.x.201.249 and x.x.201.250 on CCR.
Code: Select all
/ip address
add address=x.x.201.250/29 interface=WAN
add address=172.16.1.1/30 interface=toCRS
/ip route
add dst-address=0.0.0.0/0 gateway=x.x.201.249Code: Select all
/ip route
add dst-address=x.x.201.251/32 gateway=172.16.1.2
add dst-address=x.x.201.252/32 gateway=172.16.1.2
...Code: Select all
/ip arp
add address=x.x.201.251 interface=WAN published=yes
add address=x.x.201.252 interface=WAN published=yes
...Code: Select all
/ip address
add address=172.16.1.2/30 interface=toCCR network=172.16.1.0
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.1.1Code: Select all
/ip route
add dst-address=x.x.201.251/32 gateway=servers
add dst-address=x.x.201.252/32 gateway=servers
...Code: Select all
/interface ethernet
set [ find default-name=etherx ] arp=proxy-arp name=serversRe: Routing
Use EoIP. Tunnel Ethernet to the switch and bridge it like normal there. Works for everything and is a clean way of doing it. If the switch isn't running RouterOS then place a RouterOS in the closet with the switch to terminate the EoIP tunnel and bridge it.Hello,
I have a question about routing. My router a Mikrotik CCR1009 should route a network to a Mikrotik CRS326 over SFP+. The networks are at port eth1.
Located at the CRS are Server these should be get the IP addresses. My problem is i can´t bring the Netzwork to the Switch. The normal Static Routing ist working fine. I made ist whit this instruction
https://wiki.mikrotik.com/wiki/Manual:S ... ic_Routing
Here ist a little plan of my network. The IP addresse from WAN are reduced.
https://picload.org/view/dowgarpa/network.png.html
When you need the routingtable or other thing write it here. Tank you
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
Its a lot of possibilities. 
Its possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - its stight forward - but - a hack.
ITs possible to use Eoip - and its a good easy solution. You might suffer from packet loss. A better solution is to use MPLS/VPLS and have VPLS tunnels between ingress and egress for your public ip.
You can also have some kind of l3 VPN and route directly trough here.
Last - but also possible - but a bit to big for a small network is to have bgp baset MPLS with confederation and vrf's. Then you can route your internet VRF trough your rfc1918 with no problem.
There is also some other ways like vlan etc.
Its possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - its stight forward - but - a hack.
ITs possible to use Eoip - and its a good easy solution. You might suffer from packet loss. A better solution is to use MPLS/VPLS and have VPLS tunnels between ingress and egress for your public ip.
You can also have some kind of l3 VPN and route directly trough here.
Last - but also possible - but a bit to big for a small network is to have bgp baset MPLS with confederation and vrf's. Then you can route your internet VRF trough your rfc1918 with no problem.
There is also some other ways like vlan etc.
Re: Routing
Its a lot of possibilities.
Its possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - its stight forward - but - a hack.
ITs possible to use Eoip - and its a good easy solution. You might suffer from packet loss. A better solution is to use MPLS/VPLS and have VPLS tunnels between ingress and egress for your public ip.
You can also have some kind of l3 VPN and route directly trough here.
Last - but also possible - but a bit to big for a small network is to have bgp baset MPLS with confederation and vrf's. Then you can route your internet VRF trough your rfc1918 with no problem.
There is also some other ways like vlan etc.
EoIP shouldn't induce any more packet loss than MPLS. The exception to that statement would be if the MPLS tagging was being done in hardware on those platforms but I don't think that's the case. That said, yes either will work. EoIP is far easier to use than VPLS in my opinion. From the MT manual:
Code: Select all
VPLS interface can be considered tunnel interface just like EoIP interface. To achieve transparent ethernet segment forwarding between customer sites the following tunnels need to be established:Reference: https://wiki.mikrotik.com/wiki/Manual:M ... interfaces
Re: Routing
That's actually not true at all. You can have rfc1918 addresses on links and forward public IP addresses across these links just fine. I used to work for a company whose entire backbone was un-natted 10.x.x.x addresses and the only public IPs to be found were on the customer's circuits. (I didn't like this setup myself - but hey, it was their company, not mine) It will give issues trying to ping to/from these hops and other points outside the admin scope of your network, though.You cant route public ip's trough rfc1918. You need to ether use nat - or bridge to your internal ip.
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
Yep - But in practical use on high load, or unstable connection - Eoip is a lot more likely to drop packet than VPLS. Its a lot more stable now - than 3-4 years ago - but you will still se some error counting on a eoip interface. I have yet to see 0% error on a eoip interface running xx mb/s I dont know about Eoip implementation as its a propotary implementation, but it seems like the protocol have some bugs/issues in error handling packages that somehow is droppet/missed/partly recived. My tought is that it try to fix a missed udp packet as TCP will fix it by itself.. But i dont know.Its a lot of possibilities.
Its possible to "hack" - just have a regular routing table inside ingress from isp. You have to route your public ip's inside rfc1918 - its stight forward - but - a hack.
ITs possible to use Eoip - and its a good easy solution. You might suffer from packet loss. A better solution is to use MPLS/VPLS and have VPLS tunnels between ingress and egress for your public ip.
You can also have some kind of l3 VPN and route directly trough here.
Last - but also possible - but a bit to big for a small network is to have bgp baset MPLS with confederation and vrf's. Then you can route your internet VRF trough your rfc1918 with no problem.
There is also some other ways like vlan etc.
EoIP shouldn't induce any more packet loss than MPLS. The exception to that statement would be if the MPLS tagging was being done in hardware on those platforms but I don't think that's the case. That said, yes either will work. EoIP is far easier to use than VPLS in my opinion. From the MT manual:
Code: Select allVPLS interface can be considered tunnel interface just like EoIP interface. To achieve transparent ethernet segment forwarding between customer sites the following tunnels need to be established:
Reference: https://wiki.mikrotik.com/wiki/Manual:M ... interfaces
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work.That's actually not true at all. You can have rfc1918 addresses on links and forward public IP addresses across these links just fine. I used to work for a company whose entire backbone was un-natted 10.x.x.x addresses and the only public IPs to be found were on the customer's circuits. (I didn't like this setup myself - but hey, it was their company, not mine) It will give issues trying to ping to/from these hops and other points outside the admin scope of your network, though.You cant route public ip's trough rfc1918. You need to ether use nat - or bridge to your internal ip.
If you use a rfc1918 address as dst inside your net - you need to use nat to have it working.
Re: Routing
Just to clarify for those following along - ICMP will be forwarded through rfc1918 routers as well - but ICMP to/from them won't work (e.g. mtu exceeded messages from your routers, TTL expired, ping, etc) - because Internet carriers drop packets with rfc1918 addresses at their borders. (rightly so)As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work.
If you use a rfc1918 address as dst inside your net - you need to use nat to have it working.
Furthermore, I'm not saying it's a good idea to do this - I'm just saying that it won't break end-to-end connectivity.
Re: Routing
Just to clarify for those following along - ICMP will be forwarded through rfc1918 routers as well - but ICMP to/from them won't work (e.g. mtu exceeded messages from your routers, TTL expired, ping, etc) - because Internet carriers drop packets with rfc1918 addresses at their borders. (rightly so)As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work.
If you use a rfc1918 address as dst inside your net - you need to use nat to have it working.
Furthermore, I'm not saying it's a good idea to do this - I'm just saying that it won't break end-to-end connectivity.
MTU exceeded being on of the most critical ICMP messages. I'm with ZeroByte, design with ICMP support in mind. EoIP / VPLS will do that.
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
well. Its also only partly true.Just to clarify for those following along - ICMP will be forwarded through rfc1918 routers as well - but ICMP to/from them won't work (e.g. mtu exceeded messages from your routers, TTL expired, ping, etc) - because Internet carriers drop packets with rfc1918 addresses at their borders. (rightly so)As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work.
If you use a rfc1918 address as dst inside your net - you need to use nat to have it working.
Furthermore, I'm not saying it's a good idea to do this - I'm just saying that it won't break end-to-end connectivity.
some ISP's will drop rfc1918 packages, but a lot will also have em routed inside its own network, - couse they have a mixed routing table, a default route - and or no firewall at all to its CPE.. its mainly when reaching eBGP and global routingtable with filtering the packed are dropped. In some rare cases this can be a bit funny. You can manage to access a device you never even knowed exist.Re: Routing
well. Its also only partly true.Just to clarify for those following along - ICMP will be forwarded through rfc1918 routers as well - but ICMP to/from them won't work (e.g. mtu exceeded messages from your routers, TTL expired, ping, etc) - because Internet carriers drop packets with rfc1918 addresses at their borders. (rightly so)As long as rfc1918 is just used as transport - it will work. ICMP packet's will not work . but traffic in TCP/IP will work.
If you use a rfc1918 address as dst inside your net - you need to use nat to have it working.
Furthermore, I'm not saying it's a good idea to do this - I'm just saying that it won't break end-to-end connectivity.
BCP38, if you're not doing it you're part of the problem.
-
-
samsung172
Forum Guru
- Posts: 1191
- Joined:
- Location: Østfold - Norway
- Contact:
Re: Routing
I have in the last 5 years or so - used rfc1918 addresses to run internal network - with no nat etc at all. Then you are 99% secure from someone accessing your devices, and you dont need big firewalls, patches etc. I have used 2 types of network inside rfc1918 - VPLS or vrf. A typical setup -
eBGP/Global routing connected to a MPLS Router having global internett to a vrf.
Connect internal routers trough rfc1918 with ospf and MPLS/LDP for VPLS. On same router - have a bgp with confederation - sharing the vrf's trough bgp.
Then a core with a lot of NAS'es - (pppoe routers) connectet with ibgp to confederation core trough internett vrf. Lan side connected to VPLS side of routers - haveing the VPLS interfaces spread across the whole contry. At endpoint - a new MPLS Router terminating the VPLS running this to a "lan" side of the router (CPE Side) - here it is a lot of connected devices like radioes, cpes. All behind the router at a /24 rfc 1918 address. This is then connected trough a VPN to a core VPN managment router . having all the CPE and radio rfc1918 addresses. Then there are a mixed network here - with pppoe to CPE - and with rfc1918 to managment - but still no connection between devices. (and yes, its no perfect solution, but a hack to mix a old bridged net to a new MPLS/VPLS/BGP core. In rare cases where its not possible to have enough l2mtu to run VPLS to core - Vrf are used to a local NAs (pppoe).
eBGP/Global routing connected to a MPLS Router having global internett to a vrf.
Connect internal routers trough rfc1918 with ospf and MPLS/LDP for VPLS. On same router - have a bgp with confederation - sharing the vrf's trough bgp.
Then a core with a lot of NAS'es - (pppoe routers) connectet with ibgp to confederation core trough internett vrf. Lan side connected to VPLS side of routers - haveing the VPLS interfaces spread across the whole contry. At endpoint - a new MPLS Router terminating the VPLS running this to a "lan" side of the router (CPE Side) - here it is a lot of connected devices like radioes, cpes. All behind the router at a /24 rfc 1918 address. This is then connected trough a VPN to a core VPN managment router . having all the CPE and radio rfc1918 addresses. Then there are a mixed network here - with pppoe to CPE - and with rfc1918 to managment - but still no connection between devices. (and yes, its no perfect solution, but a hack to mix a old bridged net to a new MPLS/VPLS/BGP core. In rare cases where its not possible to have enough l2mtu to run VPLS to core - Vrf are used to a local NAs (pppoe).
Re: Routing
It's sometimes interesting when doing traceroute to remote subnet and some 10.x.x.x comes from hop far far away. It's "how the hell you were able to get here?!"In some rare cases this can be a bit funny.
