
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Multiple static public IPs through one interface

Fri Sep 07, 2018 5:01 am

Can you, and how can you, connect multiple static IPs to one interface (eth1)?
Is there a limit? What is the best way to do this in RouterOS?
 
Jotne
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Multiple static public IPs through one interface

Fri Sep 07, 2018 8:33 am

Just add it the same way as the first IP.

On a default configuration the LAN side gets IP 192.168.88.1 set on the bridge interface like this:
/ip address export
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
Then you can add one or more extra IPs like this:
/ip address
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
Result:
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.88.2/24 interface=bridge network=192.168.88.0
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Fri Sep 07, 2018 9:45 am

And for public IP space?

ISP has provisioned two Static public IP addresses.
Is there a way to have both public IPs come through eth1 interface via pppoe client connection to ISP or how?
 
Jotne
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Multiple static public IPs through one interface

Fri Sep 07, 2018 10:52 am

That would be the same, just use outside IF for your IP. (ether1 instead of bridge)
If, on the other hand, it's DHCP, then you need another approach.
 
 
 
pe1chl
Forum Guru
Posts: 5829
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple static public IPs through one interface

Fri Sep 07, 2018 12:08 pm

The topic is difficult to discuss without full information.
Please give the information your ISP gives to you.
The "clean" situation is where your ISP issues you a single public router IP (as a /30 or /31 network, or via PPPoE or DHCP or whatever) and then also gives you a properly-sized subnet (usually /29 but can be larger) containing the extra public addresses you requested.
The ISP will route the addresses in that extra subnet via your router public IP, and you can put the /29 range on an internal network e.g. to be used as DMZ.
When you want to use the extra addresses only for dstnat purposes you do not need to put them on an interface, but you could put them on an empty bridge for clarity.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Sat Sep 08, 2018 1:18 am

The ISP gave out a /30, static IP assignment. Let's assume a clean situation, do I need to make another pppoe client connection to the ISP, one for each IP?
It sounds like NOT... Assign the additional static IP to the existing pppoe-client out connection on eth1 interface? Or how to?
 
pe1chl
Forum Guru
Posts: 5829
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple static public IPs through one interface

Sat Sep 08, 2018 1:32 am

Ask the ISP for the information. That is the only one who can tell you how they are going to do it.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple static public IPs through one interface

Mon Sep 10, 2018 10:09 am

Each PPPoE connection can only assign a single IP address to the client - it is a Point to Point Protocol.

If the ISP gives you a /30, which means 4 IP addresses, as a direct subnet, you'd end up with x.x.x.0 unusable for the network, x.x.x.3 unusable for the broadcast, x.x.x.1 or x.x.x.2 as the gateway at ISP end, x.x.x.2 or x.x.x.1 as the public address at your end. So effectively only a single public IP to use and the 3 remaining ones wasted.

PPPoE, on the other hand, doesn't need the network address, the broadcast address, and the gateway address: as it is a tunnel, the gateway device is "whatever listens at the remote end of the tunnel", so you don't need an IP address to identify it. So if you deliver a /30 using individual PPPoE connections, you can use all 4 addresses.

So this clearly indicates that
  • you have to run several PPPoE clients in parallel (but then the /30 is rarely the way to express that), or
  • you get one of the public IPs via PPPoE, the ISP routes packets for the other one via that PPPoE and you have to set that address up statically on some other interface (a port-less bridge) or just use src-nat and dst-nat rules to make use of that address, or
  • you get assigned a private address on the PPPoE client and the ISP routes packets for all your public IP addresses via that PPPoE (and you have to handle all of them like above)
Some ISPs require that you use RIP or BGP to advertise the public IPs to them so that they could route them to you.

So as @pe1chl said - until you get the information from the ISP how exactly you should use those addresses, there is no way to assist you with configuration.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Forum Guru
Posts: 5829
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple static public IPs through one interface

Mon Sep 10, 2018 10:47 am

> If the ISP gives you a /30, which means 4 IP addresses, as a direct subnet, you'd end up with x.x.x.0 unusable for the network, x.x.x.3 unusable for the broadcast, x.x.x.1 or x.x.x.2 as the gateway at ISP end, x.x.x.2 or x.x.x.1 as the public address at your end. So effectively only a single public IP to use and the 3 remaining ones wasted.

It depends. When you get a /30 plus the single address on PPPoE and they route the /30 via the PPPoE you could actually use all 4 addresses when you configure carefully.

But until we know what is happening, nothing can be said for sure.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Tue Sep 11, 2018 3:30 am

This was their response:

Network IP *.*.135.188/30
Subnet Mask *.*.255.252
Host IP's *.*.135.189 & *.*.135.190 (Usable IP's)
Broadcast *.*.135.191
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple static public IPs through one interface

Tue Sep 11, 2018 10:22 am

What is your current WAN setup? As they give you a /30 and declare two addresses to be usable, they'd have to be totally incompetent if they wanted you to use one of the two as a gateway on their side.

So if your current connection is a PPPoE one, I would run /tool torch pppoe-out1 ip-protocol=icmp src-address=0.0.0.0/0 dst-address=*.*.135.189 freeze-frame-interval=10s (use the actual name of your PPPoE interface and the actual IP address) and ping that address from some other connection (or ask a friend to do that if you cannot log in to some remote machine, or use ip-protocol=tcp port=80 instead of ip-protocol=icmp and try to open http://*.*.135.189 from the browser of your mobile phone connected using 2G/3G/4G, i.e. not WiFi).

If torch shows packets to come, it means that the ISP routes packets for those IPs via your existing PPPoE connection without asking you to advertise them using a dynamic routing protocol, and that we may move further to making use of these addresses.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 2:42 am

I do see ICMP results in torch when I ping *.*.135.189 on pppoe-out1 interface from my iPhone on 4G. Same result with *.*.135.190.

My current public static IP is same.same.209.206

So I am thinking I can use both *.*.135.189 & *.*.135.190 along with my current static of same.same.209.206; giving me three static public IPs?
 
Sob
Forum Guru
Posts: 4669
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 3:21 am

If the /30 is routed to you, try also x.x.135.188 and x.x.135.191. There's a good chance they will work too. More specifically, they should work, unless the ISP blocks them, but it would be a really strange thing to do.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 3:46 am

Those IPs both work as well for torch from my phone to pppoe-out1 via ICMP. Does this mean I can use those also?
 
Sob
Forum Guru
Posts: 4669
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 5:24 am

Looks like it. If you do it right, you can be the happy owner of five real functional public IP addresses (the old one and four new ones).

Easiest way is to just assign all four new ones to router (e.g to PPPoE interface, it doesn't really matter much) and use them with NAT. But you can also route them to different internal servers if you want.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 5:34 am

That is exactly what I am wanting and intending to do... Route traffic to different vlans from these public IPs to vmware servers and keep one ip then for SMS maintenance stuff..
Can I do this without losing connectivity for any amount of time on the pppoe-out interface?
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 10:41 am

You can add or remove an IP address on a running interface freely and it does not affect operation of other addresses attached to that interface.

But what you'll need to do in particular differs significantly depending on the intended use of the addresses.

The clean way is to use ppp interfaces (PPPoE, L2TP, PPTP) between the Mikrotik and the actual user of the IP address, because for PPP interfaces the very notion of network, broadcast, gateway IP is redundant, there is no or little practical use for these items (unless you use dynamic routing protocols but that's a different story). So when you have a PPP interface on that device, you either can configure the interface name rather than an IP address as a gateway, or, if you need an IP address as a gateway for some reason, you can assign to each end of a PPP link an IP address not related in any way to the one assigned to the other end.

So this way, you'd assign the four addresses to the virtual machines' ends of the four ppp tunnels, and assign e.g. 10.0.0.1 to the local (Mikrotik) ends of these tunnels (a single address common for all is enough). I think that Mikrotik even dynamically puts that local address up when the first tunnel establishes if that address isn't up yet due to manual configuration or other tunnel putting it up before.

Another way is to NAT these public addresses to private ones on the Mikrotik and do the reverse on the virtual machines; this is easy on Linux but I have no idea how to do that on Windows.

The ugly way to have the public addresses on the virtual machines is to use a larger subnet which includes your /30 with a margin at each end (so in your case, it has to be *.*.135.129/25), assign e.g. *.*.135.161 to the Mikrotik to be a gateway for hosts in that subnet, and configure each of the virtual machines to use one of your four IPs *.*.135.188 to *.*.135.191 in this subnet. This way you don't need to fiddle with PPP tunnels, but you'll lose access to the actual, outside-world users of *.*.135.160 through to *.*.135.187 and *.*.135.192 through to *.*.135.255 - while you'll still have to fiddle a lot if you want to have each virtual machine in a different VLAN.
 
Sob
Forum Guru
Posts: 4669
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple static public IPs through one interface

Wed Sep 12, 2018 4:59 pm

There's also peer to peer /32 config where you can link two completely unrelated addresses, same way as with PPP, but on ethernet. You can have e.g. x.x.135.188 on server and 10.1.1.1 on router and it can work. It's not supported by all devices, but works great with those that know it.

RouterOS: /ip address add address=<local address>/32 network=<remote address>/32 interface=<name>
Linux: ip addr add <local address> peer <remote address> dev <name>
Windows: just use <local address> as address, 255.255.255.255 as mask and <remote address> as default gw
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Mon Sep 24, 2018 9:26 am

Status Update:

I did get this working but only with the two IP's the ISP said were usable. 189/30 and 190/30.

What I did was this -
Added a new ppp profile with pool for 188/30 (not sure if necessary)
Assigned the ppp profile to the pppoe-out connection
Created a bridge and put the pppoe-out connection on it (not sure if necessary)
Added 189/30 and 190/30 to the bridge interface in addresses
Added NAT rule to netmap public ip 189/30 to internal subnet 25.0/24
Added dst-nat rule for public ip 189/30 to internal subnet 25.0/24
Added srcnat rule for internal subnet 25.0/24 to public ip 189/30

And had to do these in order..
Tried the same with 188/30 and 191/30 but could not get it to work
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple static public IPs through one interface

Mon Sep 24, 2018 2:58 pm

As for me, most of it is wrong.

As packets with one of those IP addresses as destination one did come to you via the previously existing pppoe-out1, there was no need to play with the ISP-facing PPPoE setup, the original one was good enough and playing with it can only make things worse.

You can use any of the methods described above to set up point-to-point connections between the VMs and the Mikrotik, and assign one of those public addresses to each of the VMs, and this is all you actually need to do, except adjusting your firewall configuration to permit connections to/from these IP addresses.

Or you may use the addresses locally as aliases for some private ones using src-nat/dst-nat, but use of netmap, src-nat and dst-nat at the same time collide with each other.

So first, I'd revert to the original configuration.
Next, I'd add an "/interface bridge add name=br-test protocol-mode=none".
Next, I'd attach one of the addresses promised by the ISP as x.x.x.x/32 to the bridge: /ip address add address=x.x.x.x/32 interface=br-test
Then, I'd run ping 8.8.8.8 src-address=x.x.x.x.

If it works, fine, and you can change x.x.x.x also to the two "bonus" IPs (one by one of course) and try again.

This will show you whether the ISP filters the outgoing traffic from the "bonus" addresses - according to what you wrote before, you have seen in the previous steps that they don't filter the incoming traffic to these addresses and do forward it to you.

By adding the addresses as /30 on your side, you have made the "bonus" ones unusable by yourself.

To do dst-nat and/or src-nat, the addresses do not need to be up on the Mikrotik itself. It is enough that traffic for them is getting sent to you, which the ISP is doing.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
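
The test sequence from the post above, followed by a NAT pair and a forward-chain guard for one routed address, as an added example that is not part of the original posts. 203.0.113.189 is a placeholder for one of the ISP-routed public addresses, 192.168.25.10 and TCP port 443 are a hypothetical internal server and service, and pppoe-out1 is assumed to be the only WAN interface.

```routeros
# Added example. Placeholders: 203.0.113.189 = one routed public address,
# 192.168.25.10 = hypothetical internal server, pppoe-out1 = WAN interface.

# 1. Port-less bridge that only serves as a holder for the address.
/interface bridge add name=br-test protocol-mode=none

# 2. Attach the address as a /32, not as a /30. With a /30 mask the router
#    would treat the first and last address of the block as network and
#    broadcast, which makes them unusable locally.
/ip address add address=203.0.113.189/32 interface=br-test

# 3. Check that the ISP does not filter outgoing traffic sourced from it.
/ping 8.8.8.8 src-address=203.0.113.189 count=4

# 4. Inbound: forward only the published service to the internal server.
#    Matching protocol and port keeps every other port on the public
#    address closed instead of exposing the whole host.
/ip firewall nat add chain=dstnat in-interface=pppoe-out1 \
    dst-address=203.0.113.189 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.25.10 \
    comment="publish 192.168.25.10:443 on 203.0.113.189"

# 5. Outbound: connections opened by the server leave with the same
#    public address. This rule has to sit above any general masquerade
#    rule in the srcnat chain, because the first match wins.
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 \
    src-address=192.168.25.10 \
    action=src-nat to-addresses=203.0.113.189 \
    comment="192.168.25.10 leaves as 203.0.113.189"

# 6. Forward chain: new connections arriving from the WAN are dropped
#    unless a dst-nat rule above matched them. Without this, routed public
#    addresses can make internal hosts reachable by accident.
/ip firewall filter add chain=forward in-interface=pppoe-out1 \
    connection-state=new connection-nat-state=!dstnat action=drop \
    comment="drop WAN traffic that was not dst-nat'ed"
```

Steps 4 to 6 keep working if the address from step 2 is later removed, since the NAT rules only need the ISP to route the address to the router.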
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Thu Sep 27, 2018 3:10 am

Thanks for that, your way sounds like the correct way of doing it. I will try your configuration and see how it goes.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Wed Oct 03, 2018 8:36 am

BTW, this worked, and I was able to use the additional IP's with your changes, thanks many
 
PortalNET
just joined
Posts: 15
Joined: Sun Apr 02, 2017 7:24 pm

Re: Multiple static public IPs through one interface

Tue Oct 08, 2019 4:36 am

> This was their response:
>
> Network IP *.*.135.188/30
> Subnet Mask *.*.255.252
> Host IP's *.*.135.189 & *.*.135.190 (Usable IP's)
> Broadcast *.*.135.191


Most likely a little bit late for posting the outcome, but basically a /30 just means you have 2 IPs, one will be your gateway and the other will be your public IP..

In your case posted 135.189 = Gateway IP and 135.190 will be your public IP which you will have access to the internet.



Now my real question would be.

Based on the following scenario, how could I resolve this issue I am having at the moment?

My provider gave me 2 different /30 IP blocks in order to use simultaneously on my MikroTik..

Example:

Block 1 = 189.xxx.xx2.90/30
Block 2 = 201.xxx.xx9.124/30

Both IPs are sent on one single fiber connection directly from the ISP provider to my MikroTik.

At the moment I am only using block1, working fine, but now I have come to the need of activating block2, but on another MikroTik device in another place..

Any ideas on how I can transport this block2 from my main MikroTik device to my second MikroTik device at a different location?

ATM I have MIKROTIK1 - CCR1009 SFP1 port authenticated with Block1 public static IP running, then I have on the same CCR an SFP+ device connecting to another Mikrotik2 - CCR1036, both connected via SFP+ 10G at a 20 mile distance.

Both Mikrotik1 and Mikrotik2 are connected via a VLAN interface, but now I have the need to enable the block2 static public IP on Mikrotik2 CCR1036.


Any ideas or help is appreciated, as I am kind of lost on this one.

I know I can create a bridge on Mikrotik1 and public both "block1 and block2" IP/addresses on that Bridge Ports but would be only on Mikrotik1 (also the purpose of Bridge is to bridge physical and virtual interfaces) and not IP/addresses blocks on the same physical interface.
 
Cvan
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jun 09, 2018 3:32 am

Re: Multiple static public IPs through one interface

Tue Oct 08, 2019 8:14 am

Maybe it's not this simple, but can you add block2 to MT1 and then pass all traffic for block2 straight over the vlan interface to MT2 via filtering and NAT rules?
Then assign the block2/interface on MT2 so that MT2 routes out block2 for WAN? idk..?
 
pe1chl
Forum Guru
Posts: 5829
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple static public IPs through one interface

Tue Oct 08, 2019 10:14 am

Again, it depends how the ISP routes it.
When they route the second /30 via the 1st, you can just set it on a link between your two routers and it will work.
But when they route the second block just directly on the line (address2 via address1) you will need to use tricks.
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple static public IPs through one interface

Tue Oct 08, 2019 11:59 am

> ...
> Block 1 = 189.xxx.xx2.90/30
> Block 2 = 201.xxx.xx9.124/30
>
> Both IPs are sent on one single fiber connection directly from the ISP provider to my MikroTik.
> ...
> I know I can create a bridge on Mikrotik1 and public both "block1 and block2" IP/addresses on that Bridge Ports but would be only on Mikrotik1 (also the purpose of Bridge is to bridge physical and virtual interfaces) and not IP/addresses blocks on the same physical interface.

The purpose of bridge or switch is to bridge together any kind of L2 interfaces, so there is nothing wrong about bridging together multiple physical interfaces and no virtual one (or vice versa).

So you can create a bridge on your Tik 1 to which the ISP's fiber is connected directly, make the uplink to the ISP one member port of that bridge, the link to Tik 2 another member port of that bridge, and attach the IP configuration for the first public subnet to the bridge itself.

On Tik 2, you attach the IP configuration to the interface to which the uplink to Tik 1 is connected. And that's all, the whole setup will behave as if the fiber from ISP was extended to the Tik 2.

The above will work if the ISP really gives the two /30 independent from each other, i.e. does not route one range using your IP from the other range as a gateway.

If it does not, come back with configuration exports, and we may have to do some sniffing to check how exactly the ISP has set that up.
 
PortalNET
just joined
Posts: 15
Joined: Sun Apr 02, 2017 7:24 pm

Re: Multiple static public IPs through one interface

Wed Oct 09, 2019 5:57 pm

> Again, it depends how the ISP routes it.
> When they route the second /30 via the 1st, you can just set it on a link between your two routers and it will work.
> But when they route the second block just directly on the line (address2 via address1) you will need to use tricks.

Hi

Yes indeed, they use the same unique physical fiber connection, and on their PPPoE Huawei server they set up a specific VLAN for both IP blocks, block1 and block2.

So I will give it a test and will try to add both WAN ports to a bridge; the issue with the bridge is that all interfaces on the bridge will be able to see each other..
