wwnet
just joined
Topic Author
Posts: 4
Joined: Mon Mar 11, 2019 8:03 pm

mikrotik ppoe without nat /24 block

Tue Jun 04, 2019 9:37 pm

I am encountering some issues assigning public IPs to customers. I've tried a pretty good Google search and surprised I didn't turn anything up. Currently it's working with NAT but I want all customers to have their own IP.

I have a Mikrotik CCR1009-7G-1C-1S+

I have a /24 block of IPs with a gateway of 45.xxx.yyy.1

I don't have any other IPs from my upstream provider.

ether1 is my WAN
ether2 is my LAN

What has been suggested to me, is to have ether1 with 45.xxx.xxx.2 and ether2 with 45.xxx.xxx.3
I had used 172.16.1.1/24 for ether2 but didn't think I needed it?
Now, first question...what subnet should the .2 and the .3 be on? Should I put the .2 to a /30 ? Then the rest for .3 ? Should there even be a .3 ? Yes...very confused :)

On ether2 I have 10.0.0.0/8 used for internal addresses for my aps and equipment.

In theory, a customer will get an IP between 45.xxx.xxx.10 and 45.xxx.xxx.245 and be routed to the internet with a speed test showing as that IP and NOT 45.xxx.xxx.2 or 45.xxx.xxx.3, which is happening right now.

Under firewall, NAT I have action=masquerade chain=srcnat src-address=!45.xxx.xxx.0/28 out-interface=ether1 which I thought did the trick

I was told that I should use 45.xxx.xxx.2 as my gateway for the customer IPs and then in turn use 45.xxx.xxx.1 as a gateway for 45.xxx.xxx.2 - does that make sense?

If there is a better way of 'dumping' information from the mikrotik so somebody can better help out I'm all ears :)

It seems like a pretty simple thing I'd like to do here, however, try as I might it isn't for me lol

Any help is appreciated, diagrams...anything...I'm pretty confused :)
 
mkx
Forum Guru
Posts: 2484
Joined: Thu Mar 03, 2016 10:23 pm

Re: mikrotik ppoe without nat /24 block

Tue Jun 04, 2019 10:28 pm

I have no experience running PPPoE server, so some conceptual mumbling below ...

What you could probably do is something like this:
  • Assign 45.x.y.2 to ether1 in a point to point manner:
    /ip address add address=42.x.y.2/32 network=42.x.y.1 interface=ether1
    (network address is address of your gateway). However this will only work if ISP blindly routes whole /24 subnet through single interface and doesn't rely on ARP to resolve target device for individual addresses.
  • add default route via 42.x.y.1
  • Similarly push 42.x.y.z/32 address to PPPoE clients with network address 42.x.y.2
    It's fine to re-use same router's address for many point-to-point addresses.
Out of precaution you had better not use the 42.x.y.0 and .255 addresses, as it might confuse your gateway, which has no idea of your misuse of /24 network addresses and would consider these addresses as network and broadcast address respectively.

What makes me wonder: is it really 42.x.y.1 used by ISP as your gateway address? I'd imagine ISP would use their own address on their side and route whole /24 subnet through that link ...
Last edited by mkx on Tue Jun 04, 2019 10:35 pm, edited 1 time in total.
BR,
Metod
 
Sob
Forum Guru
Posts: 4208
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik ppoe without nat /24 block

Tue Jun 04, 2019 10:31 pm

However this will only work if ISP blindly routes whole /24 subnet through single interface and doesn't rely on ARP to resolve target device for individual addresses.
This is easily fixed by enabling proxy ARP on WAN.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
wwnet
just joined
Topic Author
Posts: 4
Joined: Mon Mar 11, 2019 8:03 pm

Re: mikrotik ppoe without nat /24 block

Tue Jun 04, 2019 11:21 pm

Well I did this and lost connection remotely to the device LOL so I would assume that they aren't? I'll have to go reset that config.
/ip address add address=42.x.y.2/32 network=42.x.y.1 interface=ether1
Would this be easier if I received a separate /30 from my upstream provider? They said they would give me another IP so now I guess it just comes down to routing. Here is what I was thinking about doing:

New IP: 46.x.y.81/30 with gateway of 46.x.y.80
IP Block: 45.x.y.2/24 with gateway 45.x.y.1
1. I assume I add 46.x.y.81/30 as the address and 46.x.y.0 as the network on ether1 ?
2. I assume then I add a route for my internal 10.x.x.x network
3. I assume I then add a route so that the 45.x.y.z/24 block can go through the router to the internet?

I'm confused here.
 
Sob
Forum Guru
Posts: 4208
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik ppoe without nat /24 block

Tue Jun 04, 2019 11:55 pm

Did you also add default route?
/ip route
add dst-address=0.0.0.0/0 gateway=42.x.y.1
And of course this and the point to point address alone without other config will allow outside access to 42.x.y.2 only. It's just first step.

I wouldn't say that separate /30 to connect to provider is easier (although my definition of "easy" may be a little shifted), but it's more usual config. You'd have /30 on WAN, everything to your own /24 would be routed to your router and it would be fully in your hands what you'd do with it. You could put 45.x.y.1/24 on LAN and connect customers directly with 45.x.y.X/24, or use PPPoE to give them 45.x.y.X/32, or route any smaller subnets cut from /24 anywhere in your network, etc. No special route would be required, your router would already have default route with gateway from /30.
 
wwnet
just joined
Topic Author
Posts: 4
Joined: Mon Mar 11, 2019 8:03 pm

Re: mikrotik ppoe without nat /24 block

Wed Jun 05, 2019 12:05 am

Yep, I had that default route in there also.

Once I have the /30 I know how to set that up, how would I go about routing the /24 ? Would I need to create another default gateway for the /24 block to use? Are there any special firewall rules?
 
Sob
Forum Guru
Posts: 4208
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik ppoe without nat /24 block

Wed Jun 05, 2019 12:21 am

Then you should be able to access 45.x.y.2/24 remotely. It could be just some small mistake...

And no, you don't sound like you know how to set it up with /30. ;) Well, probably just the /30 part itself. For the /24, you don't need to do anything with routing to allow those addresses to access the internet; the same existing default route will be used. Basic routing doesn't care about source, only about destination. So if you put an address from the /24 somewhere and it tries to send a packet to the internet, e.g. to 8.8.8.8, the router will check its routing table for a route to 8.8.8.8 and the existing default route to 0.0.0.0/0 will match. That's it. You don't need special firewall rules either, only one to allow incoming traffic to these addresses, another to allow outgoing and a last one to exclude them from srcnat. That's for basic config, if you want your clients with public addresses to have unlimited access.
 
wwnet
just joined
Topic Author
Posts: 4
Joined: Mon Mar 11, 2019 8:03 pm

Re: mikrotik ppoe without nat /24 block

Wed Jun 05, 2019 12:30 am

What would those routes look like? I believe I only have 1 route setup currently.
 
Sob
Forum Guru
Posts: 4208
Joined: Mon Apr 20, 2009 9:11 pm

Re: mikrotik ppoe without nat /24 block

Wed Jun 05, 2019 1:07 am

For basic config, route will be only one (default) with gateway from /30, so:
/ip address
add address=x.x.x.a/30 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.b
Then you will also get some dynamic route(s) to addresses from your /24, depending on what exactly you do with them.

If you mean firewall rules, it really depends on what you have now, maybe some existing rules already permit required traffic, but if not, it would be:
/ip firewall filter
add chain=forward src-address=x.x.x.0/24 action=accept
add chain=forward dst-address=x.x.x.0/24 action=accept
Or another way is to exempt them from connection tracking:
/ip firewall raw
add action=notrack chain=prerouting src-address=x.x.x.0/24
add action=notrack chain=prerouting dst-address=x.x.x.0/24
And in "/ip firewall filter" you'd just accept packets with connection-state=untracked (default firewall has that).
And finally the NAT exception can be either what you already posted:
/ip firewall nat
add action=masquerade chain=srcnat src-address=!x.x.x.0/24 out-interface=ether1
Or if you'd want to do something even more complex (more exceptions, different sources for other networks, etc.), the first step would be to split it (action=accept stops processing in the given chain):
/ip firewall nat
add action=accept chain=srcnat src-address=x.x.x.0/24
add action=masquerade chain=srcnat out-interface=ether1
But really, this is all very basic networking stuff; try to find some good reading about it, to save yourself possibly a lot of trouble.
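The following is an added, complete RouterOS configuration for the layout the thread converges on (a /30 transit link on ether1, the whole /24 routed to the router, customers getting /32 addresses over PPPoE on ether2, public addresses excluded from masquerade). It is not code from any poster; it ties together the address, route, filter and NAT fragments above and adds the PPPoE pieces the thread only mentions. The transit addresses 46.x.y.82/30 and 46.x.y.81, the pool range, the service name, the secret and the profile name are constructed sample values; "x.y" stands for the real octets. A commented alternative at the end covers the earlier single-/24 variant (point-to-point /32 plus proxy ARP on the WAN) that mkx and Sob discussed, which only the WAN-side lines change.

```routeros
# Added example configuration, not from any poster in this thread.
# Sample values (constructed): 46.x.y.82/30 WAN address, 46.x.y.81 ISP gateway,
# 45.x.y.0/24 the routed customer block, "wwnet" service name, "customer1" secret.

# WAN transit link; the ISP routes all of 45.x.y.0/24 to 46.x.y.82.
/ip address
add address=46.x.y.82/30 interface=ether1

# The only static route needed. Routing looks at destination only, so
# customer sources from 45.x.y.0/24 follow this default route unchanged.
/ip route
add dst-address=0.0.0.0/0 gateway=46.x.y.81

# Customer addresses handed out as /32 over PPPoE. 45.x.y.1 is now the
# router's own gateway-side address on every PPP link (dynamic /32 routes
# to each connected customer appear automatically).
/ip pool
add name=customers ranges=45.x.y.2-45.x.y.254

/ppp profile
add name=public-pppoe local-address=45.x.y.1 remote-address=customers

/interface pppoe-server server
add service-name=wwnet interface=ether2 default-profile=public-pppoe disabled=no

/ppp secret
add name=customer1 password=CHANGE-ME service=pppoe profile=public-pppoe

# Forward traffic to and from the public block. These must sit above any
# drop rule in the forward chain; place-before=0 inserts them at the top.
/ip firewall filter
add chain=forward src-address=45.x.y.0/24 action=accept place-before=0
add chain=forward dst-address=45.x.y.0/24 action=accept place-before=0

# Split srcnat: accept ends processing for the public block, so only
# private sources (10.0.0.0/8 infrastructure, etc.) are masqueraded.
/ip firewall nat
add chain=srcnat src-address=45.x.y.0/24 action=accept
add chain=srcnat out-interface=ether1 action=masquerade

# --- Alternative WAN side for the single-/24 case (no /30 from the ISP) ---
# Replace the /ip address and /ip route entries above with these; the
# PPPoE, filter and NAT sections stay the same, except that local-address
# in the profile becomes 45.x.y.2 and the pool must not include .0/.255.
# /ip address
# add address=45.x.y.2/32 network=45.x.y.1 interface=ether1
# /interface ethernet
# set ether1 arp=proxy-arp
# /ip route
# add dst-address=0.0.0.0/0 gateway=45.x.y.1
```

After applying it, /ip route print should show the default route plus one dynamic /32 per connected customer, and the hit counters in /ip firewall nat print stats make it visible that customer traffic increments the accept rule, not masquerade. Note that the two forward accept rules give customers exactly the "unlimited access" Sob describes, inbound as well as outbound; a stateful tightening (accept established/related first, then decide what new inbound connections to customer addresses are allowed) is the usual next step once the basic routing works.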