 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

One public address per LAN

Wed Sep 18, 2019 3:39 pm

A /29 public addresses subnet is available to one RB ethernet port.
How can each single LAN subnet use a specific WAN IP address?
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: One public address per LAN

Wed Sep 18, 2019 3:44 pm

Put the /29 IPs on the interface and then use a srcnat rule for each subnet to srcnat to the IP address you wish to use.

Regards
Nick
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Thu Sep 19, 2019 7:26 pm

Nick, any practical example of a rule?

i.e.:
192.168.1.0/24 (ether4) will use 10.20.30.1/29 on ether1
192.168.2.0/24 (ether5) will use 10.20.30.2/29 on ether1
and so on...

Is a masquerade rule still needed?

Thank you
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: One public address per LAN

Fri Sep 20, 2019 4:13 pm

> Nick, any practical example of a rule?
>
> i.e.:
> 192.168.1.0/24 (ether4) will use 10.20.30.1/29 on ether1
> 192.168.2.0/24 (ether5) will use 10.20.30.2/29 on ether1
> and so on...
>
> Is a masquerade rule still needed?
>
> Thank you


Try
 /ip firewall nat add chain=srcnat place-before=1 src-address=192.168.1.0/24 action=src-nat to-addresses=10.20.30.1 out-interface=ether1
 /ip firewall nat add chain=srcnat place-before=1 src-address=192.168.2.0/24 action=src-nat to-addresses=10.20.30.2 out-interface=ether1
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Tue Nov 26, 2019 10:32 pm

Thank you for the example.
This is for LAN-forwarded packets; what if the RouterBoard itself needs to use a different WAN address?
Should I use an IP route for the specific target, selecting the WAN address by means of the "Pref.Source" field?
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Tue Nov 26, 2019 10:41 pm

> Thank you for the example.
> This is for LAN-forwarded packets; what if the RouterBoard itself needs to use a different WAN address?
> Should I use an IP route for the specific target, selecting the WAN address by means of the "Pref.Source" field?

Yes, this is one of the possible ways. However, I'm afraid (not sure, though!) that the pref-src of a route must be one of the router's own addresses (i.e. it must be assigned to one of its interfaces), which is not the case for a src-nat rule. So instead of /ip route add dst-address=x.x.x.x pref-src=y.y.y.y, you may want to use /ip firewall nat add chain=srcnat action=src-nat src-address-type=local dst-address=x.x.x.x to-addresses=y.y.y.y.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Thu Nov 28, 2019 9:40 am

And what about the existing masquerade rule?
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Thu Nov 28, 2019 10:04 am

> And what about the existing masquerade rule?

I don't get the question. In his post #4, @nickshore gave you the src-nat rules which choose a particular public IP to be used as source depending on the actual source subnet. I was answering solely your other question, how to choose a particular public address as a source for connections initiated by the router itself.

I have only one problem with that suggestion, place-before=1 may not be the right way to indicate their position as these src-nat rules may have been placed after the masquerade one, which would make them be shadowed by the masquerade one and never used.

If you have all that in place with no gaps (i.e. if each LAN subnet is covered by one src-nat rule), you don't need the masquerade rule at all. Worse than that, as said above, if you keep it at a wrong place (i.e. before all these suggested by me and @nickshore), these rules will never see a single packet so the magic you ask for will not happen.

A masquerade rule is originally intended for interfaces which get their addresses dynamically; the fact that it does the job even when used on interfaces with a statically configured address makes it a good choice for the default firewall configuration, whose purpose is to work out of the box in SOHO applications. But once you go beyond that, you have to think about the role of every rule in the default firewall.
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Thu Nov 28, 2019 10:37 am

OK, so the masquerade one could be considered the global one to be placed at the end, where other src-nat rules are not matched, as the masquerade cannot specify a "to-addresses".

From what I understood, if more LAN subnets have to be used, just the interested ones can match src-nat rules while all others can go through the next masquerade one.

This is related to forwarded packets.

My second question is in fact different and related to connections initiated by the router itself. The ip route "pref-src" is actually a public IP assigned to the RB WAN interface, so it shouldn't be a problem using the /ip route method; do you find it anyhow better to use src-nat with src-address-type=local?
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Thu Nov 28, 2019 11:02 am

The only reason is the one I gave - if you had e.g. a pool of 29 public addresses, it would not be practical to put all of them up at the WAN interface of the router. Doing so is necessary to allow use of these addresses as pref-src of a route, but not required for use as to-addresses in a src-nat rule.
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Thu Nov 28, 2019 11:31 pm

I've tried
/ip firewall nat add chain=srcnat action=src-nat src-address-type=local dst-address=x.x.x.x to-addresses=y.y.y.y
It doesn't work unless y.y.y.y is assigned to the RB WAN....
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Thu Nov 28, 2019 11:37 pm

I'm afraid you may have to set arp=proxy-arp on the WAN interface if all the public addresses are from the same subnet attached to the WAN interface.

EDIT: the actual setting required is arp=local-proxy-arp - see post #15
Last edited by sindy on Sun Dec 01, 2019 12:20 pm, edited 1 time in total.
 
ik3umt
Member Candidate
Topic Author
Posts: 255
Joined: Tue Jul 08, 2014 3:58 pm

Re: One public address per LAN

Fri Nov 29, 2019 12:37 am

I need just two IP addresses from the /29 subnet on my WAN interface, so I'll go for it and still use your src-nat rules with no proxy-arp; it seems to be more reliable than the ip route one (that sometimes works and sometimes not...).
Thanks
 
gotsprings
Forum Veteran
Posts: 802
Joined: Mon May 14, 2012 9:30 pm

Re: One public address per LAN

Sat Nov 30, 2019 3:50 pm

> I'm afraid you may have to set arp=proxy-arp on the WAN interface if all the public addresses are from the same subnet attached to the WAN interface.

I don't think I have ever had to do that.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Sun Dec 01, 2019 12:16 pm

> I don't think I have ever had to do that.

You probably never had to because you probably never used addresses from your WAN subnet which were not assigned to any interface as to-addresses in a src-nat rule. If you use addresses from any other subnet which the ISP routes to you via your IP in the WAN subnet, there is no need to make the router respond to ARP requests on these addresses.

And Mark Twain's quote in your automatic signature is perfectly right: the correct arp setting needed to make the router respond to ARP requests for addresses used as reply-dst-address of tracked connections is actually local-proxy-arp.
 
gotsprings
Forum Veteran
Posts: 802
Joined: Mon May 14, 2012 9:30 pm

Re: One public address per LAN

Sun Dec 01, 2019 2:27 pm

If I have a /29 IP address on the WAN...
I assign them to the WAN interface.
I put the proper gateway in routes.
Then I use address-lists and src-nat to send different traffic over the different IPs.
Pretty sure the default for an interface is "arp enabled".

Did I miss something?
 
sindy
Forum Guru
Posts: 4191
Joined: Mon Dec 04, 2017 9:19 pm

Re: One public address per LAN

Sun Dec 01, 2019 3:23 pm

> I assign them to the WAN interface.

The above is the difference I am talking about. You assign them to the WAN interface, so the system responds to the ARP requests regarding those addresses because they are its own ones.
I do not assign them to the WAN interface, so I need to set arp to local-proxy-arp so that the system starts checking reply-dst-addresses in the connection tracker when processing an incoming ARP request.
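Putting the pieces from the posts above together (per-LAN src-nat rules, the src-address-type=local rule for the router's own connections, the masquerade catch-all placed last, and arp=local-proxy-arp on the WAN port), here is a complete RouterOS configuration. It is an added example, not any poster's own config; the interface names, the 10.20.30.6 gateway and the 203.0.113.10 destination are assumptions.

```routeros
# Constructed example, not taken from any post in this thread.
# Assumptions: ether1 is the WAN port, the ISP's /29 is 10.20.30.0/29 with the
# ISP gateway at 10.20.30.6; the router keeps only 10.20.30.1 as its own address,
# while .2 and .3 are used purely as src-nat to-addresses (never assigned).

/ip address
add address=10.20.30.1/29 interface=ether1 comment="router's own WAN address"
add address=192.168.1.1/24 interface=ether4 comment="LAN1"
add address=192.168.2.1/24 interface=ether5 comment="LAN2"

/ip route
add dst-address=0.0.0.0/0 gateway=10.20.30.6

# Because .2 and .3 are not assigned to ether1, the router must answer the ISP
# gateway's ARP requests for them by looking up reply-dst-address in the
# connection tracker; that is what arp=local-proxy-arp enables (not needed if
# the NAT pool came from a separate subnet that the ISP routes to 10.20.30.1).
/interface ethernet
set ether1 arp=local-proxy-arp

/ip firewall nat
# Specific rules first: one per LAN. to-addresses is a single host; writing
# 10.20.30.2/29 here would let the router pick any address of the /29 instead.
add chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 action=src-nat to-addresses=10.20.30.2 comment="LAN1 -> 10.20.30.2"
add chain=srcnat out-interface=ether1 src-address=192.168.2.0/24 action=src-nat to-addresses=10.20.30.3 comment="LAN2 -> 10.20.30.3"
# Router-originated traffic (src-address-type=local) to one destination; the
# 203.0.113.10 destination is a placeholder for the thread's x.x.x.x.
add chain=srcnat out-interface=ether1 src-address-type=local dst-address=203.0.113.10 action=src-nat to-addresses=10.20.30.3 comment="router itself -> 10.20.30.3"
# Catch-all goes LAST. Anything the rules above do not match (other LANs, the
# router's remaining own traffic) leaves as 10.20.30.1. If this rule sat before
# the specific ones, they would be shadowed and never see a packet; if every
# LAN is covered by a specific rule it can be dropped entirely.
add chain=srcnat out-interface=ether1 action=masquerade comment="catch-all, keep last"

# Verification: after sending traffic from each LAN, the per-LAN rules should
# show packet counters and the masquerade rule only the leftovers.
/ip firewall nat print stats
```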
