One public address per LAN

Posted: Wed Sep 18, 2019 3:39 pm
by ik3umt
A /29 public addresses subnet is available to one RB ethernet port.
How can each single LAN subnet use a specific WAN IP address ?

Re: One public address per LAN

Posted: Wed Sep 18, 2019 3:44 pm
by nickshore
Put the /29 IPs on the interface and then use a srcnat rule for each subnet to srcnat to the IP address you wish to use.

Regards
Nick

Re: One public address per LAN

Posted: Thu Sep 19, 2019 7:26 pm
by ik3umt
Nick, any practical example of rule ?

i.e. :
192.168.1.0/24 (ether4) will use 10.20.30.1/29 on ether1
192.168.2.0/24 (ether5) will use 10.20.30.2/29 on ether1
and so on...

Still masquerade rule needed ?

Thank you

Re: One public address per LAN

Posted: Fri Sep 20, 2019 4:13 pm
by nickshore
Nick, any practical example of rule ?

i.e. :
192.168.1.0/24 (ether4) will use 10.20.30.1/29 on ether1
192.168.2.0/24 (ether5) will use 10.20.30.2/29 on ether1
and so on...

Still masquerade rule needed ?

Thank you


Try
 # to-addresses is the single public IP to be used as the source, not the whole /29
 /ip firewall nat add chain=srcnat place-before=1 src-address=192.168.1.0/24 action=src-nat to-addresses=10.20.30.1 out-interface=ether1
 /ip firewall nat add chain=srcnat place-before=1 src-address=192.168.2.0/24 action=src-nat to-addresses=10.20.30.2 out-interface=ether1

Re: One public address per LAN

Posted: Tue Nov 26, 2019 10:32 pm
by ik3umt
Thank you for the example,
This is for LAN forwarded packets, what if the routerboard itself needs to use a different WAN address?
Should I use an ip route for a specific target, selecting the WAN address by means of the “Pref.Source” field?

Re: One public address per LAN

Posted: Tue Nov 26, 2019 10:41 pm
by sindy
Thank you for the example,
This is for LAN forwarded packets, what if the routerboard itself needs to use a different WAN address?
Should I use an ip route for a specific target, selecting the WAN address by means of the “Pref.Source” field?
Yes, this is one of the possible ways. However, I'm afraid (not sure, though!) that the pref-src of a route must be one of the router's own addresses (i.e. it must be assigned to some of its interfaces), which is not the case for a src-nat rule. So instead of /ip route add dst-address=x.x.x.x pref-src=y.y.y.y, you may want to use /ip firewall nat add chain=srcnat action=src-nat src-address-type=local dst-address=x.x.x.x to-addresses=y.y.y.y.

Re: One public address per LAN

Posted: Thu Nov 28, 2019 9:40 am
by ik3umt
And what about existing masquerade rule ?

Re: One public address per LAN

Posted: Thu Nov 28, 2019 10:04 am
by sindy
And what about existing masquerade rule ?
I don't get the question. In his post #4, @nickshore gave you the src-nat rules which choose a particular public IP to be used as source depending on the actual source subnet. I was answering solely your other question, how to choose a particular public address as a source for connections initiated by the router itself.

I have only one problem with that suggestion, place-before=1 may not be the right way to indicate their position as these src-nat rules may have been placed after the masquerade one, which would make them be shadowed by the masquerade one and never used.

If you have all that in place with no gaps (i.e. if each LAN subnet is covered by one src-nat rule), you don't need the masquerade rule at all. Worse than that, as said above, if you keep it at a wrong place (i.e. before all these suggested by me and @nickshore), these rules will never see a single packet so the magic you ask for will not happen.

A masquerade rule is originally intended for interfaces which get their addresses dynamically; the fact that it does the job even when used on interfaces with a statically configured address makes it a good choice for the default firewall configuration, whose purpose is to work out of the box in SOHO applications. But once you go beyond that, you have to think about the role of every rule in the default firewall.
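The ordering point above, worked through as an added example (not configuration from any poster in this thread). It assumes the /29 is 10.20.30.0/29 with the upstream gateway at 10.20.30.6, and uses place-before=[find ...] rather than a fixed index so the specific rules land ahead of an already existing masquerade rule:

```routeros
# Added example: per-LAN public source address with a catch-all masquerade kept last.
# Assumed addresses: 10.20.30.0/29 on ether1 (gateway 10.20.30.6), LANs on ether4/ether5.
/ip address
add address=10.20.30.1/29 interface=ether1 comment="WAN, source for LAN1"
add address=10.20.30.2/29 interface=ether1 comment="source for LAN2"
add address=192.168.1.1/24 interface=ether4 comment="LAN1"
add address=192.168.2.1/24 interface=ether5 comment="LAN2"
/ip route
add dst-address=0.0.0.0/0 gateway=10.20.30.6

# Specific src-nat rules are inserted directly above the masquerade rule (if the
# default configuration already has one), so masquerade cannot shadow them.
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=192.168.1.0/24 \
    action=src-nat to-addresses=10.20.30.1 comment="LAN1 -> 10.20.30.1" \
    place-before=[find action=masquerade]
add chain=srcnat out-interface=ether1 src-address=192.168.2.0/24 \
    action=src-nat to-addresses=10.20.30.2 comment="LAN2 -> 10.20.30.2" \
    place-before=[find action=masquerade]
# Catch-all for any further LAN that has no public address of its own; added
# last, so it stays last. Omit it entirely if every LAN has a specific rule.
add chain=srcnat out-interface=ether1 action=masquerade comment="catch-all, keep last"

# Check the ordering: the specific rules must be listed before masquerade and
# their packet counters must grow; if they stay at zero, masquerade is shadowing them.
/ip firewall nat print stats
```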

Re: One public address per LAN

Posted: Thu Nov 28, 2019 10:37 am
by ik3umt
Ok, so the masquerade one could be considered the global one, to be placed at the end, where other src-nat rules are not matched, as the masquerade cannot specify a "to-addresses".

From what I understood, if more LAN subnets have to be used, just the interested ones can match src-nat rules while all others can go through the next masquerade one.

This is related to forwarded packets.

My second question is in fact different and related to connections initiated by the router itself. The ip route "pref-src" is actually a public IP assigned to the RB WAN interface, so it shouldn't be a problem using the /ip route method; do you find it anyhow better to use src-nat with src-address-type=local?

Re: One public address per LAN

Posted: Thu Nov 28, 2019 11:02 am
by sindy
The only reason is the one I gave: if you had e.g. a pool of 29 public addresses, it would not be practical to put all of them up at the WAN interface of the router. Doing so is necessary to allow use of these addresses as pref-src of a route, but not required for use as to-addresses in a src-nat rule.

Re: One public address per LAN

Posted: Thu Nov 28, 2019 11:31 pm
by ik3umt
I've tried
/ip firewall nat add chain=srcnat action=src-nat src-address-type=local dst-address=x.x.x.x to-addresses=y.y.y.y
It doesn't work unless y.y.y.y is assigned to the RB WAN....

Re: One public address per LAN

Posted: Thu Nov 28, 2019 11:37 pm
by sindy
I'm afraid you may have to set arp=proxy-arp on the WAN interface if all the public addresses are from the same subnet attached to the WAN interface.

EDIT: the actual setting required is arp=local-proxy-arp, see post #15

Re: One public address per LAN

Posted: Fri Nov 29, 2019 12:37 am
by ik3umt
I need just two IP addresses from the /29 subnet on my WAN interface, so I'll go for it and still use your src-nat rules with no proxy-arp; it seems to be more reliable than the ip route one (that sometimes works and sometimes not...)
Thanks

Re: One public address per LAN

Posted: Sat Nov 30, 2019 3:50 pm
by gotsprings
I'm afraid you may have to set arp=proxy-arp on the WAN interface if all the public addresses are from the same subnet attached to the WAN interface.
I don't think I have ever had to do that.

Re: One public address per LAN

Posted: Sun Dec 01, 2019 12:16 pm
by sindy
I don't think I have ever had to do that.
You probably never had to because you probably never used addresses from your WAN subnet which were not assigned to any interface as to-addresses in a src-nat rule. If you use addresses from any other subnet which the ISP routes to you via your IP in the WAN subnet, there is no need to make the router respond to ARP requests on these addresses.

And Mark Twain's quote in your automatic signature is perfectly right: the correct arp setting needed to make the router respond to ARP-requests for addresses used as reply-dst-address of tracked connections is actually local-proxy-arp.

Re: One public address per LAN

Posted: Sun Dec 01, 2019 2:27 pm
by gotsprings
If I have a /29 IP address on the WAN...
I assign them to the WAN interface.
I put the proper gateway in routes.
Then I use address-lists and src-nat to send different traffic over the different IPs.
Pretty sure the default for an interface is "arp enabled".

Did I miss something?

Re: One public address per LAN

Posted: Sun Dec 01, 2019 3:23 pm
by sindy
I assign them to the WAN interface.
The above is the difference I am talking about. You assign them to the WAN interface, so the system responds to the ARP requests regarding those addresses because they are its own ones.
I do not assign them to the WAN interface, so I need to set arp to local-proxy-arp so that the system starts checking reply-dst-addresses in the connection tracker when processing an incoming ARP request.
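The case discussed in the last few posts (a router-originated connection sourced from a WAN-subnet address that is not assigned to any interface) as an added example, not configuration posted by anyone in the thread. It assumes 10.20.30.0/29 on ether1 with only 10.20.30.1 assigned, 10.20.30.3 left unassigned, and 203.0.113.10 standing in for the x.x.x.x destination:

```routeros
# Added example: the router itself talks to one destination from 10.20.30.3,
# an address inside the WAN /29 that is NOT configured on ether1.
# Assumed: ether1 carries 10.20.30.1/29; 203.0.113.10 is a placeholder destination.
/ip firewall nat
add chain=srcnat src-address-type=local dst-address=203.0.113.10 out-interface=ether1 \
    action=src-nat to-addresses=10.20.30.3 comment="router-originated -> 10.20.30.3"

# Replies come back addressed to 10.20.30.3, so the upstream gateway ARPs for it.
# Plain arp=enabled only answers for addresses the router owns; local-proxy-arp
# also answers for reply-dst-addresses of tracked connections (the case here).
/interface ethernet set ether1 arp=local-proxy-arp

# Verification: the tracked connection should show reply-dst-address 10.20.30.3;
# if it does but the connection still times out, the ARP answer is what is missing.
/ip firewall connection print detail where dst-address~"203.0.113.10"
```

Addresses from a different block that the ISP routes to the router's WAN IP do not need local-proxy-arp, because no ARP request for them ever reaches ether1.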