Hi,
I have a customer who wants a /29 public subnet to be assigned directly to hosts statically.
e.g they have a server and want it publicly visible as 103.107.xxx.xxx by assigning 103.107.xxx.xxx directly to the servers NIC.
Normally customers have a single Static IP /30 which gets assigned to the wan of their router and local networks are natted through that address.
This time he wants to use the usable addresses from the /29 on individual hosts using the builtin firewall of the server's OS as the only protection between the host and outside world
Is this 1:1 nat or something else?
How can I enable this in Mikrotik?
Thanks,
Re: Use of public IP space on local hosts. 1:1 NAT?
It's routed subnet. If your current config is:
and customers has a.a.a.y on their router, you'll do:
and whole /29 will be routed to customer.
Code: Select all
/ip address
add interface=<to customer> address=a.a.a.x/30Code: Select all
/ip route
add dst-address=b.b.b.b/29 gateway=a.a.a.yRe: Use of public IP space on local hosts. 1:1 NAT?
Ok, so...It's routed subnet. If your current config is:
and customers has a.a.a.y on their router, you'll do:Code: Select all/ip address add interface=<to customer> address=a.a.a.x/30
and whole /29 will be routed to customer.Code: Select all/ip route add dst-address=b.b.b.b/29 gateway=a.a.a.y
ISP Router (CCR):
Code: Select all
/ip address add interface=customer-facing address=10.200.0.1/24WAN: 10.200.0.20/24
Gateway: 10.200.0.1
Code: Select all
/ip route add dst-address=103.107.xxx.xxx/29 gateway=10.200.0.1Re: Use of public IP space on local hosts. 1:1 NAT?
Yes. And then customer can do anything with whole /29. Use the traditional way, assign one address to internal interface with /29 mask and have five addresses for other devices. Or there are various ways how to use all eight addresses. It's up to them.
Re: Use of public IP space on local hosts. 1:1 NAT?
Ok, So I have tested that but its not working. Do I need any NAT rules? Currently I have nothing in /ip firewall natYes. And then customer can do anything with whole /29. Use the traditional way, assign one address to internal interface with /29 mask and have five addresses for other devices. Or there are various ways how to use all eight addresses. It's up to them.
Re: Use of public IP space on local hosts. 1:1 NAT?
No, you do not need NAT rule as you have a public subnet.
Depending to how is configured your connection, you can assign your wan ip directly on your devices.
First, you need to assign an ip address to your "bridge" if you have 1, and the use this address as gateway on your devices.
Depending to how is configured your connection, you can assign your wan ip directly on your devices.
First, you need to assign an ip address to your "bridge" if you have 1, and the use this address as gateway on your devices.
Re: Use of public IP space on local hosts. 1:1 NAT?
Still not working...No, you do not need NAT rule as you have a public subnet.
Depending to how is configured your connection, you can assign your wan ip directly on your devices.
First, you need to assign an ip address to your "bridge" if you have 1, and the use this address as gateway on your devices.
CPE:
Code: Select all
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=10.255.0.2/30 interface=ether1 network=10.255.0.0
add address=103.107.224.161/29 interface=ether2 network=103.107.224.160
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
/ip route
add distance=1 gateway=10.255.0.1
add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.1Code: Select all
/ip address add address=10.255.0.1/30 comment=TESTING interface=Local_Trunk network=10.255.0.0
Re: Use of public IP space on local hosts. 1:1 NAT?
Route must be on ISP's router:
Not on customer's.
Code: Select all
/ip route
add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.2Re: Use of public IP space on local hosts. 1:1 NAT?
Works a treat!Route must be on ISP's router:
Not on customer's.Code: Select all/ip route add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.2
Thanks a lot for your help
Re: Use of public IP space on local hosts. 1:1 NAT?
How would I go about static routing a public subnet to a PPPOE client with a dynamic remote address?Route must be on ISP's router:
Not on customer's.Code: Select all/ip route add distance=1 dst-address=103.107.224.160/29 gateway=10.255.0.2
Thanks,
Re: Use of public IP space on local hosts. 1:1 NAT?
It should be "Routes" option in PPP->Secrets.
Re: Use of public IP space on local hosts. 1:1 NAT?
Your a legend!It should be "Routes" option in PPP->Secrets.
Would you recommend providing customer static routes / public IPs via PPPOE? I have heard alot of people advise against it but never given a reason why.
Thanks,
Re: Use of public IP space on local hosts. 1:1 NAT?
I don't have clear answer. PPPoE is used for internet access, it works, other addresses can be routed over it, ... so from this perspective I see no problem. But I'm not ISP, maybe they could have some problem I'm not seeing. For example, I don't know how's compatibility with common client routers, many have very limited interface and I can imagine that some may not support routed subnets over PPPoE. I'm a customer and big RouterOS fan, so I don't need to care about these things, RouterOS can do it and that's all I need.
Re: Use of public IP space on local hosts. 1:1 NAT?
Thanks Sob,I don't have clear answer. PPPoE is used for internet access, it works, other addresses can be routed over it, ... so from this perspective I see no problem. But I'm not ISP, maybe they could have some problem I'm not seeing. For example, I don't know how's compatibility with common client routers, many have very limited interface and I can imagine that some may not support routed subnets over PPPoE. I'm a customer and big RouterOS fan, so I don't need to care about these things, RouterOS can do it and that's all I need.
We are an ISP and we use Mikrotik devices as a network termination unit. This is where the customers PPPOE session terminates. The NTU then has DHCP server running on the lan interface which gives out a single /30 address to the customers home wifi router that they supply.
For business customers, We intend to do the same thing although they may require static public IP's. In this case we would static route the IP public subnet to the PPPOE client and assign one of these addresses to the local interface of the NTU. Its then up to the customer to decide how they want to use these addresses.
Thoughts?