AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Framed Route - Two IP addresses from my ISP

Tue Nov 03, 2020 10:43 pm

Hi,
Has anyone successfully implemented a dual IP WAN connection as a client on a RouterOS device using Framed Routes? In Australia, my ISP has provided a second IPv4 address and provisioned it using what they term a Framed Route. I assume that this is using RADIUS attribute 22.
I found nothing in the forums like this and most references refer to using PPP. With the NBN in Australia, I don't use PPP or PPPoE for the connection.
Can anyone point me in the direction to research this?

Thanks
 
martinclaro
Frequent Visitor
Posts: 62
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 12:46 am

Hi, this other topic may be helpful: viewtopic.php?t=131363
Martín C. @ TopHost Soluciones
MTCNA | MTCTCE
 
tdw
Long time Member
Posts: 556
Joined: Sat May 05, 2018 11:55 am

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 3:44 am

As you are not using a PPP-like connection for your WAN how is your existing main/primary WAN address set/acquired?
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 12:42 pm

Hi Martinclaro,
Thanks for the tips. I read the link and will now check the rfc and the dhcp parts of the manual to see if I can find something.

Hi Tdw,
In Australia we have what is officially known as the National Broadband Network (NBN), or as most people refer to it, Not a Bl**dy Network. It provides a layer 2 link from your home to a designated ISP interconnect point. With my ISP, you just send a standard DHCP request to get your network address and prefix. For others, you would configure the interface as a standard static IP address, netmask and gateway address. No PPP or PPPoE required.

So for Framed Route to work the way it appears that my ISP has configured it, I need to have two interfaces on the same physical port both with DHCP enabled.

¯\_(ツ)_/¯

The search continues.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 2:03 pm

> So for Framed Route to work the way it appears that my ISP has configured it, I need to have two interfaces on the same physical port both with DHCP enabled.

It sounds unlikely to me. There is no difference between another interface with another hardware ID on your own device and on your neighbor's device, unless the ISP would check the physical source port of the DHCP request at their end. I.e. I can see the idea with two DHCP clients as an alternative to the Framed Route one.

From what I've understood from the complaints in the thread @Martinclaro has referred to, it seems that the ISP uses the Framed Route in their RADIUS data to tell its own gear that the route to your public IP #2 is via your public IP #1, and the subject of these complaints is that this information leaks to the DHCPOFFER/DHCPACK which the Mikrotik acting as a DHCP server sends to the client, in the form of Option 121.

So if this assumption that the Framed Route is used for the ISP gear itself and the secondary address is routed to you, using the primary one as a gateway, is correct, and if the secondary public address is a static one, it should be sufficient to put it up anywhere on your Mikrotik (e.g. on a dedicated bridge with no ports, as a /32 one). If it is a dynamically changing one, I cannot see how the ISP could deliver it to you via DHCP as a secondary one.

How is the primary one linked to your identity/account? By MAC address or by physical line?

And when you speak about dual WAN, do you have in mind just that requests coming to each of the two public IPs will be responded from the same one? Because if I understand it right, there will be only a single physical channel no matter how the multiple WAN addresses are configured.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tdw
Long time Member
Posts: 556
Joined: Sat May 05, 2018 11:55 am

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 2:05 pm

The DHCP process only assigns a single IP address to an interface, as you have a static address this could be done with DHCP option 82 (this isn't seen by the end user) or MAC address binding. The framed route setup at the ISP just directs incoming packets for the additional IP address(es) to your primary IP address, there isn't a mechanism for adding those addresses to your router automatically.

Are your two addresses completely separate (e.g. x.x.42.7 & x.x.99.23), or part of a subnet (e.g. x.x.42.9 & x.x.42.10) and what subnet mask are you assigned (/32, /30, something else)?
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 9:10 pm

Hi Sindy,
Thanks for your reply. It has given me some more information.

My primary one is linked by what is called an Access Virtual Circuit to create a virtual link to my house from my ISP. That link terminates in an RJ45 Ethernet connector on the NBN Customer Premises Equipment (CPE).

Your point about the second one being delivered by DHCP was also what had me confused. My ISP has no idea of which MAC address belongs to which IP. One thing I have learnt is that you can rent a Cisco 1100 series router from them and it will work. I am seeing if I can get a copy of the config to reverse engineer what they have done.

Thanks
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Framed Route - Two IP addresses from my ISP

Wed Nov 04, 2020 9:25 pm

Still, if you know the secondary address, why don't you try to sniff on your WAN interface for packets towards that secondary address while pinging it from elsewhere (via mobile connection, or asking a friend to ping it)? If mine and @tdw's assumption is correct, you should see the ping packets arrive at the WAN.
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP

Thu Nov 05, 2020 10:40 am

Hi Sindy,
Thanks for that. I will try it tonight and let you know the results.
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP  [SOLVED]

Sun Nov 15, 2020 2:01 am

Hi Everyone,
Thank you for your help so far. Just to let you all know where I am up to, here is an update.

After a hectic week when I was unable to take the link off line, I grabbed an old CISCO 2600 router and threw a base config on it to test. With this config, I was able to achieve a ping on the second IP address.
[CISCO Config]
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 180.150.96.103 255.255.254.0
 no snmp trap link-status

Looking at the CISCO config, it is using a default VLAN to achieve the link using the "Framed Route". So I have added a VLAN on my WAN interface on the RB2011 with the VLAN set to 1. I can now ping that address from the internet.

RB2011 Interfaces
 0  R  ;;; WAN-NBN
       ether1-AussieBB-WAN   ether    1500  1598  4074
[Cut out irrelevant interfaces]
16  R  ;;; DMZ
       bridge-DMZ-SW2        bridge   1500  1598
17  R  ;;; INT
       bridge-INT-SW1        bridge   1500  1598
18  R  vlan1                 vlan     1500  1594

ip address p
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        INTERFACE
 0   ;;; DMZ
     192.168.10.1/24     192.168.10.0   ether8-DMZ
 1   ;;; INT
     192.168.11.1/24     192.168.11.0   ether2-INT
 2   180.150.96.103/23   180.150.96.0   vlan1
 3 D 180.150.98.165/23   180.150.98.0   ether1-AussieBB-WAN

From the internet site https://ping.eu/ping/
--- PING 180.150.96.103 (180.150.96.103) 56(84) bytes of data. ---
64 bytes from 180.150.96.103: icmp_seq=1 ttl=53 time=290 ms
64 bytes from 180.150.96.103: icmp_seq=2 ttl=53 time=276 ms
64 bytes from 180.150.96.103: icmp_seq=3 ttl=53 time=282 ms
64 bytes from 180.150.96.103: icmp_seq=4 ttl=53 time=290 ms

I will now work on the outbound routing from the VLAN interface.
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP

Sun Nov 15, 2020 8:35 am

I have now added a one-to-one NAT for the address and web browsing appears to be working.

Thanks sindy, tdw and martinclaro for your help.
 
sindy
Forum Guru
Posts: 6262
Joined: Mon Dec 04, 2017 9:19 pm

Re: Framed Route - Two IP addresses from my ISP

Sun Nov 15, 2020 11:01 am

From your description, I'd say that the VLAN ID 1 is not really relevant - you could use VLAN 555 at the RB2011 and the outcome would be the same. I maintain that the ISP merely uses your primary public IP as a gateway to your secondary public subnet (which happens to consist of a single IP). So if they had a Mikrotik with a static routing configuration at their side, it would look as follows:

/ip route add
...
dst-address=sec.sec.sec.sec/32 gateway=pri.pri.pri.pri
...


The thing is:
  • a device does not care whether a packet with one of its own IP addresses as destination came in through the interface to which that address is attached or through any other one (to make it care, you'd have to engage the firewall)
  • both Cisco and Mikrotik use VLAN ID 1 as the default pvid of trunk interfaces (so do not show that pvid in the configuration export unless you force them to), so attaching a subinterface (/interface vlan) with VLAN ID 1 to an interface with no pvid shown means that that subinterface will never receive any packet, as no frame with VLAN ID 1 will ever arrive through the wire

You may do a test - create a bridge interface with no member ports:
/interface bridge add name=br-test protocol-mode=none

Then, move the secondary IP address from the /interface vlan to that /interface bridge:
/ip address set [find address~"sec.sec.sec.sec"] interface=br-test

If I am right, everything will keep working as before.

Also, change the mask of the secondary address from /23 (255.255.254.0) to /32. Chances are high that other addresses from the /23 are assigned to your neighbours, so if you wanted to reach them (online gaming? local bicycle shop's web page?), you wouldn't be able to as your 2011 would treat them as reachable at L2 rather than via a gateway, which is not the case.

It also means that you don't need to use a dst-nat unless that's what you really want - you can route that secondary public IP to the destination device and put it up on it directly.
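The effect of the /23 versus /32 mask described in the post above can be shown with a small longest-prefix-match model. This is an added example, not part of the original thread: it uses the two addresses and interface names posted earlier, while the default gateway 180.150.98.1 and the neighbour address 180.150.97.20 are constructed for illustration.

```python
import ipaddress

# Assumed values (not from the thread): the ISP gateway and a neighbour's address.
ASSUMED_GATEWAY = "180.150.98.1"
ASSUMED_NEIGHBOUR = "180.150.97.20"


def build_routes(addresses, default_gw):
    """Connected routes derived from interface addresses, plus a default route."""
    routes = []
    for cidr, ifname in addresses:
        network = ipaddress.ip_interface(cidr).network
        routes.append((network, ifname, None))  # connected route: no gateway
    routes.append((ipaddress.ip_network("0.0.0.0/0"), None, default_gw))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns ('on-link', ifname) or ('gateway', gw)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    _, ifname, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return ("on-link", ifname) if gw is None else ("gateway", gw)


def neighbour_path(secondary_cidr, secondary_if):
    """How the router would try to reach a neighbour in the secondary /23."""
    routes = build_routes(
        [("180.150.98.165/23", "ether1-AussieBB-WAN"),  # primary, from DHCP
         (secondary_cidr, secondary_if)],               # secondary, static
        ASSUMED_GATEWAY,
    )
    return lookup(routes, ASSUMED_NEIGHBOUR)


if __name__ == "__main__":
    # /23 on the secondary: the router ARPs for the neighbour on vlan1,
    # where nobody will answer, so the neighbour is unreachable.
    print("/23:", neighbour_path("180.150.96.103/23", "vlan1"))
    # /32 on a portless bridge: only the default route matches,
    # so traffic goes to the ISP gateway as intended.
    print("/32:", neighbour_path("180.150.96.103/32", "br-test"))
```
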
 
AUsquirrel
just joined
Topic Author
Posts: 16
Joined: Fri Feb 21, 2014 10:28 pm

Re: Framed Route - Two IP addresses from my ISP

Sun Nov 22, 2020 2:19 am

Hi sindy,
Thanks for that post. It explains a couple of things I have been trying to understand as to how it works. I will try all the changes you have suggested and let you know how I go when I get back from my holidays this week.
