miastudio
just joined
Topic Author
Posts: 9
Joined: Tue Apr 06, 2010 9:06 am

Routing for clients assigned public IP via pppoe

Wed Jun 09, 2021 6:02 pm

Hi,

I have followed various posts on this forum, but am now stuck. I currently have:

ISP (1.2.3.1/24) - switch - Mikrotik eth1 1.2.3.2/24 - Mikrotik eth2 pppoe server using 10.1.1.1/16 pool - pppoe clients with 10.1.x.y/32 ip; src-nat'ed

I have a free public IP pool 1.2.3.2-1.2.3.200 (others are used internally) which I provide to some clients.

Till now I assigned those IPs to eth1 and dst-nat'ed all ports to the specific 10.1.x.y IP. However, I would like to assign the public IPs directly to the end-users and switch (route ?) instead. I have:
  • set up a new ip pool for 1.2.3.2-1.2.3.200
  • set up a new pppoe profile using this pool
  • set specific client IPs to use this pppoe profile
  • enabled proxy-arp on eth1 and eth2
This works:
  • clients log in via pppoe and get their public IP
  • clients are able to ping 1.2.3.1 and 1.2.3.2
  • setting a computer to 1.2.3.201 and connecting it to the switch allows me to ping the client's public IP

My configuration:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-isp arp=proxy-arp
set [ find default-name=ether2 ] name=ether2-lan arp=proxy-arp
/ip pool
add name=pool-pppoe-private ranges=10.1.1.2-10.1.255.254
add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.200
/ppp profile
add local-address=10.1.1.1 name=pppoe-private remote-address=pool-pppoe-private
add local-address=1.2.3.2 name=pppoe-public remote-address=pool-pppoe-public
/interface pppoe-server server
add disabled=no interface=ether2-lan service-name=pppoe
/ip address
add address=1.2.3.2/24 interface=ether1-isp network=1.2.3.0
add address=10.1.1.1/24 interface=ether2-lan network=10.1.0.0
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.1.0.0/16
/ip route
add distance=1 gateway=1.2.3.1
/ppp secret
add name=private_user password=password profile=pppoe-private
add name=public_user password=password profile=pppoe-public

My issue is that clients are not able to ping beyond 1.2.3.1. I think the missing piece is that there is no instruction setting 1.2.3.1 as the default gateway for client traffic.

I'm not quite sure if what I have in mind is possible and, if so, what the missing settings are?

Thank you for your time
Last edited by miastudio on Wed Jun 09, 2021 6:33 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routing for clients assigned public IP via pppoe

Wed Jun 09, 2021 6:09 pm

you must put all the config on the forum

in the file, censor the remaining sensitive data with * without removing any part; do not remove anything, just censor public IPs and usernames (passwords are not exported)

/export hide-sensitive file=pippo


if you do not want to do that, you will not receive help
you can just have some reply from a fortune-teller...
 
miastudio
just joined
Topic Author
Posts: 9
Joined: Tue Apr 06, 2010 9:06 am

Re: Routing for clients assigned public IP via pppoe

Wed Jun 09, 2021 6:34 pm

you must put all the config on forum
Thank you. I have added my config in my original post
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Routing for clients assigned public IP via pppoe

Wed Jun 09, 2021 7:24 pm

do not use a public IP for local-address=1.2.3.2
create one pool of useless IPs, just used for the pppoe local-address:
100.64.0.1-100.64.0.254
or it is like you use the 1.2.3.2 twice (multiple times) for each connected user
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Routing for clients assigned public IP via pppoe

Wed Jun 09, 2021 7:36 pm

Nothing obvious, the default route is sufficient for all traffic which arrives at the Mikrotik. Are there any firewall rules which you have omitted to show?

Whilst you need proxy-arp on ether1 for the WAN IP range, it would not be necessary on ether2 if the LAN IP range did not overlap with the private PPPoE pool.
 
miastudio
just joined
Topic Author
Posts: 9
Joined: Tue Apr 06, 2010 9:06 am

Re: Routing for clients assigned public IP via pppoe

Thu Jun 10, 2021 6:38 am

Thank you for your replies

do not use public IP for local-address=1.2.3.2
I also tried with a dummy 10.10.10.1 IP. But that did not make any difference. Ultimately, I followed this post: viewtopic.php?t=122667#p605632

create one pool of useless IP, just used for pppoe local-address: 100.64.0.1-100.64.0.254
I'm not sure I understand what you're saying. Isn't that what I did with
/ip pool add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.20


or is like you use twice (multiple time) the 1.2.3.2 for each connected users
I use 1.2.3.2 in 2 places:
/ip address add address=1.2.3.2/24 interface=ether1-isp network=1.2.3.0
/ppp profile add local-address=1.2.3.2 name=pppoe-public remote-address=pool-pppoe-public
But I do not use it for the clients / pool. That starts at 1.2.3.3:
/ip pool add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.200


Nothing obvious, the default route is sufficient for all traffic which arrives at the Mikrotik. Are there any firewall rules which you have omitted to show?
No, that's it. I set up a bare system to test this

Whilst you need proxy-arp on ether1 for the WAN IP range, it would not be necessary on ether2 if the LAN IP range did not overlap with the private PPPoE pool.
I tried enabling it just on one interface and I was not able to ping out. That's why I enable it on both. It was also suggested in viewtopic.php?t=141584
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Routing for clients assigned public IP via pppoe

Thu Jun 10, 2021 12:13 pm

There is nothing wrong with using 1.2.3.2 for both ether1 and as the local address for the PPPoE client connections. Presumably 1.2.3.x/24 is just a fake range you are using to describe the situation rather than your real public IP addresses.

I tried enabling it just on one interface and I was not able to ping out. That's why I enable it on both. It was also suggested in viewtopic.php?t=141584
Ping out from where? It is necessary on ether1 so the Mikrotik can answer ARP requests from other directly connected 1.2.3.x/24 devices on behalf of the PPPoE clients, but it should not be necessary on ether2.

Are there any IP clients connected to ether2 (as the IP address network for ether2 is incorrect)?
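
The two points raised in this reply can be checked mechanically. The following is an added example, not part of the original thread: it flags `/ip address` entries whose `network=` does not match the address and prefix, and lists interfaces whose connected subnet overlaps a PPPoE pool (the case where proxy-arp is needed). The function names are hypothetical, and the parser assumes single-line `add` entries as in the export posted above.

```python
import ipaddress
import re

# Constructed sample: the pool and address lines from the export posted in this thread.
EXPORT = """\
/ip pool
add name=pool-pppoe-private ranges=10.1.1.2-10.1.255.254
add name=pool-pppoe-public ranges=1.2.3.3-1.2.3.200
/ip address
add address=1.2.3.2/24 interface=ether1-isp network=1.2.3.0
add address=10.1.1.1/24 interface=ether2-lan network=10.1.0.0
"""

def parse(export):
    """Group 'add key=value ...' lines by the RouterOS menu path above them."""
    menus, current = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            menus.setdefault(current, []).append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def audit(export):
    """Return (network_mismatches, pool_overlaps) found in an export."""
    menus = parse(export)
    mismatches, overlaps = [], []
    for addr in menus.get("/ip address", []):
        subnet = ipaddress.ip_interface(addr["address"]).network
        expected = str(subnet.network_address)
        # network= must equal the address masked by its prefix length.
        if addr.get("network") != expected:
            mismatches.append((addr["interface"], addr.get("network"), expected))
        for pool in menus.get("/ip pool", []):
            first, last = (ipaddress.ip_address(a) for a in pool["ranges"].split("-"))
            # Pool addresses inside a connected subnet are ARPed for by
            # neighbours on that interface, so proxy-arp is required there.
            if first <= subnet.broadcast_address and last >= subnet.network_address:
                overlaps.append((addr["interface"], pool["name"]))
    return mismatches, overlaps

if __name__ == "__main__":
    for finding in audit(EXPORT):
        print(finding)
```
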
 
miastudio
just joined
Topic Author
Posts: 9
Joined: Tue Apr 06, 2010 9:06 am

Re: Routing for clients assigned public IP via pppoe

Fri Jun 11, 2021 9:11 am

Presumably 1.2.3.x/24 is just a fake range you are using to describe the situation rather than your real public IP addresses.
Yes, correct

Ping out from where?
A pppoe client (say 1.2.3.3) is able to ping 1.2.3.2 and 1.2.3.1 but not beyond (i.e. routed via 1.2.3.1) - say 8.8.8.8 or google.com

It is necessary on ether1 so the Mikrotik can answer ARP requests from other directly connected 1.2.3.x/24 devices on behalf of the PPPoE clients, but it should not be necessary on ether2.
Ok, thank you for clarifying

Are there any IP clients connected to ether2 (as the IP address network for ether2 is incorrect)?
No, that's just for ping / tests
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Routing for clients assigned public IP via pppoe

Fri Jun 11, 2021 11:14 am

What do /ip route print and /ip arp print show?

setting a computer to 1.2.3.201 and connecting it to the switch allows me to ping the client's public IP
Can the PPPoE client also ping 1.2.3.201 successfully?
 
miastudio
just joined
Topic Author
Posts: 9
Joined: Tue Apr 06, 2010 9:06 am

Re: Routing for clients assigned public IP via pppoe

Sun Jun 13, 2021 1:57 pm

I exported the config, reset it and re-applied the config and it worked immediately. Thank you all for your help for confirming that the config was in principle right.
