oxigeno20
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue May 23, 2006 5:29 pm
Location: Argentina

Trying to give PPPoE NAT with private routed WAN

Sat Jun 26, 2021 4:11 pm

Hi,
We ran out of public addresses and we must do NAT with the PPPoE server and have a second way of connectivity, giving public addresses for one side or private addresses for the other. But our superior ISP is giving us a very strange private addressing (for not to waste public directions), and this is the reason things are a little bit difficult to get working.

My WAN ISP is giving us a private /29 addresses: 192.168.15.234/29

Now, for giving PPPoE with "public" addresses we are used to setting up the private addressing on the WAN interface, and one public address on the LAN (this is for having a public address as the source origin).

So, we have the following setup and it is working perfectly fine:
WAN interface 192.168.15.234/29 -----> ( 15.233 our gateway)
LAN interface 200.20.20.1/24 (public address). ----> we use the same address for the customer gateways.

NOTE: We have our own ASN number and public directions (BGP)

Here we came with the problem:

Now we wanted to add a second way of connectivity with PPPoE but with NAT, so we created different PPP profiles for that purpose (using the same WAN "private" interface addressing configuration that we named before). We added a second address to the same LAN interface: 10.9.1.1/20
When I do a traceroute, I can't reach the internet because the ISP is seeing "our source address" as a private address, and their BGP filters drop our outgoing traffic.


[soporte1@testing] > tool trace 1.1.1.1
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 10.9.0.1 0% 37 0.4ms 0.4 0.4 0.7
2 192.168.15.233 0% 37 1.3ms 1.3 1.2 3
3 100% 37 timeout
4 10.169.147.34 0% 37 4.1ms 7.1 4 112.6
5 100% 37 timeout
6 100% 37 timeout
7 100% 37 timeout
8 100% 37 timeout
9

They told us that we must have a "public" source origin address, so we put a public one on the private PPP profiles, but the result is the same: we can't reach the internet.

[soporte1@testing] > tool trace 1.1.1.1
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 200.20.20.1 0% 5 0.4ms 0.6 0.4 0.8
2 192.168.15.233 0% 5 1.3ms 1.5 1.3 1.7
3 100% 5 timeout
4 10.169.147.34 0% 5 4.1ms 4.2 4.1 4.3
5 100% 5 timeout
6 100% 5 timeout
7 100% 5 timeout
8 100% 4 timeout
9 100% 4 timeout


Other partners with a similar ISP setup fixed the problem by putting another parallel Routerboard doing NAT, but I want to fix this with the same Routerboard.

What is happening, and why? Could there be a way to fix that without the ISP's intervention?

Sorry for my poor English. Is the title of the post right?
Thanks!
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: Trying to give PPPoE NAT with private routed WAN

Sat Jun 26, 2021 6:50 pm

Follow this for CGNAT and PPPoE: viewtopic.php?f=23&t=176358
 
oxigeno20
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue May 23, 2006 5:29 pm
Location: Argentina

Re: Trying to give PPPoE NAT with private routed WAN

Mon Jun 28, 2021 10:57 pm

Hi @DarkNate, the articles were the key to solving my problems. Thanks.

For the record, I used "NETMAP" instead of "MASQUERADE".
But I haven't used proxy-arp in my setup. It's working without it.

The following rule saved my life:
/ip firewall nat
add action=netmap chain=srcnat comment="NETMAP PPPoE" out-interface=sfp1-Internet src-address-list=Clientes_NAT to-addresses=PUBLIC/32
I don't understand what the difference is between using "srcnat action masquerade" (which wasn't working) and using "Netmap" (which for sure ran perfectly fine from the first moment that I put it in). I want to learn/understand why this way is working.

I tried to post a reply on the author's website (in order to regard him and to learn/understand more about NETMAP). But my post doesn't seem to be there yet. https://www.daryllswer.com/edge-router- ... e-for-isps

Thanks
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: Trying to give PPPoE NAT with private routed WAN

Sat Jul 10, 2021 8:29 pm

Basically

Masquerade = single IP that's dynamic on WAN interface
Src NAT is 1:Many
netmap is 1:1

Your netmap rule is incomplete, where is IPSec passthrough?

But check the blog post, there are some strange results when using src NAT, so the author suggested netmap instead.
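
An added example, not part of the thread: the address arithmetic behind a netmap rule, assuming RouterOS follows the Linux NETMAP target (network bits taken from to-addresses, host bits kept from the original source). The function names and the 203.0.113.0/24 and 198.18.16.0/20 ranges are constructed for illustration; 10.9.0.0/20 is the customer pool from the first post. IPv4 only.

```python
import ipaddress
from collections import defaultdict


def netmap(src: str, to_addresses: str) -> str:
    """Translate one source address the way a NETMAP-style rule does.

    Network bits come from to_addresses; host bits are kept from src.
    (Assumed behaviour, modelled on the Linux NETMAP target.)
    """
    to_net = ipaddress.ip_network(to_addresses, strict=False)
    host_bits = int(ipaddress.ip_address(src)) & int(to_net.hostmask)
    return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


def sharing(src_pool: str, to_addresses: str) -> dict:
    """Group every address in src_pool by the address it is translated to."""
    groups = defaultdict(list)
    for host in ipaddress.ip_network(src_pool, strict=False):
        groups[netmap(str(host), to_addresses)].append(str(host))
    return dict(groups)


if __name__ == "__main__":
    pool = "10.9.0.0/20"  # customer pool from the thread (10.9.1.1/20)
    for target in ("198.18.16.0/20", "203.0.113.0/24", "203.0.113.5/32"):
        groups = sharing(pool, target)
        per_addr = max(len(v) for v in groups.values())
        print(f"{pool} -> {target}: {len(groups)} translated addresses, "
              f"up to {per_addr} customers behind each")
        print("  10.9.3.77 ->", netmap("10.9.3.77", target))
```

Only equal prefix lengths give a true 1:1 mapping; with a /32 in to-addresses there are no host bits left to keep, so every source in the pool is translated to that single address.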
