Hi everyone, i'm stucked with a project.
I want to use a public IP block that i own in one other site in a dynamic IP LTE mikrotik
Public IP range: 1x.168.109.0/27
CHR core: 1x.168.109.25
Public IP block that i want to asssign to LTE router:1x.168.109.28/30
Public IP remote LTE Mikroitk: 1x.168.109.29/30
Public IP remote device under LTE Mikroitk: 1x.168.109.30/30 with default gateway 1x.168.109.29

The routers are connected via SSTP.

Remote router with IP 1x.168.109.29 works perfectly, but i can't reach in any way the 1x.168.109.30

Those are the routers config:

Can u help me to reach the 1x.168.109.30 from WAN?


Traceroute from CHR:
tool traceroute 1x.168.109.30
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 10.0.2.2 0% 3 39.7ms 58.5 39.7 74 14.2
2 1x.168.109.30 0% 3 55.9ms 77 55.9 98 21.1


Thanks

Since you are using a subnet inside of a larger subnet that already has an IP inside the /27, you'll probably need to enable Proxy ARP on the interface that 1x.168.109.25/27 is configured on - this can sometimes cause a brief loss of reachability, so be sure that you have OOB access to the CHR.

Essentially when traffic comes in following the route for the /27, it will attempt to find an ARP entry for 1x.168.109.28/30 on the interface the /27 is configured on at the CHR because the /30 subnet is inside of the /27. Unless proxy arp is enabled, it won't follow the routing table to get to the /30.

Hi,

i think the static arp entry with the published checkbox checked should be engoth. No need for a arp proxy.

From the arp wiki page

Static proxy-arp entry for individual IP address. When an ARP query is received for the specific IP address, the device will respond with its own MAC address. No need to set proxy-arp on the interface itself for all the MAC addresses to be proxied. The interface will respond to an ARP request only when the device has an active route towards the destination

Are you unable to reach 1x.168.109.30 form internet or from the CHR? I think the routing should be fine because you can reach 1x.168.109.29. I think the problem is the routing path back to the CHR for the ip 1x.168.109.30. Maybe you can check with the torch tool on ether1 on the LTE router, which packets are sent and received.

For me the mangle rules are wrong. You should use the prerouting chain because in the output chains the routing decision is already done (diagram)

Thank you for your answer, i've enable the proxy arp on the ether2 (1x.168.109.25/27) nothing changes, i can't reach the .30 :(

Hi,

i think the static arp entry with the published checkbox checked should be engoth. No need for a arp proxy.

From the arp wiki page

Static proxy-arp entry for individual IP address. When an ARP query is received for the specific IP address, the device will respond with its own MAC address. No need to set proxy-arp on the interface itself for all the MAC addresses to be proxied. The interface will respond to an ARP request only when the device has an active route towards the destination

Are you unable to reach 1x.168.109.30 form internet or from the CHR? I think the routing should be fine because you can reach 1x.168.109.29. I think the problem is the routing path back to the CHR for the ip 1x.168.109.30. Maybe you can check with the torch tool on ether1 on the LTE router, which packets are sent and received.

For me the mangle rules are wrong. You should use the prerouting chain because in the output chains the routing decision is already done (diagram)

Thanks! I can't reach the .30 from internet but i can reach it from CHR, with prerouting i can ping .29 but the path is wrong, i can't use any tcp connection, i'm pretty new with mikrotik so i think that i'm wrong with mangle.

From CHR:
ping 1x.168.109.30
SEQ HOST SIZE TTL TIME STATUS
0 1x.168.109.30 56 254 27ms
The torch on the remote LTE
SRC 10.0.2.1 DST 1x.168.109.30

From Internet tracert
7 17 ms 18 ms 17 ms 1x.168.109.25
8 83 ms 115 ms 57 ms 10.128.0.80 this is the LTE interface
Torch of LTE router
SRC mywanip DST 1x.168.109.30

I really don't know where i'm wrong

Finally it work,
was missing this:

yeah such a prerouting rule will do the trick. I don't know your full setup but in my obinen the two output rules a useless.

For incoming packets you can route everything with the main routing table because 1x.168.109.28/30 is locally connected. No need for a mangle rule.
But for packets heading outwards, you need policy based routing otherwise the packets from 1x.168.109.30 will use the default route in the main table.

yeah such a prerouting rule will do the trick. I don't know your full setup but in my obinen the two output rules a useless.

For incoming packets you can route everything with the main routing table because 1x.168.109.28/30 is locally connected. No need for a mangle rule.
But for packets heading outwards, you need policy based routing otherwise the packets from 1x.168.109.30 will use the default route in the main table.

The first output mangle is for force all traffic through the VPN and i have exluded only the SSTP server, for the second one i agree with u, but without it, the tracert of the.30 goes to .25 and back to .29 so the only way that i found to reach the .30 directly is using mangle.