 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Hotspot and public addresses

Fri Mar 11, 2005 7:11 pm

My first post here, so please don't chew me up :shock:

Here is the scenario I am working with.

Mikrotik Box:
-Ether 1 Public IP 207.xx.xx.56 SN:255.255.255.192 GW:207.xx.xx.62
-Ether 2 Private IP 10.5.50.1

I need to figure out how to pass a local address from the 207 class to clients connected to Ether2 so that they can remotely manage their systems.

The 207/26 class is managed by my Cisco 3640.

I hope that I was clear enough.

--edit--
Authentication is being handled via FreeRadius/MySql
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Mon Mar 14, 2005 3:34 am

Well, let's see, this is a tough one.

My suggestion is to look at bridging the two interfaces and maybe using PPPoE to hand out some static public addresses. It might work, but I am new to PPPoE. Can anyone tell either of us what the pros/cons of a PPPoE session are as compared to PPP?

Newb question:
If I am being authenticated via RADIUS, how is that different from PPPoE?

I hope the first part helps you out.

Signed,
Daiceman's split personality
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Mar 14, 2005 4:25 am

PPPoE or PPTP would work. Both allow you to create tunnels to an endpoint, so as long as your client can get to your endpoint you can assign them any IP address you'd like (whether your network is bridged or routed).

RADIUS allows you to manage users from a central location (server) and grant them access to services such as PPP, PPTP, PPPoE.

Both layer 2 protocols encapsulate packets and have methods of encryption and compression..

*EDIT* Sorry, PPPoE doesn't offer encryption.. that's one of the advantages of using PPTP over PPPoE. Also, when using PPTP the device you have as the endpoint will require more CPU power as it has to encode/decode packets.
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Sat Mar 19, 2005 11:07 pm

Any other ideas for me?
 
savage
Forum Guru
Posts: 1264
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Sat Mar 19, 2005 11:22 pm

dst-nat?
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Sun Mar 20, 2005 1:10 am

Here is what I am looking for:

All the periods are for formatting purposes.


............................................................................................................./ DHCP Pool 10.0.5.0/24
.........................................................................................................../
Cisco 3640 Eth0 207.75.xx.62 ----- 207.75.xx.60 Eth0 Mikrotik Eth1-
...........................................................................................................\
.............................................................................................................\ 207.75.xx.50 End user

Being able to run DHCP and able to provide a public address within the same subnet as Mikrotik Eth0 on Eth1.
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Mon Mar 21, 2005 10:25 am

Do src-nat and dst-nat..

Just add user address in src-nat:

/ ip firewall src-nat
add src-address=10.0.5.x/32 action=nat to-src-address=207.75.xx.50

now

/ ip firewall dst-nat
add dst-address=207.75.xx.50/32 action=nat to-dst-address=10.0.5.x

Like this your client would have a public IP address.

Cheers...
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 7:13 pm

> Do src-nat and dst-nat..
>
> Just add user address in src-nat:
>
> / ip firewall src-nat
> add src-address=10.0.5.x/32 action=nat to-src-address=207.75.xx.50
>
> now
>
> / ip firewall dst-nat
> add dst-address=207.75.xx.50/32 action=nat to-dst-address=10.0.5.x
>
> Like this your client would have a public IP address.
>
> Cheers...

It is not working. I am still getting the MT base IP Address
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Mar 22, 2005 7:23 pm

> > Do src-nat and dst-nat..
> >
> > Just add user address in src-nat:
> >
> > / ip firewall src-nat
> > add src-address=10.0.5.x/32 action=nat to-src-address=207.75.xx.50
> >
> > now
> >
> > / ip firewall dst-nat
> > add dst-address=207.75.xx.50/32 action=nat to-dst-address=10.0.5.x
> >
> > Like this your client would have a public IP address.
> >
> > Cheers...
> It is not working. I am still getting the MT base IP Address

You're still going to get a private IP address 10.xx.xx.xx.. what you need to do is set up 1-to-1 NAT so that the MT maps a public IP address to one of your private IPs. You'll also want to set up a reservation for the users that require static public IPs in the DHCP server so they get the same IP address every time. The solution posted earlier with the src/dst-nat will work. I didn't look over the exact syntax, but essentially that is what you need to do. Check the manual for more examples.
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 7:51 pm

Right, the PC still has the private IP, but when I go to a page that will show me what the world sees, my IP is that of the MT router interface, not the one that I am trying to NAT through. The pages that I am using to look up my IP are http://www.ipchicken.com and iceman.30below.com.

Do I need to add the public IP that I want NATed through to the public interface on the MT?
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 9:07 pm

Update:
I can ping my public NATed PC from outside the MT. This is good - remote access is possible.

But, when I get a report of the IP that I am using, it is still showing 207.75.xx.60 and not 207.75.xx.55. The .55 is the one I am NATing through.

If I look at the NAT rules, my src-nat is showing no packets or bytes, and the dst-nat rule is showing a packet and byte count.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Mar 22, 2005 9:24 pm

> Update:
> I can ping my public NATed PC from outside the MT. This is good - remote access is possible.
>
> But, when I get a report of the IP that I am using, it is still showing 207.75.xx.60 and not 207.75.xx.55. The .55 is the one I am NATing through.
>
> If I look at the NAT rules, my src-nat is showing no packets or bytes, and the dst-nat rule is showing a packet and byte count.

Yeah, double check your src-nat rules... they should look similar to this

0 ;;; SRC-NAT
src-address=[private_IP/32] action=nat to-src-address=[Public_IP]

Also, yes, you will have to add the public IP addresses to the WAN interface of the device doing NAT.
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 9:42 pm

OK here is my config.

/ ip firewall src-nat
add src-address=10.0.4.11/32 action=nat to-src-address=207.75.xx.55 comment="Static for Goomba" disabled=no

/ ip firewall dst-nat
add dst-address=207.75.xx.55/32 action=nat to-dst-address=10.0.4.11 comment="Static for Goomba" disabled=no

/ ip address
add address=207.75.xx.60/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="added by setup" disabled=no
add address=10.0.4.1/23 network=10.0.4.0 broadcast=10.0.5.255 interface=hotspot comment="hotspot network" disabled=no
add address=207.75.xx.55/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="Public for Goomba" disabled=no
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Mar 22, 2005 9:46 pm

Looks fine... I don't know if I mentioned it before, but you're going to want to create a reservation for that private address on your DHCP server (unless you're using static IPs) so that particular user gets the same private IP every time.
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 9:49 pm

Yup, it looks good, but it is still reporting the primary interface, the .60.
If my client needs to have a public IP that works both ways, for remote access to his local server and to connect to a remote server using the same IP, it is not working as needed.

Edit: the src-nat is not doing its job.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Mar 22, 2005 9:51 pm

It shouldn't... have your client reboot his CPE device and then try going to

Http://www.whatismyip.com

Also make sure you clear the cache on the browser...
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 9:56 pm

> It shouldn't... have your client reboot his CPE device and then try going to
>
> Http://www.whatismyip.com
>
> Also make sure you clear the cache on the browser...

Well, right now the client is me and the CPE is my laptop sitting next to me. I did reboot it, made sure the connection was cleared in MT and reconnected. Checked with 3 different IP reporting sites to no avail. Still .60 :twisted:
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Mar 22, 2005 10:05 pm

Hrrmm..

I have a bunch of clients working right now with no problems.. and your configs look fine..

What comes first in your src-nat rules? Put the masquerade rule at the bottom of the list and your src-nat rule at the top.. see if that makes a difference..
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Tue Mar 22, 2005 10:26 pm

I tried moving the rule to the top and no good. Also tried disabling all the other src-nat rules. The only one running is the one I need. Still no good.

I think I will stop for the day. My desk is taking quite a beating from my head.
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Wed Mar 23, 2005 5:33 pm

Hehe, well I think you're in Twilight Zone :)

The example I posted earlier was exactly how it should be...

Just remove

add address=207.75.xx.55/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="Public for Goomba" disabled=no

Try and let us know what happened ;)

Cheers...
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Wed Mar 23, 2005 5:41 pm

> Hehe, well I think you're in Twilight Zone :)
>
> The example I posted earlier was exactly how it should be...
>
> Just remove
>
> add address=207.75.xx.55/26 network=207.75.xx.0 broadcast=207.75.xx.63 interface=internet comment="Public for Goomba" disabled=no
>
> Try and let us know what happened ;)
>
> Cheers...

Done, and still the same.
I can ping my 207.75.xx.55 address and it is really getting to the machine, but if I go to a site that tells me my IP, it is the 207.75.xx.60.

:cry:
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Wed Mar 23, 2005 5:52 pm

Here are my current NAT rules:

[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Static for Goomba
src-address=10.0.4.11/32 action=nat to-src-address=207.75.xx.55

1 ;;; masquerade hotspot network
src-address=10.0.5.0/24 action=masquerade

2 ;;; masquerade hotspot network
src-address=10.0.4.0/23 action=masquerade

[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 dst-address=207.75.xx.55/32 action=nat to-dst-address=10.0.4.11

1 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80

2 ;;; intercept all DNS requests
dst-address=:53 protocol=udp action=nat to-dst-address=12.xx.xx.1

3 ;;; transparent HTTP proxy for hotspot clients
in-interface=hotspot dst-address=:80 protocol=tcp action=redirect
to-dst-port=80
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Wed Mar 23, 2005 8:48 pm

Hello daiceman,

Why not try UPnP? I would have suggested proxy-arp but it will be a problem because you are running a DHCP.

http://www.mikrotik.com/docs/ros/2.8/ip/upnp.content
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Thu Mar 24, 2005 10:14 am

Forget what you see on whatismyip.com etc. Try accessing from some other network; I am sure it will open 207.75.xx.55....
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Thu Mar 24, 2005 6:45 pm

> Forget what you see on whatismyip.com etc. Try accessing from some other network; I am sure it will open 207.75.xx.55....

Right, it does work that way.

BUT, what I am needing is for a machine to be able to be accessed from the internet with a public IP. This is working. Also, the parent company wants to allow that SAME IP to tunnel through their corporate firewall. This is not working; they are seeing the .60 address, not the .55.
 
Alessio Garavano
Member
Posts: 306
Joined: Sat May 29, 2004 12:49 am
Location: Corrientes, Argentina

Wed Mar 30, 2005 10:54 pm

Your problem is here

3 ;;; transparent HTTP proxy for hotspot clients
in-interface=hotspot dst-address=:80 protocol=tcp action=redirect
to-dst-port=80

The action redirect to destination port 80 is not correct; this is the port of the hotspot service. This may be 8080 or 3128 (check your web-proxy service port), and if you are checking on these web pages (http://www.whatismyip.com, etc.) your clients are transparently proxied... try disabling this rule in dst-nat, don't configure the browser to use the web-proxy, and try again...

Regards!
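As an added illustration (not code from this thread or from MikroTik), here is a small Python model of the NAT evaluation that daiceman's rule listing implies. It applies first-match semantics in each chain, which is what wildbill442's advice about putting the 1:1 rule above the masquerade rule relies on, and it models Alessio's diagnosis: a packet that the dst-nat chain redirects to the router's transparent web proxy is re-originated by the proxy from the router's own address, so the client's 1:1 src-nat rule never sees it and the "what is my IP" page reports the .60 address. The addresses 207.75.0.60, 207.75.0.55 and 198.51.100.7 are constructed stand-ins for the thread's masked values, and the Packet/Rule classes and helper functions are my own simplification, not RouterOS APIs.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's masked addresses (207.75.xx.60 / .55)
ROUTER_PUBLIC = "207.75.0.60"    # primary address on the "internet" interface
CLIENT_PUBLIC = "207.75.0.55"    # public address 1:1 mapped to the client
CLIENT_PRIVATE = "10.0.4.11"     # the hotspot client's DHCP-reserved address
HOTSPOT_NET = "10.0.4.0/23"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_interface: str


@dataclass(frozen=True)
class Rule:
    """One NAT rule: every matcher that is set must fit; action is nat/masquerade/redirect."""
    action: str
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    to_address: Optional[str] = None   # to-src-address or to-dst-address


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_address and not _in_net(pkt.src, rule.src_address):
        return False
    if rule.dst_address and not _in_net(pkt.dst, rule.dst_address):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    if rule.in_interface and rule.in_interface != pkt.in_interface:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    # A NAT chain stops at the first rule whose matchers fit, so rule order decides.
    return next((r for r in rules if matches(r, pkt)), None)


def dst_nat(rules: List[Rule], pkt: Packet) -> Tuple[Packet, bool]:
    """Apply the dst-nat chain. Returns (packet, handed_to_a_service_on_the_router)."""
    rule = first_match(rules, pkt)
    if rule is None:
        return pkt, False
    if rule.action == "redirect":
        return pkt, True                      # e.g. the transparent web proxy
    if rule.action == "nat":
        return replace(pkt, dst=rule.to_address), False
    return pkt, False


def src_nat(rules: List[Rule], pkt: Packet) -> Packet:
    """Apply the src-nat chain to a packet leaving via the public interface."""
    rule = first_match(rules, pkt)
    if rule is None:
        return pkt
    if rule.action == "masquerade":
        return replace(pkt, src=ROUTER_PUBLIC)   # masquerade uses the egress address
    if rule.action == "nat":
        return replace(pkt, src=rule.to_address)
    return pkt


def source_seen_by_server(pkt: Packet, dst_rules: List[Rule], src_rules: List[Rule]) -> str:
    """Source address an internet host sees for one hotspot client's packet."""
    pkt, local = dst_nat(dst_rules, pkt)
    if local:
        # The proxy terminates the client's TCP session and opens a new one from the
        # router's own address; that connection no longer carries the client's source,
        # so the 1:1 src-nat rule cannot match it.
        pkt = Packet(ROUTER_PUBLIC, pkt.dst, pkt.proto, pkt.dport, in_interface="")
    return src_nat(src_rules, pkt).src


# Rules mirroring the "print" output posted in the thread
ONE_TO_ONE_OUT = Rule("nat", src_address=CLIENT_PRIVATE + "/32", to_address=CLIENT_PUBLIC)
MASQUERADE = Rule("masquerade", src_address=HOTSPOT_NET)
ONE_TO_ONE_IN = Rule("nat", dst_address=CLIENT_PUBLIC + "/32", to_address=CLIENT_PRIVATE)
PROXY_REDIRECT = Rule("redirect", in_interface="hotspot", proto="tcp", dst_port=80)


def client_packet(dport: int) -> Packet:
    # Constructed: the 1:1 client talking to an arbitrary internet host
    return Packet(CLIENT_PRIVATE, "198.51.100.7", "tcp", dport, "hotspot")


if __name__ == "__main__":
    thread_dst = [ONE_TO_ONE_IN, PROXY_REDIRECT]
    thread_src = [ONE_TO_ONE_OUT, MASQUERADE]
    print("HTTP with proxy redirect:", source_seen_by_server(client_packet(80), thread_dst, thread_src))
    print("HTTPS (no redirect)     :", source_seen_by_server(client_packet(443), thread_dst, thread_src))
    print("HTTP, redirect disabled :", source_seen_by_server(client_packet(80), [ONE_TO_ONE_IN], thread_src))
    print("masquerade listed first :", source_seen_by_server(client_packet(443), [ONE_TO_ONE_IN], [MASQUERADE, ONE_TO_ONE_OUT]))
```

Running it shows the thread's symptom directly: port 80 traffic reports the .60 address while the redirect rule is active, port 443 traffic from the same client already reports .55, and disabling the redirect fixes port 80 as well. The last line shows why rule order matters: with masquerade above the 1:1 rule, the client is masqueraded to .60 even without any proxy involved.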
 
daiceman
Frequent Visitor
Topic Author
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Wed Mar 30, 2005 11:56 pm

Thanks for all the info. I will try the last option. What I have configured is hotspot for all the normal clients, and now I have PPPoE set up for the clients that need publicly accessible addresses.
 
Alessio Garavano
Member
Posts: 306
Joined: Sat May 29, 2004 12:49 am
Location: Corrientes, Argentina

Thu Mar 31, 2005 3:20 am

I have hotspot with DHCP leasing public IP addresses to my clients. I have a bridge which is linking the public interface and the hotspot interface, and I only have 1 public IP address on the bridge interface... I have had this for 2 years and it works perfectly... remember to wait at least 30 seconds for the bridge interface to learn the network...
Regards, and sorry for my bad English
Alessio
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Thu Mar 31, 2005 11:17 pm

> Your problem is here
>
> 3 ;;; transparent HTTP proxy for hotspot clients
> in-interface=hotspot dst-address=:80 protocol=tcp action=redirect
> to-dst-port=80
>
> The action redirect to destination port 80 is not correct; this is the port of the hotspot service. This may be 8080 or 3128 (check your web-proxy service port), and if you are checking on these web pages (http://www.whatismyip.com, etc.) your clients are transparently proxied... try disabling this rule in dst-nat, don't configure the browser to use the web-proxy, and try again...
>
> Regards!

Completely agree. I have just entered the proxy and I also get the gateway's IP address...

Cheers...
