Community discussions

 
ntmanxp
just joined
Topic Author
Posts: 21
Joined: Fri Feb 15, 2008 9:04 pm

Pools with public IP in trouble

Wed Jun 18, 2008 9:35 pm

Hi!
I have set up 3 MT as PPPoE Servers ( Access Concentrator )
Each one has Public IP Pools, and Private IP Pools ( in case no more public address available ).
There are 5 PPPoE Servers listening on each ( interface named '1'), one in the default VLAN, and one more per VLAN.
All of them take an IP from the same pool, Public first, private later.
But, with users receiving any Public IP from the pool, some strange things happen, ie: logging to any FTP site, the 'dir' command is unsuccessful. Also, using any VPN, after connecting each side, no traffic there!. :?

Using torch ( having OS 3.10 :) ) I saw for the ftp example, that the ftp (21) is ok, can log in to FTP Server, but the ftp-data(20) is pointing to the local-address of the profile in ppp setup and cannot 'dir'! :shock:

In case the user get any Private IP, this behavior is not reflected, and he can 'dir' any FTP site.

Follows my setup:

[uTik-PPP1] > interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP
0 R WAN 1500 00:04:61:92:43:B9 proxy-arp
1 X OnBoard2 1500 00:04:61:92:43:BA enabled
2 R 1 1500 00:0A:5E:5A:38:8C enabled

[uTik-PPP1] /interface> print
Flags: X - disabled, R - running, D - dynamic, S - slave
# NAME TYPE MTU
0 R ;;; Vlan 201 - DSLAMs Norte
201 vlan 1500
1 R ;;; Vlan 101 - DSLAM 9201-1 Centro
101 vlan 1500
2 R ;;; Vlan 251 - DSLAMs Oeste
251 vlan 1500
3 R ;;; Vlan 102 - DSLAM 9210-2 Centro
102 vlan 1500
4 R WAN ether 1500
5 X OnBoard2 ether 1500
6 R 1 ether 1500

[uTik-PPP1] /interface> pppoe-server server print
Flags: X - disabled
0 service-name="PPPoE_1_1" interface=1 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=default

1 service-name="PPPoE_1_201" interface=201 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=300 default-profile=Default_201

2 service-name="PPPoE_1_101" interface=101 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=Default_101

3 service-name="PPPoE_1_251" interface=251 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=200 default-profile=Default_251

4 service-name="PPPoE_1_102" interface=102 max-mtu=1480 max-mru=1480
mrru=disabled authentication=pap,chap keepalive-timeout=10
one-session-per-host=yes max-sessions=400 default-profile=Default_102


[uTik-PPP1] /ppp> profile print
Flags: * - default
0 * name="default" local-address=172.21.1.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.42,XXX.251.1.34

1 name="remoto1" local-address=172.21.2.1 remote-address=Priv_Res_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=default
rate-limit=512k/1024k

2 name="Default_101" local-address=172.21.101.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.42,XXX.251.1.34

3 name="Default_102" local-address=172.21.102.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42

4 name="Default_201" local-address=172.21.201.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42

5 name="Default_251" local-address=172.21.251.1 remote-address=Pub_Dyn_01
use-compression=default use-vj-compression=default
use-encryption=default only-one=yes change-tcp-mss=yes
dns-server=XXX.251.1.34,XXX.251.1.42

6 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes

[uTik-PPP1] /interface> /ip pool print
# NAME RANGES
0 Priv_Res_01 172.21.1.5-172.21.1.254
1 Pub_Ciber_01 XXX.252.255.45
2 Priv_Res_02 172.21.2.5-172.21.2.254
3 Pub_Dyn_00 XXX.251.139.1-XXX.251.139.62
4 Pub_Fijas_01 XXX.252.255.0/26
5 Priv_Res_101_1 172.21.101.5-172.21.101.254
6 Priv_Res_102_1 172.21.102.5-172.21.102.254
7 Priv_Res_101_2 172.21.103.5-172.21.103.254
8 Priv_Res_102_2 172.21.104.5-172.21.104.254
9 Priv_Res_201_1 172.21.201.5-172.21.201.254
10 Priv_Res_201_2 172.21.202.5-172.21.202.254
11 Priv_Res_251_1 172.21.251.5-172.21.251.254
12 Pub_Dyn_02 XXX.251.21.2-XXX.251.21.254
13 Pub_Dyn_01 XXX.136.0.2-XXX.136.0.254
14 Priv_Res_03 172.21.3.5-172.21.3.254
15 Priv_Res_04 172.21.4.5-172.21.4.254

[uTik-PPP1] /interface> /ip address print where ! dynamic
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 X ;;; PA NOSOTROS
172.16.1.1/27 172.16.1.0 172.16.1.255 (unknown)
1 ;;; PUBLICA WAN (TASA)
XXX.251.1.35/24 XXX.251.1.0 XXX.251.1.255 WAN
2 X ;;; MANAGE
192.168.0.38/24 192.168.0.0 192.168.0.255 (unknown)
3 ;;; POOL 1 Clientes Default VLAN
172.21.1.1/24 172.21.1.0 172.21.1.255 1
4 ;;; POOL 2 Clientes Default VLAN
172.21.2.1/24 172.21.2.0 172.21.2.255 1
5 ;;; POOL 1 Clientes VLAN 101
172.21.101.1/24 172.21.101.0 172.21.101.255 1
6 ;;; POOL 1 Clientes VLAN 102
172.21.102.1/24 172.21.102.0 172.21.102.255 1
7 ;;; POOL 2 Clientes VLAN 101
172.21.103.1/24 172.21.103.0 172.21.103.255 1
8 ;;; POOL 1 Clientes VLAN 201
172.21.201.1/24 172.21.201.0 172.21.201.255 1
9 ;;; POOL 2 Clientes VLAN 201
172.21.202.1/24 172.21.202.0 172.21.202.255 1
10 ;;; POOL 1 Clientes VLAN 251
172.21.251.1/24 172.21.251.0 172.21.251.255 1
11 ;;; POOL 2 Clientes VLAN 102
172.21.104.1/24 172.21.104.0 172.21.104.255 1
12 ;;; Pool Publico 1 All VLANs
XXX.136.0.1/24 XXX.136.0.0 XXX.136.0.255 1
13 ;;; POOL 3 Clientes Default VLAN
172.21.3.1/24 172.21.3.0 172.21.3.255 1
14 ;;; POOL 4 Clientes Default VLAN
172.21.4.1/24 172.21.4.0 172.21.4.255 1
15 ;;; Pool Publico 2 All VLANs
XXX.251.21.1/24 XXX.251.21.0 XXX.251.21.255 1

[uTik-PPP1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Las IPs Publicas no usan Masquerade, salen antes de aca.
chain=srcnat action=return src-address-list=IPs_Publicas_01
1 X chain=dstnat action=log dst-address-list=IPs_Publicas_01
log-prefix="a ver---"
2 X ;;; Las IPs Privadas, usan Masquerade para salir.
chain=srcnat action=masquerade
3 chain=srcnat action=masquerade src-address=172.21.1.0/24
4 chain=srcnat action=masquerade src-address=172.21.2.0/24
5 chain=srcnat action=masquerade src-address=172.21.3.0/24
6 chain=srcnat action=masquerade src-address=172.21.4.0/24
7 chain=srcnat action=masquerade src-address=172.21.101.0/24
8 chain=srcnat action=masquerade src-address=172.21.102.0/24
9 chain=srcnat action=masquerade src-address=172.21.103.0/24
10 chain=srcnat action=masquerade src-address=172.21.104.0/24
11 chain=srcnat action=masquerade src-address=172.21.201.0/24
12 chain=srcnat action=masquerade src-address=172.21.202.0/24
13 chain=srcnat action=masquerade src-address=172.21.251.0/24

Thanks in advance!
 
User avatar
Giepie
Member
Member
Posts: 431
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa
Contact:

Re: Pools with public IP in trouble

Sun Jul 06, 2008 4:02 pm

Why not use different IP Pools, one for Public IPs and one for Local IPs. In Usermanager (or your RADIUS server), specify from what pool the user needs to get an IP address.

I tried figuring out what exactly it is you wish to accomplish by reading all your settings. Is there any specific reason for doing it the way you do it?
The only thing Mikrotik lack, is to send power to your High Sites wirelessly.....

Who is online

Users browsing this forum: No registered users and 86 guests