I am running v 3.9 and would like to figure out how to NAT some customers and not NAT others based on IP address. Here is the setup: Using PPPoE Server to hand out public and private IP addresses based on username and password, but all customers are behind the firewall, so they all appear to be coming from the same IP address. What I would like to do is leave the firewall alone for the private IP address people, it's working ok. I used the srcnat rules listed in the mikrotik manual and they work fine. But now, I want to take all the people behind the firewall with public IP addresses and bypass NAT so that they go out on the internet with their own public IP. I'm sure I haven't given enough information to get this done, so I will gladly answer questions if you can help me.

/ip firewall nat add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.0.0/24

Where src-address is the subnet you want NATed

Actually, I was more looking for the solution provided on this topic:

http://forum.mikrotik.com/viewtopic.php?f=2&t=22671

I am going to attempt to use OSPF and then run the PPPoE server to hand customers a public or a private IP address. I will let people know if this works later today.

Edit: I am just trying to understand OSPF - have been told this is the solution that would work best, but I do not understand how to set it up. I will upload a basic network diagram image of what I'm trying to do.

Here is the network diagram with some basic explanation. Right now, we have a linux box running iptables and dhcp for the private customers, and a linux box with bridging enabled for the public IP customers. We just go to the customers router and enter in the IP, subnet, and gateway information manually for public. We are getting too large for that. We want to enable the PPPoE server to hand out public or private based on their username and then the public IP address people can get access to their router/firewall/webserver/whatever just by typing in their IP address. I don't want to do 1:1 NAT, and OSPF seems to be the way to go, but I cannot get it configured correctly in my test environment. I can set up the PPPoE properly to hand out private addresses, and set up the firewall rules to correctly allow this, but I cannot set up OSPF and the PPPoE server to work for the Public customers.

Ok, I'm going to post my test configuration start to finish and just strip out parts of the public IP addresses or anything that's not useful. Then I add the DNS settings via winbox, because I was lazy. Right after that, I set up an OSPF area: Here's where I get confused as to what to add. Does the public IP address range get added to the pppoe area or backbone? I've tried the following in every combination with no success: and/or When I do all this, I get test_priv username and password to connect just fine from a Windows XP machine. I can surf the internet, check my email, and my public facing IP address comes from X.X.109.2

I can get PPPoE authentication correctly from test_pub, but I cannot surf the internet or even ping X.X.109.1 when connecting to the public PPPoE profile. What am I doing wrong? I just can't figure it out because I've never set up anything like this before.

Just a FYI, we can help you with this config. We are only out of St. Louis.. http://www.linktechs.net

Are you going to help us or "help" us? I am familiar with you guys, and we would like to buy one of the units you sell when we get large enough, but for now, I just need free message board support because I'm running this under test conditions only. Can you offer any pointers at this time or do I have to get a contract with you?

You don't need to buy one of our PowerRouters to be able to get support from us. We offer hourly and contract rates for Mikrotik / Network Support. We are one of the larger Mikrotik Consulting companies around, and 90% of our business is nothing but consulting.

BTW, we got your message. I will have a guy call you as soon as passable!

kccoyote -
Since you do not understand OSPF you should start with static routing.... Once you understand that you will know what OSPF does and then it's only a short jump to understand HOW OSPF does it....

Great pictures with your post...I did not see any routing information with the post - and I suspect that is probably the issue.


R/

Since I want this network to expand quickly, I just decided to understand OSPF. I finally got it working when I worked backwards - first get public IP's to work and then private IP addresses are easy enough. I was going about it all wrong (not the technical stuff, just the visualization stuff) so I went ahead and defaulted my configuration and used Winbox to get it working, so I could visualize in my mind what was happening. Here are the steps I took from start to finish (with the public IP's stripped out).

Step 1
IP > Addresses, then click +
Address: X.X.108.18/28
Network: X.X.108.16
Broadcast: X.X.108.31
Interface: ether1 (this is the public facing network card)
Step 2
Routing > OSPF, then click Areas tab, then click +
Area Name: public110
Area ID: 0.0.0.110
Type: default
Authentication: none
Step 3
Click Networks tab, then click +
Network: X.X.110.0/24
Area: public110
Step 4
Click Area Ranges tab, then click +
Area: public110
Range: X.X.110.0/24
Cost: default
check box Advertise
Step 5
IP > Pool, then click +
Name: public110
Addresses: X.X.110.10-X.X.110.249
Next Pool: none
Step 6
PPP, then Profiles tab, then +
Under General tab
Name: public_110
Local Address: X.X.110.1
Remote Address: public_110
DNS Server:blah blah
Under Limits tab
Rate Limit (rx/tx): 1024000/1024000
Step 7
Under Secrets tab, click +
Name: username
Password: password
Service: pppoe
Profile: public_110
Step 8
Under PPPoE Servers tab, click +
Service Name: public_internet
Interface: ether2 (private facing network card)
Max MTU: 1480
Max MRU: 1480
Default Profile: public_110
Check box One Session Per Host
Check box Authentication pap only

This makes the public IP addresses work. I then just went through the steps I did before (testing the public at each turn) to get the private addresses working. I will post again if I have any problems integrating the public and private networks. The reason this was so complicated for me to understand is that we switched from T1's to Fiber where the T1 providers would have some kind of Cisco, etc box at the gateway and we would just punch into our devices the IP, Subnet, Gateway, DNS, and boom it would work. This is the first time we've had to route our own network, and it was a learning experience. I hope someone else can learn from this, I might try and make a video of what I did to get a free key. Just made me realize how powerful Mikrotik is!

1. in setp 6 ,does it work if my Local Address be private ip address ?
2. you have two public subnets . if the our public ip and pppoe private ip is in one range ( for example all in a /25 ) how should setup to work without proxy arp ?

thanks

not working