marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

proxy-arp assistance.

Sat Jul 23, 2005 12:23 am

We have this setup.

Dual-wan router with a 5 ip block.

Mikrotik RouterOS with following bridges below:

Bridge1: ether0, wlan1, wlan2, wlan3, wlan4, wlan5
bridge1: 192.168.0.70/16

We need to give external ip's to 3 customers that we will be providing backhaul connections to and they really require non-nat solution for their secure billing software to work properly. Only route I know of doing this over several wireless bridges is to use proxy-arp. I was going to configure like this:

Provider to switch, Xincom dual wan router to switch, mikrotik routerOS to switch with proxy-arp enabled on all the wireless side. What do I need to set up for proxy-arp? Do I need any forwarders, besides proxy-arp enabled on the bridge to the client?

What I have to first client is:

Mikrotik RouterOS: 192.168.0.70/16
Bridge to first tower by WDS with RouterOS: 192.168.0.71/16
Bridge to customers tower with RouterOS: 192.168.0.73/16

Customers switch to have external address for example: 66.15.99.195/24

I understand that the router ether0 will have to have external ip like 66.15.99.194/24 but would it just be on ether0 or would it be a bridge IP? Also will this interfere with all the other wireless on this server that is being natted since it's all a single bridge going to point-to-points and AP links?

Anyone able to help me with proxy-arp?
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Sun Jul 24, 2005 6:09 am

Well, to start with, you do not need to do anything to pass an IP address over a bridge. A bridge is a layer 2 device and will pass data regardless of protocol, IP or otherwise. The only reason you have IP addresses assigned to bridges is to manage them.

Apart from that, I do not understand your setup. Can you explain it again, perhaps ignoring bridges to simplify things?

All that proxy-arp does is make a router interface respond to ARP requests for any IP address that is in its routing table. So, if you want an address to just traverse a router, put a static routing entry in for that address and the interface you want it to go out of, then enable proxy ARP.

'Hope that helps.
Guy

wispuk.org
A Forum Community for UK WISPs
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Sun Jul 24, 2005 9:49 am

ok we have a two wan router. Each with its own block of IP's so I have a static ip set to the router itself 66.15.99.x on wan 2.

router wan 2: 66.15.99.192/24
router lan: 192.168.0.1/16

mikrotik router: 192.168.0.70/16

customer needs to get ip 66.15.99.195 as their static. From what I am understanding I will need to assign say 66.15.99.193/24 to the ethernet side and turn on proxy-arp.

And from what I understand from your example I then would put a static router indicating that 66.15.99.195 goes out say wlan1 and have the customer put that ip in their equipment end. correct?

Now the question I have is this.

wlan1, wlan2, wlan3, wlan4, wlan5, ether0 are all bridged on bridge1 with a single ip 192.168.0.70/16.

Now when I proxy-arp do I proxy-arp the bridge1 itself or do I just proxy arp the individual wlans?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jul 24, 2005 12:48 pm

marvin,

can't you just subnet the 66.15.99.0/24 that's currently completely on the WAN side of your router,
let's say split it into 66.15.99.0/25 and 66.15.99.128/25 and only use 66.15.99.0/25 on the WAN side
while you then can route addresses from 66.15.99.128/25 on the LAN / wireless side? That way
you'll get rid of all that proxy-arp business.
I never understand why people tend to fiddle so much with NAT and proxy-arp and all that stuff.
If a customer wants static, official addresses, route them static official addresses for heaven's sake...

--Tom
 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Sun Jul 24, 2005 10:15 pm

We don't have the entire class C it's just how our provider is routing.. We have a small block of IP's with a subnet of class C tho.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Jul 24, 2005 11:32 pm

> We don't have the entire class C it's just how our provider is routing.. We have a small block of IP's with a subnet of class C tho.

Ok, so ask your provider to assign an additional network (of the size that your wireless customer
would like to use) to you and have it routed by your provider via your existing connection, using your
router as the gateway (from the provider's point of view).

--Tom
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Mon Jul 25, 2005 4:13 pm

> ok we have a two wan router. Each with its own block of IP's so I have a static ip set to the router itself 66.15.99.x on wan 2.
>
> router wan 2: 66.15.99.192/24
> router lan: 192.168.0.1/16
>
> mikrotik router: 192.168.0.70/16
>
> customer needs to get ip 66.15.99.195 as their static. From what I am understanding I will need to assign say 66.15.99.193/24 to the ethernet side and turn on proxy-arp.
>
> And from what I understand from your example I then would put a static router indicating that 66.15.99.195 goes out say wlan1 and have the customer put that ip in their equipment end. correct?
>
> Now the question I have is this.
>
> wlan1, wlan2, wlan3, wlan4, wlan5, ether0 are all bridged on bridge1 with a single ip 192.168.0.70/16.
>
> Now when I proxy-arp do I proxy-arp the bridge1 itself or do I just proxy arp the individual wlans?

Yes, this is correct, though you do not say what side of the MT is assigned 192.168.0.70/16; I assume it is the upstream port (by the way, why are you using /16, do you have 65,000 devices on your network?). I do not believe you can put wlan1 in the routing table if it is assigned to a bridge. The bridge interface must be put into the routing table as the gateway. The ARP request for the packet to be sent will go to all interfaces assigned to the bridge. On your last question, I believe you can only enable proxy-arp on the bridge interface, not individual physical interfaces assigned to the bridge, though I am not sure.
Guy

 
marvin
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Tue Jul 26, 2005 5:10 pm

GJS, No the reason we had to use /16 is we have a BMU unit that has separate class C ip's for Infrastructure, Internal Network, Hotspot Gateway, and Clients. To tie them together the company had to make the BMU a /16 and to keep proper communication for the router to be able to communicate with all 4 ip's it had to be a /16 also. Powernoc the BMU company first tried 4 separate class C with /24 but it had serious issues and they had to bridge them with Class B range.

Now I originally assigned the ip address 192.168.0.70/16 to the ether0 but since all are bridged now it's assigned to the bridge itself. Is that wrong to do? Should it just remain on the ether0?
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed Jul 27, 2005 10:09 am

> We need to give external ip's to 3 customers that we will be providing backhaul connections to and they really require non-nat solution for their secure billing software to work properly.

1:1 NAT should work fine for this.. the customer sets a static private IP address and a public IP is mapped to that private address. You have to set SRC and DST NAT up properly for this to work. The client's billing software will send/receive requests from a public IP address and it won't know the difference. You could also do PAT and just forward the required ports.

If you do use 1:1 NAT the packets will still be processed by your firewall rules so make sure you're not blocking the ports they require, or just set up a rule to allow all traffic to that specific client and leave it up to them to do their own firewalling.

Proxy ARP really wasn't designed to be used as you're trying to, and is more of a security risk because it allows users to use an unauthorized IP address to gain access to your network. Proxy ARP was designed to ease migration of large scale networks to new IP schemes.. like say your ISP had to move you from 121.52.39.0/24 to 121.52.40.0/24... then you could enable proxy arp to slowly migrate your network to the new ip scheme with little downtime.
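
Added example, not written by any poster in this thread and not RouterOS code: a small Python model of the rule GJS describes (an interface with proxy-arp answers ARP for addresses the routing table reaches through a different interface). It shows how the width of the static route decides which addresses the router will answer for, which is the scope to keep tight given the concern wildbill442 raises. The two-interface layout (ether0 facing the provider LAN with 66.15.99.193/24, bridge1 facing the customer) and all class and function names are assumptions made for illustration.

```python
import ipaddress


class Router:
    """Toy model of the proxy-ARP rule discussed in the thread (hypothetical names)."""

    def __init__(self, own_addresses):
        self.own = {ipaddress.ip_address(a) for a in own_addresses}
        self.routes = []        # list of (network, outgoing interface)
        self.proxy_arp = set()  # interfaces with proxy-arp enabled

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, addr):
        """Longest-prefix match; returns the outgoing interface or None."""
        hits = [(net.prefixlen, ifc) for net, ifc in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def proxies_for(self, in_interface, target):
        """True if an ARP request for target, heard on in_interface, is answered
        by the router on behalf of a host behind another interface."""
        addr = ipaddress.ip_address(target)
        if in_interface not in self.proxy_arp or addr in self.own:
            return False
        out = self.lookup(addr)
        return out is not None and out != in_interface


def build_router(customer_route):
    # Assumed layout: ether0 faces the provider LAN, bridge1 faces the customer.
    r = Router(own_addresses=["66.15.99.193"])
    r.add_route("66.15.99.0/24", "ether0")   # connected route from 66.15.99.193/24
    r.add_route(customer_route, "bridge1")   # static route toward the customer
    r.proxy_arp.add("ether0")
    return r


def claimed(router, in_interface, block):
    """Addresses in block that the router would proxy for on in_interface."""
    return [str(h) for h in ipaddress.ip_network(block).hosts()
            if router.proxies_for(in_interface, str(h))]


if __name__ == "__main__":
    # A /32 route exposes one address; a /29 route exposes the whole block.
    print(claimed(build_router("66.15.99.195/32"), "ether0", "66.15.99.192/29"))
    print(claimed(build_router("66.15.99.192/29"), "ether0", "66.15.99.192/29"))
```

With the /32 route the router proxies only for 66.15.99.195; with the /29 route it answers for every other host address in the block, whether or not a customer has been assigned it.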
