ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Static IP

Tue Jan 26, 2021 7:53 am

Hello,

I have several ISPs and they are connected to a switch. I just created VLANs for each ISP on the CCR1036 and added the public IP addresses and assigned them to the interface I created for each ISP.

I then do src-nat for most of my clients who get their IP from a DHCP server and are assigned a private IP address like 192.x.y.z.

I have one client who wants to put their own firewall and be assigned a public IP address. Any idea on the simplest way to do this?

Thanks.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Wed Jan 27, 2021 5:49 pm

Anyone have any ideas on this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static IP

Wed Jan 27, 2021 6:04 pm

Some more info would help. Things like if you have spare public IP address, how exactly you get it from ISP, etc.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Thu Jan 28, 2021 11:51 am

Hi Sob,

They gave us a /28 IP subnet. That entire subnet will be given to the client and they can do what they want with all the IP addresses.

The line of the ISP is plugged into our switch, which I assigned a VLAN to, then I created an interface for that ISP and VLAN also on the Mikrotik. The Mikrotik is also connected to the switch.

I then created a route under IP routes in Mikrotik and pointed it to their gateway.

Thanks.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static IP

Thu Jan 28, 2021 3:22 pm

Sorry, I can't say that it's very clear. But if ISP gave you (= routed to you) /28, and you want to give the whole thing to your client, then just route it further. Use existing connection to client and their router as gateway:
/ip route
add dst-address=x.x.x.x/28 gateway=<address of client's router>
Then make sure it's not blocked by firewall, and that should be it.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Fri Jan 29, 2021 2:46 am

Hi Sob,

Sorry if I'm not explaining it well. Let me try to be a bit more.

We have around 5 ISP lines. The ISP line I want to assign to my client connects to my switch and I assign them VLAN 10. I have a cable from my Mikrotik going to the switch and connected to a trunk port.

Currently this is how I do it.

My client who is on the 7th floor is connected to our network by connecting to a switch on that floor and is on VLAN 700.

I also create an interface on Mikrotik and assign it VLAN 700. I create an address 192.168.1.254 (gateway of client) and assign it to the interface/vlan 700. I then add the addresses the ISP assigned me 103.x.y.z/28 to Mikrotik and assign them to VLAN 10.

I create my firewall nat and src-nat the public ip to the ip address range 192.168.1.0/24.

So what I want to do now is have the ISP connect as they are now but I don't want to NAT the client anymore since they have their own equipment now and would like the public ip assigned directly to their firewall. I can still use some of the IP addresses given by ISP on my Mikrotik and assign the remaining to client so as to make the config work.

Hope this helps a bit more.

Thanks much.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static IP

Fri Jan 29, 2021 3:15 am

The important part here is how ISP handles this /28. Is it:

a) Routed to you. ISP on their router did (in RouterOS terms) "/ip route add dst-address=x.x.x.x/28 gateway=<your router>".
b) Assigned as subnet between you and ISP. ISP on their router did "/ip address add address=x.x.x.a/28 interface=<to-ftan>", you use x.x.x.a as gateway and the rest of addresses in /28 are yours.

If it's a), then you're free to use all addresses in /28 any way you want:

- keep 192.168.1.x subnet and route a single public address to their router
- use PPPoE to give them this address
- use point-to-point /32 addresses (not everything supports that)
- take /30 from /28 and use it as subnet between you and client (far from ideal, because you'd waste three public addresses)

If it's b), then you can use all that as with a), you'd just need to enable proxy ARP on WAN interface. Or you could skip VLAN 700 and add customer's port to VLAN 10 and let them take address directly from ISP. But that would probably require some bridge filters, to make sure that they don't do something they shouldn't.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Static IP

Fri Jan 29, 2021 3:21 am

I think I'm interpreting your requirements differently than Sob, so don't mix our suggestions together.

Is the following what you're trying to do?

ISP1 --> ether1
ISP2 --> ether2
ISP3 --> ether3
ISP4 --> ether4
ISP5 --> ether5 (ISP5 is for the client in question and is dedicated to that client)

ether6 --> Trunk to another switch, so "The Client" is sharing this trunk with other clients.
-VLan700 (the vlan for the "The Client")


If the above is what you're trying to do, then I think you'd bridge ether5 with vlan700 and not do any routing at all. Don't assign IPs to the bridge, ether5 or vlan700. No src-nat and no firewall rules. Then they'd have access to ISP5 as if they were plugged directly into it.

The remote switch would be similar.

ether5 --> Port to client provided router
ether6 --> Trunk from 1st switch
-VLan700

Bridge ether5 with vlan700
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Fri Jan 29, 2021 7:30 am

> The important part here is how ISP handles this /28. Is it:
>
> a) Routed to you. ISP on their router did (in RouterOS terms) "/ip route add dst-address=x.x.x.x/28 gateway=<your router>".
> b) Assigned as subnet between you and ISP. ISP on their router did "/ip address add address=x.x.x.a/28 interface=<to-ftan>", you use x.x.x.a as gateway and the rest of addresses in /28 are yours.
>
> If it's a), then you're free to use all addresses in /28 any way you want:
>
> - keep 192.168.1.x subnet and route a single public address to their router
> - use PPPoE to give them this address
> - use point-to-point /32 addresses (not everything supports that)
> - take /30 from /28 and use it as subnet between you and client (far from ideal, because you'd waste three public addresses)
>
> If it's b), then you can use all that as with a), you'd just need to enable proxy ARP on WAN interface. Or you could skip VLAN 700 and add customer's port to VLAN 10 and let them take address directly from ISP. But that would probably require some bridge filters, to make sure that they don't do something they shouldn't.

Hi Sob,

I believe it's option B. They gave us e.g. 103.1.1.0/28; our gateway is 103.1.1.1. The usable IP addresses are 103.1.1.2 - 103.1.1.14. I can either give them all the IPs or use one or 2 on our equipment if that is needed.

I was thinking of putting the VLAN of the ISP on the same VLAN but I wanted them to still pass through the Mikrotik and not really change the current setup in the building.

I'm not familiar with proxy ARP. Do I just enable it on the VLAN interface I created for the ISP?

Thanks.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Fri Jan 29, 2021 8:00 am

> I think I'm interpreting your requirements differently than Sob, so don't mix our suggestions together.
>
> Is the following what you're trying to do?
>
> ISP1 --> ether1
> ISP2 --> ether2
> ISP3 --> ether3
> ISP4 --> ether4
> ISP5 --> ether5 (ISP5 is for the client in question and is dedicated to that client)
>
> ether6 --> Trunk to another switch, so "The Client" is sharing this trunk with other clients.
> -VLan700 (the vlan for the "The Client")
>
> If the above is what you're trying to do, then I think you'd bridge ether5 with vlan700 and not do any routing at all. Don't assign IPs to the bridge, ether5 or vlan700. No src-nat and no firewall rules. Then they'd have access to ISP5 as if they were plugged directly into it.
>
> The remote switch would be similar.
>
> ether5 --> Port to client provided router
> ether6 --> Trunk from 1st switch
> -VLan700
>
> Bridge ether5 with vlan700

Hi Van9018,

The ISPs are not connected to the Mikrotik 1036 directly. I put them on a switch, created VLANs, and connected the Mikrotik and all the other networks by creating a trunk port on the switch and connecting the Mikrotik there.

So I created VLANs for them: VLAN 1 = ISP 1 and so on. I assigned them to the SFP interface which connects to the switch by trunk.

Thanks.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static IP

Fri Jan 29, 2021 4:33 pm

Proxy ARP is simple. With config like yours, ISP has 103.1.1.1/28, then you have e.g. 103.1.1.2/28 on your router, and it's regular subnet and works well. If you want to route e.g. 103.1.1.3 further behind your router, you can easily do that using any of methods I listed. Your router won't have any problem with that, because it will know where 103.1.1.3 is. But ISP's router expects 103.1.1.3 to be directly reachable, same way as 103.1.1.2. But it isn't, so when ISP's router sends ARP request, nothing will respond and it will think that the address is unreachable. And that's what proxy ARP is for, it allows your router to respond and tell ISP's router that it has 103.1.1.3. It's not completely true, because it doesn't have it, but it knows where it is, so when ISP's router sends IP packet with destination 103.1.1.3 to yours, it will be correctly forwarded to real 103.1.1.3.

To enable it, you can either set arp=proxy-arp on interface connected to ISP's router (VLAN 10), or you can expose just a single address using:
/ip arp
add address=103.1.1.3 interface="VLAN 10" published=yes
Main difference between this and bridging client directly to ISP is that this is regular routing, so everything will be passing through firewall and you can easily block something, if needed. With bridging it's possible too, but it would be slightly different.
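
The ARP behaviour described in the post above, as an added example that is not part of the thread: a simplified Python model of what the ISP's router (103.1.1.1/28) sees when it tries to reach an address routed behind the customer router. The /32 routes toward VLAN 700, the extra address 103.1.1.4 and all class and function names are assumptions made for the illustration; this is not RouterOS code.

```python
import ipaddress as ipa

WAN = "VLAN 10"  # interface facing the ISP router, name taken from the thread

class Router:
    """Simplified model of the customer router's ARP and forwarding decisions."""

    def __init__(self, wan_addr, routes, arp="enabled", published=()):
        self.wan_addr = ipa.ip_address(wan_addr)
        # prefix -> outgoing interface; the connected /28 on the WAN always exists
        self.routes = {ipa.ip_network("103.1.1.0/28"): WAN}
        self.routes.update({ipa.ip_network(p): i for p, i in routes.items()})
        self.arp = arp  # "enabled" or "proxy-arp"
        self.published = {ipa.ip_address(a) for a in published}

    def out_iface(self, dst):
        """Longest-prefix match; returns the outgoing interface or None."""
        hits = [n for n in self.routes if dst in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def answers_arp_on_wan(self, target):
        if target == self.wan_addr or target in self.published:
            return True
        # Proxy ARP: answer only for targets routed out a different interface.
        return self.arp == "proxy-arp" and self.out_iface(target) not in (None, WAN)

def isp_delivery(router, dst):
    """Outcome when the ISP router sends a packet to dst inside its connected /28."""
    dst = ipa.ip_address(dst)
    if not router.answers_arp_on_wan(dst):
        return "arp-timeout"  # nobody replies, ISP treats the address as unreachable
    if dst == router.wan_addr:
        return "local"
    # The router claimed the address, so it needs a path other than back out the WAN.
    return "forwarded" if router.out_iface(dst) != WAN else "no-route-behind-router"

# Constructed sample: two public addresses routed toward the client on VLAN 700.
ROUTED = {"103.1.1.3/32": "VLAN 700", "103.1.1.4/32": "VLAN 700"}
plain = Router("103.1.1.2", ROUTED)                            # no proxy ARP at all
proxy = Router("103.1.1.2", ROUTED, arp="proxy-arp")           # arp=proxy-arp on WAN
single = Router("103.1.1.2", ROUTED, published=["103.1.1.3"])  # one published entry
no_route = Router("103.1.1.2", {}, published=["103.1.1.3"])    # published, no route

if __name__ == "__main__":
    for name, r in [("plain", plain), ("proxy", proxy), ("single", single)]:
        print(name, {a: isp_delivery(r, a) for a in ("103.1.1.3", "103.1.1.4")})
```

In this model the interface-wide setting answers for every address routed behind the router, while the published entry exposes only the one address listed, and a published entry without a matching route still fails.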
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Fri Jan 29, 2021 6:47 pm

Hi Sob,

Thanks for this.

Just a few more questions.

1. I'll enable proxy arp on VLAN 10.
2. I'll add the address 103.1.1.2 to my Mikrotik and assign it to interface VLAN 10?
3. I give the address 103.1.1.3 - 103.1.1.14 to my client and they will input that into their equipment and use the IPs as they see fit.
4. Do I need to add the 103.1.1.3 - 103.1.1.14 to Mikrotik router also or no need?
5. What is the gateway they put in their equipment?

Is that about it?

Thanks.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static IP

Fri Jan 29, 2021 7:26 pm

Let's take one step back. All these addresses (whole /28) are only for one client, right? If that's the case, bridging could be better choice, because it would be completely standard config without any tricks.

But even better would be to talk to ISP and let them route whole /28 to you. That would be the option a) I described earlier, where ISP wouldn't have any address from this /28 on their router. You'd then do the same on your router, route the whole subnet to client, who would be able to use all 16 addresses. And you'd still have easy control over them.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Fri Jan 29, 2021 7:31 pm

Hi Sob,

Yes, just one client. I can keep one or 2 for my use if needed.

I don't think I can get the ISP to route the whole /28 to me. That seems to be something they are not comfortable doing or have not done before.

Is bridging easier than the proxy ARP? How would I go about that?

Thanks.
 
ftan
just joined
Topic Author
Posts: 16
Joined: Tue Dec 15, 2020 12:09 pm

Re: Static IP

Mon Feb 01, 2021 7:51 pm

Hello again,

So here is what I did.

Proxy ARP:
1. I enabled proxy ARP on ISP VLAN 10. Do I need to enable it on client VLAN 700 also?
2. I put a static IP of 103.1.1.3 (static IP from ISP) on my PC and connected it to the switch in the client's unit and used gateway 103.1.1.1.
3. I did not get any internet whatsoever.
4. Do I need to enable/disable any NAT rules/mangle I have for client 700? Is there a step I'm missing here?

Bridge.
I went to bridge and created a new bridge and just gave it a name, bridge 1, and clicked OK. I then went to ports and added VLAN 10 and VLAN 700.

All internet stopped working for the whole building.

Any ideas/help?

Thanks
