stremetznet
just joined
Topic Author
Posts: 14
Joined: Tue Apr 08, 2008 2:20 pm
Location: Germany
Contact:

Multiple public subnets

Sun Nov 20, 2016 1:21 am

Dear all,
my RouterOS is connected to my ISP's router, that provides two public subnets, a /29 and another /28 subnet. Both are in a different range.

Situation (Example)

Internal Network <------->(Ether2) RouterOS (Ether1) <--------> Cisco ISP Router<--------Leased Line -----> Internet
Internal address range 192.168.1.0/24
Pub Subnet1: 90.143.100.80/29
Pub Subnet2: 165.23.131.80/28
ISP Router IP: 90.143.100.81

I now configured my RouterOS with the IP 90.143.100.83 on the ether2 interface, set the default gateway and added some Firewall rules and NAT rules to allow traffic from the internal LAN to the Internet. So far so good.

I now got stuck in adding my other public IP addresses to interface ether1 and make them accessible for services via a destination NAT.

Also, I'm thinking about how to tell the RouterOS that two different subnets are connected and how the routing tables need to look so that everything works.

Would somebody please be so nice and help me with that?

Thank you very much.

T.
 
Sob
Forum Guru
Posts: 5015
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple public subnets

Sun Nov 20, 2016 2:19 am

Default gateway (ISP Router IP) is from your /29 range, I'd expect that all addresses from this range need to be reachable on ether1, so either be assigned directly to ether1, or you'd need proxy ARP, if you added them elsewhere. If you have 90.143.100.83 on ether2 (which according to your description is LAN) and it works, you should probably post your current config, because it looks a little suspicious.

Assuming 165.23.131.80/28 is normal routed subnet, you don't need anything special. Packets to any address from this /28 will be sent to your router. You don't need to alter routing or anything. Just assign selected address from this /28 to ether1 or some loopback interface (you can use empty bridge as loopback in RouterOS) and you have it. In fact, you don't even need to assign it anywhere and you can still use it for src/dst NAT.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
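
The routed-subnet setup described in the reply above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the host address 165.23.131.82, the /32 prefix on the loopback, the internal server 192.168.1.10, TCP port 443 and the bridge name are assumed values chosen for illustration.

```routeros
# Added example; addresses, port and names below are assumptions, not from the thread.

# Option A: hold one address of the routed /28 on an empty bridge used as a loopback.
/interface bridge add name=loopback-pub comment="empty bridge used as loopback"
/ip address add address=165.23.131.82/32 interface=loopback-pub \
    comment="address taken from the routed /28"

# Option B: skip the address assignment; a routed address can be used in NAT directly.
# The dst-nat rule is the same in both cases.
/ip firewall nat add chain=dstnat in-interface=ether1 \
    dst-address=165.23.131.82 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=443 \
    comment="publish internal HTTPS server on the /28 address"

# Connections the server itself opens leave with the same public address.
# Replies to inbound dst-nat connections are translated back by connection tracking
# and do not need this rule.
/ip firewall nat add chain=srcnat out-interface=ether1 \
    src-address=192.168.1.10 action=src-nat to-addresses=165.23.131.82 \
    comment="keep the server's outbound source address consistent"

# Forward filter: only traffic that matched a dst-nat rule may enter from the WAN.
# These must sit in the right order relative to any existing forward rules.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="return traffic"
/ip firewall filter add chain=forward in-interface=ether1 \
    connection-state=new connection-nat-state=dstnat action=accept \
    comment="new inbound connections that were dst-natted"
/ip firewall filter add chain=forward in-interface=ether1 \
    connection-state=new action=drop \
    comment="drop all other new inbound connections"
```

If the src-nat rule is placed after a general masquerade rule for the LAN, the masquerade rule matches first and the server's outbound traffic keeps the router's main address.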
 
stremetznet
just joined
Topic Author
Posts: 14
Joined: Tue Apr 08, 2008 2:20 pm
Location: Germany
Contact:

Re: Multiple public subnets

Sun Nov 20, 2016 2:00 pm

Hi Sob,

thanks for your reply.
To avoid any confusion, the subnets /29 and /28 are both on my external interface, ether1.
You are right, the /29 net works smoothly, out of the box by adding those addresses to ether1 interface.

With the /28 subnet I have several issues. When I try to add those addresses to a bridge interface, nothing happens, I don't even see traffic hitting in, when I ping the address for example, under the IP->Firewall-> Connections tab. I also tried enabling Proxy-Arp, no effect.

Looks like I'm missing something...
But right now I don't see it.
(On my old Router, which was a Juniper, I just needed to add all those /28-addresses to the external interface and they were available)

Thanks!
T.
 
Sob
Forum Guru
Posts: 5015
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple public subnets

Sun Nov 20, 2016 3:01 pm

That's another possibility, /28 on WAN together with /29 where ISP's router would also have one of 165.23.131.x. If that was the case, you should be able to simply add 165.23.131.x/28 to WAN. You probably shouldn't need to do anything with gateways and routing, because both 90.143.100.81 and 165.23.131.x are most likely the same machine (with same MAC address, so it wouldn't matter from which IP address your router gets it).
 
stremetznet
just joined
Topic Author
Posts: 14
Joined: Tue Apr 08, 2008 2:20 pm
Location: Germany
Contact:

Re: Multiple public subnets

Sun Nov 20, 2016 10:50 pm

Nope.

Both subnets, /29 and /28 have to use the same gateway 90.143.100.8.
I can currently only access the /29 subnet. I bound some /28 net IPs to the interface ether1 but I'm unable to access them.
Any further ideas?

Thanks
 
Sob
Forum Guru
Posts: 5015
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple public subnets

Sun Nov 20, 2016 11:18 pm

It doesn't make much sense to me why would /28 have to be on ether1 then. It can be either routed subnet and then it can be anywhere, or connected subnet and then it would have to be on ether1. But what's the point of connected subnet if their router is not part of it?

In any case, putting /28 addresses on ether1 should just work for both scenarios. One default gateway is enough. If you use an address from /28 as source, it has the only (and right) way to go.
 
stremetznet
just joined
Topic Author
Posts: 14
Joined: Tue Apr 08, 2008 2:20 pm
Location: Germany
Contact:

Re: Multiple public subnets

Sun Nov 20, 2016 11:38 pm

That is exactly why I wonder so much.
In my case, my ISP gave that /29 subnet first. After we ran out of public IPs, we asked for a bigger public address space and they just added that /28 subnet to their gateway router.
In the current setup (with Juniper equipment) we just bound addresses of the /28 subnet to the external interface and we were good to go.

Now as we are going to replace that box by a RouterOS system, I suppose it would just have to work similar. But it does not.
On the local system (RouterOS CLI), I can ping all bound IPs without issues.
From an external system, located on the internet, I can just ping the IP address of the /29 subnet, the second IP in the /28 space will just receive timeouts.
I can also notice, that pings to the IP of the /28 net won't even show up in the connections tab, which I guess means there is a routing issue.
 
Sob
Forum Guru
Posts: 5015
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple public subnets

Mon Nov 21, 2016 2:10 am

But it should work the same way. I'd try this:
/ping src-address=165.23.131.x address=a.b.c.d
Where 165.23.131.x is an address assigned to router and a.b.c.d is address of some machine somewhere else on internet, which you have under control. If you use Tools->Torch on ether1, you must see packets from 165.23.131.x to a.b.c.d leaving the router. This is to make sure that you don't have problems with outgoing NAT or something. And if you run packet sniffer on remote machine, you should see same packets coming there and reply packets being sent back. Ideally, you should see those arriving to your router. Try it, it's easy and perhaps you'll discover something interesting.

Or you can also post your current config here and let us see if there could be some mistake there.