Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Mikrotik device behind limited ISP modem

Sat Dec 26, 2020 8:12 pm

Hello,
I have an ISP-provided modem/router and a MT device
and I want to use the MT device to isolate two subnets.
The subnets will get access to the internet via the ISP device
as shown in the diagram below which depicts the current situation.

My problem is the double NAT situation which I want to get rid of.
Given that the ISP modem/router does not allow changing
its static routing table what would you suggest as a topology/configuration?

Replacing the ISP device is out of the picture since
it also provides VoIP for telephony and the provider doesn't share its VoIP passwords.

Topology:
                    +--------------------+
                    |                    |
                    |                    |
                    |   ISP modem/router |
                    |                    |
                    |                    |
                    +------+------+------+
                     |DSL| | LAN1 |
                     +-+-+ +---+--+
                       |       |      172.16.0.2/24 masquerade/srcnat with its PPPoE iface
to                     |       |
wall <-----------------+       |
socket                         |
                               |
                               |
                             +-+----+ 172.16.0.1/24 masquerade/srcnat
                             | LAN1 |
                    +--------+------+------+
                    |                      |
                    |  MikroTik            |
                    |                      |
                    |                      |
                    |                      |
                    +--+------+--+------+--+
                       | LAN2 |  | LAN3 |
                       +------+  +------+

               172.16.1.1/24        172.16.2.1/24

 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Mikrotik device behind limited ISP modem

Sat Dec 26, 2020 8:25 pm

Bridge the ISP device, that will make it a simple layer 2 forwarding device. Bridge mode depends on make and model aka Transparent bridging.
 
Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Re: Mikrotik device behind limited ISP modem

Sat Dec 26, 2020 8:39 pm

Hi DarkNate,
unfortunately the ISP device does not support bridge mode.
I am hoping for some creative solution that will allow me to get rid of the double NAT
given the plenty limitations of the ISP device.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik device behind limited ISP modem

Sat Dec 26, 2020 9:38 pm

There are two ways to get rid of double NAT.
1. ISP sets its modem in bridge mode.
2. You use your MikroTik router as a Bridge/Switch, no NAT at all.
 
Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 12:25 am

Hi,
thanks for taking the time.
Well option 1 is unavailable, the ISP device does not support it.
For option 2, do you mean to bridge all interfaces and assign an IP to the bridge
on the same subnet as the ISP device?
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 12:48 am

This sounds like a Telia router in Lithuania, doesn't it?
 
Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 1:14 am

It's Vodafone branded, model H 300s in Greece
 
rodpp
newbie
Posts: 32
Joined: Thu Feb 05, 2015 1:45 am

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 3:33 am

Another option is to have admin access to the ISP modem/router, and create your subnets there. Then in the Mikrotik you can create two bridges.

I had that same problem some time ago, having Internet and phone from the same box and no bridge mode possible. After complaining to the ISP, they replaced the fiber modem with another one that allows bridge mode.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 12:33 pm

Another possibility would be to allow one LAN subnet to connect to ISP gadget (RB can act as a switch for that part) and have other subnets behind RB. That comes with lots of limitations though: all but one subnet still have to go through double NAT, you don't have firewall under control, it's hard to prevent other subnets from communicating with the one handled directly by ISP gadget, etc.
If it's not possible to dumbify ISP gadget, then the best would be to configure permissive port forwarding towards RB on ISP gadget and live with (potential) slightly lower performance. And complain to ISP because of lack of flexibility.
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 4:22 pm

Try to break into the thing and set up a static route, or find VoIP settings?
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Mikrotik device behind limited ISP modem

Sun Dec 27, 2020 8:42 pm

> For option 2, do you mean to bridge all interfaces and assign an IP to the bridge
> on the same subnet as the ISP device?
Yes. Your MT Router will just be a switch with management.
 
Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Re: Mikrotik device behind limited ISP modem

Mon Dec 28, 2020 9:57 am

mkx and mada3k thank you both for the input.
@mada3k: Yes I found out yesterday after searching a Greek forum that there is a way to enable some hidden administrative functions
by hacking the JavaScript based device UI.
So I could reveal the VoIP password and enable the configuration of static routes, yay!
So I am gonna look into that from a new standpoint and see how far I can go.
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: Mikrotik device behind limited ISP modem

Mon Dec 28, 2020 10:24 am

> Hi DarkNate,
> unfortunately the ISP device does not support bridge mode.
> I am hoping for some creative solution that will allow me to get rid of the double NAT
> given the plenty limitations of the ISP device.
Is it PON? GPON/EPON? DOCSIS? DSL?

One method to bridge is either to use an explicit "bridge" mode on a per WAN interface on the CPE's interface or simply make WAN as null and it will automatically bridge into a layer 2 device.

Source: Helped people all over my country (India) with bridging hundreds of different brands/models.
 
jebz
Member
Posts: 366
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Mikrotik device behind limited ISP modem

Mon Dec 28, 2020 12:54 pm

Add routes to your ISP router for the routes on the Mikrotik. Some basic routers even support RIP. Then don't use NAT on the Mikrotik.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik device behind limited ISP modem

Thu Dec 31, 2020 3:35 pm

If you want to separate the LAN of the Mikrotik into multiple networks, possibly with some firewall rules between them, you can use arp-proxy at Mikrotik WAN side and separate LAN subnets on the Mikrotik. So the NAT would be done by the ISP router, and subnet separation by the Mikrotik.

Example:
ISP router's LAN address: 192.168.3.253/22
Mikrotik's WAN address: 192.168.3.254.0/30, arp=proxy-arp, no src-nat nor masquerade rule
Mikrotik's LAN1 address: 192.168.0.1/23
Mikrotik's LAN2 address: 192.168.2.1/24
Mikrotik's default route via 192.168.3.253

The Mikrotik will answer with the MAC address of its own WAN interface to all ARP requests of the ISP router for any IP address within 192.168.0.0/22, so the ISP will send the packets for any of these addresses to the Mikrotik, which will forward them to the actual destinations.

If you can set up static routes on the ISP router after hacking it, the arp-proxy setting is not necessary, just set the routes to 192.168.0.0/23 and 192.168.2.0/24 via 192.168.3.254 on the ISP router.
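
The proxy-ARP layout from the post above, modelled as an added example that is not part of sindy's post: it checks which destinations the ISP router will ARP for and which of those the Mikrotik would answer on its WAN side. The function names are hypothetical, the WAN address is assumed to be 192.168.3.254/30, and the proxy-ARP rule is a simplified model (reply only when the target is routed out of a different interface).

```python
import ipaddress as ip

# Addresses from the post above. The WAN address is read as 192.168.3.254/30,
# which is an assumption of this example.
ISP_LAN = ip.ip_interface("192.168.3.253/22")
WAN = ip.ip_interface("192.168.3.254/30")
LANS = {"LAN1": ip.ip_interface("192.168.0.1/23"),
        "LAN2": ip.ip_interface("192.168.2.1/24")}
DEFAULT_GW = ip.ip_address("192.168.3.253")


def egress_interface(dst):
    """Longest-prefix match over the Mikrotik's connected routes, else default."""
    dst = ip.ip_address(dst)
    connected = [("WAN", WAN.network)] + [(n, i.network) for n, i in LANS.items()]
    matches = [(net.prefixlen, name) for name, net in connected if dst in net]
    return max(matches)[1] if matches else "WAN"  # default route leaves via WAN


def isp_router_arps_for(dst):
    """The ISP router resolves anything inside its own /22 with ARP."""
    return ip.ip_address(dst) in ISP_LAN.network


def mikrotik_answers_arp(dst):
    """Simplified proxy-ARP model: reply for the WAN address itself, or for a
    target routed out of an interface other than the one the request came in on."""
    dst = ip.ip_address(dst)
    return dst == WAN.ip or egress_interface(dst) != "WAN"


def reachable_from_isp_router(dst):
    return isp_router_arps_for(dst) and mikrotik_answers_arp(dst)


def plan_problems():
    """Sanity checks on the addressing plan before it is deployed."""
    problems = []
    for name, iface in LANS.items():
        if not iface.network.subnet_of(ISP_LAN.network):
            problems.append(f"{name}: ISP router will not ARP for {iface.network}")
        if iface.network.overlaps(WAN.network):
            problems.append(f"{name}: overlaps the WAN {WAN.network}")
    if DEFAULT_GW not in WAN.network:
        problems.append("default gateway is not on-link on the WAN subnet")
    return problems
```

In this model an address such as 192.168.3.10 sits inside the ISP router's /22 but behind no Mikrotik LAN, so it gets no proxy reply and should not be assigned to a host. Traffic between LAN1 and LAN2 never reaches the ISP router, so any filtering between the two subnets has to be done in the Mikrotik's own firewall.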
 
Vagelis
newbie
Topic Author
Posts: 26
Joined: Wed Jun 20, 2018 1:34 pm

Re: Mikrotik device behind limited ISP modem

Fri Jan 15, 2021 9:14 pm

Sindy that's very interesting, thanks for sharing!
 
dave12
newbie
Posts: 31
Joined: Sat Oct 09, 2021 2:35 pm

Re: Mikrotik device behind limited ISP modem

Wed Dec 01, 2021 5:20 pm

> One method to bridge is either to use an explicit "bridge" mode on a per WAN interface on the CPE's interface or simply make WAN as null and it will automatically bridge into a layer 2 device.
>
> Source: Helped people all over my country (India) with bridging hundreds of different brands/models.
DarkNate, so how should I do this bridging actually? I tried with CPE, no luck. One time I disabled my bridge and got connected to the ISP router anyway.
But I do not want to be locked out from the RouterOS again, so I am interested how to set WAN to zero?
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: Mikrotik device behind limited ISP modem

Wed Dec 01, 2021 5:30 pm

Could you explain what the issue specifically is with double NAT in your case? Or is it port forwarding that is the actual problem?

Before getting FTTP, I had a similar situation with a Fritzbox, (I was too lazy to worry about bridge mode on the Fritzbox and I had no inbound services anyway) but I was able to set the Mikrotik as the DMZ host on the ISP modem so that I could do port forwarding on the Mikrotik if I needed to, all ports were forwarded directly to it by the Fritzbox.

Double NAT isn't the cleanest setup and should be avoided if practicable, but I've yet to see instances where it causes more issues than single NAT and am interested in understanding whether you were aware of any?
 
dave12
newbie
Posts: 31
Joined: Sat Oct 09, 2021 2:35 pm

Re: Mikrotik device behind limited ISP modem

Wed Dec 01, 2021 6:04 pm

Spynappels, the ISP's Cisco router does not forward any port when the connection is initiated from the internet. The Cisco router is protected with a password. Maybe I could break the password, but I do not want to mess with Cisco settings, because it might be problematic. Yes I am behind double NAT.

I noticed the following:

1. When I am connected to the Mikrotik router my ethernet name is 78942A.
2. When I am connected directly to the Cisco router, my ethernet name is Network 1
3. When I am connected to the Mikrotik router, and the Mikrotik is connected to the Cisco and I disable the bridge in RouterOS, then my ethernet name becomes XYDESKTOP-ARF...something and I have internet access, but I am locked out from RouterOS, no wifi connectivity and then I need to reset the router.

The third case illustrates that when I disable the bridge the Mikrotik router bridges into a layer2 device as described by DarkNate, which is my Cisco router. So my question was how to set WAN to zero and not get locked out of RouterOS.
