I'm configuring a router that has a /27 of Internet IP's assigned, the router itself is assigned the IP x.y.z.130/27 and the remainder of the subnet (.131-.158) is NATd through to various IPs on the LAN side (10.x.x.x).
Have set up something similar in the past with a smaller subnet so it was easy enough to add the LAN IPs to the configuration as x.y.z.131/32, x.y.z.132/32, etc Obviously that becomes a little more awkward with a /27 or other larger subnet. Is there any "shortcut" to setting up the router to process the entire subnet without specifying each of the IP's separately? I had thought in the past at one point in another configuration that I'd been able to instead specify the subnet ie. x.y.z.128/27 but that does not seem to be working here (whereas specifying all 30 addresses individually as /32s does).
Mike
Re: Configuring Subnet of WAN IPs for NAT
Couple options here:
You could use netmap similar to this: viewtopic.php?t=107311
You're just using the Public addresses routed to your service in place of local IPs.
Alternatively you could set your router up as the gateway of a DHCP server in the Public IP subnet (of which it already has an address) - then hand out Public IP leases to your devices directly instead of NATing. Bear in mind you will need to create an address list and exclude these from any src-nat or masquerade rules you may have in place at the gateway router.
Just brainstorming, let me know what you think.
You could use netmap similar to this: viewtopic.php?t=107311
You're just using the Public addresses routed to your service in place of local IPs.
Alternatively you could set your router up as the gateway of a DHCP server in the Public IP subnet (of which it already has an address) - then hand out Public IP leases to your devices directly instead of NATing. Bear in mind you will need to create an address list and exclude these from any src-nat or masquerade rules you may have in place at the gateway router.
Just brainstorming, let me know what you think.
Re: Configuring Subnet of WAN IPs for NAT
The first thing about using multiple IPs on single interface is answer to the question: how does link peer (i.e. ISP router) deliver packets using those IP addresses? Are they routed towards your router (i.e. your router has IP address outside of that /27 subnet and ISP router is using that address as gateway) or are they delivered "directly" (i.e. your router only uses address(es) from same /27 subnet)?
If the former, then you can simply start using those addresses.
If the later, then you have to configure WAN interface with those IP addresses. The reason for that is that router has to know which addresses are "its own" so that it can answer to "ARP who has" queries (sent out by ISP router). The rest of config (NAT, netmap, whatever) is the same for both possibilities.
If the former, then you can simply start using those addresses.
If the later, then you have to configure WAN interface with those IP addresses. The reason for that is that router has to know which addresses are "its own" so that it can answer to "ARP who has" queries (sent out by ISP router). The rest of config (NAT, netmap, whatever) is the same for both possibilities.
Re: Configuring Subnet of WAN IPs for NAT
The first thing about using multiple IPs on single interface is answer to the question: how does link peer (i.e. ISP router) deliver packets using those IP addresses?
Good point, I took the liberty of assuming the subnet was routed to OP by the peer (ISP).
Re: Configuring Subnet of WAN IPs for NAT
Yup, its easy to fall into the assumption trap!!
Best thing is for every op.
a. to describe their WANIP ISP setup
b. provide a network diagram
c. provid config /export hide-sensitive file=anynameyouwish
Then there is less guessing and quicker resolution of issues.]
Personally I prefer to understand the user requirements and not talk about config or solutions until the needs are known.
Best thing is for every op.
a. to describe their WANIP ISP setup
b. provide a network diagram
c. provid config /export hide-sensitive file=anynameyouwish
Then there is less guessing and quicker resolution of issues.]
Personally I prefer to understand the user requirements and not talk about config or solutions until the needs are known.
Re: Configuring Subnet of WAN IPs for NAT
Sorry got pulled away on another project, thanks for everyone's responses. In particular @mkx I've known this but your explanation of why is the clearest I've seen.
With that said, what I was really asking for clarification in this case is when I do have to add the IPs to the router, do I have to add each IP individually, or is there a shortcut to add the whole subnet?
So am I adding 254 individual lines like this...
/ip address add address=1.2.3.1 interface=Bridge1 network=1.2.3.1
/ip address add address=1.2.3.2 interface=Bridge1 network=1.2.3.2
/ip address add address=1.2.3.3 interface=Bridge1 network=1.2.3.3
...
/ip address add address=1.2.3.254 interface=Bridge1 network=1.2.3.254
Or can I do something like this to accomplish the same?
/ip address add address=1.2.3.1/24 interface=Bridge1 network=1.2.3.0
Obviously with smaller subnets it's not a big deal either way, but on bigger subnets like /25, /24, etc that ends up as a lot of lines if they have to be done individually. Unfortunately in this case I'm doing changes on a router that a) I didn't orignally configure and b) that is live ... so I don't have the option to "test and learn" as I might otherwise do.
Cheers,
Mike
With that said, what I was really asking for clarification in this case is when I do have to add the IPs to the router, do I have to add each IP individually, or is there a shortcut to add the whole subnet?
So am I adding 254 individual lines like this...
/ip address add address=1.2.3.1 interface=Bridge1 network=1.2.3.1
/ip address add address=1.2.3.2 interface=Bridge1 network=1.2.3.2
/ip address add address=1.2.3.3 interface=Bridge1 network=1.2.3.3
...
/ip address add address=1.2.3.254 interface=Bridge1 network=1.2.3.254
Or can I do something like this to accomplish the same?
/ip address add address=1.2.3.1/24 interface=Bridge1 network=1.2.3.0
Obviously with smaller subnets it's not a big deal either way, but on bigger subnets like /25, /24, etc that ends up as a lot of lines if they have to be done individually. Unfortunately in this case I'm doing changes on a router that a) I didn't orignally configure and b) that is live ... so I don't have the option to "test and learn" as I might otherwise do.
Cheers,
Mike
Re: Configuring Subnet of WAN IPs for NAT
AFAIK there's no shortcut inside ROS. You can, however, use external tool (a shell or python script) which creates those 250 lines for you to copy-paste.
BTW, when setting addresses in ROS, address itself with netmask defines what we normally know as network address (e.g. 192.168.24.42/24 gives network address 192.168.24.0 and broadcast address 192.168.24.255). Default value of netmask is /32. The network property overrides the network address (and can usually be omited[*]) but doesn't give any info about broadcast address which also defines upper limit of network address space. So your example should be
[*]when configuring certain types of links, specially point-to-point, it is sensible to set property network to value unrelated to local IP address ... it's not just any value, but unrelated to address never the less. I could explain it in detail, but it's out of scope of this thread.
BTW, when setting addresses in ROS, address itself with netmask defines what we normally know as network address (e.g. 192.168.24.42/24 gives network address 192.168.24.0 and broadcast address 192.168.24.255). Default value of netmask is /32. The network property overrides the network address (and can usually be omited[*]) but doesn't give any info about broadcast address which also defines upper limit of network address space. So your example should be
Code: Select all
/ip address add address=1.2.3.1/24 interface=Bridge1
/ip address add address=1.2.3.2/24 interface=Bridge1
/ip address add address=1.2.3.3/24 interface=Bridge1
...
/ip address add address=1.2.3.254/24 interface=Bridge1
[*]when configuring certain types of links, specially point-to-point, it is sensible to set property network to value unrelated to local IP address ... it's not just any value, but unrelated to address never the less. I could explain it in detail, but it's out of scope of this thread.