Have been scratching my head for a couple of days on this one. We've received a Netflix OCA to install inside our network, and it comes with a configured IPv4 address from the address space we own under our AS. Our core router has two upstream connections, one we call DIA (Direct Internet Access), which is our original "baby steps" connection when we got started 6 years ago, and for which our upstream supplier gave us a /29 from the IPv4 space they own. Our router has various IPs in this space configured on the interface facing DIA.
The second link we added as we grew was IPT (transit) where we advertise a /24 we own over BGP. From this block, we carved out a /30 to use with the OCA, and set things up as shown:
The OCA has internet access, it can be reached from the internet, but any traffic that originates from it seems to appear as coming from one of the DIA IPs, not the assigned IP advertised through BGP. A traceroute to .253, the IP of the CCR, works fine, but against .254 returns the DIA IP as the last hop instead.
Some relevant configuration:
Code:
## DIA block
/ip address add address=40.50.60.2/29 comment="Management" interface=SFP3 network=40.50.60.0
/ip address add address=40.50.60.3/29 comment="Public services" interface=SFP3 network=40.50.60.0
/ip address add address=40.50.60.4/29 comment="Public business" interface=SFP3 network=40.50.60.0
## IPT block
/ip address add address=100.10.20.1/24 comment="IPT #1" interface=SFP1 network=100.10.20.0
## OCA block
/ip address add address=100.10.20.253/30 comment="Netflix OCA" interface=SFP2 network=100.10.20.252
## Others
/ip firewall address-list add address=10.20.0.0/16 list=LAN_RANGES
## Ensure return traffic via IPT
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connection inbound via IPT" in-interface=SFP1 new-connection-mark=IPT_INBOUND passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=IPT_INBOUND new-routing-mark=ROUTE_IPT passthrough=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=IPT_INBOUND new-routing-mark=ROUTE_IPT passthrough=no
## Ensure return traffic for DIA
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connection inbound via DIA" in-interface=SFP3 new-connection-mark=DIA_INBOUND passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=DIA_INBOUND new-routing-mark=ROUTE_DIA passthrough=no
/ip firewall mangle add action=mark-routing chain=output connection-mark=DIA_INBOUND new-routing-mark=ROUTE_DIA passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="Route Netflix OCA traffic via IPT" disabled=no dst-address-list=!LAN_RANGES new-routing-mark=ROUTE_IPT passthrough=no src-address=100.10.20.253-100.10.20.254
## BGP
/routing bgp instance add as=<OUR_ASN> client-to-client-reflection=no comment="IPT IPv4" name=IPT router-id=100.10.20.1
/routing bgp instance add as=<OUR_ASN> client-to-client-reflection=no comment="Netflix OCA" name=NETFLIX_OCA router-id=100.10.20.253
/routing bgp network add comment="IPT IPv4 block" network=100.10.20.0/24 synchronize=no
/routing bgp peer add in-filter=IPT_IN instance=IPT name=IPT_IPv4 out-filter=IPT_OUT remote-address=196.x.x.100 remote-as=<UPSTREAM_ASN> ttl=default
/routing bgp peer add in-filter=NETFLIX_IN instance=NETFLIX_OCA name=NETFLIX_OCA out-filter=NEFLIX_OUT remote-address=100.10.20.254 remote-as=<NETFLIX_ASN> ttl=default
/routing filter add chain=IPT set-distance=2
## Routes
/ip route add check-gateway=ping comment="** PRIMARY GATEWAY ** DIA" distance=1 gateway=40.50.60.1
/ip route add check-gateway=ping comment="DIA gateway for marked traffic" distance=1 gateway=40.50.60.1 routing-mark=ROUTE_DIA
/ip route add check-gateway=ping comment="IPT gateway for marked traffic" distance=1 gateway=196.x.x.100 routing-mark=ROUTE_IPT
Anyone have any ideas as to why the OCA transmogrifies into a different IP address, or is there a better / correct way to do this? The goals are:
- Give the OCA a public IP with which it can access the internet freely.
- Establish a BGP connection with the OCA so we can mutually advertise local routes for our customers to use it (the BGP establishes fine with the current setup).
The OCA can be pinged, and its web interface (which returns a 403) can be accessed from the internet, so access to it seems OK. A traceroute, however, reveals:
Code:
traceroute to 100.10.20.254 (100.10.20.254), 30 hops max, 60 byte packets
1 static.x.x.x.x.clients.your-server.de (x.x.x.x) 0.905 ms 0.878 ms 0.849 ms
2 ... <VARIOUS HOPS>
10 xe-0-1-0-0.our_isp.net (190.x.x.47) 190.958 ms * *
11 40.50.60.2.our_isp.net (40.50.60.2) 196.826 ms 196.861 ms *
A traceroute to .253 is correct:
Code:
traceroute to 100.10.20.253 (100.10.20.253), 30 hops max, 60 byte packets
1 static.x.x.x.x.clients.your-server.de (x.x.x.x) 0.335 ms 0.298 ms 0.267 ms
2 ... <VARIOUS HOPS>
9 100.10.20.253 (100.10.20.253) 185.087 ms et-0-1-11.our_isp.net (190.x.x.15) 189.929 ms 100.10.20.253 (100.10.20.253) 178.492 ms
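Added example, not part of the original post: a small Python model that walks the mangle rules exactly as posted and reports which routing table and egress interface each kind of flow ends up with. It assumes simplified RouterOS semantics (rules evaluated in order within a chain, passthrough=no stops at the first match, a routing-mark table that contains only a default route sends everything to that gateway, unmarked packets use main with longest-prefix connected routes). Interface names and prefixes are the ones from the post; the LAN interface name, the flow addresses (203.0.113.x, 10.20.5.9) and the semantics are constructed assumptions, not a RouterOS implementation.

```python
# Added example (not from the original post): evaluator for the posted
# /ip firewall mangle rules under simplified, assumed RouterOS semantics.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]   # address-list LAN_RANGES

# Mangle rules in the order they appear in the post; every one has passthrough=no.
MANGLE = [
    dict(chain="prerouting", in_interface="SFP1", action="mark-connection", mark="IPT_INBOUND"),
    dict(chain="prerouting", connection_mark="IPT_INBOUND", action="mark-routing", mark="ROUTE_IPT"),
    dict(chain="output", connection_mark="IPT_INBOUND", action="mark-routing", mark="ROUTE_IPT"),
    dict(chain="prerouting", in_interface="SFP3", action="mark-connection", mark="DIA_INBOUND"),
    dict(chain="prerouting", connection_mark="DIA_INBOUND", action="mark-routing", mark="ROUTE_DIA"),
    dict(chain="output", connection_mark="DIA_INBOUND", action="mark-routing", mark="ROUTE_DIA"),
    dict(chain="prerouting", src_range=("100.10.20.253", "100.10.20.254"),
         dst_not_list=LAN_RANGES, action="mark-routing", mark="ROUTE_IPT"),
]

# Connected prefixes from the posted /ip address entries (LAN interface name assumed).
CONNECTED = {
    "40.50.60.0/29": "SFP3",
    "100.10.20.0/24": "SFP1",
    "100.10.20.252/30": "SFP2",   # more specific than the /24, wins by longest prefix
    "10.20.0.0/16": "LAN",        # assumed interface name for the LAN ranges
}
# Egress interface of the default route in each table (gateway 40.50.60.1 or 196.x.x.100).
DEFAULT_GW = {"main": "SFP3", "ROUTE_DIA": "SFP3", "ROUTE_IPT": "SFP1"}


@dataclass
class Packet:
    chain: str                              # "prerouting" (arrived on an interface) or "output" (router-originated)
    src: str
    dst: str
    in_interface: Optional[str] = None
    connection_mark: Optional[str] = None   # mark already carried by the tracked connection, if any
    routing_mark: Optional[str] = None


def _in_range(addr, rng):
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(rng[0]) <= a <= ipaddress.ip_address(rng[1])


def _matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if rule["chain"] != pkt.chain:
        return False
    if "in_interface" in rule and rule["in_interface"] != pkt.in_interface:
        return False
    if "connection_mark" in rule and rule["connection_mark"] != pkt.connection_mark:
        return False
    if "src_range" in rule and not _in_range(pkt.src, rule["src_range"]):
        return False
    if "dst_not_list" in rule and any(ipaddress.ip_address(pkt.dst) in n for n in rule["dst_not_list"]):
        return False
    return True


def run_mangle(pkt):
    """Apply the first matching rule and stop (passthrough=no on all posted rules)."""
    for rule in MANGLE:
        if _matches(rule, pkt):
            if rule["action"] == "mark-connection":
                pkt.connection_mark = rule["mark"]
            else:
                pkt.routing_mark = rule["mark"]
            break
    return pkt


def route(pkt):
    """Return (table, egress interface): marked tables hold only a default route, main also has connected routes."""
    table = pkt.routing_mark or "main"
    if table == "main":
        dst = ipaddress.ip_address(pkt.dst)
        best = max((n for n in CONNECTED if dst in ipaddress.ip_network(n)),
                   key=lambda n: ipaddress.ip_network(n).prefixlen, default=None)
        if best:
            return table, CONNECTED[best]
    return table, DEFAULT_GW[table]


def trace_flows():
    """Evaluate the flows that matter for the OCA; returns {name: (connection_mark, table, egress)}."""
    flows = {
        # first packet of a new connection from the internet (constructed address) to the OCA via transit
        "internet_to_oca_first_packet": Packet("prerouting", "203.0.113.5", "100.10.20.254", in_interface="SFP1"),
        # the OCA's reply on that connection; the connection already carries IPT_INBOUND
        "oca_reply": Packet("prerouting", "100.10.20.254", "203.0.113.5", in_interface="SFP2",
                            connection_mark="IPT_INBOUND"),
        # a brand-new connection opened by the OCA towards the internet
        "oca_new_outbound": Packet("prerouting", "100.10.20.254", "203.0.113.5", in_interface="SFP2"),
        # OCA towards a customer range: excluded from the ROUTE_IPT rule by dst-address-list=!LAN_RANGES
        "oca_to_lan": Packet("prerouting", "100.10.20.254", "10.20.5.9", in_interface="SFP2"),
        # packet generated by the router itself for a connection that carries no mark yet
        "router_originated_new": Packet("output", "100.10.20.253", "203.0.113.5"),
    }
    result = {}
    for name, pkt in flows.items():
        run_mangle(pkt)
        table, egress = route(pkt)
        result[name] = (pkt.connection_mark, table, egress)
    return result


if __name__ == "__main__":
    for name, outcome in trace_flows().items():
        print(f"{name:30s} conn_mark={outcome[0]!s:12s} table={outcome[1]:10s} egress={outcome[2]}")
```

Under these assumptions the OCA's own new connections and its replies on transit-inbound connections both leave via SFP1, while a packet the router itself originates on a not-yet-marked connection matches neither output-chain rule and falls through to main, whose default route is the DIA gateway.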