Andy365
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 8:04 am

Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 8:16 am

Hello guys
Hope you are doing well.

Recently I got from my provider a /29 routed public IP subnet, which I want to use for some dedicated services.
From the provider this /29 is routed to the existing P2P.
This new subnet I assigned to one Bridge-Loopback.
I could not route any of these new IPs to my client because they are not reachable from outside.
If you could give me some help, it would be appreciated.

Thank you in advance
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 10:30 am

"I assigned to one Bridge-Loopback"? What does that mean? Not single IPs?

If you do not have a firewall problem, but those IPs are unreachable from outside, you must ask your ISP for help;
on a RouterBOARD you cannot configure anything to "force" the IPs to be reachable from outside...
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 10:54 am

Recently i get from provider /29 routed public IP subnet, I want to use for some dedicated services.
From provider this /29 is routed to existing P2P .
This new subnet I assigned to one Bridge-Loopback.

As @rextended wrote, explain the situation in more detail.

But as far as guessing goes: if the /29 subnet is being routed towards your existing P2P address by the ISP, then you don't have to set the router with any of those /29 addresses; packets targeting one of those IP addresses will land at your router anyway. You only have to configure the router to route packets forward towards the end destination, if those IP addresses are used by client hosts. If the /29 address space will be used for NAT, then you only configure those addresses in the NAT section of the configuration (both SRC-NAT and DST-NAT according to your wishes). Again, you don't have to assign any of those addresses to your router. And yes, those IP addresses will not be just "visible" from the internet; only the NATed service ports will be visible. Packets not targeting any of the NATed service ports will actually get routed back to the ISP (and back to you until TTL expires) by default ... so actually you may want to add a blackhole route for that /29 subnet to avoid this ping-pong between you and your ISP.

The router only has to be assigned those addresses if the addresses are not routed towards it but the router has to "advertise" that those addresses are its addresses (which is what happens e.g. in the case where the router's WAN address is assigned by the ISP via DHCP ... and the router then answers ARP who-has queries with its own MAC address).
 
Andy365
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 8:04 am

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 4:14 pm

Thank you mkx & rextended for your help.

I want to clarify some things regarding what I posted previously.

This /29 subnet that I had assigned previously to one new bridge-loopback interface, only for testing, I just removed.
Meanwhile, I routed statically the first usable IP of this subnet as a /32 to one client which has an RB, over the private P2P.
On this RB I configured a bridge loopback interface and assigned that public IP that I routed previously on the HQ router.
The default route in the client's router goes toward the P2P private next-hop.
When I tried to ping Google DNS from the client's router I can reach it correctly.
But I'm not able to reach from the Internet the public IP that I assigned on the client RB.

Please guys,

What can I do in the NAT rules? I really think that NAT affects the return packets.
Thank you in advance and so sorry for my English
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 5:21 pm

For the NAT part, it's fairly easy. Normal use would be where the router has one IP address set on the WAN interface and the SRC-NAT rule would be something like this one:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN

So whatever packets go out through the WAN interface will be NATed to use the IP address of that WAN. If there are multiple IP addresses set on the WAN interface, then the router will select one of them.

However, with routed IP addresses, SRC-NAT should look slightly different:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN to-addresses=x.y.z.w
i.e. explicitly set the IP address to which NAT should change the source address of packets exiting via the WAN interface.

One can add quite a few selector properties to NAT rule which narrow down selection, e.g. (original) src-address ... making used WAN address dedicated to certain LAN address (or a group of addresses, depending on configured NAT rules).

Likewise it's possible to pick the WAN addresses in DST NAT rules.

Mind that NAT (both SRC and DST) only really looks at NAT rules for packets opening a new connection. If the connection tracking machinery determines that a packet belongs to an already established connection, NAT will do the proper thing according to what it did for the initial packets. Which includes return packets for e.g. DST-NATed packets. For example: one WAN address (x.y.z.A) is hosting, say, an HTTPS server, which is actually hosted on a LAN server. However, when the same LAN server initiates outgoing connections, SRC-NAT might select a different WAN IP address (say x.y.z.C). Nothing wrong with this, it just might be confusing sometimes ...



If all packets with a certain dst-address (one of the routed /29 addresses) are to be simply forwarded to the downstream router unchanged, your main router needs a simple route such as this one:
/ip route
add dst-address=x.y.z.w/32 gateway=<IP address of downstream router>
Then it's up to the configuration on the downstream router to utilize the routed address.

Another possibility, when there's a P2P link between main router and downstream router, is to use /32 addressing of P2P link. In this case it doesn't matter if addresses on both sides of link are anywhere near the same subnet or not. And no special route needs to be configured.

config on main router:
/ip address
add interface=P2Plink address=10.20.30.40/32 network=x.y.z.w  # where x.y.z.w is IP address of remote end of tunnel
config on downstream router:
/ip address
add interface=P2Plink address=x.y.z.w/32 network=10.20.30.40  # where 10.20.30.40 is IP address of remote end of tunnel
/ip route
add dst-address=0.0.0.0/0 gateway=P2Plink
The same address can be used for all P2P links on the main router side. It can be either some RFC1918 address, or the router's WAN IP address, or one of the addresses from the /29 routed address space (but that's a waste of precious addresses, so I wouldn't do it). I'd go with the router's WAN IP address if that one is truly static (i.e. it's not a static DHCP lease which might change due to some error on the ISP side, but an address you typed in manually when configuring the main router). Consequently the traceroute to/from downstream subnets looks really tidy and your main router reports with the same address regardless of the direction of the traceroute.


As to the downstream router: personally I wouldn't set the IP address on some loopback interface/bridge. It doesn't help much but can cause some mental problems. So either use it as the P2Plink local address (which will make the NAT engine use it automatically) or use it explicitly in NAT (both SRC and DST) rules. The latter may come in handy if you want to do some funky firewall rules, e.g. management only possible if the downstream router is contacted at an RFC1918 address (and the main router has appropriate firewall filters and NAT rules which block connectivity to/from those RFC1918 addresses). This might get a bit convoluted though.
 
Andy365
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 8:04 am

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 7:07 pm

Thank you for your reply and the detailed information.

In the previous post I meant that masquerade could affect the routed /29 because I can't reach it from the Internet.

Or maybe I'm confused.

Thanks a lot
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 7:17 pm

The remote clients, are they MikroTik devices?

Before doing anything else, add a blackhole for your new /29 IP pool with distance=50, then do the rest.
 
Andy365
just joined
Topic Author
Posts: 4
Joined: Fri Sep 16, 2022 8:04 am

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 8:27 pm

Hi
Thanks
I did blackhole the /29 as you advised.
I routed a /32 from this subnet over the private P2P /30 to the client RB.
On the client RB this public /32 was already configured on the loopback interface (only for testing).
But again I am unable to reach the client RB from the Internet.

And I am able to reach the client RB via the private P2P.

Thank you
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 10:31 pm

I have nothing to add to what @mkx wrote; check twice whether somewhere a firewall rule forbids the connection.

Check that you added the /29 pool as allowed from WAN in the firewall forward chain.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 11:44 pm

Check the client's firewall as well. Setting the public IP address on a loopback interface means that the WAN connection is likely to be handled by the input chain of the client's router (unless that particular service is DST-NATed).
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Public IP routed from ISP needs to be excluded from NAT rule

Fri Sep 16, 2022 11:49 pm

In the previous post I meant that masquerade could affect the routed /29 because I can't reach it from the Internet.
It can indeed. That very much depends on how exactly that src-nat rule looks, and you almost certainly want to exclude packets with a src-address belonging to that WAN IP address space from being src-natted/masqueraded on the main router.
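Putting together mkx's earlier advice on routes and NAT rule selection and this last point about excluding the routed /29 from src-nat, here is an added configuration example. It is not from this thread or from MikroTik; the addresses are constructed RFC 5737 documentation prefixes, and ether1, P2Plink and the HTTPS service are assumed for illustration. RouterOS v7 syntax (v6 writes the blackhole as type=blackhole).

```routeros
# Added example, not from this thread or from MikroTik. RouterOS v7 syntax.
# Constructed placeholders (RFC 5737 documentation prefixes):
#   ether1          WAN interface of the main (HQ) router (assumed name)
#   198.51.100.10   static WAN address of the main router
#   203.0.113.0/29  the /29 the ISP routes towards that WAN address
#   203.0.113.1     the /32 out of the /29 handed to the client's RouterBOARD
#   10.0.0.2        client RB end of the private P2P /30 link (10.0.0.0/30)
#   P2Plink         name of the P2P interface on the client RB (assumed name)

# --- main (HQ) router ---

/ip route
# Blackhole the whole /29 with a high distance: any address that has no more
# specific route is dropped here instead of bouncing between us and the ISP
# until the TTL expires.
add dst-address=203.0.113.0/29 blackhole distance=50 comment="routed /29: unused addresses"
# The /32 for the client wins over the blackhole (distance 1 beats 50).
add dst-address=203.0.113.1/32 gateway=10.0.0.2 comment="routed /29 address -> client RB"

/ip firewall nat
# SRC-NAT only what really needs translation. The negated src-address leaves
# packets that already carry a routed /29 source untouched, so replies from
# the client's 203.0.113.1 leave with their real source address and stay
# consistent with the conntrack entry created by the inbound connection.
add chain=srcnat action=src-nat out-interface=ether1 src-address=!203.0.113.0/29 to-addresses=198.51.100.10 comment="NAT LAN/private sources only"
# With a dynamic WAN address use masquerade, keeping the same exclusion:
# add chain=srcnat action=masquerade out-interface=ether1 src-address=!203.0.113.0/29

/ip firewall filter
# A default-drop forward chain (such as the stock "drop all from WAN not
# DSTNATed" rule) must explicitly allow the routed /29 from WAN. These go
# above the drop rule; keep the accept as narrow as the hosted service allows.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=accept in-interface=ether1 dst-address=203.0.113.0/29 protocol=tcp dst-port=443 comment="public HTTPS on routed /29"
add chain=forward action=drop in-interface=ether1 connection-state=new comment="everything else new from WAN"

# --- client RouterBOARD ---

# With 203.0.113.1/32 on a loopback bridge the service terminates on the
# router itself, so the INPUT chain (not forward) has to accept it.
# Management stays reachable only over the private P2P address.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept dst-address=203.0.113.1 protocol=tcp dst-port=443 comment="public service on routed /32"
add chain=input action=accept in-interface=P2Plink src-address=10.0.0.0/30 comment="management over private P2P only"
add chain=input action=drop comment="everything else to the router itself"
```

A quick check after applying this on the main router: `/ip firewall connection print where dst-address~"203.0.113.1"` should show the inbound connection with no reply-side translation, and `/ip route print where dst-address=203.0.113.1/32` should list the /32 as active above the distance-50 blackhole. If the service is instead DST-NATed to a LAN host behind the client RB, the accept moves from the client's input chain to its forward chain, as mkx notes.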
