spire2z
Long time Member
Topic Author
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

PROXY-ARP solution SOLVED - howto

Tue Sep 06, 2005 6:48 pm

Hi,

You may have seen my previous postings asking for assistance with proxy-arp; well, they went unanswered, but hey, as usual I solved it and thought I would share:

It's really for when you have a NAT setup and want to set some public IPs inside the NAT for whatever reason.

It's pretty simple when you know, but it can be difficult to set up due to lack of resources, especially when applied to MikroTik, because although it's essentially a Linux based router it's fairly proprietary in terms of setup compared to normal Linux.

1/ enable proxy-arp on both Public and Private interfaces.

2/ Choose a public IP in your Public block that is not used yet

3/ Go to the IP Routes in MT and add an entry as follows:

Destination = the Public IP you want to use
Gateway = the IP address of your MT private interface
Pref Source = the IP address of your MT private interface

4/ In the PC you want to have the Public IP now set it up as if it was in the Public side of the router with the gateway and DNS of your main ISP but using the new IP.

Simple queues only need to have the IP entered and work like normal, and so does mangle, just as if it were a private IP, which is good.
 
nbson
just joined
Posts: 15
Joined: Thu Mar 17, 2005 3:34 pm

yep

Thu Sep 29, 2005 11:13 pm

[quote]
Destination = the Public IP you want to use
Gateway = the IP address of your MT private interface
Pref Source = the IP address of your MT private interface
[/quote]
We're doing this and don't have any proxy-arp turned on. And it works.
Also it doesn't work on Linksys routers (well, the BEFSR41 anyway).
 
spire2z
Long time Member
Topic Author
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Fri Oct 14, 2005 1:03 pm

Maybe it would work if you enabled proxy-arp?
 
Ronnie123
just joined
Posts: 8
Joined: Fri Oct 14, 2005 8:14 am

hmmmmmmmm....

Sat Oct 15, 2005 3:59 am

I am trying to add the IP Route in Winbox; I can't get it to let me type an address for the destination. It won't accept anything other than 0.0.0.0.

Any suggestions?
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sat Oct 15, 2005 8:48 pm

Are you including the netmask?

If you enter a single 32-bit host address you must put a /32 on the end of the address.

ex: 66.45.223.12/32
 
Ronnie123
just joined
Posts: 8
Joined: Fri Oct 14, 2005 8:14 am

Sun Oct 16, 2005 3:59 am

That was it. Thanks to both of you for the help.

Off topic a bit... with two WAN ports, how do I set traffic from a specific NAT address on the LAN to always go out a specific WAN port?
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Sun Oct 16, 2005 8:01 am

I have followed the example and got it to work, but when I go to http://www.whatismyip.com it displays the public IP from the router. How do I get it to report the IP that I have assigned to the customer?

Thanks,

-Cesar
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Sun Oct 16, 2005 9:03 am

I think you need to do a src-nat rule; not sure if it's masquerade or nat from the action tab. I think forum user Cameron had this problem earlier and used this to solve it.
 
spire2z
Long time Member
Topic Author
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Wed Oct 19, 2005 12:07 am

[quote]
I have followed the example and got it to work, but when I go to http://www.whatismyip.com it displays the public IP from the router. How do I get it to report the IP that I have assigned to the customer?

Thanks,

-Cesar
[/quote]
Are you using web proxy? If so it will display the MT IP address.
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Wed Oct 19, 2005 6:30 am

Spire2z, no Web Proxy is being used at all. By the way, I am using MT 2.9.6 if that makes a difference.

Jaytcsd, thanks for your input, but I do need to give the customer a public IP.

Thanks,

-Cesar
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed Oct 19, 2005 7:17 am

[quote]
Spire2z, no Web Proxy is being used at all. By the way, I am using MT 2.9.6 if that makes a difference.

Jaytcsd, thanks for your input, but I do need to give the customer a public IP.

Thanks,

-Cesar
[/quote]
Moya,

All you need to do is create a src-nat rule: choose the src-nat chain and add a new rule that says everything from this local IP (10.10.10.10) NAT to this public IP (24.32.3.220).

ex (2.8.x):
/ ip firewall src-nat add src-address=10.10.10.10/32 action=nat to-src-address=24.32.3.220
That basically says all traffic coming from local IP 10.10.10.10 translate to 24.32.3.220...
 
Ronnie123
just joined
Posts: 8
Joined: Fri Oct 14, 2005 8:14 am

Wed Oct 19, 2005 7:41 am

Is there going to be any way to have the traffic transparently bridge? That way existing customers with a static real address wouldn't need to make any configuration changes.
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Wed Oct 19, 2005 10:12 am

Thanks WilBill, I will try it tomorrow morning.
 
spire2z
Long time Member
Topic Author
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Thu Oct 20, 2005 7:40 pm

[quote]
Spire2z, no Web Proxy is being used at all. By the way, I am using MT 2.9.6 if that makes a difference.

Jaytcsd, thanks for your input, but I do need to give the customer a public IP.

Thanks,

-Cesar
[/quote]
I used 2.8 for my setup. Still, the fact you have the address set and it's working must mean you're masquerading everything still for some reason.

Check your source NAT rules and enter the source addresses of the private network so it will only masquerade them and not the public address.

I know the MT docs tell you to just specify 0.0.0.0/0, which will masquerade everything to the WAN address. Use something like 192.168.1.0/24 (or whatever your local range is?) instead so it will only masquerade private addresses.

That should sort it, dude... If you do the 1 to 1 NAT you can't give customers a real IP, and although they will have a working setup they will think it's inferior to ADSL or something because it has a private address??? Also some stuff still won't work right with 1 to 1 NAT.
 
moya
just joined
Posts: 22
Joined: Sun Jul 10, 2005 8:14 pm

Sun Oct 23, 2005 12:16 pm

I hate it when you are right!!! :o)
I was masquerading the IPs all along, thus http://www.whatismyip.com reported the public IP from the router.
That said, and to help some poor soul from spending too much time on the same issue, I will show you how I did it in v2.9.6.

/ip firewall nat add chain=srcnat src-address=192.168.1.50 action=src-nat to-address=xxx.xxx.xxx.1 to-ports=0-65535

/ip firewall nat add chain=dstnat dst-address=xxx.xxx.xxx.1 action=dst-nat to-address=192.168.1.50 to-ports=0-65535


If you print it you should get something like this:

0 ;;; X Server
chain=srcnat src-address=192.168.1.50 action=src-nat to-addresses=xxx.xxx.xxx.1 to-ports=0-65535

1 ;;; X Server
chain=dstnat dst-address=xxx.xxx.xxx.1 action=dst-nat to-addresses=192.168.1.50 to-ports=0-65535

3 chain=srcnat out-interface=wan action=masquerade


The key factor is to make sure that you place the above rules (1 and 2) before you do the masquerading (3).

I hope this helps.

I do thank and appreciate all the help that you guys gave me. Without it I would still be fighting this.

Regards,

-César
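As an added example (not posted by anyone in this thread), here are the original how-to and moya's 1:1 NAT variant as one RouterOS configuration. The interface names WAN and HOTSPOT, the 192.0.2.0/24 public block and the 10.5.50.0/24 private range are assumptions, and the command names follow RouterOS v6 rather than the 2.8/2.9 syntax quoted above.

```routeros
# Added example, not from the thread. Assumed: interfaces WAN and HOTSPOT,
# public block 192.0.2.0/26 (router WAN address 192.0.2.66), private range
# 10.5.50.0/24 with the router at 10.5.50.1. RouterOS v6 command names.

# Step 1: proxy-ARP on both interfaces. "ARP: enabled" is not enough; the
# setting must read "proxy-arp" so the router answers ARP for the relocated
# public address on the WAN side and for the upstream gateway on the LAN side.
/interface ethernet set [ find name=WAN ] arp=proxy-arp
/interface ethernet set [ find name=HOTSPOT ] arp=proxy-arp

# Steps 2-3: host route for an unused public address (192.0.2.80 here) with
# the router's own private-side address as gateway and preferred source.
/ip route add dst-address=192.0.2.80/32 gateway=10.5.50.1 pref-src=10.5.50.1

# Step 4 is done on the customer PC: address 192.0.2.80/26, the ISP gateway
# and the ISP DNS, exactly as if it sat on the public side of the router.

# Masquerade only the private range, never 0.0.0.0/0, so packets that already
# carry the public source 192.0.2.80 are not rewritten to the WAN address.
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 out-interface=WAN \
    action=masquerade

# Alternative (moya's 1:1 NAT): the PC keeps 10.5.50.50 and the router maps it
# to 192.0.2.81. The router must own that address so it answers ARP for it
# on WAN; srcnat is first-match, so the 1:1 rule must sit above masquerade
# (place-before=0 puts it at the top of the NAT list).
/ip address add address=192.0.2.81/32 interface=WAN
/ip firewall nat add chain=srcnat src-address=10.5.50.50 action=src-nat \
    to-addresses=192.0.2.81 place-before=0
/ip firewall nat add chain=dstnat dst-address=192.0.2.81 action=dst-nat \
    to-addresses=10.5.50.50

# Check: rule order as the router evaluates it, and that the host route is active.
/ip firewall nat print
/ip route print where dst-address=192.0.2.80/32
```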
 
sublimespot
newbie
Posts: 45
Joined: Sun Sep 11, 2005 2:00 am

Wed Oct 26, 2005 10:57 am

I set this up like you said and have one problem.

If I try to connect to a computer behind hotspot (which has a public IP), the connection goes into the machine but the machine cannot respond back. I can see the incoming connection with the personal firewall on this machine. The SYN request gets sent in.

What rule do I need to add in order to allow this machine behind hotspot (with public IP) to reply back?
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Wed Oct 26, 2005 11:11 am

I use mangle rules on my hotspot, otherwise the packets get rejected since the router wants them to be authenticated by the login screen.

;;; outbound packets for NATTED PC
src-address=192.168.0.173/32 action=accept mark-flow=hs-auth

;;; inbound packets for NATTED PC
dst-address=192.168.0.173/32 action=accept mark-flow=hs-auth
 
sublimespot
newbie
Posts: 45
Joined: Sun Sep 11, 2005 2:00 am

Wed Oct 26, 2005 11:27 am

Hmm. My setup is a bit different. I want them to authenticate on the login screen, but then to have a public IP address so they can run services etc.

Maybe I'm barking up the wrong tree.

In the past I've left them with a private IP, then set up SRC and DST NAT to route the public IP in to them.

Though, if there's an easier way then I'm all for it.
 
jaytcsd
Member Candidate
Posts: 293
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:

Fri Oct 28, 2005 9:18 am

We only have a few users who need to see a specific PC on the hotspot side of the router. I use MAC authorization for them to log in, which eliminates them having to fill in the login screen.

I have also used this on IP video cameras.
 
sublimespot
newbie
Posts: 45
Joined: Sun Sep 11, 2005 2:00 am

Wed Nov 02, 2005 10:47 pm

Man I feel like such an idiot!

I checked Interfaces and it has a setting "ARP: enabled".

I assumed this meant proxy arp was enabled. It does not.

The setting had to be changed to "ARP: proxy arp" - then things started working for me.
 
sublimespot
newbie
Posts: 45
Joined: Sun Sep 11, 2005 2:00 am

Sun Nov 13, 2005 5:55 am

Things are working for the most part with one problem now..

I've got people behind hotspot in the way the original poster does. There are no NAT rules at all. We are using the Route table and the customer has a Public IP address set behind hotspot.

When the clients behind hotspot (with public IP) connect to any port (other than port 80) on a remote server, things behave as expected. The route works, and the source address matches theirs. EXCEPT for destination port 80. When connecting to any website on port 80 (such as whatismyipaddress.com), it shows the source address as the IP address of the MikroTik (as if they are being masqueraded).

There are NO firewall rules on this box. No masquerade rules at all.
 
sublimespot
newbie
Posts: 45
Joined: Sun Sep 11, 2005 2:00 am

Sun Dec 04, 2005 8:36 am

The port 80 solution is to disable transparent proxy.
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Mon Dec 12, 2005 9:33 pm

Great How-To!!!

One question tho..

ipchicken.com is showing my IP and that of the Router

And

whatismyip.com shows my actual IP and a detected proxy that of the router.

Any ideas? I cannot find any proxy setting that is enabled.
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Mon Dec 12, 2005 10:41 pm

I did just find the transparent proxy setting in the default user profile, but when I disable it, all traffic stops. :(
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Any ideas?

Fri Dec 23, 2005 3:39 pm

I am pushing a static public thru the router as described at the top of this thread. When I go to whatismyip.com I get the results pictured below.

What is up with the PROXY?

[screenshot of the whatismyip.com result]

Here are snips from the MT config.

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   69.217.1.66/26     69.217.1.64     69.217.1.127    WAN      
 1   ;;; hotspot network
     10.5.50.1/24       10.5.50.0       10.5.50.255     HOTSPOT  
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf 
 #     DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
 0 ADC 10.5.50.0/24       10.5.50.1                                  HOTSPOT  
 1 A S 69.217.1.80/32     10.5.50.1       r 10.5.50.1                HOTSPOT  
 2 ADC 69.217.1.64/26     69.217.1.66                                WAN      
 3 A S 0.0.0.0/0
[admin@MikroTik] > /ip web-proxy print
 enabled: no
             src-address: 0.0.0.0
                    port: 3128
                hostname: "proxy"
       transparent-proxy: no
            parent-proxy: 0.0.0.0:0
     cache-administrator: "webmaster"
         max-object-size: 4096KiB
             cache-drive: system
          max-cache-size: none
      max-ram-cache-size: unlimited
                  status: stopped
      reserved-for-cache: 0KiB
  reserved-for-ram-cache: 349184KiB

[admin@MikroTik] > /ip proxy print
  enabled: no
                       port: 8080
               parent-proxy: 0.0.0.0:0
  maximal-client-connecions: 1000
  maximal-server-connectons: 1000
[admin@MikroTik] ip hotspot profile> print
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot 
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no 
     use-radius=no 

 1   name="hsprof1" hotspot-address=10.5.50.1 dns-name="" 
     html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 
     smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=0s 
     split-user-domain=no use-radius=yes radius-accounting=yes 
     radius-interim-update=received nas-port-type=ethernet
 
ceacu
just joined
Posts: 8
Joined: Tue Nov 08, 2005 12:22 am

To daiceman: "You FOOL don't have a ADMIN password"

Sun Dec 25, 2005 5:55 pm

To daiceman: "You FOOL don't have an ADMIN password".
Set a password A.S.A.P. and LOOK into your MikroTik LOGS.
Merry Christmas.
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Mon Dec 26, 2005 12:11 am

Well, let's see here. I am not too sure what the big deal is. The 'puter is a crappy little box sitting next to my monitor.

What does it do? Nothing.
What is it protecting? Nothing.
Do I have any sensitive info on it? Nope.

I did password the admin account so that you will be able to sleep tonight without worrying about it.

Happy Holidays
