Hi Folks,

I really, really want to achieve the scenario where my network infrastructure (AP's CPE's switches backhauls and other gear) uses private IP's for their operation and managemnet and then over that infrastructure I route a public IP (or subnet like a /30) to my customers router.

I am currently doing this with 1:1 NAT, but what I want to achieve is the scenario where there is no NAT and the public IP is configured directly on the customers router.

The following diagram shows what I want.

so:

1) is this possible?
2) can anyone give me some pointers? Rgds

Alex

Discussed many times. Not possible.

Discussed many times. Not possible.

Forgive me if I am misunderstanding your reply, but if I understand Alex's question properly, I believe I am doing nearly exactly what he is wanting to do already.

My infrastructure is fully routed, completely addressed with private IP's (172.16.0.0/16 address space to be exact), and have public subnets assigned to the customer AP's. Private IP's on infrastructure gear are all NAT'ed out one public IP simply to allow simple connectivity checks (ping) to be done from infrastructure equipment to external addresses if ever needed.

The main differences between my setup and the one Alex is asking for is that he is putting a public IP subnet on the ethernet side of the customer router, and I have a Cisco router at the front of the network facing the Internet.

It realistically would require he have either autonomous routing (OSPF, etc) configured and working, or a fair amount of static routing work on a network with any size, but it can indeed be done.

All of my public and private IP space can be reached from inside the network (on-net if you will), but only the public IP's can be reached via the Internet as a whole. All AP and CPE services (with the exception of Winbox) are limited to the 172.16.0.0/16 networks. The Winbox port is blocked globally at the border router, which allows for Winbox access everywhere (including from the ethernet side of customer CPE equipment regardless of IP range), but blocks it from the Internet.

Yes, privately addressed backhaul messes with traceroute, but ordinary traffic works just fine. And, it's becoming common practice to kill the ability to traceroute into many networks simply because they are either privately addressed, or the admins just don't want people outside to see the internal structure of their networks.

Perhaps I'm missing something in his question, after all it is getting a bit late for me


Brad

Can you give a hypothetical routing example?

Can you give a hypothetical routing example?

I'll give a not so hypothetical example - I'll give some details on the routing from my main gateway (behind the Cisco), to the external IP of the NAT'ed machine I'm posting this from, we have (all MT gear listed):

xxx.xxx.28.76/29 - ether1, main gateway (public IP space)
172.16.32.254/24 - ether5, main gateway (private IP space)
(ethernet)
172.16.32.241/24 - ether1, uplink site, unit 1 (private IP space)
172.16.123.242/30 - wlan1, uplink site, unit 1 (private IP space)
(ptp wireless)
172.16.123.241/30 - wlan1, site 1, unit 1 (private IP space)
172.16.123.254/29 - ether1, site 1, unit 1 (private IP space)
(ethernet)
172.16.123.253/29 - ether1, site 1, unit 2 (private IP space)
172.16.123.230/30 - wlan2, site 1, unit 2 (private IP space)
(ptp wireless)
172.16.123.229/30 - wlan1, site 2, unit 1 (private IP space)
172.16.123.182/29 - wlan2, site 2, unit 1 (private IP space)
(ptp wireless)
172.16.123.181/30 - wlan1, site 3, unit 1 (private IP space)
172.16.123.166/30 - wlan2, site 3, unit 1 (private IP space)
(ptp wireless)
172.16.123.165/30 - wlan1, site 4, unit 1 (private IP space)
xxx.xxx.125.158/27 - wlan2, site 4, unit 1 (public IP space)
(ptmp wireless)
xxx.xxx.125.129/27 - wlan1, customer cpe, unit 1 (public IP space)
xxx.xxx.127.6/29 - ether1, customer cpe, unit 1 (public IP space)
(ethernet)
xxx.xxx.127.3/29 - ether 1, customer equipment (public IP space)
192.168.251.254/24 - ether 3, customer equipment (NAT'ed to xxx.xxx.127.3)
(ethernet)
192.168.251.10/24 - the machine I'm posting this from

The only place there is any NAT going on is immediately after my machine to the public IP space.


Brad

I do this.

OSPF rulez!

Internal network filled with private IP space and publically accessible IP subnets, but only of course the public IP ones are accessible from the outside world. I also have a public IP subnet as a backbone so I can access any of the routers from outside the network.

I can use any of the IP addresses from any one of my 5 public /28's (arping to me from provider) on any router, OSPF distributes the routes to the other routers and to the edge router, so the edge knows where to find the IP on the internal network! it prevents IP address waste, and doesnt restrict me to locking /28 subnets to any particular router.

It would not work well for large amounts of PPPoE sessions, but works great for 70 sessions great!

alex_rhys-hurn
It is doable.

OSPF would be great to use if you are familiar with it. If not, good 'ole static routing will work just fine.

Here are the basic routes you'll need to insert in to your system.

Whatever 196.200.x.x/27 is (the customer IP block you want to route to the customer router) has to be routed to your main Gateway - I am assuming this is already done...if not that is the first thing that needs to happen.

Gateway router, add a route that 'says' 196.200.x.x/27 (customer IP block) gateway 10.0.0.2 (Access Point)

10.0.0.2 (Access Point) here add another route, 196.200.x.x/24 gateway 10.0.0.3 (cutomer CPE)

Put 196.200.x.x/27 - (pick an address here to use as the gateway for this /27 network) on the CPE LAN

Put a 196.200.x.x/27 IP on the customer router. Now in the customer router the remaining IP addresses will have to be NAT'd there in the router. It has to be one that understands multiple NAT's (1:1 NAT'ing).

OR

For the last part - instead of putting the 196.200.x.x/27 on the CPE LAN side - you could route 196.200.x.x/27 to the customer router and have it handle the entire /27 as a 1:1 NAT. You would simply add a route like this 196.200.x.x/27 gateway Customer Router Private IP Address. NAT the public 196.200.x.x/27 in the customer router.

Now for either of the last two to work it is important that the customer router be able to perform the functions necessary to handle the NAT. So it can not be just ANY router...

R/

alex_rhys-hurn
I was just looking over your diagram again... is this a bridged network? Or did you just sort of throw this diagram together looking for a little knowledge on how to route this over your network?

Beacuse if it is bridged then you have to add only only route to the CPE - bridging takes care of the rest (hopefully this is not a bridged network - bridged networks are wasteful and messy...).

R/

Hi,

It is a routed network and is based on what I want to achieve with the network that I already have.

It is a real life scenario that I want to achieve, right now the Customer routers all have statis private IP's and I want to change that to static publics, as my mini ISP grows I want to try and do things properly for the customer.

So, thanks for all the tips guys, I am now going to go an research the OSPF method as I havent used it before and I need to learn something new anyway.

Cheers!

Alex

Hello all,
This can be done. I have already done it on my network.

Just do ospf, and if you pppoe pptp or whatever point to point, then you can assign public ips without loosing them on creating small network and broadcasts adressess. there's another thing you can do is to try to deploy proxy-arp, then you can set a public ip, but this is not recommended. PPPoE + OSPF this is the solution that many many have deployed and are happy with that

Cheers
Michal

Yep, this is not an issue. Several ways of doing it! Just contact someone that has done it before and I'm sure you can get some help.

Ok, thanks for all the tips folks.

Actually turned out to be much simpler than I thought. I used a static route version, exactly as galaxynet suggested.

Next step is to go and learn OSPF...

One thing I learned to watch out for is how NAT is handled. Up until a basic masquerade rule for all traffic sufficed for my needs, but now of course I have to change this to make SRC-NAT rules for each private IP subnet. This will stop the masquerade rule form interfering with the routed public subnet.

Regards

Alex

This is exactly what I have been looking for! Why hasn't anyone been able to answer my questions? Probably because I was explaining it all wrong. Thanks for this guys.

kccoyote -

So did the post here answer your question or are you looking for more info?

R/

No it did not. I went ahead and posted more information, questions, and my configuration over in

http://forum.mikrotik.com/viewtopic.php?f=2&t=24797

If there is any way that someone can help me, it would be appreciated.