I hava an RB450G.
Unfortunately I did not manage to make it work. I'll tel you a few things about what I want to do and about the ISP that will be used, so you'll make an idea.

Requirements: NAT for 2 PCs, each one getting IPs via DHCP, each PC in each own separate private network, so that they'll be completely isolated.

ISP: My ISP uses an authentication software developed by them inhouse. Some people that have seen the linux script that they offer for linux users say that they programmed it very silly.
The program can be tricked, many have done it on budget routers like Dlink DI-524.
The program connects to a DHCP server and receives IP,Subnet Mask, Gateway, DNS addresses.
In order to trick it I have to use 10.x.x.x local addresses instead of 192.x.x.x

Another aspect is that the ISP sends packets with TTL=1 so that entry level routers without TTL incrementing will not work.


Now let me tell you what I did:
1)I've set the WAN, LAN interfaces and TTL incrementing via terminal

/ ip address add address=85. ... ... ... /27 network=85. ... ... ... broadcast=85. ... ... ... interface=ether1

/ip route add gateway=85. ... ... ...

/ ip address add address=10.25.44.1 /29 network=10.25.44.0 broadcast=10.25.44.7 interface=ether2

/ ip address add address=10.25.45.1/30 network=10.25.45.0 broadcast=10.25.45.3 interface=ether3

/ip firewall mangle add action=change-ttl chain=prerouting new-ttl=set:64


2)I've set the DHCP server , the DNS server and NAT exacly as shown in this tutorial, for the first LAN(ether2), and then everything again, for the second LAN(ether3).
http://wiki.mikrotik.com/wiki/Internet_Sharing

The problem is that the ISP's application doesn't connect, it says "comunication error with the server"

Ping from WAN(ether1) to the gateway 85. ... works.
But ping from WAN(ether1) to LAN(ether2, ether3) timeouts.
ARP ping from WAN(ether1) to LAN(ether2, ether3) works but with around 25% packet loss.

What am I doing wrong?

What am I doing wrong?

Sounds like you are using the wrong ISP. You probably need an ISP that does not mind allowing more than one computer to connect on your account. That does seem to be the point of all that, doesn't it?

They're going to remove the program soon, but this isn't the issue here because using a simple router with TTL incrementing NAT will work without any problems.

IMHO I've set something wrong since I cannot ping from ether1 to ether2 or ether3.

IMHO I've set something wrong since I cannot ping from ether1 to ether2 or ether3.

If you use a srcnat or masquerade, you will not be able to ping ether2 or ether3 from ether1 if all is working correctly. You would need to forward a public ip to those private ips to do that.

I see.

Let's assume that there wasn't that authentication program, and the router would still not work.
What would you check in order to make sure that everything was set correctly?

I would set up my spare router as a fake "internet gateway" and connect it to that. If I can ping the ip assigned to the "gateway" on the spare router, and ping only the public ip on the test router from the spare router, then all should be ok. That will not test dns tho.

Something is wrong.
I've put one PC on ether1, as a fake gateway(just by setting the gateway address and the mask), and pinging the fake gateway from another PC connected to ether2 gives only timeouts.

Please post "/ip firewall nat print" and "/ip dhcp-server network print".

Can you ping ether2's ip (gateway on that network) from a computer connected to ether2? If not, please post "/ip address print". You may x out the first three numbers in any public ip if you feel security is a challenge.

ADD: Just to be sure...in "/ip address", insure the correct ip/netmask is assigned to ether1.

yes i can ping the gateway from a pc connected to that network, but i've typed the command anyway.

I see the challenge. It is the nat. Remove both nats and instead use

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

ADD: And if you want the dhcp clients to use domain names, I would insure you set the dns servers in
"/ip dhcp-server network". Then have all dhcp clients renew their lease.

Will do it right away, but I want 2 different networks. I want the PCs to be isolated from each other, instead of having them in the same network.

If you want to isolate those localnets, do that with

/ip firewall filter
add chain=forward src-address=10.223.44.0/29 dst-address=10.223.45.0/30 action=drop
add chain=forward src-address=10.223.45.0/30 dst-address=10.223.44.0/29 action=drop

You can change action=drop to action=reject if you want the requesting ip to be notified about the block.

It still doesn't ping on the fake gateway. I've deleted those 2 NAT commands and added the general one that you told me.
Haven't tried to isolate the local networks.

Can you ping the public ip on ether1? 85.xx.xx.134
Looks like the gateway on that public net should be 85.xx.xx.129, correct?
On the fake gateway you have 85.xx.xx.129/27 on that interface, correct?

Yes, I can ping from the fake gateway on ether1, and also from ether1 to fake gateway.
Yes I've used this command to add the gateway: /ip route add gateway=85.x.x.129
Yes, on the fake gateway I have 85.x.x.129 /27 or 255.255.255.224

LE: What about the Routes?

LE2: Please tell me what screenshots do you need.
I'm using WinBox and I will post all the needed screenshots no matter how many they are.

My bad! Can you ping 85.xx.xx.134 (ip of ether1) from the computer on ether2?

Yes, I can ping from the PC connected to ether2 to WAN(ether1 85.x.x.134).

Since you volunteered earlier, can you show "/ip route print"? Or screenshot if Winbox.

Just one second.

Here it is:

Just to be certain, check "/interface ethernet". Are there any master-port settings other than 'none'?
Check "/interface bridge". No bridges, correct?

Other than that, I don't see a reason you can't ping the gateway from ether2. The route table shows the public gateway ip as 'reachable', and the correct distance. I'll think about it a little....

ADD: Check the computer on ether2. What ip/netmask/gateway does it show? According to your dhcp server setup on the router, it won't have dns servers.

no bridges, master port none to all except ether1

Where is the computer on ether2? If there were an ethernet device connected to ether2, it would also have a 'R' before the name.

ADD:
pc on ether2:
IP:10.223.44.4
SM:255.255.255.248
GW:10.223.44.1
DNS:10.223.44.1 81.181.x.x 80.96.x.x

LE:It wasn't connected at that moment.

Try disabling the "/ip firewall mangle change-ttl" rule.

They were disabled during all these tests.

If you followed the example in that wiki link, the interfaces were incorrect for your setup. Is there anything in "/ip dhcp-client"? Insure the dhcp-server settings are on the correct interface.
I'm quickly running out of ideas here!

ADD: Anything in "/interface pppoe-client"?

Please wait 5 mins so I can switch the ISP connection to the other computer and I will post all the possible screenshots.

I think I have about all of them now on one post or the other. I see the ip/netmasks are changed from the wiki, so I was just checking everything else there. Take a look at "/interface pppoe-client". Anything there? If so, might disable it just as a test.

part1

part2

part3

nothing in pppoe-client.

LE: I forgot to hide the MAC address, is it bad?

I see nothing wrong. Maybe someone else will see something I dont.

ADD: I just checked my dhcp lease. Yours is incomplete for some reason. Maybe you edited the values out, but here is mine for my laptop in my test router.

i've attached the screenshot with pc2 connected.

LE: I forgot to hide the MAC address, is it bad?

I've started everything from the beginning and I've added only one local network. It seems to work now. The authentication program works too.

I'll try to configure QoS, Port Forwarding, Bandwith Management and Security. I'll come back with questions If I don't manage to configure them myself.

Can I adjust the bandwidth dynamically like 60% for one PC and 40% for the other when both connected, and 100% when single PC connected?