Hi
Please see diagram attached
Our ISP has offered us with a Public IP list of /26 sub-net. We currently have 4 sites that each require a public IP
In our ISP's Data center we have a Mikrotik CCR 1036 and each site respectively has a Mikrotik RB1100AH
The ISP has setup separate Vlans from each of their termination points where the 1100AH's connect in order for us to connect to the Core from each site via the ISP's internal infrastructure (ADSL wireless etc).
Each site has a public 196.x.x.x/26 IP. On the CCR Mikrotik in NOC I have created a bridge interface and made all the Site allocated Vlans part of the Bridge. I have assigned the IP of our Mikrotik CCR in NOC on the Bridge interface. This way each site can speak to the Mikrotik in NOC which is in essence each site's Mikrotik 1100AH's default Gateway. Isolation is put in place so that the sites can't see each other as if on a lan.
My question is, wheat routing type must be in place for the main Mikrotik CCR router in NOC to route inbound traffic from WWW destined for a specific router (1100 AH). Another option would be to give each 1100AH a private IP, assign the Mikrotik CCR the complete /26 IP range on a bridge and create a 1-1 Nat to each site from the CCR in NOC, but is there another way to do this?
-
-
ferdinandbabst
newbie
- Posts: 31
- Joined:
ISP Router Configuration
You do not have the required permissions to view the files attached to this post.
Re: ISP Router Configuration
Without knowing what the topology looks like under that dark cloud, it's hard to tell you the best solution. You can do the 1:1 NAT as you suggested, but there are other ways that might be preferable.
If your infrastructure is in place using RFC address space, you can do this by putting a /32 on each RB1100, then either using OSPF to advertise these routes, or use static routes on the CCR. My personal preference is to use OSPF, as it makes infrastructure expansion a trivial job.
If you have a relatively simple topology, you can bridge everything in and use the /26 in the most obvious way. Use split-horizon to isolate the routers from each other.
If, however, you need to be able to communicate from site-to-site without the sites seeing each other directly, use VLANs to isolate the broadcast domain, then use PTP routing to do the rest:
On the core, put your GW address: 196.x.x.1/26 on your primary LAN interface.
Then, on the VLAN interface, add the same address, but differently so that it properly populates the kernel routing table:
/ip address add address=196.x.x.1/32 network=196.x.x.2 interface=vlan1002
/ip address add address=196.x.x.1/32 network=196.x.x.3 interface=vlan1003
/ip address add address=196.x.x.1/32 network=196.x.x.4 interface=vlan1004
...
Last, configure your RB1100:
/ip address add address=196.x.x.2/32 network=196.x.x.1 interface=vlan1002
/ip route add gateway=196.x.x.1
If your infrastructure is in place using RFC address space, you can do this by putting a /32 on each RB1100, then either using OSPF to advertise these routes, or use static routes on the CCR. My personal preference is to use OSPF, as it makes infrastructure expansion a trivial job.
If you have a relatively simple topology, you can bridge everything in and use the /26 in the most obvious way. Use split-horizon to isolate the routers from each other.
If, however, you need to be able to communicate from site-to-site without the sites seeing each other directly, use VLANs to isolate the broadcast domain, then use PTP routing to do the rest:
On the core, put your GW address: 196.x.x.1/26 on your primary LAN interface.
Then, on the VLAN interface, add the same address, but differently so that it properly populates the kernel routing table:
/ip address add address=196.x.x.1/32 network=196.x.x.2 interface=vlan1002
/ip address add address=196.x.x.1/32 network=196.x.x.3 interface=vlan1003
/ip address add address=196.x.x.1/32 network=196.x.x.4 interface=vlan1004
...
Last, configure your RB1100:
/ip address add address=196.x.x.2/32 network=196.x.x.1 interface=vlan1002
/ip route add gateway=196.x.x.1