ADSL router as bridge + MK

cpresto · Sat Aug 26, 2006 11:27 am

Hi all,
I've got an ADSL connection with a public IP address, that I'm trying to assign directly to one MK interface.
I've configured the ADSL as bridge, and assigned the public IP to on MK interface, network is as follows

ADSL rotuer (as bridge) <-----> MK

I've assigned the public IP address to the MK interface that connects to the ADSL router, masquerading all outgoing traffic from MK. MK Interface have two IP addresses: the public one and a private one in the same subnet of the router.
Router's logs tell me that everithing is OK, but connection doesn't work, despite I'm able to reach the router from MK. Is there something I'm doing wrong?

Thank you in advance

sten · Sat Aug 26, 2006 8:39 pm

Hi all,
I've got an ADSL connection with a public IP address, that I'm trying to assign directly to one MK interface.
I've configured the ADSL as bridge, and assigned the public IP to on MK interface, network is as follows

ADSL rotuer (as bridge) <-----> MK

I've assigned the public IP address to the MK interface that connects to the ADSL router, masquerading all outgoing traffic from MK. MK Interface have two IP addresses: the public one and a private one in the same subnet of the router.
Router's logs tell me that everithing is OK, but connection doesn't work, despite I'm able to reach the router from MK. Is there something I'm doing wrong?

Thank you in advance

If you expected the result to be different then you're doing something wrong. Please post your configuration if you want to know exactly what but from your explanation i see that the private and public is in the same subnet would be a clue to what's going wrong.

cpresto · Mon Aug 28, 2006 11:24 am

Some routers (e.g. Cisco 1721) allow to assign more than one IP address on their interface, these are called "secondary IP address". This is useful in order to save public IP address to connect two (or more) routers.
In my understanding MK should be able to manage such a configuration, so I gave two IP addresses on one interface (WAN interface), that will masquerade all IP traffic on its public IP and communicates with the (bridged) ADSL router on its private IP address.
Configuration is as follows

ADSL <----------------> MK
172.17.1.1

MK
IP 1 172.17.1.254
IP 2 81.73.132.xxx
DG 81.73.132.254
MASK 255.255.255.0

savage · Mon Aug 28, 2006 11:50 am

Past the results of:

/ interface ethernet
/ip address export
/ip firewall nat export

Then we can actually see what you did, and we might be able to help you.

cpresto · Mon Aug 28, 2006 5:26 pm

Quite long....

[admin@Adiesselle] > interface ethernet export
# aug/28/2006 16:21:59 by RouterOS 2.9.29
# software id = LS1J-A5N
#
/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0E:A6:0A:F9:F3 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set ether2 name="ether2" mtu=1500 mac-address=00:40:05:87:14:F2 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set ether3 name="ether3" mtu=1500 mac-address=00:11:95:65:6E:43 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
[admin@Adiesselle] > interface ethernet
[admin@Adiesselle] interface ethernet> ..
[admin@Adiesselle] interface> ..
[admin@Adiesselle] > interface ethernet print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ether1 1500 00:0E:A6:0A:F9:F3 enabled
1 R ether2 1500 00:40:05:87:14:F2 enabled
2 R ether3 1500 00:11:95:65:6E:43 enabled
[admin@Adiesselle] > ip address export
# aug/28/2006 16:22:27 by RouterOS 2.9.29
# software id = LS1J-A5N
#
/ ip address
add address=172.17.1.254/16 network=172.17.0.0 broadcast=172.17.255.255 \
interface=ether1 comment="" disabled=no
add address=192.168.100.2/24 network=192.168.100.0 broadcast=192.168.100.255 \
interface=ether2 comment="" disabled=no
add address=192.168.5.1/32 network=192.168.5.0 broadcast=192.168.5.255 \
interface=ether2 comment="" disabled=yes
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 \
interface=ether2 comment="" disabled=no
add address=81.73.132.120/32 network=81.73.132.0 broadcast=81.73.132.255 \
interface=ether1 comment="" disabled=no
[admin@Adiesselle] > ip firewall nat export
# aug/28/2006 16:22:37 by RouterOS 2.9.29
# software id = LS1J-A5N
#
/ ip firewall nat
add chain=srcnat src-address=192.168.100.0/24 action=masquerade comment="" \
disabled=yes
add chain=srcnat dst-address=0.0.0.0 routing-mark=tecno-routing action=src-nat \
to-addresses=81.73.132.120 to-ports=0-65535 comment="" disabled=yes
add chain=srcnat src-address=!192.168.100.3 action=masquerade comment="Natta \
il traffico" disabled=no
add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=80-81 \
action=dst-nat to-addresses=172.17.1.5 to-ports=81 comment="Sito web \
Tecnospace" disabled=no
add chain=dstnat protocol=tcp dst-port=82 action=dst-nat \
to-addresses=172.17.1.3 to-ports=80 comment="????????????'''''" \
disabled=no
add chain=dstnat dst-address=172.17.1.254 protocol=tcp dst-port=5900 \
action=dst-nat to-addresses=172.17.1.5 to-ports=5900 comment="VNC" \
disabled=no
add chain=dstnat protocol=tcp dst-port=99 action=dst-nat \
to-addresses=192.168.5.2 to-ports=99 comment="" disabled=yes
add chain=dstnat protocol=udp dst-port=4679 action=dst-nat \
to-addresses=192.168.5.2 to-ports=4679 comment="" disabled=yes
add chain=dstnat dst-address=172.17.1.254 protocol=tcp dst-port=4668 \
action=dst-nat to-addresses=192.168.5.2 to-ports=4668 comment="Emule Test" \
disabled=no
add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=4668 \
action=dst-nat to-addresses=192.168.5.2 to-ports=4668 comment="" \
disabled=no
add chain=dstnat dst-address=172.17.1.254 protocol=udp dst-port=4679 \
dst-address-list=list action=dst-nat to-addresses=192.168.100.95 \
to-ports=4679 comment="" disabled=no
add chain=dstnat dst-address=172.17.1.254 protocol=tcp dst-port=4669 \
action=dst-nat to-addresses=192.168.5.4 to-ports=4669 comment="Emule \
DeMariano" disabled=no
add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=4669 \
action=dst-nat to-addresses=192.168.5.4 to-ports=4669 comment="" \
disabled=no
add chain=dstnat dst-address=172.17.1.254 protocol=tcp dst-port=4664 \
action=dst-nat to-addresses=192.168.5.7 to-ports=4664 comment="Emule \
A.Bertino" disabled=no
add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=4664 \
action=dst-nat to-addresses=192.168.5.7 to-ports=4664 comment="" \
disabled=no
add chain=dstnat dst-address=172.17.1.254 protocol=tcp dst-port=4663 \
action=dst-nat to-addresses=192.168.5.5 to-ports=4663 comment="Emule \
S.Bertino" disabled=no
add chain=dstnat dst-address=192.168.100.2 protocol=tcp dst-port=4663 \
action=dst-nat to-addresses=192.168.5.5 to-ports=4663 comment="" \
disabled=no
[admin@Adiesselle] >

jarosoup · Mon Aug 28, 2006 6:24 pm

Your public address assigned to ether1 has the wrong subnet mask.

add address=81.73.132.120/32 network=81.73.132.0 broadcast=81.73.132.255 \
interface=ether1 comment="" disabled=no

What subnet is assigned to your block of IPs? If it is not a /24 then you might want to delete the address and re-add it with the proper subnet mask so that the network and broadcast addresses match the intended subnet mask.

What's the output of "/ip route print"?

What are you trying to do with 172.17.1.254/16?

cpresto · Mon Aug 28, 2006 8:37 pm

Thank you jarosoup for reply,
I've corrected the subnet.
My ISP assigned me:
IP address 81.73.132.120
Subnet mask 255.255.255.0
DG 81.73.132.254

I can assign these to an ADSL router (DLink 504T) on the WAN interface, and everithing is ok. What I'm trying to do is to assign this address to MK (behind DSL504T), using the ADSL router as a bridge, in order to use the single public IP address on MK withouth asking the ISP for an IP public subnet (8 IPs).

Ip route print is as follows
# DST-ADDRESS PREF-SRC G GATEWAY DIS
0 ADC 81.73.132.0/24 81.73.132.120
1 ADC 172.17.0.0/16 172.17.1.254
2 ADC 192.168.5.4/32 192.168.5.1
3 ADC 192.168.5.5/32 192.168.5.1
4 ADC 192.168.5.7/32 192.168.5.1
5 ADC 192.168.5.239/32 192.168.5.1
6 ADC 192.168.5.240/32 192.168.5.1
7 ADC 192.168.5.250/32 192.168.5.1
8 ADC 192.168.5.251/32 192.168.5.1
9 ADC 192.168.5.253/32 192.168.5.1
10 ADC 192.168.5.254/32 192.168.5.1
11 ADC 192.168.5.0/24 192.168.5.1
12 A S ;;; Per raggiungere i clienti PPPoE Pace
192.168.6.0/24 r 192.168.100.3
13 ADC 192.168.100.0/24 192.168.100.2
14 A S 0.0.0.0/0 r 172.17.1.2
r 192.168.100.253
r 192.168.100.253
15 A S 0.0.0.0/0 r 192.168.100.1
16 S 0.0.0.0/0 81.73.132.120 r 81.73.132.254

172.17.1.254/16 is to communicate with the ADSL router, that has (on LAN interface) 172.17.1.1/16. I've added a static route to DSL504T that tells him how to reach 81.73.132.120 (on MK), and it works fine (I'm able to ping 81.73.132.120 from DSL504T)