witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 2:30 pm

Hey guys

So I have a pretty basic setup at the moment:

Mikrotik bridge handling DHCP and wireless - 10.0.0.253/24
Mikrotik ether1 WAN used to talk to ADSL router - 192.168.2.2/24
ADSL router handling PPPoE only - 192.168.2.1/24

bridge-local is as per default - ether2 + wlan1
ports 3-5 are slaves of port 2
ether1 WAN going straight to my ADSL router

Routes:
 #     DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.2.1               1
 1 ADC  10.0.0.0/24        10.0.0.253      bridge-local              0
 2 ADC  192.168.2.0/24     192.168.2.2     ether1-gateway            0

NAT:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default configuration
      chain=srcnat action=masquerade src-address=10.0.0.0/24
      out-interface=ether1-gateway log=no log-prefix=""

As I understand it, there is double NAT going on here as I've got both my Mikrotik and ADSL router involved.

I want to dial PPPoE from the Mikrotik in order to avoid this.

SO - I put my ADSL router in bridge mode - what next? Could someone walk me through basic steps?

Mucho appreciacion...
WB
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 2:38 pm

Never done it personally, but basically you would put the ADSL modem into bridge mode... then set up a PPPoE client on "ether1" on the Mikrotik. Then just utilize the "PPPoE" interface as your "gateway" interface instead of ether1.
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 2:45 pm

When you create the PPPoE client, tick the boxes "Use Peer Dns" and "Add Default Route"
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 2:48 pm

thanks guys

no changes to my mikrotik setup other than that? i.e. routes or NAT ?

also, i've currently got my adsl router's internal IP (192.168.2.2) set up in IP > DNS section. Should I remove that?

Worth mentioning that my ISP gives me dynamic public IP and DNS servers, not static
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 3:05 pm

/ip firewall nat
add action=masquerade chain=srcnat out-interface=THE_PPPoE_NAME_HERE
add action=masquerade chain=srcnat out-interface=bridge-local

And to protect from DNS DDoS attacks:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=THE_PPPoE_NAME_HERE protocol=tcp
add action=drop chain=input dst-port=53 in-interface=THE_PPPoE_NAME_HERE protocol=udp
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 4:03 pm

JB172

Thanks.

It "works" but then I seem to be unable to access my adsl router's web interface (192.168.2.1) although I can ping it... weird

Are you sure those NAT rules are accurate? Isn't this double NAT all over again?
Also, I was told not to NAT bridge-local...

Either way, should src addresses be filled in? Current NAT rule is:

action=masquerade
src addresses=10.0.0.0/24
out int=ether1

Lastly, should I set a DNS in IP\DNS section or not?

Sorry for all the questions...
WB
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Tue Sep 08, 2015 4:09 pm

When you have a PPPoE client on RouterOS and have bridged the ADSL router, the ADSL router acts as a modem only.
Then you have only 1 NAT, and that is on RouterOS.
You may have the DNS of your provider or use 8.8.8.8 as primary and 8.8.4.4 as secondary.
If you set up a DHCP server on your LAN side, you can put the DNS there as well.
If you do not use DNS in the DHCP server (in the Network tab), the clients on your LAN use the DNS from the IP-DNS settings.

Open "New Terminal" and type "export"
Then copy and paste it here. Change critical information like "PPPoE" username and password etc.
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Wed Sep 09, 2015 11:26 am

hey JB

So I've got the mikrotik dialing out PPPoE and my ADSL router in bridge mode.

Everything works, EXCEPT I can not ping or access the ADSL router (192.168.2.1) from my LAN since I made the change and put PPPoE on my Eth1-Gateway port

I CAN however ping it from the mikrotik, so I know it's up (also the internet works :D )

I believe there is some additional NAT rule that I need from digging around the forums, but I've not found anything that can help me yet... Any ideas how to access the ADSL router?

Here is my export:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 password=zzz use-peer-dns=yes user=zzz@zzz

/ip pool
add name=default-dhcp ranges=10.0.0.100-10.0.0.200

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=DHCP1

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1

/ip address
add address=10.0.0.253/24 comment="default configuration" interface=bridge-local network=10.0.0.0
add address=192.168.2.2/24 interface=ether1-gateway network=192.168.2.0

/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" dns-server=10.0.0.253,8.8.8.8,8.8.4.4 gateway=10.0.0.253 netmask=24

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=input comment="PPPoE DDOS Protection (TCP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="PPPoE DDOS Protection (UDP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway log=yes log-prefix=DDOS-RULE protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 src-address=10.0.0.0/24

holding thumbs
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Wed Sep 09, 2015 11:47 am

Because 192.168.2.0/24 is a different network from 10.0.0.0/24, you have access to that network only from RouterOS.

Add IP address 192.168.2.3/24 on ether2.
On one PC, give two static IP addresses: one from 10.0.0.0/24 and a second from 192.168.2.0/24.
Hope that works. :)
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Wed Sep 09, 2015 1:00 pm

but ether2 is bridged with my wlan. the bridge has the ip 10.0.0.253/24

your external router should always be on a different subnet than your LAN. The routes I've got set up should normally let me access the 192.168.2.x subnet fine. It's only since I added the PPPoE interface on Eth1 that I'm unable to get to 192.168.2.1 (adsl router)
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Wed Sep 09, 2015 1:15 pm

The answer was to create a NAT rule (as I thought)

action=masquerade
chain=srcnat
dst. address = 192.168.2.0/24 (subnet of my adsl router)
out interface = Ether1

I changed my previous NAT masquerade rule so that everything went out over pppoe-out1 (it used to be Ether1-gateway). SO this makes sense

:mrgreen:
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: How to Dial ADSL from my Mikrotik / avoid double NAT

Wed Sep 09, 2015 1:59 pm

witblitz wrote:
> but ether2 is bridged with my wlan. the bridge has the ip 10.0.0.253/24
>
> your external router should always be on a different subnet than your LAN. The routes I've got set up should normally let me access the 192.168.2.x subnet fine. It's only since I added the PPPoE interface on Eth1 that I'm unable to get to 192.168.2.1 (adsl router)

Your external router is acting only as a modem right now and not as a router.
Technically speaking, you don't have any problem having two different subnets on the same interface (bridge).
And yes, the NAT to 192.168.2.0/24 was missing for ether1-gateway.
So far so good :D
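
Added example, not part of the thread: a small Python check of the point behind the port-53 drop rules, run against the `/ip firewall filter` input-chain lines of the export posted above (embedded as sample input). It walks the input chain first-match for an unsolicited DNS packet arriving on the PPPoE interface; the function names are illustrative, and matching is simplified to the fields used in this export (no `!` negation, no port ranges, one rule per line).

```python
import shlex

# Sample input: input-chain rules copied from the export posted in the thread.
EXPORT = '''\
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=drop chain=input comment="PPPoE DDOS Protection (TCP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="PPPoE DDOS Protection (UDP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway log=yes log-prefix=DDOS-RULE protocol=udp
'''

TERMINAL = {"accept", "drop", "reject", "tarpit"}  # actions that end evaluation

def parse_filter_rules(export):
    """Return the 'add' lines of the /ip firewall filter section as dicts."""
    rules, in_section = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = (line == "/ip firewall filter")
        elif in_section and line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            rule.setdefault("action", "accept")  # RouterOS default when omitted
            rules.append(rule)
    return rules

def matches_new_dns(rule, wan, proto):
    """True if an enabled input rule matches a NEW port-53 packet arriving on wan."""
    # A matcher that is absent from the rule matches everything.
    if rule.get("disabled") == "yes" or rule.get("chain") != "input":
        return False
    if rule.get("in-interface", wan) != wan:
        return False
    if rule.get("protocol", proto) != proto:
        return False
    if "connection-state" in rule and "new" not in rule["connection-state"].split(","):
        return False
    return "53" in rule.get("dst-port", "53").split(",")

def dns_verdict(rules, wan, proto):
    """First-match verdict for unsolicited DNS on wan; no match means accept."""
    for rule in rules:
        if rule["action"] in TERMINAL and matches_new_dns(rule, wan, proto):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, dns_verdict(parse_filter_rules(EXPORT), "pppoe-out1", proto))
```

On this export the verdict is `drop` only because of the default catch-all rule on `pppoe-out1`. The two explicit port-53 rules are disabled and bound to `ether1-gateway`, so they would not match traffic arriving over `pppoe-out1` even if enabled.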