i bought mikrotik router 750r2 and my isp ogero in lebanon gave me internet efm with 5 real ip

they install their modem in bridge mode

and tell me to configure my router using PPPoe and to disable nat and enable ripv2 so i can connect to internet and get access to my real ip.



Hello, When fixed public IP is required by the customer, the modem must then be place in bridge mode, and the PPPoE must be handled behind it on your separate Ethernet-only router. Note that the router must support the required configuration, that is you must enable RIP V2 and disable NAT. You (eventually your IT) are solely responsible for the configuration of your firewall/router, and we at OGERO do not get involved and cannot provide support to this task nor do we get involved in the router selection task.



Here’s your account credentials as well as the assigned public IP subnet that was readily assigned to your account.



subnet mask: 255.255.255.248 (29)

gateway: 77.42.216.33

Usable ip address: 77.42.216.xx 5 ips

dns servers: dns1: 77.42.128.32

dns2: 77.42.130.32



they gave me username and password to create PPPoe connecting and the ips

i know how to create PPPoe connection but i dont know how to configure the ripv2 and other

can you help me to configure it????

When you configure and enable the PPPoE connection, I suppose the PPPoE server assigns some address outside the public range to that pppoe-outX interface, is that true?

After disabling NAT on PPPoE interface, You need to setup RIP, but still details are missing.

To set up RIP:
You need first to have your public IPs assigned, this is usually done on the own router on empty bridge(s) (loopback device), using dst-nat afterwards to connect internal services to Internet.

Can you post a /ip print once PPPoE is connected? is 77.42.216.33 the remote IP of the tunnel? (appears as network on IP > Addresses)

To set up RIP:

Code: Select all

routing rip> set redistribute-connected=yes ...

I'd be cautious to set redistribute-connected to yes just like that, without filtering on prefixes, you never know how the ISP will handle the incoming advertisement of RFC1918 networks eventually connected at OP's side.

After disabling NAT on PPPoE interface, You need to setup RIP, but still details are missing.

To set up RIP:

Code: Select all

routing rip> set redistribute-connected=yes redistribute-static=yes
routing rip interface> add interface=YOURPPPoE_interface receive=v2 send=v2 passive=no
routing rip network> add network=77.42.216.xx/29

You need first to have your public IPs assigned, this is usually done on the own router on empty bridge(s) (loopback device), using dst-nat afterwards to connect internal services to Internet.

Can you post a /ip print once PPPoE is connected? is 77.42.216.33 the remote IP of the tunnel? (appears as network on IP > Addresses)

dear
i did that the internet work but without my real ip

dear
i did that the internet work but without my real ip

Dear,

there was a question in both mine and @Pukkita's post and you happily ignored it

The point is that your ISP is a bit cryptic on how exactly he expects you to set your side up, there are several ways how it could be done, and from the data they gave you it is not clear which one they choose on their side and expect you to follow. So we need to know the output of /ip address print and /ip route print when the PPPoE interface is up. Don't forget to replace your public addresses by some alias names but leave private addresses, if any, unchanged.

dear
i did that the internet work but without my real ip

Dear,

there was a question in both mine and @Pukkita's post and you happily ignored it

The point is that your ISP is a bit cryptic on how exactly he expects you to set your side up, there are several ways how it could be done, and from the data they gave you it is not clear which one they choose on their side and expect you to follow. So we need to know the output of /ip address print and /ip route print when the PPPoE interface is up. Don't forget to replace your public addresses by some alias names but leave private addresses, if any, unchanged.

each time i connect pppoe it gave me ip like 94.187.61.165 and dns 77.42.128.32 and 77.42.130.32

And what is the remote IP? I gave you the exact commands not for fun, sending the complete output will save us a lot of time. Press "terminal" button in Winbox or Webfig and paste the commands to the window which opens, then copy-paste the response here (no point in obfuscating the addresses as you have disclosed them in the first post anyway).

dear sir
i have same problem like najifares and my isp is the same one and gave me this email that is not clear at all
now i have created pppoe connection and the rip settings as stated above but the problem the real ip i got is not mine and its dynamic and changes every time i connect
i did ip address print
the remote address is 77.42.129.xx and the local address is 94.187.28.154 while mine are different
the ISP is not willing to help or give information i don't know why.
the only information they give is disable NAT, enable ripv2 and use loopback

is there anything i can do ?
another question how do i disable NAT on my pppoe connection ?
thank you in advance

now i have created pppoe connection and the rip settings as stated above but the problem the real ip i got is not mine and its dynamic and changes every time i connect

That's a misunderstanding. The address provided to you using PPPoE (in this run, 94.187.28.154) is used only for the inteconnection, so it can be any address, public or private, except the one(s) assigned to you. So it is not important what it is and that it changes.

The whole idea is that you manually assign "your" public address(es) to one of the interfaces of your Mikrotik (other than the PPPoE one!), and you use RIP to inform the router behind the PPPoE channel that this address is accessible via that channel.

The background is that while you only have got a single static public IP, e.g. the OP has got a whole subnet, and a subnet cannot be assigned using PPPoE as the name suggests. But on the other hand, PPPoE is the only way how to use commodity ADSL modems. So the ISP has everything based on PPPoE.

the only information they give is disable NAT, enable ripv2 and use loopback

Almost correct.

• "Disable NAT" should have actually read "disable NAT on the PPPoE interface" because otherwise packets sent from your static public address would be NATed to the dynamically changing one assigned to the PPPoE. But you may want to NAT everything to your static public IP, and it is possible of course.
• "enable ripv2" means that you will inform the neigbour (the PPPoE server) that your static public address can be routed to via your PPPoE client address. The PPPoE server will update its routing tables accordingly.
• "use loopback" is there because they don't know you use Mikrotik (and don't care either), so what they actually tell you is that you have to assign the static public address to some other interface than the PPPoE one, and if you don't have any (which can be the case where a PC has a single Ethernet port connected to the modem), you should use the virtual interface called loopback or lo on unix-like systems. So in your case, you have to create an /interface bridge name=my-public-ip-holder protocol-mode=none and assign your static public address to it (/ip address add address=your.static.public.ip/32 interface=my-public-ip-holder). Do not make any other interfaces member ports of that bridge.

another question how do i disable NAT on my pppoe connection ?

I assume you use the default firewall and in /ip firewall nat, the is a rule saying chain=srcnat action=masquerade out-interface=pppoe-out1 (or maybe out-interface-list=WAN).

By removing (or disabling) that rule, you disable the NAT.

To NAT packets from your LAN subnet to your static public IP while preserving the RIPv2 packets from getting modified, you have to replace that rule by
chain=srcnat action=src-nat src-address=your.lan.subnet/mask to-addresses=your.static.public.ip out-interface=pppoe-out1

If it doesn't work, follow the suggestion in my automatic signature.

So dear
What should be my configuration step by step?
Thank you

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

dear there is my configuration that i did
should it work?
also i need that when i connect a pc to a port of mikrotik i should put real static ip on pc lan to get internet

/interface bridge
add name=EFM protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=XXXXXXXXXXXXXX use-peer-dns=yes user=\
L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.88.1 to-addresses=77.42.216.32/29
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2
/routing rip network
add network=77.42.216.32/29
add network=192.168.88.0/24
/system identity
set name="EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled

Thank you

dear sir
i have same problem like najifares and my isp is the same one and gave me this email that is not clear at all
now i have created pppoe connection and the rip settings as stated above but the problem the real ip i got is not mine and its dynamic and changes every time i connect
i did ip address print
the remote address is 77.42.129.xx and the local address is 94.187.28.154 while mine are different
the ISP is not willing to help or give information i don't know why.
the only information they give is disable NAT, enable ripv2 and use loopback

is there anything i can do ?
another question how do i disable NAT on my pppoe connection ?
thank you in advance

dear Rabih can you send me your phone number??
thank you

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

Dear
I want to use my public real ip on each ethernet port on mikrotik so the pc connected to mikrotik should have static real ip address to work
Thank you

dear sir
i have same problem like najifares and my isp is the same one and gave me this email that is not clear at all
now i have created pppoe connection and the rip settings as stated above but the problem the real ip i got is not mine and its dynamic and changes every time i connect
i did ip address print
the remote address is 77.42.129.xx and the local address is 94.187.28.154 while mine are different
the ISP is not willing to help or give information i don't know why.
the only information they give is disable NAT, enable ripv2 and use loopback

is there anything i can do ?
another question how do i disable NAT on my pppoe connection ?
thank you in advance

dear Rabih can you send me your phone number??
thank you

Sent from my iPhone using Tapatalk

Thank you sindy for the reply
i also have /29 subnet
that means 5 addresses i must use
i want to be able to use them on a separate devices on LAN
should i add each public address to interface and add it to the bridge?
please if you can send step by step configuration in order to solve this confusion

after your post i knew some facts on what is happening
thank you in advance

So you both have about the same configuration and requirements in terms that you both want to connect something to the LAN ports which has to get one of those public addresses.
(I could call you too but all my Arabic consists of "mumke bukra" so it wouldn't be helpful )

So based on the configuration posted by @Najifares:

First remove this bridge or keep it in place but use its name everywhere below instead of the public-ip-lan:
/interface bridge
add name=EFM protocol-mode=none

Add two bridges (or reuse the one above for one of them). You'll connect devices which need a public address to one of them and devices for which a private address is enough to the other one.
/interface bridge add name=public-ip-lan protocol-mode=none
/interface bridge add name=private-ip-lan protocol-mode=none

Now unless you are connected using Winbox via MAC address of the Mikrotik, you must enter the two following commands on a single line in the terminal window (you cannot do it by clicking) exactly as written here (except the name of the bridge if you have chosen another one, and except @rabienz as your current state may be different). And before doing it, press Ctrl-X to enter safe mode - if something fails, the change will revert after about a minute and you'll be able to get back again:

/ip address set interface=private-ip-lan [find interface=ether2];/interface bridge port add bridge=private-ip-lan interface=ether2

If the change was successful, /ip address print should show you that address 192.168.88.1/24 is on interface private-ip-lan and /interface bridge port print should show you that interface ether2 is a member port of bridge private-ip-lan. If this is true, you may press Ctrl-X again to exit safe mode.

Next, as you will be connecting the box to public addresses, define tight firewall rules limiting access to Mikrotik itself, otherwise some malware will conquer the box in no time:
/ip firewall filter
action=accept chain=input connection-state=established,related
action=drop chain=input connection-state=invalid
action=accept protocol=icmp
action=accept chain=input in-interface=public-ip-lan disabled=yes comment="permit any access from LAN with public IPs if really sure you need it"
action=accept chain=input in-interface=private-ip-lan comment="permit any access from LAN with private IPs"
action=accept chain=input in-interface=pppoe-out1 protocol=udp dst-port=520 comment="permit incoming RIP packets"
action=drop chain=input

Provide also firewall filter rules protecting the LAN devices, once everything starts working you may add rules permitting access from the internet side to those addresses for some services:
/ip firewall filter
action=fasttrack-connection chain=forward connection-state=established,related
action=accept chain=forward connection-state=established,related,untracked
action=drop chain=forward connection-state=invalid
action=accept chain=forward in-interface=public-ip-lan
action=accept chain=forward in-interface=private-ip-lan
action=drop chain=forward

Keep this in place:
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXXXXXXXXXXX use-peer-dns=yes user=L407722@ogeronet-2M.com

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

This has been already changed above:
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0

so now it says
/ip address
add address=192.168.88.1/24 interface=private-ip-lan network=192.168.88.0

replace this line
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
by the following one:
add address=77.42.216.33/29 interface=public-ip-lan network=77.42.216.32
The address must be the one out of the /29 subnet which has not been assigned to you - the idea behind is that this will be the gateway in that public subnet. So maybe it is actually not 77.42.216.33 but 77.42.216.38, I cannot know.

replace this NAT rule
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.1 to-addresses=77.42.216.32/29

by the following one, so that you would only NAT addresses from private-ip-lan as they will access internet, to the address dynamically assigned by the ISP:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24

replace the following
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2
by just this:
/routing rip interface
add interface=pppoe-out1 receive=v2 transmit=v2 passive=no

Keep this:
/routing rip network
add network=77.42.216.32/29

but remove this:
add network=192.168.88.0/24

Now, add an ethernet interface or more (I don't know your device model so cannot be more precise) to the bridge named public-ip-lan:

/interface bridge port
add bridge=public-ip-lan interface=ether3


By now it should work, so if you connect a PC to ether3 and manually set one of the public IPs from the /29 subnet on it, with Mikrotik's address on the bridge as gateway, and open some "what's my IP" web page, it should show that PC's public address.

Dear Sindy
i make the configuration but when i connect the pc with static ip (one of my real ip) to ether3 i didn't get internet to my pc

# jul/25/2018 12:20:50 by RouterOS 6.35.4
# software id = Q5RM-NL4J
#
/interface bridge
add name=private-ip-lan protocol-mode=none
add name=public-ip-lan protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=xxxxxxxxxxxxxxxxxxxxxxxxx use-peer-dns=yes user=\
L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=private-ip-lan interface=ether2
add bridge=public-ip-lan interface=ether3
/ip address
add address=192.168.88.1/24 interface=private-ip-lan network=192.168.88.0
add address=77.42.216.33/29 interface=public-ip-lan network=77.42.216.32
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add chain=input comment=" permit incoming RIP packets" dst-port=520 \
in-interface=pppoe-out1 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=public-ip-lan
add chain=forward in-interface=private-ip-lan
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.88.0/24
/routing rip interface
add interface=pppoe-out1 receive=v2
/routing rip network
add network=77.42.216.32/29
/system clock
set time-zone-name=Asia/Beirut
/system identity
set name=" EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled

Before I start digging into it:

• have you set the public address on the PC manually or did you leave "automatic" there?
• if manually, have you configured any DNS server IPs?
• can you ping the Mikrotik's IP (77.42.216.33) from the PC?

And to speed it up, regardless the answers above, what do the four following command line commands return?

/routing rip print
/routing rip neighbor print
/routing rip interface print
/routing rip network print

Before I start digging into it:

• have you set the public address on the PC manually or did you leave "automatic" there?
• if manually, have you configured any DNS server IPs?
• can you ping the Mikrotik's IP (77.42.216.33) from the PC?

And to speed it up, regardless the answers above, what do the four following command line commands return?

/routing rip print
/routing rip neighbor print
/routing rip interface print
/routing rip network print

yes dear i configure static ip on my pc
ip:77.42.216.38
subnet mask:255.255.255.248
gateway:77.42.216.33
DNS: 77.42.128.32 77.42.130.32

yes i have reply when i ping 77.42.216.33

/routing rip print
distribute-default: never
redistribute-static: no
redistribute-connected: no
redistribute-ospf: no
redistribute-bgp: no
metric-default: 1
metric-static: 1
metric-connected: 1
metric-ospf: 1
metric-bgp: 1
update-timer: 30s
timeout-timer: 3m
garbage-timer: 2m
routing-table: main

/routing rip interface print
Flags: I - invalid, X - disabled, P - passive
# INTERFACE SEND RECEIVE AUTHENTICATION AUTHENTICATION-KEY
0 pppoe-out1 v2 v2 none

/routing rip neighbor print
Flags: X - disabled
# ADDRESS

/routing rip network print
Flags: X - disabled
# NETWORK
0 77.42.216.32/29

if u want also i can you access to my mikrotik to see it

Thank you

Dear sindy,
thank you for your reply
i tried your method and the pc did not work after assigning a public ip to it
i can ping to the mikrotik address which is the gateway
here is my configuration is my config correct ?
please help
thanks in advance

The description of RIP functionality in Mikrotik manual is precise but I didn't believe it first. The /routing rip network items do not define networks that should be advertised but those in which RIP should run. I believed it is not that bad but I was wrong.

Now the problem is that you've said before that every time you get a new PPPoE connection established, the address at your end changes; is this the case also for the remote address or the remote address remains the same? Try several disconnections and reconnections and if the remote address you get is always the same, it will be a bit simpler, because it is the remote address of the PPPoE interface which must match the /routing rip network item. So if it is stable, remember it.

And it would be fine if both of you (@Najifares and @rabienz) could compare the results - if the address is stable, whether both of you get the same one.

So before I ask you for a Teamviewer ID and pin, try the following:

/routing prefix-lists add chain=output prefix=77.42.216.32 prefix-length=29 action=accept
/routing prefix-lists add chain=output prefix=0.0.0.0 prefix-length=0 action=drop
/routing rip interface set [find interface=pppoe-out1] out-prefix-list=output
/routing rip set redistribute-connected=yes
/routing rip network print
/routing rip network remove 0


Now depending on whether the remote address on the PPPoE connection is stable or changes, choose one of the following:

• if it is stable, use /routing rip network add network=the.remote.address/32
• if it is changing, use /routing rip network add network=0.0.0.0/0 and we shall deal with some minor consequences later on.

In any of the two cases, at this moment your 'Tik should start talking with ISP's network using RIP. So provide again the output of the four /routing rip ... print commands, and also of /routing prefix-lists print.

Dear Sindy
i try it and it works
but now just ether3 works, ether2 and ether4 and 5 if i connect it to my pc dont work
is there any solution that ether 2, ether4 and ether5 work like ether2 ?
Thank you

Sure there is, it depends on you which ether ports you decide to make members of which bridge. So if you enable the firewall rule which I've recommeded you to keep disabled, so that you could configure your Mikrotik from a PC connected to the bridge where public IPs are used, you can assign ether2 to ether5 to bridge public-ip-bridge.

If you've used the /routing rip network add network=0.0.0.0/0 , the "minor consequences" are that the Mikrotik now attempts to run RIP on all your interfaces, i.e. including those looking towards the PCs. If you don't care, I do neither. If you do, it would require some additional tricks to get rid of that, depending on how much the remote address of the PPPoE connection is changing.

Dear Sindy
i need that all ether word as ether3
and ip of my pppoe change every time i connect and disconnect
also i cant access my real ip outside of my network
Thank you
hope i can get ur reply

dear
i add bridge=public-ip-lan interface=ether4 and 5
and it works
but still cant access my devices from outside my network

Yes, that's what I've warned you about - you first have to think which services (i.e. tcp and udp ports) on these devices you want to make accessible to the world and set up corresponding permissive firewall rules in the Mikrotik. If you don't want to use the Mikrotik to protect the devices, you may set the rules to permit everything.

Dear
i connect ether3 to my server that have on the wan one of my public ip
and the server manage my network and have kerio firewall on it
like the nvr take ip from server lan and kerio is making port forwarding
so from outside my network when i put the wan server ip with port i can access my nvr

also i cant access my remote desktop server from outside my network

/ip firewall filter add chain=forward action=accept dst-address=ip.of.that.server place-before=[find chain=forward in-interface=public-ip-lan]

offloads all the firewalling of that server to the Kerio.

/ip firewall filter add chain=forward action=accept dst-address=ip.of.that.server place-before=[find chain=forward in-interface=public-ip-lan]

offloads all the firewalling of that server to the Kerio.

Thank you Sindy
it works perfectly

Dear sindy,
i just want to thank you for your effort
my configuration worked

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

dear there is my configuration that i did
should it work?
also i need that when i connect a pc to a port of mikrotik i should put real static ip on pc lan to get internet

/interface bridge
add name=EFM protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=XXXXXXXXXXXXXX use-peer-dns=yes user=\
L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.88.1 to-addresses=77.42.216.32/29
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2
/routing rip network
add network=77.42.216.32/29
add network=192.168.88.0/24
/system identity
set name="EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled

Thank you

Dear naji can you send your phone number i have the same problem

03647634

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

dear there is my configuration that i did
should it work?
also i need that when i connect a pc to a port of mikrotik i should put real static ip on pc lan to get internet

/interface bridge
add name=EFM protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=XXXXXXXXXXXXXX use-peer-dns=yes user=\
L407722@ogeronet-2M.com
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=77.42.216.32/29 interface=EFM network=77.42.216.32
/ip firewall nat
# pppoe-out1 not ready
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.88.1 to-addresses=77.42.216.32/29
/routing rip interface
add interface=pppoe-out1 receive=v2
add disabled=yes receive=v2
/routing rip network
add network=77.42.216.32/29
add network=192.168.88.0/24
/system identity
set name="EFM Jieh"
/system routerboard settings
set cpu-frequency=850MHz protected-routerboot=disabled

Thank you

Dear naji can you send your phone number i have the same problem

Did u solve ur problem? I can help u if u want


Sent from my iPhone using Tapatalk

Dear all
I have the same issue and i was able to configure mikrotik and real ip worked like a charm, and thanks to you guys
but i still have one issue, i need to open incoming http and https ports to the pc having the real ip
thank you

how i can open incoming traffic for http and https for the pc having the real ip ?
thanks

By adding an appropriate rule to an appropriate place in your firewall.

Follow the hint in my automatic signature below if you want more specific advice.

By adding an appropriate rule to an appropriate place in your firewall.

Follow the hint in my automatic signature below if you want more specific advice.

Thanks, very helpfull

Dear Sindy,

I have also the same issue but the public IPs pass to different appliance on lan using only one lan port

I have also the same issue

What exactly is the "same issue" in your case? This topic was dealing with multiple ones throughout its history - first, how to set up RIP to fulfil ISP's requirements so that they could send traffic for your public IP subnet to you, and later how to set up the firewall so that your Mikrotik would forward requests from the internet to the devices on your LAN. So describe in detail what you want to achieve and how far did you get, and post your actual configuration - see my automatic signature below for anonymization hints.

Dear Sindy,

first I would like to thank you for your response...

All my needs is to have alternative route if it is possible through ADSL for my public IPs when leased line goes down for the same ISP Without his intervention .since there is route for these Public IPs from ISP side to Leased line IP /30 that configured in our router interface with MPLS modem.

Appreciate your cooperation and support.

All my needs is to have alternative route if it is possible through ADSL for my public IPs when leased line goes down for the same ISP Without his intervention .since there is route for these Public IPs from ISP side to Leased line IP /30 that configured in our router interface with MPLS modem.

The scenario you describe is quite far from the original theme of this topic, and what is worse, there is no way to achieve exactly what you want without tight cooperation with your ISP. If I get you right and the same ISP company provides both the MPLS connection and the two ADSL connections, they may be able to use the ADSL connectivity as a backup route towards your public IP, but it largely depends on their overall network topology and their willingness to do so. If all the conditions above are met, it can be set up in a way that it doesn't require a human intervention but a dynamic routing protocol must be deployed to take care of the switchover.

If the two ADSL lines are from the same ISP but the MPLS line is provided by another ISP, it is doable by means of a VPN tunnel, so cooperation of the MPLS ISP is still necessary.

Without their cooperation, your only choice is to place a server (physical or virtual one) with a public IP address in some datacenter and either run the application which needs to run at public IP directly on that server or, if you've got strong reasons to run that application on a hardware in your premises, run a Mikrotik CHR on that datacenter server and build VPN tunnels from there to the Mikrotik at your premises via both (all three) uplinks. In this arrangement, the machine in the data center becomes the single point of failure; however, data centers usually have redundant connectivity to internet, and if you run the CHR in a virtual environment operated by the data center, it will usually be respawned on another hardware if the current one fails. So nothing else than a software bug on the CHR should cause a long-term outage of your service in this setup.

Hello Sindy

Sorry to hijack the post
Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN

Thank you so much!

If I don't know the starting point, I cannot give you a step-by-step guide. Press the [terminal] button in WebFig or Winbox and follow the instructions in my automatic signature.

And tell me how you are going to use your 5 public addresses, i.e. whether you are going to assign them to some other devices connected to the LAN side of your Mikrotik, or to your own PPPoE clients, or all of them will be only used to NAT the private addresses of the devices on the LAN.

Plus if you can, revoke the marking of the post by @rabienz as a solution, it is clearly not a solution of your OP.

Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN

If we leave aside all the security aspects, all you need is a set of src-nat and dst-nat rules. So for a bi-directional, port-agnostic 1:1 NAT between a public IP address A.A.A.A and a private IP address B.B.B.B, you would use
/ip firewall nat add chain=dstnat in-interface=pppoe-out1 dst-address=A.A.A.A action=dst-nat to-addresses=B.B.B.B
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 src-address=B.B.B.B action=src-nat to-addresses=A.A.A.A

In the this topic, we consider a case where the traffic from the internet to A.A.A.A arrives to the Mikrotik via an L3 tunnel (PPPoE). In such a setup, there is no need that A.A.A.A was assigned to any interface on the Mikrotik itself.

Depending on your existing /ip firewall filter rules, you may have to explicitly permit the dst-nated traffic to pass from WAN to LAN.

If you don't want a port-agnostic 1:1 NAT but something more fine-grained, use as many dst-nat rules as needed.

I am talking about the same ISP with the same config
and same lack of explanation they give lol
Do i have to do the RIP rules?
I just wanna map different ports on different public ips to some servers on the LAN side
but how do I configure the public IP /29 range I'm assigned if I'm getting a different single ip on pppoe?

Thanks

Can you provide a config where all 5 public addresses are to be used to NAT to different private address subnets on LAN

If we leave aside all the security aspects, all you need is a set of src-nat and dst-nat rules. So for a bi-directional, port-agnostic 1:1 NAT between a public IP address A.A.A.A and a private IP address B.B.B.B, you would use
/ip firewall nat add chain=dstnat in-interface=pppoe-out1 dst-address=A.A.A.A action=dst-nat to-addresses=B.B.B.B
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 src-address=B.B.B.B action=src-nat to-addresses=A.A.A.A

In the this topic, we consider a case where the traffic from the internet to A.A.A.A arrives to the Mikrotik via an L3 tunnel (PPPoE). In such a setup, there is no need that A.A.A.A was assigned to any interface on the Mikrotik itself.

Depending on your existing /ip firewall filter rules, you may have to explicitly permit the dst-nated traffic to pass from WAN to LAN.

If you don't want a port-agnostic 1:1 NAT but something more fine-grained, use as many dst-nat rules as needed.

Do i have to do the RIP rules?

I live quite far away from that ISP and only had the situation proxied by @rabienz and @Najifares.
So from what I got that way, you have to advertise those IPs to ISP's equipment using RIP so that it would send you the traffic. Don't ask me why the ISP needs it, and even more important, don't ask me what happens if you start advertising some other IPs than those assigned to you :)

I just wanna map different ports on different public ips to some servers on the LAN side

So you need more selective dst-nat rules, but the basic idea remains the same.

but how do I configure the public IP /29 range I'm assigned if I'm getting a different single ip on pppoe?

Since the time when the topic has started, I've set up a portable lab on my laptop, so I could now debug the configuration locally.
It seems that RIP can only advertise existing routes, i.e. you cannot add a route to be advertised unless it exists in your routing table.
But you can keep redistribution of all the route types (connected, static, ospf-learned, bgp-learned) disabled and specify networks to be handled by RIP, provided that connected routes to these networks exist. So you have to create a bridge with no member ports and assign any address from your.public.sub.net/29 to it (except the first and last one of course). Then, you configure the RIP:
/routing rip interface
add interface=pppoe-out1 receive=v2 transmit=v2 passive=no
/routing rip network
add network=pppoe.gate.way.ip/32
add network=your.public.sub.net/29
will make the ISP start sending the traffic to you via the PPPoE.

Adding a network=0.0.0.0/0 under /routing rip network causes all connected networks to be advertised, and I could not find a way to filter out the unnecessary ones using /routing filter or /routing prefix-lists. So if you can't find a way, you have to stay with network=pppoe.gate.way.ip under /routing rip network; if that address is different each time the PPPoE client connects, you'll have to use a /ppp profile item for the PPPoE interface with an on-up script that will modify the /routing rip network item accordingly.

Another bit of information you may find interesting: you can use all 8 addresses from the /29, not just 5. You can use dst-nat also for the "network address" and "broadcast address", as well as the own address of the Mikrotik in that subnet, and you can do so even if you assign those 5 addresses directly to the LAN devices and let the MikroTik be their gateway; the only limitation is that the "network" and "broadcast" addresses won't be accessible for the devices running on the other five.

now that is the best reply I ever got on any forum!
thanks a bunch!!!!

Do i have to do the RIP rules?

I live quite far away from that ISP and only had the situation proxied by @rabienz and @Najifares.
So from what I got that way, you have to advertise those IPs to ISP's equipment using RIP so that it would send you the traffic. Don't ask me why the ISP needs it, and even more important, don't ask me what happens if you start advertising some other IPs than those assigned to you :)

I just wanna map different ports on different public ips to some servers on the LAN side

So you need more selective dst-nat rules, but the basic idea remains the same.

but how do I configure the public IP /29 range I'm assigned if I'm getting a different single ip on pppoe?

Since the time when the topic has started, I've set up a portable lab on my laptop, so I could now debug the configuration locally.
It seems that RIP can only advertise existing routes, i.e. you cannot add a route to be advertised unless it exists in your routing table.
But you can keep redistribution of all the route types (connected, static, ospf-learned, bgp-learned) disabled and specify networks to be handled by RIP, provided that connected routes to these networks exist. So you have to create a bridge with no member ports and assign any address from your.public.sub.net/29 to it (except the first and last one of course). Then, you configure the RIP:
/routing rip interface
add interface=pppoe-out1 receive=v2 transmit=v2 passive=no
/routing rip network
add network=pppoe.gate.way.ip/32
add network=your.public.sub.net/29
will make the ISP start sending the traffic to you via the PPPoE.

Adding a network=0.0.0.0/0 under /routing rip network causes all connected networks to be advertised, and I could not find a way to filter out the unnecessary ones using /routing filter or /routing prefix-lists. So if you can't find a way, you have to stay with network=pppoe.gate.way.ip under /routing rip network; if that address is different each time the PPPoE client connects, you'll have to use a /ppp profile item for the PPPoE interface with an on-up script that will modify the /routing rip network item accordingly.

Another bit of information you may find interesting: you can use all 8 addresses from the /29, not just 5. You can use dst-nat also for the "network address" and "broadcast address", as well as the own address of the Mikrotik in that subnet, and you can do so even if you assign those 5 addresses directly to the LAN devices and let the MikroTik be their gateway; the only limitation is that the "network" and "broadcast" addresses won't be accessible for the devices running on the other five.

If anyone needs that script to update /routing rip networks with pppoe gateway:


:global pppoegateway;
#change these values accordingly:
:local pinterface "pppoe-OgeroFiber"
:local subnetogero "192.168.0.0/24"
#No more changes

:log info "Fetching Ogero Gateway"

:local currentgateway [/ip route get number=[find gateway=$pinterface && distance=0 && scope=10] dst-address];

:if ($currentgateway != $pppoegateway) do={

:log info "OgeroGateway: Update needed"

:set pppoegateway $currentgateway

/routing rip network

remove [find]

add network=$pppoegateway

add network=$subnetogero
}

Dear Sindy, and All.

I am in the same boat as @rabienz and @Najifares.
I just subscribed with the same ISP Ogero, providing me a single usable public IP (/30 subnet), received the same E-mail as them etc.

The only difference with my case is that my router is not a Mikrotik, it is a sonicwall firewall.

I was wondering if you could assist in applying all the above in the firewall i have.

Thank you.
Looking forward to hearing from you.

@markovic, the only thing I know about sonicwall is that it exists. So I've asked uncle Google for "sonicwall ripv2" and got this link. It looks pretty simple at first glance to me provided that you have some understanding on what you need to set up to satisfy Ogero, and my previous post should help with that part. What I don't know is whether there is any scripting possibility - if not, you'll have to update the the ARS configuration manually if/when/whenever the address assigned by PPPoE changes.

@markovic, the only thing I know about sonicwall is that it exists. So I've asked uncle Google for "sonicwall ripv2" and got this link. It looks pretty simple at first glance to me provided that you have some understanding on what you need to set up to satisfy Ogero, and my previous post should help with that part. What I don't know is whether there is any scripting possibility - if not, you'll have to update the the ARS configuration manually if/when/whenever the address assigned by PPPoE changes.

Dear Sindy,
Apologies for the late reply.
Sonicwall has a command line interface where we can make necessary configurations via command lines, scripting however i do not know.

We still are not benefitting from the public IP assigned to us, and neither Ogero is assisting, and i'm having a hard time from sonicwall support as well.

I am in no way an expert in configuring the device via command lines (and as far as the UI, i had trouble finding the necessary needed configurations), and looking at the entire commands document guide of the device, i feel like i will learn a whole new language just to get this configuration up and done.

What do you suggest i do?
should i dive in deeper into the configuration, in which in all honesty i will be entering a gray area.

Or should i just get a small router board, MK for example, and put it in between the modem of ogero and the sonicwall firewall to handle the public ip assignment.
(And in this case, what sort of device would you recommend, if you could provide something specific since i am not aware of Mikrotiks devices / models)

Thank you.

If it was me in your situation, inserting a Routerboard between the Sonicwall and the uplink would indeed be the easiest way, because I know something about Mikrotik but much less about Sonicwall. Whether it is also the easiest way for you is up to your own decision - to keep the settings of the Sonicwall totally unchanged, you'll need a little bit more configuration on the Mikrotik than what has been described in this topic so far.

Regarding the Mikrotik model to choose, it depends on the bandwidth your ISP provides you, so tell me the download & upload speeds for the current contract or, if you plan to get more bandwidth in a near future, the expected ones. It also depends in how much you want to modify the configuration of the Sonicwall - if it should keep acting as a PPPoE client, you have to set the Mikrotik to act as a PPPoE server, so the CPU requirements will be slightly higher and thus you may need a more powerful Mikrotik device than if you a use plain IPoE between the Mikrotik and the Sonicwall, which requires a modification of the WAN settings of the Sonicwall.

If it was me in your situation, inserting a Routerboard between the Sonicwall and the uplink would indeed be the easiest way, because I know something about Mikrotik but much less about Sonicwall. Whether it is also the easiest way for you is up to your own decision - to keep the settings of the Sonicwall totally unchanged, you'll need a little bit more configuration on the Mikrotik than what has been described in this topic so far.

Regarding the Mikrotik model to choose, it depends on the bandwidth your ISP provides you, so tell me the download & upload speeds for the current contract or, if you plan to get more bandwidth in a near future, the expected ones. It also depends in how much you want to modify the configuration of the Sonicwall - if it should keep acting as a PPPoE client, you have to set the Mikrotik to act as a PPPoE server, so the CPU requirements will be slightly higher and thus you may need a more powerful Mikrotik device than if you a use plain IPoE between the Mikrotik and the Sonicwall, which requires a modification of the WAN settings of the Sonicwall.

Our bandwith is 300mbps Down, and around half that Up, this is the max that the ISP has to offer, and we do not plan to increase it anytime soon.

Regarding the modification of the configurations,
SonicWall is currently configured as the main router behind Ogero Modem, connecting to Ogero via PPPoE at x1 interface. (it also acts as dhcp, firewall etc...)

The only change I plan to happen, is insert that new Router Board after Ogero Modem, to ONLY handle the current PPPoE IP assignment, with out public IP, and connect to Ogero.
Then connect the routerboard to Sonicwall on the same x1 interface, but instead of PPPoE, the new mode would be Static IP thus the entire network will receive the public IP.

A hAP ac² seems to be the cheapest device to deal with these requirements. For a hEX, it could be a bit too much; a 4011 or a 5009 would clearly be an overkill.

It may still be a bit of a quest to put it all together. I'm afraid we'll have to deal with it when the hAP ac² arrives.

A hAP ac² seems to be the cheapest device to deal with these requirements. For a hEX, it could be a bit too much; a 4011 or a 5009 would clearly be an overkill.

It may still be a bit of a quest to put it all together. I'm afraid we'll have to deal with it when the hAP ac² arrives.

Thank you sindy.
I checked the product.
Correct me if I'm wrong, but I says the product is only an access point and not a router.

And if indeed I am wrong, does it support all the protocols that Ogero requires us to do (disable nat, rip v2 etc...)
Will this device be enough for my configuration?

Which again, will be as follows :

Ogero modem in bridge mode - - - >
Mikrotik router to handle pppoe incoming connection with dynamic public IP, disable nat, advertise rip v2, output one Ethernet cable with our specific public ip that will go to SonicWall - - - >
SonicWall firewall that will be our internal main network device and will handle firewall services, dhcp etc...

I checked the product.
Correct me if I'm wrong, but I says the product is only an access point and not a router.

I use tens of these units and you can trust me that they do route

But it seems Mikrotik should reconsider the way they write product datasheets - for anyone who doesn't know that whatever is running RouterOS is always a router, it may indeed seem that the hAP ac² is just a wireless access point. So you have to look at https://mikrotik.com/product/hap_ac2#fndtn-testresults to see that they mention some routing throughput.

And if indeed I am wrong, does it support all the protocols that Ogero requires us to do (disable nat, rip v2 etc...)
Will this device be enough for my configuration?

From software point of view, all the RouterOS devices have all the routing capabilities, the only difference is the throughput and numbers of some objects that depend on license (like VPN tunnel interfaces). So yes, this device will be enough for your configuration.

Hey Guys,

I have the same issue setting up my public IPs with 3 different Ogero lines.

I have a sonicwall NSA 3600 that does most of the tasks that i need but i am more than okay to get any mikrotik device if it would do the static IP job before heading into the sonicwall.

Would anyone be able to help ?

I can help with the Mikrotik part if that's enough. Since you have 3 lines, it is quite likely you'll need 3 Mikrotiks, as I cannot see a way to make RIP advertise each of the 3 public IPs via another PPPoE client - no instances, no routing filters. If you have a spare PC with two Ethernet cards, it may save some expenses to run a virtual Mikrotik (CHR) on it, using a trial license, to prove the concept before investing into a hardware Mikrotik.

I can help with the Mikrotik part if that's enough. Since you have 3 lines, it is quite likely you'll need 3 Mikrotiks, as I cannot see a way to make RIP advertise each of the 3 public IPs via another PPPoE client - no instances, no routing filters. If you have a spare PC with two Ethernet cards, it may save some expenses to run a virtual Mikrotik (CHR) on it, using a trial license, to prove the concept before investing into a hardware Mikrotik.

Hey,
I would really appreciate you helping with the Mikrotik part, i can take care of the rest. ( I am not really familiar with Mikrotik's products and configurations that is why i am a bit confused)

I have a mikrotik cloud core that i bought just for testing purpose ( i will set up only 1 of the 3 lines that i have a public IP for).

If we can setup a teamviewer/remote session that we could work through it the mikrotik config part in order for it to push a static ip for the sonicwall i would really be grateful.

Thanks a lot in advance,

Have an awesome day

If we can setup a teamviewer/remote session that we could work through it the mikrotik config part in order for it to push a static ip for the sonicwall i would really be grateful.

Here you go: viewtopic.php?p=902082#p902082 (and the three posts after just in case).

If we can setup a teamviewer/remote session that we could work through it the mikrotik config part in order for it to push a static ip for the sonicwall i would really be grateful.

Here you go: viewtopic.php?p=902082#p902082 (and the three posts after just in case).

NVsXTVMzJ0k80Fwf/i1JAxewQsw7JfI38SQG0Cyium8TUMZubwbuPlszFsWax7rg
BkLYWCp9BjGR9qTk4gaIy2yv/jpK2Ra+qBcHNUSwATB5sI5ZYX1EwyUzrhgEd7A1
Uc4vnQJk8fnjgEfEWhHGr7ZkIn08YUE9qlGdbF45hoFW9/tGIuygnp8jKnVL0jz3
ELhokHNIH4mQmP9BKIJZmcbwY1vB9ZVtQEsF1wVNsOveh1K7Eum5kKwHvH9xq6Ml
zA77brbCzkdNOHbhFbWEMf+FWBw8KYURtKxqhOg1o8XW9Myu0SywlgroPiOnsi1B
Jx3izz+UN4viuiCDpnYC5rSMq8JlJET1TPF8tGBLmDJAIG2jw9eHbJRpORsruFGG
wnF9lKqSQO3K28MHGNTuMWkVfjKcbeshVWVHTU9utKAXeqFQfTH+lZVNil+6mVK6
TaZY3ExZ6FLZGuqJ3sEK66yerM4e6EY8fYaoVhh60+oCrnsfDNGMjTo+H9C7lYDq
jX+sgMSgHcG+936HOl8DmYSkFxt0muMbVVobLQckGOaPzATySGTTBzBd3Es6V9zx
+66hr4zUSXAP0GugGVEDIpUVRC2RJoxfJNeTML26qjB0JNbDOc/yNTANYyB4/x0H
12w8e+eqxmT47cNQvwH+h+0FctVFHz5XLwiW8L15jI0=

Is this the correct info that i should provide ?

Is this the correct info that i should provide ?

I don't like open ends, so yes, it is

Since you have 3 lines, it is quite likely you'll need 3 Mikrotiks, as I cannot see a way to make RIP advertise each of the 3 public IPs via another PPPoE client - no instances, no routing filters.

I have to correct myself - routing filters cannot be used with RIP, but routing prefix lists can, so we can control which addresses will be advertised via which uplink.

So the only reason to use multiple Mikrotik devices would be redundancy (which would make little sense unless the SonicWall would be redundant as well) and/or eventual throughput limits of the given Mikrotik model.

Dear Sindy,
I am confused, I have been looking at many posts to try and get a PPoE connection with static IP's working.
The PPoE connection works fine and gives me a dynamic address.
My ISP has given me a /29 block of addresses to use.
A post from 2014 suggested adding all 8 addresses to a loopback interface and use Firewall NAT rules to route each IP to the private IP I wanted to give a public IP. The dst-nat rules seemed OK, they all went above the masqurade rule in the NAT box, but on setting the scrnat rules only the address given to me as a default gateway went above the masquade rule, the others went below it and I could not move them.
Can you help me please?
David.

Can you help me please?

I assume I can help but I am not sure what the problem is.

The order of firewall rules is important but only within the same chain (i.e. rules in chain dstnat can be interleaved with rules in chain scrnat, only the mutual order of rules in the same chain actually matters). In Winbox, you can change the order of rules using drag&drop; in command line, there is the move command. Only dynamically generated rules cannot be moved.

Other than that, you can use the public addresses the above way or you can assign them to devices in your LAN directly, i.e. without any src-nat or dst-nat. It depends on your actual needs.

Dear Sindy,
Thank you for the very prompt reply.
Am I correct in thinking that both the scrnat and dstnat rules must be above the masquerade rule?
I've tried dragging and dropping the dstnat rules, and they don't move, I am using a Linux machine and WebFig. I have just added some more dstnat rules for another device, and they wont move also.
Any good ideas?
David.

There are chains srcnat and dstnat, and there are actions src-nat and dst-nat (and for the sake of completeness, there also connection states srcnat and dstnat that firewall rules in other tables than nat may use to match packets).

Action masquerade is a special case of action src-nat that a) determines the reply-dst-address to src-nat to automatically and b) drops all connections using that reply-dst-address if the router loses that address.

So the mutual order of action=src-nat and action=masquerade rules depends on what you want your firewall to do - if you want to use a 1:1 NAT between each static public IP address and exactly one private address on the LAN, and you want all the other devices in the LAN to get masqueraded to the dynamic public address, you have to put the 1:1 src-nat rules before (above) the masquerade one. If you can choose the LAN addresses you want to be 1:1 NATed to the public ones in such a way that the result of dividing their last byte by 8 would be the same for all of them, you can use a single action=netmap rule in the srcnat chain to replace the private prefix by the public one, keeping the least significant 3 bits unchanged, instead of 8 individual action=src-nat rules.

As I wrote before, the mutual order of rules in chain srcnat and rules in chain dstnat is irrelevant, as the router only looks at a single chain at a time (dstnat is inspected before routing, srcnat is inspected after routing).

I have no idea what browser you use, in Firefox on Windows, dragging the rules in Webfig works normally.

If you can't make it work, do the following in command line:
/ip firewall nat print chain=srcnat
You'll get a numbered list of rules. Choose the number of the rule you want to move (let's say 5) and choose the number of the rule you want to put it before (let's say 2). Then type
/ip firewall nat move 5 destination=2
You'll see in WebFig that the rule has moved, or you can use /ip firewall nat print chain=srcnat again.

To move a rule to the end of the list, use destination=*ffffffff.

Hi Sindy,
Thank you for the reply, I'll try the command line instructions a little later.
Something odd here, the dst-nat rules I entered, port forwarding for a local amateur repeater, were below the masquerade line when I entered them, and would not move, now they are in the correct place above the masquerade line.
Could it be that the router I'm using is the issue. It's an RB850Gx2 running ROS 6.47.9
David.

It's an RB850Gx2 running ROS 6.47.9

Could be that the problems you're seeing are related to older version of either ROS or Winbox. The version of ROS you have on your device is pretty dated. It's fine to stay with v6, but you should upgrade it to latest v6, which is 6.49.10 ... And make sure you'er using latest winbox version 3.40. Or are you using webfig (the web browser based UI)?

Hi Sindy,
The more I try with the RB850Gx2 router the more I doubt it's integrity, I logged into it with a windoze box and Winbox and found I could move the NAT rules as I wanted. But that caused me more issues, I had set up the scr-nat and dst-nat rules to try and allocate a public IP to a test router, this did not work, worse of all now if I try to connect to the routers private IP I get to log into another router, via OSPF which is an RB2011UiAS. It might be that both routers have issues. On the RB2011UiAS the loopback interface and a VLAN had been disabled.

Can you let me have the instructions for programming a LAN port with a public IP, without using scr-nat and dst-nat rules that you mentioned in a previous post.
Thank you.
David.

Can you let me have the instructions for programming a LAN port with a public IP, without using scr-nat and dst-nat rules that you mentioned in a previous post.

There are many ways, from one wasting 5 of your 8 addresses for "overhead" that works with any type of LAN client to more efficient ones where you can use all 8 addresses for your LAN clients but the on the LAN device side differs significantly between operating systems. For example, we were unable to set it up on an UBNT router.

See this post and come back with questions. It may not be the best post on the topic of assigning public addresses to clients efficiently but you can google the better ones here on the forum.

Hi Sindy,
Thank you for the link to a previous post, I can't understand it, I need to spend more time reading it.
What I have done that has had mixed results is change the router, now it's a hEX PoE known as RB950PS, with this one I can move /firewall/nat rules as expected with Webfig.
I set up a loopback address for each of the 8 'public IP's' in the /29. Using dst-nat and src-nat rules the first IP seemed to work. Now none of them work. The first address is allocated as Broadcast by my ISP. Has my ISP seen what I'm doing and blocked me? Since then I've disabled the IP's my ISP labelled as Broadcast, Default Gateway and NET, but the other public IP's still don't work. Should I try allocating the Public IP's without using the dst-nat and src-nat rules?
When I configured the hEX PoE the Firewal/Filter Rules ans Firwall/nat were empty, so I added the rules manually. Now I cannot ping any of the users on this router, although the customer traffic seems unaffected. I've tried disabling the rules I thought might be causing this, without success, any ideas what might be causing the router to block pings?
regards, David.

Post the export of the current configuration, replace any occurrence of the first three bytes of the 8 public addresses with pub.pub.pub and of course remove any usernames/passwords/secrets/private keys before posting, and tell me what kind of equipment it is that your users connect to it (other Mikrotiks, other router (which manufacturer, if in doubt send the first 3 bytes of MAC address), Windows PC, Linux PC, MAC, ...)

Hi Sindy,
I've tried to export a file, but it's not readable.
Can you suggest a method to obtain a plane file that I can edit?
David.

Hi Sindy,
Does this help?
David.
# nov/20/2023 11:47:33 by RouterOS 6.49.9
# software id = SIEV-7BGG
#
# model = 960PGS
# serial number = A51709BED650
/interface bridge
add name=Lo0
add name=Lo1
add name=Lo2
add name=Lo3
add name=Lo4
add name=Lo5
add name=Lo6
add name=Lo7
add name="bridge 208"
add admin-mac=B8:69:F4:82:7B:34 auto-mac=no name=bridge-PPoE
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] name="ether1 BT Fibre"
set [ find default-name=ether2 ] name="ether2 Local AP"
set [ find default-name=ether3 ] name="ether3 Test PPoE"
set [ find default-name=ether4 ] name="ether4 OSPF Radio" poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface pppoe-client
add add-default-route=yes default-route-distance=5 disabled=no interface=\
bridge-PPoE name=pppoe-out1 password=password user=\
username
/interface vlan
add interface="ether4 OSPF Radio" name="ether 4 VLAN 100" vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 name=\
"BT Fibre" router-id=10.255.255.4
/interface bridge port
add bridge="bridge 208" interface="ether2 Local AP" multicast-router=disabled
add bridge="bridge 208" interface=ether5 multicast-router=disabled
add bridge="bridge 208" interface="ether 4 VLAN 100" multicast-router=\
disabled
add bridge=bridge-PPoE interface="ether1 BT Fibre"
add bridge=bridge-PPoE interface="ether3 Test PPoE"
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/ip address
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=10.255.255.4 interface=loopback network=10.255.255.4
add address=172.16.1.18/30 interface="ether4 OSPF Radio" network=172.16.1.16
add address=192.168.208.1/24 interface="bridge 208" network=192.168.208.0
add address=81.xxx.42.216 disabled=yes interface=Lo0 network=81.xxx.42.216
add address=81.xxx.42.217 interface=Lo1 network=81.xxx.42.217
add address=81.xxx.42.218 interface=Lo2 network=81.xxx.42.218
add address=81.xxx.42.219 interface=Lo3 network=81.xxx.42.219
add address=81.xxx.42.220 interface=Lo4 network=81.xxx.42.220
add address=81.xxx.42.221 interface=Lo5 network=81.xxx.42.221
add address=81.xxx.42.222 disabled=yes interface=Lo6 network=81.xxx.42.222
add address=81.xxx.42.223 disabled=yes interface=Lo7 network=81.xxx.42.223
/ip dns
set servers=208.67.220.220,208.67.222.222
/ip firewall filter
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface=pppoe-out1
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="GB3WK port forward" \
connection-state=established,new dst-address=192.168.xxx.240 dst-port=\
5198,5199 out-interface=pppoe-out1 protocol=udp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATED" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forwarding for GB3WK" dst-port=\
5198,5199 in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.xxx.240
add action=dst-nat chain=dstnat comment="Port Forwarding for GB3WK" dst-port=\
5200 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.xxx.40
add action=dst-nat chain=dstnat comment=Global-1 dst-address=81.xxx.42.217 \
to-addresses=192.168.xxx.74
add action=src-nat chain=srcnat comment=Global-1 src-address=192.168.xxx.74 \
to-addresses=81.xxx.42.217
add action=dst-nat chain=dstnat comment=Global-2 dst-address=81.xxx.42.221 \
to-addresses=192.168.xx.61
add action=src-nat chain=srcnat comment=Global-2 src-address=192.168.xxx.61 \
to-addresses=81.xxx.42.221
add action=dst-nat chain=dstnat comment="GB3WK public IP" disabled=yes \
dst-address=81.xxx.42.216 to-addresses=192.168.xxx.240
add action=src-nat chain=srcnat comment="GB3WK public IP" disabled=yes \
src-address=192.168.xxx.240 to-addresses=81.xxx.42.216
add action=dst-nat chain=dstnat comment="GB3MW public IP" disabled=yes \
dst-address=81.xxx.42.223 to-addresses=192.168.xxx.201
add action=src-nat chain=srcnat comment="GB3MW public IP" disabled=yes \
src-address=192.168.xxx.201 to-addresses=81.xxx.42.223
add action=dst-nat chain=dstnat comment="GB7YJ public IP" disabled=yes \
dst-address=81.xxx.42.222 to-addresses=192.168.xxx.201
add action=src-nat chain=srcnat comment="GB7YJ public IP" disabled=yes \
src-address=192.168.xxx.201 to-addresses=81.xxx.42.222
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none \
out-interface=pppoe-out1
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=80
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set show-dummy-rule=no
/routing ospf interface
add authentication=simple authentication-key=scampy cost=5 interface=\
"ether4 OSPF Radio" network-type=nbma
add interface=loopback
/routing ospf nbma-neighbor
add address=172.16.1.17 priority=1
/routing ospf network
add area=backbone network=10.255.255.4/32
add area=backbone network=172.16.1.16/30
/system clock
set time-zone-name=Europe/London
/system identity
set name="BT Fibre"
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=192.168.xxx.204
/tool graphing interface
add interface="ether1 BT Fibre"
add interface="ether2 Local AP"
add interface="ether4 OSPF Radio"
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Does this help?

It defnitely does.

You can actually attach all the public addresses to a single interface, but having dedicated ones is not a mistake.

I can see your src-nat and dst-nat rules do not match on out-interface and in-interface, respectively, but that is also not a mistake in this particular case, as you probably want e.g. GB3WK to talk to GB3MW via their public addresses, is that a correct assumption?

In general I cannot spot anything that would explain the issues you describe. So make a terminal window as wide as your screen allows, run /tool sniffer quick ip-address=81.xxx.42.217,192.168.xxx.74 ip-protocol=icmp in it, and ping 81.xxx.42.217 from the outside.

What is the output?

Hi Cindy,
Sorry for the delayed response, work got in the way.
I think I've found the issue why I could not 'ping' certain addresses, in the latest router under OSPF, Instances, I had not allowed Redistribute Connected Routes.
The routes for GB3WK & GB3MW are to allow the repeaters to talk to an EchoLink server, this then allows, or disallows further communication. I have modified the rules and I think they are correct now.
I've tried to run the /tool sniffer line you suggested, without success. Trying to copy and paste the line into a terminal window failed, so I tried to enter the line manually, this also failed.
David.

Trying to copy and paste the line into a terminal window failed, so I tried to enter the line manually, this also failed.

Have you replaced the xxx in the IP addresses by the correct numeric values before pasting? But as you say you had to adjust the OSPF settings, maybe the sniffing is not necessary any more as it works as you expect now?

Hi Sindy,
Thank you for the reply. The 'ping' problem is now resolved.
I still cannot access private IP's when allocated with a public IP. If I use dst-nat and src-nat do I need to allocate an in-interface and out-interface? If so I presume pppoe-out is my in-interface? Is my out-interface the pppoe feed, in my case ether 1 BT Fibre?
I've been reading an older post that you sent, trying to understand how it works.
David.

If e.g. GB3WK needs to talk to GB3MW's public address, the dst-nat rule must act not only for in-interface=pppoe-out1 (or what the uplink interface name is) for access from the internet, but also for in-interface=bridge (or what the name of the interface to which GB3WK and GB3MW are connected is), so there is probably no need to specify in-interface at all. If the two GB3xx devices are in the same private subnet, you will also need the srcnat rule to ignore out-interface when replacing the provate source address by the public one.

For the sake of completeness, a dst-nat rule cannot match on out-interface because dst-nat takes place before routing, so the out-interface is not known at that stage of packet processing yet.

Hi Sindy,
I think I have confused you, the port forwarding for GB3WK & GB3MW is working.

I still cannot access private IP's when allocated with a public IP. If I use dst-nat and src-nat do I need to allocate an in-interface and out-interface? If so I presume pppoe-out is my in-interface? Is my out-interface the pppoe feed, in my case ether 1 BT Fibre? I have tried adding an in-interface and out-interface, the public IP then connects me to the router which has the PPPoE interface.

The config I'm trying is:-
dst-nat, dst.address public IP, action dst-nat, to address private IP 192.168 etc.
src-nat, src.address private IP,action src-nat, to address public ip.

Should I drop the idea of using dst-nat and src-nat rules and use another method? If so which one?
Thank you, David.

I still cannot access private IP's when allocated with a public IP.

I don't understand this sentence. Tell me the exact address you want to access and the exact address you want to access it from.

Should I drop the idea of using dst-nat and src-nat rules and use another method? If so which one?

I don't think so at this stage. The dst-nat/src-nat method is the smplest one to configure overall, it just doesn't allow the public addresses to be up directly on the "customer's" devices.

Hi Sindy,
The private IP I want to use is 192.168.121.200
The public IP I want to use is 81.143.42.218
David.

Please bear in mind that English is not my native language, which is probably the reason why I cannot extrapolate from your minimalistic descriptions.

I need an example of a particular connection that does not work, with the private (and public, if used) address of the initiator of that connection ("client") and the private (and public, if used) address of the responder in that connection ("server").

Because I still could not understand which connections to the "premium customers" (those that have a public address allocated) do work and which don't. I can imagine several categories of connections:

1. from an initiator in the internet to the public address of the "premium customer"
2. from an initiator in the LAN who only has a private address to the public address of the "premium customer"
3. from an initiator in the LAN who only has a private address to the private address of the "premium customer"
4. from an initiator in the LAN who is a "premium customer" himself to the public address of the "premium customer"

Do I assume correctly that all of these work except 2.?

Hi Sindy,
Sorry for the confusion I've caused.

As far as I can tell nothing, in-going or out-going is working.

I have setup a test Mikrotik router on my network with the address of 192.168.121.200, the router is a RB2011UAS. I can access this router using 192.168.121.200, but I cannot access it with 81.143.42.218

I would like to access this router with the public IP of 81.143.42.218

I have programmed the dst-nat and src-nat rules for the above. I have disabled the other 7 rules for public IP's in this /29

The dst-nat counter shows traffic is flowing with that rule, but the src-nat counter shows zero traffic.

Hope this helps.
David.

I can access this router using 192.168.121.200, but I cannot access it with 81.143.42.218
I would like to access this router with the public IP of 81.143.42.218

From where??? From a device on a private address in LAN or from a device in the internet, such as your mobile cphone connected to LTE rather than the WiFi AP in the LAN?

The dst-nat counter shows traffic is flowing with that rule, but the src-nat counter shows zero traffic.

That would be correct for inbound connections to the 81.x.x.x. Only the initial packet of each connection is handled by the rules in dstnat and srcnat chains, so for an inbound connection, the dst-nat rule translates the 81.x.x.x. to 192.168.x.x, but no src-nat rule matches (currently). The eventual actions taken by the dst-nat and/or src-nat rules is remembered in the context data of the tracked connection and repeated for each subsequent packet of that connection, with regard to its direction. So within an inbound connection, all the "responses" of the server are automatically "un-dst-nated" and all the "requests" from the client are automatically dst-nated the same way like the initial one was.

Hi Sindy,
I can access 192.168.121.200 from another connection to my LAN.
I have tried accessing 81.143.42.218 from my LAN which will route it over the fiber connection, I've also got a 5G backup with Vodafone, using this interface gives the same results, the dst-nat counter counts, but no connection to the router with the IP 192.168.121.200
David.

In the configuration export you have posted earlier, 192.168.121.0/24 does not exist, nor is there any route to that subnet via some tunnel. So I cannot give you any useful response until you clarify this discrepancy.

Hi Sindy,
Thank you for the reply.
I have replaced the 192.168.121.200 with a local address on the PPPoE router, and that works fine, the address 81.143.42.218 is still enabled if you wish to try it. It connects to a thin client running Devuan.

To my way of thinking this is therefore an OSPF issue, I use OSPF to connect all my routers.
Can you suggest on OSPF expert who may be able to help?
David.

Hi Sindy,
I have solved the problem, The scr-nat and dst-nat rules only work on IP's that are 'homed' on the router, even if they do appear in the routes table from the OSPF settings.
What I have done is set up a VLAN to the routers that require a public IP, and given the devices an IP from the PPPoE router, connected via the VLAN. All working now.
Thank you very much for your help.
David.

Hello everyone, Sorry for the duplicated, i created a new post where i could post here.

I have the same issue discussed in 2018 here. I've been going through it for few days now and i couldn't manage to make the configuration work.

I am not a network Engineer but more an advanced user with curiosity to solve issues. I would like some help if possible and i will explain my criteria:

I have the same provider and the same conditions in the previous article.

settings provided from ISP is PPPoE username and password. in addition they provided 1 static real IP to be used in a /30 subnet. and require to disable NAT and use RIPv2.

In design [ISP Fiber Modem in bridge mode] Connected Cat6 Cable to Mikrotik Port1 then Mikrotik Port2 connected to Fortigate Wan port.

what i want is to use the the real IP either directly on FortiGate or from Mikrotik and forward traffic from/to this IP.

I can reset the router and test/apply any configuration needed.

Good Morning,
I don't know how much help I can be, I got a /29 subnet working, with lots of help and guidance from Sindy. I did not disable NAT or use RIPv2.
I started off with a post from 2014 from which I extracted the following:-

ip firewall nat
# Nat everything for Server1
add chain=srcnat action=src-nat src-address=192.168.0.10 to-address=11.22.33.8
add chain=dstnat action=dst-nat dst-address=11.22.33.8 to-address=192.168.0.10
# Nat everything for Mail Server
add chain=srcnat action=src-nat src-address=192.168.0.100 to-address=11.22.33.9
add chain=dstnat action=dst-nat dst-address=11.22.33.9 to-address=192.168.0.100
# NAT only ports for Web Server
add chain=dstnat action=dst-nat dst-address=11.22.33.10 dst-port=80 \
to-address=192.168.0.80 to-port=80
add chain=dstnat action=dst-nat dst-address=11.22.33.10 dst-port=443 \
to-address=192.168.0.80 to-port=443
# NAT for outbound browing 'n stuff - use Dynamic Address
add chain=srcnat action=masquerade out-interface=pppoe-1

Hope this helps.
David.

settings provided from ISP is PPPoE username and password. in addition they provided 1 static real IP to be used in a /30 subnet. and require to disable NAT and use RIPv2.

In design [ISP Fiber Modem in bridge mode] Connected Cat6 Cable to Mikrotik Port1 then Mikrotik Port2 connected to Fortigate Wan port.

what i want is to use the the real IP either directly on FortiGate or from Mikrotik and forward traffic from/to this IP.

So there are actually two parts, only loosely related to each other. One is to set up the RIPv2 the necessary way to let the ISP know which public /30 to route to you (which still seems to me like a crazy way of doing things at their side, but that's how it is), and the other one is how to forward the traffic for one of those addresses to the Fortigate. Using just one of them for the Fortigate and wasting the rest on the interconnection between the Mikrotik and the Fortigate is the simplest and most stupid way of doing that, but it may be the only possible one depending on what the configuraion possibilities on Fortigate are.

So tell me what have you achieved so far and what are the WAN settings available at your Fortigate.

Hello,

Thank you David and also Sindy for replying.

my reply here is to sindy.
in the beginning i did not use the Mikrotik and tried to achieve this on Fortigate directly but it was painful to get it working and i couldn't. the WAN Interface on Fortigate has 3 options. Manual IP, DHCP and PPPoE. in addition, on fortigate i have SD-WAN Configured for loadbalancing and failover so NAT is a must here where i can only route 0.0.0.0/0 once. here where i tought i could add a mikrotik to handle the pppoe and the real IP from the ISP and i use the fortigate to communicate with mikrotik without messing with fortigate's configuration.

so the mikrotik right now is brand new i just did a factory reset. if you want we could start from scratch here.

so what do you suggest to do?

settings provided from ISP is PPPoE username and password. in addition they provided 1 static real IP to be used in a /30 subnet. and require to disable NAT and use RIPv2.

In design [ISP Fiber Modem in bridge mode] Connected Cat6 Cable to Mikrotik Port1 then Mikrotik Port2 connected to Fortigate Wan port.

what i want is to use the the real IP either directly on FortiGate or from Mikrotik and forward traffic from/to this IP.

So there are actually two parts, only loosely related to each other. One is to set up the RIPv2 the necessary way to let the ISP know which public /30 to route to you (which still seems to me like a crazy way of doing things at their side, but that's how it is), and the other one is how to forward the traffic for one of those addresses to the Fortigate. Using just one of them for the Fortigate and wasting the rest on the interconnection between the Mikrotik and the Fortigate is the simplest and most stupid way of doing that, but it may be the only possible one depending on what the configuraion possibilities on Fortigate are.

So tell me what have you achieved so far and what are the WAN settings available at your Fortigate.

I think I managed to make it work, I will share the below Configs. I would like to know if that's Okay or if i can improve something.

#
/interface bridge
add name=Ogero-Public-IP
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Ogero
set [ find default-name=ether2 ] name=ether2-FG
set [ find default-name=ether3 ] name=ether3-Management
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Ogero name=Ogero-PPPoE password=XXXXXXXXXXXXXXXXXXXXXX user=\
F1XXXX4@ogeronet-2M.com
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.130.131.1/30 interface=ether2-FG network=10.130.131.0
add address=1X8.1X5.61.1X4/30 interface=Ogero-Public-IP network=1X8.1X5.61.1X2
/ip cloud
set update-time=no
/ip firewall filter
add action=accept chain=input comment="WinBox Rules" dst-port=8291 in-interface=ether3-Management protocol=tcp
add action=accept chain=input comment="Ping Rules" connection-state=established protocol=icmp
add action=accept chain=input connection-state=related protocol=icmp
add action=accept chain=input limit=5,30:packet protocol=icmp
add action=drop chain=input protocol=icmp
add action=accept chain=input comment="Established Rules" connection-state=established,related in-interface=Ogero-PPPoE
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Allowed Subnets" src-address=10.130.131.0/30
add action=accept chain=forward dst-address=10.130.131.0/30
add action=drop chain=input comment="Implicit All" in-interface=Ogero-PPPoE
add action=drop chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1X8.1X5.61.1X4 to-addresses=10.130.131.2
add action=src-nat chain=srcnat src-address=10.130.131.2 to-addresses=1X8.1X5.61.1X4
/routing rip interface
add interface=Ogero-PPPoE receive=v2
/routing rip neighbor
add address=77.42.129.99
/routing rip network
add network=1X8.1X5.61.1X2/30
add network=10.130.131.0/30
##############
i was missing the highlighted in red above which is the gateway received when connected to PPPoE. my Concern is what if this gateway changes all of a sudden? is there a way to make it automated. i saw a script earlier in this topic... but i prefer a second opinion.

regards,

I would like to know if that's Okay or if i can improve something.

I have no idea what Mikrotik model you use and what DL/UL bandwidth Ogero gives you. Depening on these factors, you might want to save some CPU cycles per packet. Assigning the public IP directly to the Fortigate would remove the need for NAT, which in turn would remove the need for connection tracking of the communication between the Fortigate and the internet. To assign a public address directly to the Fortigate, you can set its own WAN address to that public one with a /32 mask and set the gateway to 10.130.131.1 - this is definitely possible if you set up a PPPoE server on the Mikrotik and set the WAN mode of the Fortigate to PPPoE, but doing that would somehow deny the purpose of lowering the CPU load. Whether the FG can accept such a setup in a plain IP-over-Ethernet configuration (static or DHCP) needs to be tested - some vendors can handle that, some cannot. In any of these "two and a half" variants, you would have to disable (and later remove if it works) the public address on the Mikrotik. The CIDR mask of the address assigned to ether2 would have to change from /30 to /32 and the network parameter of that address would have to change to the public address assigned to the FG.

A secondary effect of such change would be that you could use the remaining three public addresses from the /30 for other purposes - it may or may not be useful for you.

i was missing the highlighted in red above which is the gateway received when connected to PPPoE. my Concern is what if this gateway changes all of a sudden? is there a way to make it automated. i saw a script earlier in this topic... but i prefer a second opinion.

That's a task for someone else, I cannot provide a second opinion for a script suggested by myself But I could not find any other way in the meantime since posting that.

I would like to know if that's Okay or if i can improve something.

I have no idea what Mikrotik model you use and what DL/UL bandwidth Ogero gives you. Depening on these factors, you might want to save some CPU cycles per packet. Assigning the public IP directly to the Fortigate would remove the need for NAT, which in turn would remove the need for connection tracking of the communication between the Fortigate and the internet. To assign a public address directly to the Fortigate, you can set its own WAN address to that public one with a /32 mask and set the gateway to 10.130.131.1 - this is definitely possible if you set up a PPPoE server on the Mikrotik and set the WAN mode of the Fortigate to PPPoE, but doing that would somehow deny the purpose of lowering the CPU load. Whether the FG can accept such a setup in a plain IP-over-Ethernet configuration (static or DHCP) needs to be tested - some vendors can handle that, some cannot. In any of these "two and a half" variants, you would have to disable (and later remove if it works) the public address on the Mikrotik. The CIDR mask of the address assigned to ether2 would have to change from /30 to /32 and the network parameter of that address would have to change to the public address assigned to the FG.

A secondary effect of such change would be that you could use the remaining three public addresses from the /30 for other purposes - it may or may not be useful for you.

i was missing the highlighted in red above which is the gateway received when connected to PPPoE. my Concern is what if this gateway changes all of a sudden? is there a way to make it automated. i saw a script earlier in this topic... but i prefer a second opinion.

That's a task for someone else, I cannot provide a second opinion for a script suggested by myself But I could not find any other way in the meantime since posting that.

I am using x86 Mikrotik on a VMware ESXi.

for 280Mbps download and 150 Upload.

the script am talking about was posted by DjSam

:global pppoegateway;
#change these values accordingly:
:local pinterface "pppoe-OgeroFiber"
:local subnetogero "192.168.0.0/24"
#No more changes

:log info "Fetching Ogero Gateway"

:local currentgateway [/ip route get number=[find gateway=$pinterface && distance=0 && scope=10] dst-address];

:if ($currentgateway != $pppoegateway) do={

:log info "OgeroGateway: Update needed"

:set pppoegateway $currentgateway

/routing rip network

remove [find]

add network=$pppoegateway

add network=$subnetogero
}

please advise.

I am using x86 Mikrotik on a VMware ESXi for 280Mbps download and 150 Upload.

If so, conserving CPU on the Mikrotik VM might help the other VMs on the machine, but if that's not important, no need to change anything about the configuration.

the script am talking about was posted by DjSam

Indeed, I've said I've proposed to use a script, not that I've provided the contents of the script

Regarding the script itself - given that it will run once a day at most, there is no need to optimize it. The scripts spawned by on-up and on-down items of /ppp profile have access to a global variable holding the name of interface (and to several other global variables), so defining the interface name "manually" in the script could be avoided, but as said it doesn't deserve the time needed for debugging the change.

I am using x86 Mikrotik on a VMware ESXi for 280Mbps download and 150 Upload.

If so, conserving CPU on the Mikrotik VM might help the other VMs on the machine, but if that's not important, no need to change anything about the configuration.

the script am talking about was posted by DjSam

Indeed, I've said I've proposed to use a script, not that I've provided the contents of the script

Regarding the script itself - given that it will run once a day at most, there is no need to optimize it. The scripts spawned by on-up and on-down items of /ppp profile have access to a global variable holding the name of interface (and to several other global variables), so defining the interface name "manually" in the script could be avoided, but as said it doesn't deserve the time needed for debugging the change.

Thank you once again.

in regard for the vmware. they have plenty of available resources and mikrotik vm is only using 1 cpu. watching the cpu load it is not reaching 30% as a peek and most of the time below 10%.

i will keep an eye on the pppoe network if it changes, will consider the script or write a different one... i might get back here for guidance.

appreciate your kind support.

Good evening all,

I did not understand the architecture that is provided by Ogero for such services. Isn’t it possible to be just as simple as normal router configuration instead of bridge mode. I tried configuring some of the above configuration without success. Ogero provided me with /30 one usable real IP and I don’t know where this IP should be configured. Should it be places on an interface of the mikrotik or on the PC behind the mikrotik. Also I noticed that most of the configuration above is creating bridges as local ip and external IP, can those bridges be just interfaces.

Thanks in advance for the help.