How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 2:30 pm
by witblitz
Hey guys
So I have a pretty basic setup at the moment:
Mikrotik bridge handling DHCP and wireless - 10.0.0.253/24
Mikrotik ether1 WAN used to talk to ADSL router - 192.168.2.2/24
ADSL router handling PPPoE only - 192.168.2.1/24
bridge-local is as per default - ether2 + wlan1
ports 3-5 are slaves of port 2
ether1 WAN going straight to my ADSL router
Routes:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.2.1 1
1 ADC 10.0.0.0/24 10.0.0.253 bridge-local 0
2 ADC 192.168.2.0/24 192.168.2.2 ether1-gateway 0
NAT:
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade src-address=10.0.0.0/24
out-interface=ether1-gateway log=no log-prefix=""
As I understand it, there is double NAT going on here as I've got both my Mikrotik and ADSL router involved.
I want to dial PPPoE from the Mikrotik in order to avoid this.
SO - I put my ADSL router in bridge mode - what next? Could someone walk me through basic steps?
Mucho appreciacion...
WB
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 2:38 pm
by efaden
Never done it personally, but basically you would put the ADSL modem into bridge mode... then setup a PPPoE client on "ether1" on the mikrotik. Then just utilize "PPPoE" interface as your "gateway" interface instead of ether1.
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 2:45 pm
by JB172
When you create the PPPoE client, tick the boxes "Use Peer Dns" and "Add Default Route"
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 2:48 pm
by witblitz
thanks guys
No changes to my Mikrotik setup other than that? i.e. routes or NAT?
Also, I've currently got my ADSL router's internal IP (192.168.2.2) set up in the IP > DNS section. Should I remove that?
Worth mentioning that my ISP gives me dynamic public IP and DNS servers, not static
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 3:05 pm
by JB172
/ip firewall nat
add action=masquerade chain=srcnat out-interface=THE_PPPoE_NAME_HERE
add action=masquerade chain=srcnat out-interface=bridge-local
And to protect from DNS DDoS attacks:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=THE_PPPoE_NAME_HERE protocol=tcp
add action=drop chain=input dst-port=53 in-interface=THE_PPPoE_NAME_HERE protocol=udp
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 4:03 pm
by witblitz
JB172
Thanks.
It "works" but then I seem to be unable to access my adsl router's web interface (192.168.2.1) although I can ping it... weird
Are you sure those NAT rules are accurate? Isn't this double NAT all over again?
Also, I was told not to NAT bridge-local...
Either way, should src addresses be filled in? Current NAT rule is:
action=masquerade
src addresses=10.0.0.0/24
out int=ether1
Lastly, should I set a DNS in IP\DNS section or not?
Sorry for all the questions...
WB
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Tue Sep 08, 2015 4:09 pm
by JB172
When you have a PPPoE client on RouterOS and have bridged the ADSL router, the ADSL router acts as a modem only.
Then you have only 1 NAT, and that is on RouterOS.
You may have the DNS of your provider or use 8.8.8.8 as primary and 8.8.4.4 as secondary.
If you set up a DHCP server on your LAN side you can put the DNS there as well.
If you do not use DNS in the DHCP server (in the Network tab), the clients on your LAN use the DNS of the IP-DNS settings.
Open "New Terminal" and type "export"
Then copy and paste it here. Change critical information like "PPPoE" username and password etc.
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Wed Sep 09, 2015 11:26 am
by witblitz
hey JB
So I've got the mikrotik dialing out PPPoE and my ADSL router in bridge mode.
Everything works, EXCEPT I cannot ping or access the ADSL router (192.168.2.1) from my LAN since I made the change and put PPPoE on my Eth1-Gateway port.
I CAN however ping it from the Mikrotik, so I know it's up (also the internet works).
I believe there is some additional NAT rule that I need from digging around the forums, but I've not found anything that can help me yet... Any ideas how to access the ADSL router?
Here is my export:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 password=zzz use-peer-dns=yes user=zzz@zzz
/ip pool
add name=default-dhcp ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=DHCP1
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=10.0.0.253/24 comment="default configuration" interface=bridge-local network=10.0.0.0
add address=192.168.2.2/24 interface=ether1-gateway network=192.168.2.0
/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" dns-server=10.0.0.253,8.8.8.8,8.8.4.4 gateway=10.0.0.253 netmask=24
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=input comment="PPPoE DDOS Protection (TCP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="PPPoE DDOS Protection (UDP). Int=PPPoE" disabled=yes dst-port=53 in-interface=ether1-gateway log=yes log-prefix=DDOS-RULE protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 src-address=10.0.0.0/24
holding thumbs
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Wed Sep 09, 2015 11:47 am
by JB172
Because 192.168.2.0/24 is a different network from 10.0.0.0/24, you have access to that network only from RouterOS.
Add IP address 192.168.2.3/24 on ether2.
On one PC give two static IP addresses: one from 10.0.0.0/24 and a second from 192.168.2.0/24.
Hope that works.
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Wed Sep 09, 2015 1:00 pm
by witblitz
But ether2 is bridged with my wlan. The bridge has the IP 10.0.0.253/24.
Your external router should always be on a different subnet than your LAN. The routes I've got set up should normally let me access the 192.168.2.x subnet fine. It's only since I added the PPPoE interface on Eth1 that I'm unable to get to 192.168.2.1 (ADSL router).
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Wed Sep 09, 2015 1:15 pm
by witblitz
The answer was to create a NAT rule (as I thought)
action=masquerade
chain=srcnat
dst. address = 192.168.2.0/24 (subnet of my adsl router)
out interface = Ether1
I changed my previous NAT masquerade rule so that everything went out over pppoe-out1 (it used to be Ether1-gateway). SO this makes sense
Re: How to Dial ADSL from my Mikrotik / avoid double NAT
Posted: Wed Sep 09, 2015 1:59 pm
by JB172
But ether2 is bridged with my wlan. The bridge has the IP 10.0.0.253/24.
Your external router should always be on a different subnet than your LAN. The routes I've got set up should normally let me access the 192.168.2.x subnet fine. It's only since I added the PPPoE interface on Eth1 that I'm unable to get to 192.168.2.1 (ADSL router).
Your external router acts only as a modem right now and not as a router.
Technically speaking, you don't have any problem to have two different subnets on the same interface (bridge)
And yes, the NAT to 192.168.2.0/24 was missing for ether1-gateway.
So far so good
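Putting the thread's pieces together (PPPoE client, single masquerade, the modem-access NAT rule from witblitz's fix, and JB172's DNS input drops): an added RouterOS config example, not posted by anyone in the thread; interface names and subnets are the ones from the export above, the PPPoE credentials are placeholders.

```routeros
# Added example, not from the thread. Layout assumed from the posts:
#   ether1-gateway -> ADSL modem in bridge mode, management IP 192.168.2.1/24
#   bridge-local   -> LAN, 10.0.0.0/24, RouterOS is 10.0.0.253
# <PPPOE_USER> / <PPPOE_PASSWORD> are hypothetical placeholders.

/interface pppoe-client
add name=pppoe-out1 interface=ether1-gateway user=<PPPOE_USER> \
    password=<PPPOE_PASSWORD> add-default-route=yes use-peer-dns=yes disabled=no

# Address on the modem's subnet so RouterOS itself can reach 192.168.2.1
/ip address
add address=192.168.2.2/24 interface=ether1-gateway

# LAN clients point at 10.0.0.253 for DNS (see the dhcp-server network export),
# which only works with allow-remote-requests=yes. That same setting makes the
# router answer DNS on every interface, hence the input drops further down.
/ip dns
set allow-remote-requests=yes

/ip firewall nat
# The single NAT: LAN to Internet over the PPPoE tunnel (replaces the old ether1 rule)
add chain=srcnat action=masquerade src-address=10.0.0.0/24 out-interface=pppoe-out1
# The bridged modem has no route back to 10.0.0.0/24, so LAN traffic to its
# subnet is masqueraded as 192.168.2.2 when it leaves ether1-gateway.
# src-address is added here to keep the rule narrower than the one in the thread.
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=192.168.2.0/24 \
    out-interface=ether1-gateway

/ip firewall filter
# Router's own return traffic and ICMP first, then explicit DNS drops, then the
# catch-all drop for everything else arriving from the Internet.
add chain=input connection-state=established,related
add chain=input protocol=icmp
# Unsolicited DNS from the Internet arrives inside the PPPoE tunnel, so the
# match must be on pppoe-out1; matching ether1-gateway never sees it.
add chain=input action=drop protocol=udp dst-port=53 in-interface=pppoe-out1 \
    log=yes log-prefix=DNS-DROP
add chain=input action=drop protocol=tcp dst-port=53 in-interface=pppoe-out1
add chain=input action=drop in-interface=pppoe-out1
```

Note that in the export posted earlier the two port-53 rules are still disabled=yes and bound to in-interface=ether1-gateway, so as posted they never match anything; the log-prefix on the UDP rule above gives a quick way to confirm the corrected rule is actually being hit.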