
Static IP for WISP Customer

Posted: Thu Mar 08, 2018 12:30 am
by WISPer7
Hi,
I have a WISP and all customers have been working on a single public IP address so far. Now I have a customer who requires a static IP address. I have used the next available IP address with the same gateway but I'm not sure what else I need for this one customer. Because they will have a public IP there is no need for NAT or masquerade.

Ether1 is my WAN connection
Ether2 is my LAN which EVERYTHING is connected to via a switch. The series of radios connected to the switch is my backhaul. There is an AP that the customers connect to. They all have private LAN addresses. I'm trying to pass the one public WAN IP through to one customer which will be statically configured on his router.
I have added the address to IP addresses, .19 in this case. Do I need a bridge between Eth1 and Eth2 to make that .19 address available to the end user? I have seen some tutorials that will do that with say Eth3 but because this is a wireless network everything is running over a shared wireless bridge/backhaul. Any advice would be greatly appreciated.
Best

Re: Static IP for WISP Customer

Posted: Thu Mar 08, 2018 12:59 am
by enuro12
My response isn't going to give you an answer but get you thinking. I don't know how to do what you want. You're currently using your MikroTik as a traditional router with a WAN/LAN getting NAT'd. I think you're going to have to completely change your infrastructure to get the ability to pass the IP to the customer.

Nasty Hack? Bridge your WAN port to a VLAN and pass that all the way to the customer.

Re: Static IP for WISP Customer

Posted: Thu Mar 08, 2018 7:22 pm
by WISPer7
Ok, thanks for the feedback. I'll look into that as a possibility.
Best

Re: Static IP for WISP Customer

Posted: Fri Mar 09, 2018 6:55 am
by millenium7
There are 2 proper ways to do this

Let's assume your public IP address is 1.1.1.1 and you have also been allocated 2.2.2.2 and you want to give this to the customer. And your normal private IP range is 10.0.0.2 - 10.0.0.254

1) If you are using PPPoE for the customer....
Just assign them a public IP address on the PPP profile, and then on your 'head router' that faces the internet, make sure you are NOT masquerading the customer to the internet
Depending on what you currently have in Firewall->NAT you can either....
a) If you have an existing rule that is very broad i.e. 'out-interface=ether1 action=masquerade' then add another rule above it with 'src-address=2.2.2.2 action=accept'. This way it will bypass the broad masquerade rule and ensure he is not NAT'd
b) If you have specific rules i.e. 'src-address=10.0.0.0/24 out-interface=ether1 action=masquerade' then do nothing, because this rule doesn't apply since his IP is 2.2.2.2
And then all you need to do is assign him 2.2.2.2
Since he is PPPoE your router will dynamically add a routing rule and all traffic flow should work fine. Assuming that his PPPoE Session terminates on this head router and its all a bridged network behind it. Otherwise add static routes to all routers between him and you

2) If you are using Ethernet and DHCP for your clients...
This is a little trickier but not too hard. The only issue at first glance is that the way IP addressing works means you would need a /30 Public IP range (4 addresses) for the customer and you will be wasting 2 of them since you need a broadcast and a network address
So instead of that, use NAT1:1 which will allow you to conserve addresses and only use a single public IP for the customer
a) Same as above in the PPPoE example, fix the NAT'ing first
b) Either set up a static DHCP lease for them so they will ALWAYS get the same private IP i.e. 10.0.0.45
-or-
set up another DHCP server for this customer (i.e. a separate VLAN would be the easiest if you have fully bridged/layer2 network) so that instead they get i.e. 10.0.1.2 and your router is 10.0.1.1
c) Add 2 Firewall->NAT rules in your head router
/ip firewall nat
add chain=srcnat src-address=10.0.1.2 action=src-nat to-addresses=2.2.2.2
add chain=dstnat dst-address=2.2.2.2 action=netmap to-addresses=10.0.1.2

These 2 rules will mean any packets coming from this customer, will have the source IP changed to the Public IP of 2.2.2.2. That way external servers will respond to 2.2.2.2 instead of '10.0.1.2' which wouldn't work
And that any packets coming in destined to 2.2.2.2 will get rewritten as a destination of 10.0.1.2 and thus successfully delivered to your customer.

Re: Static IP for WISP Customer

Posted: Fri Mar 09, 2018 5:34 pm
by WISPer7
millenium7,
Your response was perfect and timely. I ended up using your option 2 example. I'm statically providing the customer in your example with a 10.0.0.2 IP address and did the 1-to-1 NAT rules in the firewall. Initially it didn't work but then I moved the two new rules to position 0 and 1 and then it was happy. Thanks for your response. I would like to deploy PPPoE but I'm not sure how to smoothly transition to that without taking all my customers offline. I suppose a second network running simultaneously and transitioning 1 at a time to the new configuration would make the most sense.

Again thanks, it's working great now.
Best
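
The rule-order effect described in the two posts above (the accept rule that has to sit above a broad masquerade rule, and the 1:1 rules that only worked once moved to positions 0 and 1), as an added example that is not part of the original thread: a simplified Python model of first-match NAT evaluation using the thread's example addresses. The rule dictionaries, the `first_match` and `nat` helpers and the remote host 203.0.113.10 are assumptions made for illustration, and connection tracking is ignored.

```python
import ipaddress

def first_match(chain, pkt, rules):
    """Return the first rule of `chain`, top to bottom, whose matchers all fit pkt."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if "out-interface" in rule and rule["out-interface"] != pkt.get("out"):
            continue
        if any(key in rule and ipaddress.ip_address(pkt[field])
               not in ipaddress.ip_network(rule[key])
               for key, field in (("src-address", "src"), ("dst-address", "dst"))):
            continue
        return rule
    return None

def nat(chain, pkt, rules, wan_ip="1.1.1.1"):
    """Address the packet carries after `chain`: source for srcnat, destination for dstnat."""
    field = "src" if chain == "srcnat" else "dst"
    rule = first_match(chain, pkt, rules)
    if rule is None or rule["action"] == "accept":
        return pkt[field]            # left untranslated
    if rule["action"] == "masquerade":
        return wan_ip                # hidden behind the router's shared address
    return rule["to-addresses"]      # src-nat / netmap to one fixed address

# Constructed rule sets (hypothetical model, thread's example addresses).
MASQ = {"chain": "srcnat", "out-interface": "ether1", "action": "masquerade"}
OUT_1TO1 = {"chain": "srcnat", "src-address": "10.0.1.2",
            "action": "src-nat", "to-addresses": "2.2.2.2"}
IN_1TO1 = {"chain": "dstnat", "dst-address": "2.2.2.2",
           "action": "netmap", "to-addresses": "10.0.1.2"}
PPPOE_ACCEPT = {"chain": "srcnat", "src-address": "2.2.2.2", "action": "accept"}

APPENDED = [MASQ, OUT_1TO1, IN_1TO1]   # new rules added below the broad masquerade
MOVED_UP = [OUT_1TO1, IN_1TO1, MASQ]   # new rules moved to positions 0 and 1

# Constructed sample packets.
STATIC_CUSTOMER = {"src": "10.0.1.2", "dst": "203.0.113.10", "out": "ether1"}
OTHER_CUSTOMER = {"src": "10.0.0.7", "dst": "203.0.113.10", "out": "ether1"}
PPPOE_CUSTOMER = {"src": "2.2.2.2", "dst": "203.0.113.10", "out": "ether1"}
INBOUND = {"src": "203.0.113.10", "dst": "2.2.2.2"}

if __name__ == "__main__":
    for name, rules in (("appended", APPENDED), ("moved up", MOVED_UP)):
        print(name, "-> static customer leaves as", nat("srcnat", STATIC_CUSTOMER, rules))
    print("inbound to 2.2.2.2 delivered to", nat("dstnat", INBOUND, MOVED_UP))
```

In the appended order inbound traffic to 2.2.2.2 still reaches the customer, but the customer's outbound traffic leaves with the shared address, which is why the setup looks half-working until the rules are moved up.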

Re: Static IP for WISP Customer

Posted: Fri Mar 09, 2018 11:04 pm
by WISPer7
So the 1-to-1 NAT works functionally but I actually want the public IP on the WAN port of the customer's router. Is the only way to do this PPPoE? Or is there some other way to make the public IP available to him?
Thanks

Re: Static IP for WISP Customer

Posted: Sat Mar 10, 2018 2:07 am
by Sob
a) Use VLAN & bridge as suggested in first reply.
b) Route the address to customer's private address (example). If yours is not routed to you, but it's supposed to be on your WAN interface, you can get around that with proxy ARP.

Re: Static IP for WISP Customer

Posted: Sat Mar 10, 2018 4:20 am
by millenium7
> So the 1-to-1 NAT works functionally but I actually want the public IP on the WAN port of the customer's router. Is the only way to do this PPPoE? Or is there some other way to make the public IP available to him?
> Thanks

Not possible unless you waste IPs and only becomes viable if you have a large range i.e. a /24 then you only waste 3/256, but with smaller non contiguous ranges it gets hopelessly inefficient. If you used /30s and you had 5 customers you would waste an additional 15 IP addresses

PPPoE works well cause you can have a customer anywhere in your network. You also do not have to waste an IP address on your own router (10.0.0.0 local and 123.1.2.3 for your customer is perfectly valid) but the drawback to PPPoE is an MTU of 1492 instead of 1500. Probably doesn't matter to 99% of people but if possible I prefer to have at least 1500 the whole way through to avoid fragmentation. Slightly better latency and less CPU usage. Also your routing table gets larger cause there's 1 entry for each connection

The downside to NAT1:1 is explaining to tech people that "yes you are getting 10.2.4.5 but your actual IP is 2.2.2.2" and then inevitably answering their next questions with "yes you can still port forward, no you are not double NAT'd, this is NAT1:1 not PAT/masquerade which you are familiar with, yes you can still run VPNs. No there's no restrictions etc etc"

Re: Static IP for WISP Customer

Posted: Mon Mar 12, 2018 5:40 pm
by WISPer7
HELP PLEASE.......:)

Still trying to resolve this issue. I have gone the route of PPPoE. I have set it up with a secret and using a profile. I am able to authenticate from a test router but the router won't pass traffic. Here is a pic of my config (can't attach). Any suggestions? Kind of stumped now. My public network is .16/28. Thanks
I have made:
- PublicPPPoe PPPoE service on ether2 (LAN port), MTU=1460
- public profile with local address .17 (my public facing gateway) and remote .19 (public IP customer should get), ISP provided DNS, everything else default.
- secret is using the public profile

I can see when I connect the router with the PPPoE credentials a route is created in the routes on the MikroTik. What should show up in the routes Dst Address and Pref. Source address? I feel like one of the IP addresses is in the wrong spot. Dst address is .19, the address I want the customer to have, and .17 is in Pref. Source, which is the public gateway. Again this is a shared LAN port with LAN customers on the same port as this one PPPoE client. One thought is to configure a separate port/interface, but still using one wireless backhaul, do the two interfaces then plug into a shared switch?

Thanks

Re: Static IP for WISP Customer

Posted: Wed Mar 14, 2018 3:35 am
by millenium7
Having a bit of a hard time understanding (there's no pic in your post?)
Maybe draw up a simple diagram in Visio and then upload a screenshot of it to an image site and paste the link here?

But essentially the only thing you should have to do is create a secret for the customer, set a local address (this will be the one your router gets, it can be pretty much anything, even a private IP) and then a remote IP address which will be what you want the customer to have. That's it, as the router will dynamically add a route into the routing table for the customer. So anything coming in from the internet will hit your router, and your router will forward it on just fine. And your existing default route will mean anything from that customer goes to the internet. 2 way communication is achieved

Re: Static IP for WISP Customer

Posted: Thu Apr 11, 2019 4:58 am
by sleerf
I have a similar issue. We have a /28 fiber connection connected to the SFP+ port. The building we're sending to has about 30 customers and 4 need PUBLIC static IP addresses that they can reach from remote locations outside the network. Everyone else is being handed DHCP addresses over Ethernet. The wireless connection is a UBNT AirFiber. I need to figure out how to allow several customers on that building to use static IPs we have available.

Re: Static IP for WISP Customer

Posted: Wed Aug 07, 2019 2:52 pm
by rapidcom
Hi,
You don't really need to do anything
All you need is both WAN port and customer port to be on the same bridge
Let's say the following apply:
Network Address: 1.1.1.0
Gateway 1.1.1.1
Your router IP address 1.1.1.2/29
Spare IP address 1.1.1.3-6
Broadcast address: 1.1.1.7
In this case all you need to do is to ask your customer to set up IP address: 1.1.1.3 / subnet mask: 255.255.255.248 / Gateway 1.1.1.1
Nothing else to configure.

If routing is correctly configured on the provider side your customer can see outside and connect to their router from outside as well.
The only issue I have faced on this configuration is that sometimes the provider doesn't configure their side properly and when I check what is my IP address I see my router IP address instead of the customer's. In this case I will contact the provider and they will fix it.
If they say everything is OK on their side (they surely don't know what they are doing or they don't want to accept it),
the only way around it to make it work is to add 2 netmap configuration lines on top of your NAT configuration list
/ip firewall nat
add action=netmap chain=srcnat comment="1-1 netmap" disabled=no src-address=1.1.1.3 to-addresses=1.1.1.3
add action=netmap chain=dstnat comment="1-1 netmap" disabled=no dst-address=1.1.1.3 to-addresses=1.1.1.3
This will resolve the issue.

Hope this helps
Rapidcom