How do I setup router for public/29 address space

red6 · Mon Nov 25, 2013 5:53 pm

My ISP has assigned me a PPPoE login and with it they give me a static IP (that never changes) when the router connects. But I also asked for additional static IP's with a /29 bitmask. How do I add those addresses to the router?

The pppoe address looks like 206.243.xxx.yyy and the gatweway is 206.243.www.zzz. I think the gateway changes sometimes when the PPPoE login gets re-initalized.

The static IP's look like 108.ttt.uuu.216 to 108.ttt.uuu.223. My understanding is that 216 is the network, I need to assign a gateway 217 to the router, and then my 5 useable (for host boxes) IP's will 218, 219, 220,221 and 222. 223 will be the broadcast address that I can not use.

I can't find a tutorial or posting on how to set this up on my new RB2011. I am very familiar with OpenWRT and DD-WRT but now that I am past the hobbiest stage I need to the get this and many more Mikrotiks running in commercial environments.

I would appreciated help. Thanks.

troy · Mon Nov 25, 2013 6:57 pm

How silly of your provider to give you a static address (/32) that's not already in your static subnet, but that's beside the point, and it gives you 9 static IPs to work with instead of just 8.

You get your route from the PPPoE session, so that's taken care of.

Now, just put your subnet on your DMZ interface:

/ip address add address=108.xx.yy.217/29 interface=DMZ

Now, this leaves you with 5 usable addresses from your subnet, which may or may not be enough. You CAN use all 8 addresses though:

ros code

/int bridge add name=lo0
/ip address
 add address=192.168.1.1/24 interface=LAN
 add address=192.168.2.1/24 interface=DMZ
 add address=108.xx.yy.216/32 interface=lo0
 ...
 add address=108.xx.yy.223/32 interface=lo0
/ip firewall nat
 add chain=srcnat action=src-nat src-address=192.168.1.0/24 to-address=206.243.xx.yy
 add chain=dstnat action=dst-nat dst-address=108.xx.yy.216 to-address=192.168.2.216
 add chain=srcnat action=src-nat src-address=192.168.2.216 to-address=108.xx.yy.216
 ...
 add chain=dstnat action=dst-nat dst-address=108.xx.yy.223 to-address=192.168.2.223
 add chain=srcnat action=src-nat src-address=192.168.2.223 to-address=108.xx.yy.223

red6 · Mon Nov 25, 2013 7:23 pm

Now that you say silly - That makes me feel better. Maybe it's the only way they know how.

In any event, Thanks for the ROS code. I will try to implement that tonite.

I am guessing there are a few other ways to crack this nut.

But this is the first meaningful (ie: seems to make sense to me the MikroTik newbie) suggestion so far.

troy · Mon Nov 25, 2013 9:06 pm

Well, it's not really all that silly from a customer perspective, it just gives you an extra address to use.

As a provider though, it is silly, they're wasting an IP unnecessarily. Comcast does this as well, a customer with a subnet assignment also gets a static IP outside that subnet. What's infuriating about Comcast though, is that they keep the subnet captive within the router, which wastes 4 IP addresses (static, network, gateway, and broadcast). Bleh...

As a provider myself, if a customer wanted a static subnet, the static IP would be assigned out of that subnet, and the subnet itself would be routed to that static IP. The basic customer config would give them 5 IP addresses to use in the DMZ (use the GW address to NAT the LAN).

The customer could, however, bind all 8 IP addresses (as /32) to a loopback, then use NAT to take advantage of all 8 IP addresses, so long as they had a router that could handle such a configuration (which MT can).

On a managed customer network that needed 2 addresses, I'd give 'em a MT with a /31 as quick as you please! 3-4 addresses would get a /30, etc...

aaronhun22 · Mon Nov 25, 2013 9:44 pm

What a wonderful cheat! I never thought of NAT'ing the Public IP.

red6 · Wed Nov 27, 2013 6:12 am

How silly of your provider to give you a static address (/32) that's not already in your static subnet, but that's beside the point, and it gives you 9 static IPs to work with instead of just 8.

You get your route from the PPPoE session, so that's taken care of.

Now, just put your subnet on your DMZ interface:

/ip address add address=108.xx.yy.217/29 interface=DMZ

Now, this leaves you with 5 usable addresses from your subnet, which may or may not be enough. You CAN use all 8 addresses though:

ros code
/int bridge add name=lo0
/ip address
 add address=192.168.1.1/24 interface=LAN
 add address=192.168.2.1/24 interface=DMZ
 add address=108.xx.yy.216/32 interface=lo0
 ...
 add address=108.xx.yy.223/32 interface=lo0
/ip firewall nat
 add chain=srcnat action=src-nat src-address=192.168.1.0/24 to-address=206.243.xx.yy
 add chain=dstnat action=dst-nat dst-address=108.xx.yy.216 to-address=192.168.2.216
 add chain=srcnat action=src-nat src-address=192.168.2.216 to-address=108.xx.yy.216
 ...
 add chain=dstnat action=dst-nat dst-address=108.xx.yy.223 to-address=192.168.2.223
 add chain=srcnat action=src-nat src-address=192.168.2.223 to-address=108.xx.yy.223

I wiped my nat table clean and loaded the code as per above.
It did allow traceroutes from the outside to succeed in that they demonstrated that the routes were advertised.
Interestingly I would get 2 so called final hops (I guess because of the 2nd hop to the NAT'd address).
But the final hop was another 25 ms over the 2nd last hop. I guess that is latency in the RB2011.

In any event, I am not sure I accomplished anything because I could not get a host on the 192.168.2.0/24 network to find the internet. Always got unreachable. And when I get unreachable I know I am into something too complicated for me to figure out.

Is there a simpler way to set up for this router to get a /29 working?

troy · Wed Nov 27, 2013 2:06 pm

Troubleshooting... what fun!

The extra latency wasn't likely due to the 2011 itself as much as the network config.

Post your actual config:

/ip address export compact
/ip route export compact
/ip firewall export compact

Also a few traces:

/tool traceroute 8.8.8.8
/tool traceroute 8.8.8.8 src-address 192.168.1.1 (test your NAT rules for the LAN)
/tool traceroute 8.8.8.8 src-address 108.xx.yy.216 (test the network address of your subnet)
/tool traceroute 8.8.8.8 src-address 108.xx.yy.217 (test a host address of your subnet)

Assuming that everything looks good so far, post the IP configuration and routes from one of the hosts in the DMZ. Remember, in this config, we're trying to use all 8 of your static IPs, so your internal subnet needs to be larger. You can make it any size you want, but for simplicity, my config example assumed a /24:

IP: 192.168.2.216
Mask: 255.255.255.0
Gateway: 192.168.2.1

red6 · Wed Nov 27, 2013 6:45 pm

I forgot about the subnet having to be /24. I will try again. Thanks.

CelticComms · Sat Dec 07, 2013 7:01 pm

How silly of your provider to give you a static address (/32) that's not already in your static subnet, but that's beside the point, and it gives you 9 static IPs to work with instead of just 8.

It isn't really silly at all. If an ISP hands the /29 to the PPPoE interface or routes it via the PPPoE's assigned IP you have maximum configuration flexibility available in regard to the /29. For a larger commercial installation I would expect separation of the link net and allocated IP ranges and for a consumer/small business installation it is nice to have.