Hello,

First of all, I am aware that people have asked similar questions, but none of them seem to be concerned with what I'm trying to do.

Anyway, yesterday, I got a RB2011UiAS-2HnD-IN to replace the gigabit switch, and also start learning about Mikrotik and networking in general. I got the basic setup done. I experimented with vpn servers and clients, etc. This is a home setup by the way.

The situation is: as seen in the diagram, the RB2011 currently runs in bridge mode. I can't replace the ISP supplied router because it provides VOIP, etc. The ISP also has a MAC address thingy, so it doesn't allow me to use other devices - though I know how to get around it, but then I can't use another VOIP device because I don't know the settings - and the ISP is being a jerk about it. The bridge mode is also disabled on the ISP router. The ISP router is a Huawei HG253s, with a lot of limited capabilities.

With RB2011 in bridge mode, I can't make use of its extended features. For example, when I had a vpn client to route traffic to certain IPs, I was able to do it inside RB (saw that the traffic goes through VPN when I pinged the IP), but not through my local clients (though I tried different rules etc).


Basically, my question is, is there a way to make use of RB's routing capabilities while having to keep it behind the ISP router?

I thought of having two subnets: ISP Router (192.168.1.0/24) -> Mikrotik (192.168.2.0/24 dhcp, nat etc) -> Rest of the devices. But I am not sure if this is a solution. Would port forwarding work with this for example? Would the ISP Router know how to communicate with Mikrotik and the rest? Can Mikrotik route all traffic to and fro?

DMZ -> When I put Mikrotik in DMZ, where do I use port forwarding? Still on ISP Router or on Mikrotik? Would all routing capabilities work like this?


It was rather long, but I tried to be as explicit as possible. Thanks for your time and help in advance!

Hi,

Most home grade routers support only two routable networks, one towards your ISP (which is the default gateway for all traffic towards the internet) and one for your LAN. This Huawei HG253s you have most likely falls into this category. If you want to use your mikrotik and huawei does not support bridging/IP passthrough or defineable static routes, you can do double NAT to make the setup work (eg. mikrotik uses NAT to translate your LAN traffic to the address between mikrotik and huawei, then huawei uses NAT to translate traffic between huawei/mikrotik and the ISP.

DMZ forwards all ports to the specified IP address (in your scenario the mikrotik router). If all ports are open for mikrotik, I imagine you can try to configure mikrotik to forward those ports again to the specified host you want. You still need to do NAT with mikrotik for the reason I mentioned above; if your LAN (behind mikrotik) is not the same network as the one used between huawei and mikrotik, huawei will try to forward your LAN's traffic towards the internet since it does not know where else to route it to.

I never tried these solutions myself because my ISP supports IP passthrough so all of this is a guesswork but I hope it helps you somewhat.

Destiny,

Thanks for your reply! While I am familiar with the terminology, I can't say I know much about what it means to have double NAT. I am guessing it means the isp router will be, say 192.168.1.0-255, and mikrotik will have an ip from that range. And mikrotik handing out IPs from say 192.168.2.0-255. And since I have no devices (as per the diagram) linked to my isp router, there won't be any communication issues etc?

I am guessing I'll have to set my mikrotik in normal router mode (rather than bridge mode) and connect a port on mikrotik designated as WAN to my isp router.

So this should leave no inbound/outbound traffic issues. Like, I would have no port forwarding issues as it is, right?

I am asking questions without actually trying but I am simply trying to be aware of alternatives to try before I mess up with my home network

Thanks again!

Edit: A quick search reveals that double nat can reduce network performance. Would it matter for a home user? As I said, I actually got the RB2011 to replace the switch I had, to boost the speed between NAS devices, for local file transfer, and also to learn more about networking - for hobby reasons, that is. So, would there be a noticable difference in, say web browsing or downloading?

Turn of NAT on your ISP supplied modem and let the RB2011 do the NATting.

You will most likely not have any use whatsoever of the routing capabilities of your RB2011 as most ISPs do not allow customers to participate in routing using BGP/RIP/OSPF. So you will have to configure static routes on the router (or just rely on DHCP and the default routes).

For most home users, a more home-oriented solution using consumer grade hardware is probably easier to manage, but you can do the exact same things with MT hardware, it will just be a bit more complex. I myself just ordered a CCR1009 for use in a similar situation...

Turn of NAT on your ISP supplied modem and let the RB2011 do the NATting.

You will most likely not have any use whatsoever of the routing capabilities of your RB2011 as most ISPs do not allow customers to participate in routing using BGP/RIP/OSPF. So you will have to configure static routes on the router (or just rely on DHCP and the default routes).

For most home users, a more home-oriented solution using consumer grade hardware is probably easier to manage, but you can do the exact same things with MT hardware, it will just be a bit more complex. I myself just ordered a CCR1009 for use in a similar situation...

Thanks agehall! can you also be more specific, with NAT disabled, do I still need two different subnets (192.168.0.1 and 192.168.1.1 etc)?

Sorry for being such a newbie :\ but one has to start somewhere, right?

Basically, most ISP supplied modems/routers steal the public IP and give you a NATted RF1918-net for you and your devices. What you want to do, is to log in to the modem and disable this (effectively turning it into a bridge) and instead do the NAT in your RB2011. That way, your RB2011 will have a public IP on the port connected to your ISP modem and what ever other ports you configure for NAT.

As I don't have my equipment yet, I can't post any configs, but once I'm home next weekend, I hope to be able to do so. (Or my wife will kill me - it's bad when you go on a 3 week business trip and a thunderstorm takes out the network equipment 4 days into it...)

great! thanks for dumbing it down for me

I'll get down to work soon today once I finish some real-life work related things. And will let you know if and how I solve the issue. I'll remember to backup my current config (which is actually the default bridge config with very little changes). I'll post how it goes later today.

Also, still, I'll appreciate if you could post your "scenario" and config when you can as you said

My scenario will look like this:
My ISP connection terminates in my living room. As I'm too lazy to wire a separate connection down to my basement, I use VLANs to ensure that the unfiltered traffic doesn't mix with my internal traffic. This is the reason for the RG260/GS.

The CCR1009 will be the core of the network. It will basically have three logical ports, the WAN, LAN and a DMZ. The LAN ports will be connecting the green VLAN and the CRS125. The CCR1009 will do NAT for IPv4 and firewalling for both IPv4 and IPv6. My IPv6 connectivity is provided thru tunnelbroker.net so the CCR will be the termination of that tunnel on my end as well.

All in all, it is a fairly straight forward setup.

i tried your suggestion yesterday, with partial luck.

disabled NAT on isp router and set my mikrotik as a router. Everything was working fine. traceroutes seemed to be OK. However, I wasn't able to forward ports. I forwarded the ports on my ISP router to mikrotik first. Then I forwarded them, inside mikrotik, to whatever device it was. I was able to see the packets were reaching to that particular port in Winbox. But I guess they simply don't get forwarded or something. I have no clue what the problem was. I reverted back to my previous config for now, until I have time to work on it again.

And also, after disabling NAT, mikrotik wasn't really getting the WAN IP - as I understood from your previous post that it should.

With NAT disabled on the ISP modem, I would expect it to act more as a transparent device, ie you wouldn't forward ports in it or anything, as the MT router should really have a public IP on the WAN interface hooked up to the modem.

What IP did the MT router get on your WAN interface?

with dhcp disabled on the isp router, it wasn't getting anything. Then I decided to give it a static local IP.

Here are the avaible NAT options on my huawei hg253s. Currently they are enabled as I reverted back to the settings.

I think you are looking in the wrong place on your modem. You want to turn it into a bridge instead of a router. Most modems I've seen, you just disable NAT and this happens. The screen shot you show looks like something else.

I think you are looking in the wrong place on your modem. You want to turn it into a bridge instead of a router. Most modems I've seen, you just disable NAT and this happens. The screen shot you show looks like something else.

agehall, sorry for not replying ealier - hectic week.

That's the problem I was describing in my first post This piece of junk hardware does not have that. in WAN settings, there is only PPPoE (bridge is disabled). This thing leaves me with no luck I guess.

I see. Then it is a bit of a problem I guess. Maybe you can get hold of a better modem? Or try to get to second level support with your ISP and ask them if it is possible with your current one.

Alper, i have similar network scenario with the few of my clients. I chose DMZ root (double NAT). This way if for some stupid reason ISP decides to replace, upgrade or reset the modem/router the only thing I have to do after is to set DMZ again

On ISP Router (lan-192.168.1.0/24) I would put DMZ to 192.168.1.2
On Mikrotik's (lan-192.168.2.0/24) WAN port use static 192.168.1.2/24

DHCP, port forwarding, vpn, queue, dyn scripts (if needed), etc I do on the mikrotik. I can assure that this configuration works 100%.
Really, ISP router job this way is 1 to 1 NAT

Happy Routing!