blazesolutions

asked on

Mikrotik Routing Question

Hello Everyone,

Here's a newbie question in regards to configuring some routing on a MikroTik router with
Time Warner fiber service.

I am using a MikroTik RouterBoard with ether13 plugged into the fiber, and ether12 plugged into my local network that I want to be able to assign 24.153.245.2 through 24.153.245.254 out to.

Here is the information provided by Time Warner:
DNS1=24.93.41.125, DNS2=24.93.41.126

Customer WAN Interface:
IP: 24.153.244.26
Subnet Mask: 255.255.255.248
Gateway/Next Hop: 24.153.244.25

Customer LAN (inside) Interface:
Usable IP's: 24.153.245.2 - 24.153.245.254
Default Gateway: 24.153.245.1
Subnet Mask: 255.255.255.0

(Interconnect: 24.153.244.24/29)

I want to be able to physically access any of the 24.153.245.* addresses from the internet without any firewall. Hopefully someone can kind of give me a basic explanation of how to get the router configured without much mikrotik experience.

Thanks!!!
Wissam

blazesolutions

ASKER

For reference: Here is my current configuration (still no access to the 24.153.245.* addresses though)

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
     interface=ether1 actual-interface=ether1

1   address=24.153.244.26/29 network=24.153.244.24 broadcast=24.153.244.31
     interface=ether13 actual-interface=ether13

2   address=24.153.245.1/24 network=24.153.245.0 broadcast=24.153.245.255
     interface=ether12 actual-interface=ether12


[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S  dst-address=0.0.0.0/0 gateway=24.153.244.25
        gateway-status=24.153.244.25 reachable ether13 distance=1 scope=30
        target-scope=10

1 ADC  dst-address=24.153.244.24/29 pref-src=24.153.244.26 gateway=ether13
        gateway-status=ether13 reachable distance=0 scope=10

2 ADC  dst-address=24.153.245.0/24 pref-src=24.153.245.1 gateway=ether12
        gateway-status=ether12 reachable distance=0 scope=10

3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1
        gateway-status=ether1 reachable distance=0 scope=10
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
#     NAME                                        TYPE             MTU   L2MTU
0  R  ether12                                     ether            1500  1600
1  R  ether13                                     ether            1500  1600
2     ether11                                     ether            1500  1600
3     ether6                                      ether            1500  1598
4     ether7                                      ether            1500  1598
5     ether8                                      ether            1500  1598
6     ether9                                      ether            1500  1598
7     ether10                                     ether            1500  1598
8  R  ether1                                      ether            1500  1598
9     ether2                                      ether            1500  1598
10    ether3                                      ether            1500  1598
11    ether4                                      ether            1500  1598
12    ether5                                      ether            1500  1598
[admin@MikroTik] > /ip firewall export
# feb/08/1970 10:38:21 by RouterOS 4.15
# software id = 1YYD-2MPF
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
disable this...
/ip firewall connection tracking
set enabled=yes
Disabled connection tracking, but no luck yet...

[admin@MikroTik] > /ip firewall export
# feb/08/1970 11:35:14 by RouterOS 4.15
# software id = 1YYD-2MPF
#
/ip firewall connection tracking
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Also, as a note, I can get internet access to a device configured as 24.153.245.100 if I turn masquerade on with src-interface ether13. However, then I am still publicly using the 24.153.244.26 IP address instead of the 24.153.245.100 address, and still don't have access to the 245.100 address remotely.

...maybe something on Time Warner's side is configured incorrectly?

When a packet arrives at an interface, the NAT rules are applied first. The firewall and routing are applied after the packet has passed the NAT rule set. This is important when setting up firewall rules, since the original packets might be already modified by the NAT.
So you need to verify that NAT is disabled (since you don't need this, then the firewall is not active, as your request is to permit all).
What you are saying exactly means NAT is occurring...

/ip firewall nat disable [find]

If I am not wrong you have 2 public IP pools:
Pool A: /29, configured on WAN
Pool B: /24, configured on LAN0 (inside network)
and you want to use 1 IP for internet, and you want public IPs to use on remote hosts (maybe web, terminal server...) as a DMZ or without firewall inspection.
If all of the above is correct, then what is the issue? This should not be a problem.

If I understand wrong, can you draw a diagram?
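The reasoning in this thread (NAT is not the fix; the 24.153.245.0/24 block must be routed by the ISP toward the customer's WAN address 24.153.244.26, and masquerade only hides that because replies land on the /29 interconnect) can be checked with a small longest-prefix-match model of the two routers. This is an added example, not code from the thread: the customer table is the one printed in the question, while the ISP edge router's table is an assumption.

```python
import ipaddress

# Customer MikroTik routes, as printed in the thread (/ip route print).
CUSTOMER = [("0.0.0.0/0", "24.153.244.25"),
            ("24.153.244.24/29", "ether13"),
            ("24.153.245.0/24", "ether12")]

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def isp_table(has_lan_route):
    """Assumed ISP edge router: the /29 interconnect is directly connected;
    the customer /24 is known only if the ISP installs a static route for it
    pointing at the customer's WAN address 24.153.244.26."""
    table = [("0.0.0.0/0", "upstream"), ("24.153.244.24/29", "interconnect")]
    if has_lan_route:
        table.append(("24.153.245.0/24", "24.153.244.26"))
    return table

def reply_path(dst, has_lan_route):
    """Fate of a packet from the Internet addressed to dst (one of the
    customer's addresses), given whether the ISP has the /24 route."""
    isp_hop = lookup(isp_table(has_lan_route), dst)
    if isp_hop == "upstream":
        # Default route wins: the ISP never hands the packet to the customer.
        return "lost: ISP has no route for the /24, packet goes back upstream"
    if isp_hop == "interconnect":
        # The WAN /29 address itself; masqueraded traffic is answered this way,
        # which is why NAT "works" while the LAN hosts stay unreachable.
        return "delivered on the /29 interconnect"
    # ISP forwards to 24.153.244.26; the MikroTik then routes it onward.
    return "delivered via " + lookup(CUSTOMER, dst)

if __name__ == "__main__":
    for dst, routed in [("24.153.245.100", False), ("24.153.245.100", True),
                        ("24.153.244.26", False)]:
        print(dst, "ISP route for /24:", routed, "->", reply_path(dst, routed))
```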
ASKER CERTIFIED SOLUTION
meverest

Called Time Warner, and after speaking to three different techs, and escalating to a network engineer, they finally seemed to have found the issue on their side.

Thanks for the info to give them, looked like you had it on the money!