Mikrotik Routing Question

blazesolutions
Hello Everyone,

Here's a newbie question in regards to configuring some routing on a MikroTik router with Time Warner fiber service.

I am using a MikroTik RouterBOARD with ether13 plugged into the fiber, and ether12 plugged into my local network that I want to be able to assign 24.153.245.2 through 24.153.245.254 out to.

Here is the information provided by Time Warner:
DNS1=24.93.41.125, DNS2=24.93.41.126

Customer WAN Interface:
IP: 24.153.244.26
Subnet Mask: 255.255.255.248
Gateway/Next Hop: 24.153.244.25

Customer LAN (inside) Interface:
Usable IPs: 24.153.245.2 - 24.153.245.254
Default Gateway: 24.153.245.1
Subnet Mask: 255.255.255.0

(Interconnect: 24.153.244.24/29)

I want to be able to physically access any of the 24.153.245.* addresses from the internet without any firewall. Hopefully someone can kind of give me a basic explanation of how to get the router configured without much mikrotik experience.

Thanks!!!

Author

Commented:
For reference: Here is my current configuration (still no access to the 24.153.245.* addresses though)

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0   ;;; default configuration
     address=192.168.88.1/24 network=192.168.88.0 broadcast=192.168.88.255
     interface=ether1 actual-interface=ether1

1   address=24.153.244.26/29 network=24.153.244.24 broadcast=24.153.244.31
     interface=ether13 actual-interface=ether13

2   address=24.153.245.1/24 network=24.153.245.0 broadcast=24.153.245.255
     interface=ether12 actual-interface=ether12


[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S  dst-address=0.0.0.0/0 gateway=24.153.244.25
        gateway-status=24.153.244.25 reachable ether13 distance=1 scope=30
        target-scope=10

1 ADC  dst-address=24.153.244.24/29 pref-src=24.153.244.26 gateway=ether13
        gateway-status=ether13 reachable distance=0 scope=10

2 ADC  dst-address=24.153.245.0/24 pref-src=24.153.245.1 gateway=ether12
        gateway-status=ether12 reachable distance=0 scope=10

3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=ether1
        gateway-status=ether1 reachable distance=0 scope=10




[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
#     NAME                                        TYPE             MTU   L2MTU
0  R  ether12                                     ether            1500  1600
1  R  ether13                                     ether            1500  1600
2     ether11                                     ether            1500  1600
3     ether6                                      ether            1500  1598
4     ether7                                      ether            1500  1598
5     ether8                                      ether            1500  1598
6     ether9                                      ether            1500  1598
7     ether10                                     ether            1500  1598
8  R  ether1                                      ether            1500  1598
9     ether2                                      ether            1500  1598
10     ether3                                      ether            1500  1598
11     ether4                                      ether            1500  1598
12     ether5                                      ether            1500  1598



[admin@MikroTik] > /ip firewall export
# feb/08/1970 10:38:21 by RouterOS 4.15
# software id = 1YYD-2MPF
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
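The config above shows a correct two-sided setup on the router itself: the /29 on ether13 with a default route to .25, and the /24 on ether12 as a connected route. What the thread goes on to establish is that the provider must also hold a route for 24.153.245.0/24 pointing at 24.153.244.26. The following script is an added example, not from the original thread or from MikroTik; it models both tables with Python's ipaddress module and performs longest-prefix-match lookups the way a forwarding table does. The router's entries are taken from the `/ip route print` output above; the two provider-side tables (`ISP_MISSING_ROUTE`, `ISP_FIXED`, interface name `cust-link`) are assumptions for illustration.

```python
# Added example (not from the thread): models the route tables involved with
# Python's ipaddress module and does longest-prefix-match lookups the way a
# forwarding table does. Router entries come from the posted "/ip route print";
# the ISP-side tables are hypothetical, constructed for illustration.
from ipaddress import ip_address, ip_network

# The router's own table: (prefix, next hop or None when directly connected,
# egress interface)
ROUTER_ROUTES = [
    ("0.0.0.0/0",        "24.153.244.25", "ether13"),
    ("24.153.244.24/29", None,            "ether13"),
    ("24.153.245.0/24",  None,            "ether12"),
    ("192.168.88.0/24",  None,            "ether1"),
]

# Hypothetical provider-edge table that knows only the /29 interconnect...
ISP_MISSING_ROUTE = [
    ("24.153.244.24/29", None, "cust-link"),
]
# ...and the same table with the static route the provider has to add.
ISP_FIXED = ISP_MISSING_ROUTE + [
    ("24.153.245.0/24", "24.153.244.26", "cust-link"),
]


def lookup(dst, routes):
    """Longest-prefix match. Returns (prefix, next_hop, interface) or None
    when no entry covers the destination. For a directly connected prefix
    the next hop is the destination address itself."""
    addr = ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return str(net), gw or str(addr), iface


def check_handoff(wan_cidr, gateway, lan_cidr):
    """Sanity checks on the provider hand-off: the next hop must sit inside
    the WAN /29 and the routed LAN block must not overlap it.
    Returns a list of problem descriptions (empty when the plan is sound)."""
    wan = ip_network(wan_cidr, strict=False)
    lan = ip_network(lan_cidr, strict=False)
    problems = []
    if ip_address(gateway) not in wan:
        problems.append(f"next hop {gateway} is outside {wan}")
    if wan.overlaps(lan):
        problems.append(f"{wan} overlaps {lan}")
    return problems


if __name__ == "__main__":
    # Addressing from the thread checks out: no problems reported.
    print(check_handoff("24.153.244.26/29", "24.153.244.25", "24.153.245.0/24"))
    print(lookup("24.153.245.100", ROUTER_ROUTES))      # local, out ether12
    print(lookup("8.8.8.8", ROUTER_ROUTES))             # default via .25
    print(lookup("24.153.245.100", ISP_MISSING_ROUTE))  # None: unreachable
    print(lookup("24.153.245.100", ISP_FIXED))          # via 24.153.244.26
```

The lookup against `ISP_MISSING_ROUTE` returning `None` is the model of the situation in the thread: the router forwards correctly in both directions, but a provider hop with no entry for the /24 has nowhere to send return traffic, which is exactly the condition that produces a "Destination net unreachable" from that hop.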
Wissam, Senior Network Engineer

Commented:
disable this...
/ip firewall connection tracking
set enabled=yes

Author

Commented:
Disabled connection tracking, but no luck yet...

[admin@MikroTik] > /ip firewall export
# feb/08/1970 11:35:14 by RouterOS 4.15
# software id = 1YYD-2MPF
#
/ip firewall connection tracking
set enabled=no generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Author

Commented:
Also, as a note, I can get internet access to a device configured as 24.153.245.100 if I turn masquerade on with src-interface ether13. However, then I am still publicly using the 24.153.244.26 IP address instead of the 24.153.245.100 address, and still don't have access to the 245.100 address remotely.

...maybe something on Time Warner's side is configured incorrectly?
Wissam, Senior Network Engineer

Commented:
When a packet arrives at an interface, the NAT rules are applied first. The firewall and routing are applied after the packet has passed the NAT rule set. This is important when setting up firewall rules, since the original packets might be already modified by the NAT.
So you need to verify that NAT is disabled (since you don't need this, then the firewall is not active as your request is to permit all).
Wissam, Senior Network Engineer

Commented:
What you are saying exactly means NAT is incurring...
/ip firewall nat disable
Syed_M_Usman, System Administrator
Top Expert 2011

Commented:
If I am not wrong you have 2 public IP pools:
Pool A /29, configured on WAN
Pool B /24, configured on LAN0 (inside network)
and you want to use 1 IP for internet and you want public IPs to use on remote hosts (maybe web, terminal server.....) as a DMZ or without firewall inspection.
If all the above is correct, then what is the issue? This should not be a problem.

If I understand wrong, can you draw a diagram?
Top Expert 2008
Commented:
Hi!

Your config looks perfect to me, assuming that the 24.153.245.0/24 subnet is routed via 24.153.244.26 by the upstream provider.

Connection tracking can be on or off - doesn't matter squat either way since you are not doing anything other than plain old routing.

My guess is that they are not routing that subnet properly - which seems to be the case when I compare traceroutes:

 C:\Documents and Settings\mike>tracert -d 24.153.244.26

Tracing route to 24.153.244.26 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.11.125
 .. etc ..
 23   235 ms   235 ms   235 ms  24.93.60.61
 24   235 ms   234 ms   238 ms  24.93.35.10
 25   235 ms   239 ms   236 ms  24.93.35.8
 26   238 ms   232 ms   234 ms  24.93.60.158
 27   239 ms   233 ms   243 ms  24.93.35.4
 28   235 ms   234 ms   235 ms  24.93.60.154
 29   236 ms   234 ms   239 ms  24.93.35.0
 30   234 ms   237 ms   232 ms  24.93.35.30
 31   236 ms   244 ms   240 ms  24.93.60.148
 32   237 ms   235 ms   351 ms  24.73.242.27
 33   233 ms   233 ms   234 ms  24.73.242.87
 34   237 ms   238 ms   257 ms  24.73.242.89
 35   245 ms   242 ms   232 ms  24.73.242.107
 36   235 ms   235 ms   234 ms  24.73.242.123
 37   235 ms   241 ms   234 ms  24.153.244.26

Trace complete.

C:\Documents and Settings\mike>tracert -d 24.153.245.1 -h 50

Tracing route to 24.153.245.1 over a maximum of 50 hops

  1     2 ms     1 ms     1 ms  192.168.11.125
 .. etc ..
 23   235 ms   239 ms   234 ms  24.93.60.61
 24   234 ms   239 ms   240 ms  24.93.35.10
 25   244 ms   243 ms   237 ms  24.93.35.8
 26   232 ms   232 ms   236 ms  24.93.35.6
 27   236 ms   235 ms   234 ms  24.93.35.4
 28   240 ms   236 ms   233 ms  24.93.35.2
 29   234 ms   233 ms   235 ms  24.93.35.0
 30   237 ms   237 ms   236 ms  24.93.60.150
 31   242 ms   230 ms   237 ms  24.93.35.28
 32  24.73.242.27  reports: Destination net unreachable.

Trace complete.

So you can see that the route path starts to go wrong at about hop 29 - that router does not know the correct path to your subnet and so you are essentially offline.  What you SHOULD see with these traces is an identical path for both, just with the extra hop on the end for your local subnet.

Therefore, either you need to ask them to do it, or you need to advertise that subnet as reachable via your public address (24.153.244.26) by some routing protocol like BGP or OSPF.

Get that upstream routing solved and you'll have your solution! :-)

Cheers!
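The diagnosis above rests on reading two traceroutes side by side. Doing that by eye is error-prone when the provider's core alternates between load-shared parallel links, as the differing addresses at hops 26, 28, 30 and 31 suggest. The script below is an added example, not part of the original answer; it parses Windows `tracert -d` output (the two traces are constructed here from the hops posted above, with the elided "etc" hops left out as in the post) and reports the last hop both paths share, which router refused the failing trace, and where that router sits on the working path.

```python
# Added example (not from the thread): compare two Windows tracert outputs
# and locate where the path to the routed subnet breaks. Sample traces are
# constructed from the hops quoted in the answer above.
import re

# "  1     1 ms    <1 ms    <1 ms  192.168.11.125"
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
# " 32  24.73.242.27  reports: Destination net unreachable."
UNREACH_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+reports:\s+(.*)$")

TRACE_WAN = """
Tracing route to 24.153.244.26 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.11.125
 .. etc ..
 23   235 ms   235 ms   235 ms  24.93.60.61
 24   235 ms   234 ms   238 ms  24.93.35.10
 25   235 ms   239 ms   236 ms  24.93.35.8
 26   238 ms   232 ms   234 ms  24.93.60.158
 27   239 ms   233 ms   243 ms  24.93.35.4
 28   235 ms   234 ms   235 ms  24.93.60.154
 29   236 ms   234 ms   239 ms  24.93.35.0
 30   234 ms   237 ms   232 ms  24.93.35.30
 31   236 ms   244 ms   240 ms  24.93.60.148
 32   237 ms   235 ms   351 ms  24.73.242.27
 33   233 ms   233 ms   234 ms  24.73.242.87
 34   237 ms   238 ms   257 ms  24.73.242.89
 35   245 ms   242 ms   232 ms  24.73.242.107
 36   235 ms   235 ms   234 ms  24.73.242.123
 37   235 ms   241 ms   234 ms  24.153.244.26

Trace complete.
"""

TRACE_LAN = """
Tracing route to 24.153.245.1 over a maximum of 50 hops

  1     2 ms     1 ms     1 ms  192.168.11.125
 .. etc ..
 23   235 ms   239 ms   234 ms  24.93.60.61
 24   234 ms   239 ms   240 ms  24.93.35.10
 25   244 ms   243 ms   237 ms  24.93.35.8
 26   232 ms   232 ms   236 ms  24.93.35.6
 27   236 ms   235 ms   234 ms  24.93.35.4
 28   240 ms   236 ms   233 ms  24.93.35.2
 29   234 ms   233 ms   235 ms  24.93.35.0
 30   237 ms   237 ms   236 ms  24.93.60.150
 31   242 ms   230 ms   237 ms  24.93.35.28
 32  24.73.242.27  reports: Destination net unreachable.

Trace complete.
"""


def parse_tracert(text):
    """Return (hops, unreachable): hops maps hop number -> responding address;
    unreachable is (hop, reporting_router, message) or None if the trace
    completed normally."""
    hops, unreachable = {}, None
    for line in text.splitlines():
        m = UNREACH_RE.match(line)
        if m:
            unreachable = (int(m.group(1)), m.group(2), m.group(3).strip())
            continue
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(3)
    return hops, unreachable


def compare_traces(good_text, bad_text):
    """Summarise where the failing trace parts from the working one."""
    good, good_unreach = parse_tracert(good_text)
    bad, bad_unreach = parse_tracert(bad_text)
    common = sorted(h for h in good if h in bad and good[h] == bad[h])
    differing = sorted(h for h in good if h in bad and good[h] != bad[h])
    result = {
        "good_reached": good_unreach is None,
        "bad_reached": bad_unreach is None,
        "last_common_hop": common[-1] if common else None,
        "differing_hops": differing,          # likely parallel links, not a fault
        "unreachable_from": None,             # router that refused the packet
        "reporter_hop_in_good_path": None,    # where that router sits when it works
    }
    if bad_unreach:
        _, router, _ = bad_unreach
        result["unreachable_from"] = router
        result["reporter_hop_in_good_path"] = next(
            (h for h, addr in good.items() if addr == router), None)
    return result


if __name__ == "__main__":
    for key, value in compare_traces(TRACE_WAN, TRACE_LAN).items():
        print(f"{key}: {value}")
```

On the posted traces the summary reads: both paths still agree at hop 29, the failing trace is refused by 24.73.242.27, and that same router is hop 32 of the working path with five further provider hops before the customer router. That places the missing 24.153.245.0/24 route at or beyond 24.73.242.27 inside the provider's network, which is the point to hand to their support.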

Author

Commented:
Called Time Warner, and after speaking to three different techs, and escalating to a network engineer, they finally seemed to have found the issue on their side.

Thanks for the info to give them, looked like you had it on the money!
