An analog of ip unnumbered in MikroTik RouterOS
I must say right away that I was inspired to write this post by a similar article published on Habr back in 2009. Therefore, I will not retell its contents or reproduce the configuration of Cisco devices.
Today, when IPv4 addresses have become even scarcer than the Moskvich car in Soviet times, it is a crime to allocate a /30 or /31 network to a client. To work around this, Cisco has an “ip unnumbered” mode, which allows a single address to be assigned to the client without wasting addresses. Let's see how this is done in MikroTik RouterOS. Imagine this (very simplified) scheme:
Our gateway (provider-gw) is connected to the Internet through the ether1 interface via BGP (or in some other way, it doesn't matter), and we have our own “large” public network, for example 123.45.60.0/22. The first client is connected to the VLAN interface vlan100, which is, say, carried on ether2. The second is connected to vlan200.
/interface vlan add disabled=no name=vlan100 vlan-id=100 interface=ether2 comment="Client 1"
/interface vlan add disabled=no name=vlan200 vlan-id=200 interface=ether2 comment="Client 2"
The router must have an IP address from our public network, say 123.45.60.1 with the /22 mask. This address must be assigned to any free interface or VLAN, even if it will not be used later. Let it be vlan1000:
/interface vlan add disabled=no name=vlan1000 vlan-id=1000 interface=ether2
/ip address add interface=vlan1000 address=123.45.60.1/22
Now let's configure the router for our clients. To do this, pick any free IPs from the range of our public network, for example 123.45.60.5 and 123.45.60.6, and add static routes for these addresses pointing to the corresponding client VLANs. It is advisable to specify the preferred source address of our router as well.
/ip route add dst-address=123.45.60.5 gateway=vlan100 pref-src=123.45.60.1 comment="Static route to Client 1"
/ip route add dst-address=123.45.60.6 gateway=vlan200 pref-src=123.45.60.1 comment="Static route to Client 2"
We configure client No. 1:
IP: 123.45.60.5
Mask: 255.255.252.0 (or /22; yes, here we specify the mask of our "large" public network)
Gateway: 123.45.60.1
We configure client No. 2 in the same way. Only the IP address changes.
IP: 123.45.60.6
Mask: 255.255.252.0 (or /22)
Gateway: 123.45.60.1
That's all; it is enough. After that, the clients' IPs will be reachable from the Internet without wasting addresses. The remaining clients are connected in the same way, each in its own VLAN. But this leaves us with the following situation: suppose client No. 1 wants to send an IP packet to client No. 2. Since the address of client No. 2 falls within the /22 netmask, client No. 1 believes that No. 2 is in the same broadcast domain and will try to send the packet not through the router but directly, for which it will try to learn No. 2's MAC address using ARP. Of course, this will not work, since the clients are in different VLANs and their ARP requests cannot reach each other.
If you need to isolate clients from each other, you can leave everything as it is, although from the point of view of the Internet this is wrong (each node must have IP connectivity to every other node). Otherwise, the situation is solved by enabling proxy-arp on the client VLANs:
/interface vlan set vlan100 arp=proxy-arp
/interface vlan set vlan200 arp=proxy-arp
Now the router will answer the clients' ARP requests, substituting its own MAC address in the reply, and clients will be able to exchange IP traffic as if they were in the same segment.
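The ARP behaviour described above can be traced with a small model. This is an added Python example, not part of the original article: the route table mirrors the article's addresses, and the rule that the router proxies for any target routed out of a different interface is an assumed simplification of proxy-ARP behaviour.

```python
import ipaddress

# Constructed router state mirroring the article's example.
ROUTER_IP = ipaddress.ip_address("123.45.60.1")
ROUTES = [  # (destination network, outgoing interface)
    (ipaddress.ip_network("123.45.60.0/22"), "vlan1000"),  # connected route
    (ipaddress.ip_network("123.45.60.5/32"), "vlan100"),   # client 1
    (ipaddress.ip_network("123.45.60.6/32"), "vlan200"),   # client 2
]

def arp_target(client_ip, prefix_len, gateway, dst):
    """Address the client ARPs for: dst if on-link by its mask, else gateway."""
    net = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    return dst if ipaddress.ip_address(dst) in net else gateway

def route_iface(dst):
    """Longest-prefix match over ROUTES; None when no route covers dst."""
    hits = [(n.prefixlen, i) for n, i in ROUTES if ipaddress.ip_address(dst) in n]
    return max(hits)[1] if hits else None

def router_replies(in_iface, target, proxy_arp):
    """Assumed model: the router answers for its own address; with proxy-arp
    it also answers for any target routed out of a different interface."""
    if ipaddress.ip_address(target) == ROUTER_IP:
        return True
    out = route_iface(target)
    return proxy_arp and out is not None and out != in_iface

def delivery(client_ip, prefix_len, in_iface, dst, proxy_arp):
    """Outcome of the client's first packet towards dst."""
    target = arp_target(client_ip, prefix_len, str(ROUTER_IP), dst)
    if not router_replies(in_iface, target, proxy_arp):
        return "ARP unanswered"
    return f"routed via {route_iface(dst) or 'upstream'}"

if __name__ == "__main__":
    for proxy in (False, True):
        print(proxy, delivery("123.45.60.5", 22, "vlan100", "123.45.60.6", proxy))
```

In this model the router also answers ARP for unassigned addresses inside the /22, because the connected route on vlan1000 covers them.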
As you might have guessed, in the same way, you can assign several IP addresses or even subnets to the same client VLAN, simply by creating static routes with the corresponding dst-address.
UPD:
As practice has shown, it is much better not to create static routes in /ip route, but simply to add the router's IP address to the client interface with the client's IP address in the network field; the route will then be created automatically. Example:
/ip address add network=123.45.60.5 interface=vlan100 address=123.45.60.1 comment="IPoE Client 1"
/ip address add network=123.45.60.6 interface=vlan200 address=123.45.60.1 comment="IPoE Client 2"