Emerging Member
Posts: 49
Registered: ‎04-14-2014
Kudos: 6

multiple external IP's PPPoE with NAT

Hi

I am trying to set up my ERL with multiple external IPs.  I get a /32 from my ISP on the PPPoE interface, but they route an additional block to me as well.  Is there a way to add these IPs onto a loopback or something similar?

I would like to have 2 internal networks NAT'ing to their own public IP.  Is this possible?

Eg.

1.1.1.1 = public IP assigned to PPPoE interface

2.2.2.2/24 = public IP ranged routed to ERL from ISP

eth0 = WAN Interface with pppoe0 assigned to it

eth1 = 192.168.29.1/24 (Internal LAN)

eth2 = 172.16.0.1/24 (2nd Internal LAN)

I have NAT masquerade set up currently from eth1 to pppoe0.  Can I set up another NAT masquerade from eth2 to a loopback IP or something else?

Thanks

Rich

Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 354
Solutions: 289

Re: multiple external IP's PPPoE with NAT

Please post your current config

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3141
Solutions: 945
Contributions: 16

Re: multiple external IP's PPPoE with NAT

Maybe something like - LINK.

EdgeMAX Router Software Development
Emerging Member
Posts: 49
Registered: ‎04-14-2014
Kudos: 6

Re: multiple external IP's PPPoE with NAT


Here is my config below.  I have my additional IP set on eth0 as an address.  I can ping that address from the internet, so I know that the edge router is responding on that IP.

What I would like to do is have another NAT 'overload' masquerade rule to NAT any traffic from eth1-vif2 to the 80.xxx.67.224/32 address.  Is this possible?  If it is, I guess the 2 masquerade rules need to be a bit more specific with source and destination interfaces?

Thanks

Rich

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify pppoe-out {
        description tst
        rule 1 {
            action modify
            modify {
                tcp-mss 1452
            }
            protocol tcp
            tcp {
                flags SYN
            }
        }
    }
    name LAN-WAN {
        default-action accept
        description ""
    }
    name WAN-LAN {
        default-action drop
        description ""
        enable-default-log
        rule 1 {
            action accept
            description "allow established traffic to LAN"
            log disable
            protocol all
            source {
                group {
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action accept
            description esxi
            destination {
                address 192.168.29.9
            }
            log disable
            protocol all
            source {
                address 212.xxx.xxx.209
            }
        }
        rule 3 {
            action drop
            description "drop invalid / new traffic to LAN"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new enable
                related disable
            }
        }
    }
    name WAN-ME {
        default-action drop
        description "Traffic destined to router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established traffic to me"
            log disable
            protocol all
            source {
                group {
                }
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action accept
            description "allow openvpn traffic"
            destination {
                port 1194
            }
            log disable
            protocol udp
        }
        rule 3 {
            action accept
            description "allow xxxx plusnet"
            log disable
            protocol all
            source {
                address 212.xxx.xxx.78
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 4 {
            action accept
            description "allow rich dekstop"
            log disable
            protocol all
            source {
                address 212.xxx.xxx.210
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 5 {
            action accept
            description "allow rich vpn"
            log disable
            protocol all
            source {
                address 212.xxx.xxx.99
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 6 {
            action accept
            description "allow rich vm"
            log disable
            protocol all
            source {
                address 212.xxx.xxx.209
            }
        }
        rule 7 {
            action accept
            description "allow rich"
            log disable
            protocol all
            source {
                address 10.0.50.0/24
            }
        }
        rule 8 {
            action accept
            description nagios-primary
            log disable
            protocol icmp
            source {
                address 213.xxx.xxx.0/28
            }
        }
        rule 9 {
            action accept
            description thinkbroadband
            log disable
            protocol icmp
            source {
                address 80.xxx.xxx.164/28
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 80.xxx.67.224/32
        description WAN
        duplex auto
        firewall {
            in {
                name WAN-LAN
            }
            local {
                name WAN-ME
            }
        }
        mtu 1508
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN-LAN
                }
                local {
                    name WAN-ME
                }
                out {
                    modify pppoe-out
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id xxxxxxx@xxxxxxx.co.uk
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.29.1/24
        description LAN
        duplex auto
        firewall {
            out {
                name LAN-WAN
            }
        }
        speed auto
        vif 2 {
            address 172.16.0.1/24
            description Gardening
            mtu 1500
        }
    }
    ethernet eth2 {
        address dhcp
        duplex auto
        firewall {
            local {
            }
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        encryption aes256
        hash sha512
        local-port 1194
        mode server
        openvpn-option --comp-lzo
        openvpn-option "--user nobody --group nogroup"
        openvpn-option "--tls-auth /config/auth/ta.key 0"
        openvpn-option "--verb 3"
        protocol udp
        server {
            client rich {
                ip 192.168.30.10
                push-route 192.168.29.0/24
            }
            client rich-dg {
                ip 192.168.30.11
                push-route 0.0.0.0/0
            }
            subnet 192.168.30.0/24
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/xxxx-router.crt
            dh-file /config/auth/dh2048.pem
            key-file /config/auth/xxxx-router.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name xxxxxx-dhcp {
            authoritative disable
            subnet 192.168.29.0/24 {
                default-router 192.168.29.1
                dns-server 192.168.29.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.29.200 {
                    stop 192.168.29.254
                }
                static-mapping HP-Printer {
                    ip-address 192.168.29.31
                    mac-address 00:18:71:5d:5f:18
                }
                static-mapping Xerox-Printer {
                    ip-address 192.168.29.30
                    mac-address 00:00:AA:A7:2E:AE
                }
                static-mapping backup {
                    ip-address 192.168.29.12
                    mac-address 00:02:a5:22:09:3d
                }
                static-mapping backup-nfs {
                    ip-address 192.168.29.71
                    mac-address 00:13:20:e5:c5:fd
                }
                static-mapping xxxxxxxx-sw {
                    ip-address 192.168.29.8
                    mac-address 00:1d:e5:bf:da:40
                }
                static-mapping bosun-new {
                    ip-address 192.168.29.13
                    mac-address 00:0c:29:7b:5d:fd
                }
                static-mapping xxxx-laptop-wireless {
                    ip-address 192.168.29.43
                    mac-address 00:16:6f:50:12:ae
                }
                static-mapping osprey-birdcam {
                    ip-address 192.168.29.70
                    mac-address 00:02:a5:94:9d:12
                }
                static-mapping raspberry-pi {
                    ip-address 192.168.29.16
                    mac-address b8:27:eb:f0:e0:70
                }
                static-mapping rich-laptop-wired {
                    ip-address 192.168.29.41
                    mac-address 00:17:a4:e6:29:77
                }
                static-mapping rich-laptop-wireless {
                    ip-address 192.168.29.40
                    mac-address 00:1b:77:34:27:d2
                }
                static-mapping solo {
                    ip-address 192.168.29.42
                    mac-address 00:30:48:ba:9b:f2
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 1000
            listen-on eth1
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description esxi
            destination {
                address 80.xxx.xxx.165
                port 80
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.29.9
                port 80
            }
            log disable
            protocol tcp
            source {
                address 212.xxx.xxx.209
            }
            type destination
        }
        rule 2 {
            description "esxi https"
            destination {
                address 80.xxx.xxx.165
                port 443
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.29.9
                port 443
            }
            log disable
            protocol tcp
            source {
                address 212.xxx.xxx.209
            }
            type destination
        }
        rule 3 {
            description "esxi 902"
            destination {
                address 80.xxx.xxx.165
                port 902
            }
            inbound-interface pppoe0
            inside-address {
                address 192.168.29.9
                port 902
            }
            log disable
            protocol tcp_udp
            source {
                address 212.xxx.xxx.209
            }
            type destination
        }
        rule 5000 {
            description "Internet Overload"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
}
system {
    domain-name xxxxxx.co.uk
    host-name xxxxxx-router
    login {
        user xxxx {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "xxxxxxxxx"
            level admin
        }
        user rich {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys rich@staff4-desktop {
                    key ****************
                    type ssh-rsa
                }
            }
            full-name "xxxxxxxxxxx"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
}

Emerging Member
Posts: 49
Registered: ‎04-14-2014
Kudos: 6

Re: multiple external IP's PPPoE with NAT

It seems I can't use source interface on a masquerade statement....

[edit service nat rule 5000]
rich@xxxxxx-router# show
 description "Internet Overload"
+inbound-interface eth1
 log disable
 outbound-interface pppoe0
 protocol all
 type masquerade
[edit service nat rule 5000]
rich@quavey-router# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed? [confirm][y]
[ service nat ]
NAT configuration error: cannot specify inbound interface with "masquerade" or "source" rules

Commit failed
[edit service nat rule 5000]

Any ideas on how I can get around this?
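The commit error above is the key: EdgeOS masquerade and source NAT rules match on the outbound interface and the packet's source address, not on an inbound interface. The way to give the second LAN its own public IP, as asked in the opening post, is a `type source` rule that matches the 172.16.0.0/24 subnet of eth1.2 and sets `outside-address` to the routed IP explicitly, leaving masquerade rule 5000 as the catch-all for everything else. The following is an added example written for this thread, not a config posted by anyone in it; the rule number 4000 and the description text are assumptions, and 80.xxx.67.224 is the redacted address from the posted config, to be replaced with the real one.

```edgeos
configure

# Source NAT (not masquerade) lets the outside address be chosen per rule.
# Match on the source subnet behind eth1 vif 2 instead of an inbound
# interface, which masquerade/source rules reject at commit time.
# Rule number 4000 is an assumption; NAT rules are evaluated in ascending
# order, so it must sit below the catch-all masquerade rule 5000.
set service nat rule 4000 description "Gardening VLAN to dedicated public IP"
set service nat rule 4000 type source
set service nat rule 4000 outbound-interface pppoe0
set service nat rule 4000 source address 172.16.0.0/24
set service nat rule 4000 outside-address address 80.xxx.67.224
set service nat rule 4000 protocol all
set service nat rule 4000 log disable

# Rule 5000 (masquerade on pppoe0) is left untouched; 192.168.29.0/24 and
# anything else not matched by rule 4000 still falls through to it.

commit
save
exit

# Operational-mode checks after the commit:
show nat rules          # confirm 4000 is listed above 5000 with the right match
show nat statistics     # packet counters per rule; 4000 should increment
show nat translations   # live entries from 172.16.0.x should show 80.xxx.67.224
```

Because the new rule is outbound only, return traffic is still admitted by the `established`/`related` rule in WAN-LAN on pppoe0, and unsolicited packets arriving for 80.xxx.67.224 continue to hit the WAN-LAN and WAN-ME chains with their default drop, so no firewall change is needed for the second public IP to be as protected as the first.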