OmniouS
423 posts
Ultimate Geek
Trusted
Lifetime subscriber

#2904615 21-Apr-2022 02:13

Zeon:

I don't know much about the router you are using, but I don't see why NAT even needs to be involved? Isn't it simply a matter of creating a new interface with the /29, called say "Public Interface" (and making the first usable IP of that /29 your router's IP), then plugging whatever you want into that interface? Your default route should go out via the route being given by the PPP process. You can then see if, say, a PC with a statically assigned IP from that /29 can reach anything outside of your network.

This is how I do it with pfSense and there is literally nothing I need to configure beyond the "Public" interface....

Agreed - a routed subnet is the most straightforward solution. 2degrees would only assign me a /30 subnet so I went with the NAT option to get 4 usable IP addresses (instead of 2 with the routed option, not including the primary static IP). You have more flexibility with the /29!

Cheers


aum108
14 posts
Geek

#2904638 21-Apr-2022 08:15

OmniouS:

VyOS definitely supports both options to handle additional subnets. I prefer the DNAT/SNAT option, which gives you additional IP addresses to play with.

The easiest way to test this would be to take the standard masquerade rule that covers your outbound IPv4 traffic and change 'masquerade' to an IP address in the /29 allocation. Or one of your masquerade rules if you have multiple.

e.g.

nat {
    source {
        rule 10 {
            outbound-interface pppoe0
            source {
                address 192.168.xx.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}

In the above, change 'masquerade' to one of your new IP addresses.

Then check with any external IP reporting tool from a machine that has a private IP in the source range.

Hi OmniouS,

That is actually something I hadn't tried earlier.

I created an SNAT rule from your above example, setting the source address to a single box on my network.

However, when I committed the rule, this box became unable to make outbound connections. When I changed the outbound IP to 'masquerade', the box regained the ability to connect outbound.

Unless there's something big or simple I've missed, this to me is looking more like a 2degrees configuration issue.

(Is there anyone here who happens to be on a 2degrees tech team? I'm feeling frustrated at paying for a service that apparently has not been delivered in a usable form.)

nztim
3815 posts
Uber Geek
ID Verified
Trusted
TEAMnetwork
Subscriber

#2904654 21-Apr-2022 08:52

Zeon:

I don't know much about the router you are using but I don't see why NAT even needs to be involved?

Because IP addresses are precious, and if you can use all 8 of a /29 with 1-to-1 NAT rules it's way more efficient than losing one for your GW, one for your network start and one for broadcast.

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

nztim
3815 posts
Uber Geek
ID Verified
Trusted
TEAMnetwork
Subscriber

#2904656 21-Apr-2022 08:53

OP, are you Wellington based?
aum108
14 posts
Geek

#2904657 21-Apr-2022 08:57

nztim:

OP, are you Wellington based?

Hamilton.
aum108
14 posts
Geek

#2905445 22-Apr-2022 16:26

After a couple of frustrating days hitting brick walls, I'm happy to confirm this issue is now sorted.

2degrees' Tier 2 team finally got back to me to simply say they had "made a change in the subnet".

Following that, I reconnected with the VyOS router, and it's sending/receiving packets to/from the /29 subnet IPs.

Also, traceroutes from outside are finding paths to all the IPs.

SNAT/DNAT rules are working perfectly, so I'm able to route traffic exactly as needed.

Notably, the Fritz!Box router failed to send/receive /29 subnet packets, despite me configuring these into the Fritz!Box network settings.

But that's ok. The Fritz!Box is now obsolete and out of the loop!

Thanks everyone for your earlier help and suggestions.

2degrees are great to make these subnets available. But it can take a bit of time and persistence to get their senior techs to sort stuff on their end. But now sorted, it all simply just works! :)

D
gareth41
742 posts
Ultimate Geek

#2907574 27-Apr-2022 15:57

aum108:

I'm using VyOS 1.3 rc6, configured with a pppoe interface via VLAN 10 over external ethernet.

I don't know about VyOS, but I use a Mikrotik with a /29 on Voyager - I started out by assigning the first usable address to the router and then setting up DHCP to assign the other addresses to network devices. Each device connected to the LAN ports on the router got assigned a public IP from the /29 - however, I don't recommend this as it's not secure. Use 1:1 NAT - this is what I'm using now.

If you can get yourself a Mikrotik I can give you a copy of the settings I use in my router. You also can't "ping" addresses in the /29 if using 1:1 NAT; you're basically just doing port forwarding from specific IPs/ports in the /29 (incoming), and then masquerading (outgoing) for specific LAN devices you want to be using the IPs when connecting to websites etc.
aum108
14 posts
Geek

#2907603 27-Apr-2022 16:20

gareth41:

aum108:

I'm using VyOS 1.3 rc6, configured with a pppoe interface via VLAN 10 over external ethernet.

I don't know about VyOS, but I use a Mikrotik with a /29 on Voyager - I started out by assigning the first usable address to the router and then setting up DHCP to assign the other addresses to network devices. Each device connected to the LAN ports on the router got assigned a public IP from the /29 - however, I don't recommend this as it's not secure. Use 1:1 NAT - this is what I'm using now.

If you can get yourself a Mikrotik I can give you a copy of the settings I use in my router. You also can't "ping" addresses in the /29 if using 1:1 NAT; you're basically just doing port forwarding from specific IPs/ports in the /29 (incoming), and then masquerading (outgoing) for specific LAN devices you want to be using the IPs when connecting to websites etc.

Thanks for that, Gareth.

As it happens, VyOS has more than enough flexibility to manage the subnet traffic as needed via SNAT/DNAT directives.

I'm really happy with my setup now, even if it took 2degrees a few days to sort their end.

Cheers

David
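The 1:1 NAT arrangement that gareth41 describes (port forwarding in, a fixed public source address out) and the SNAT/DNAT rules aum108 ended up with, written out as one VyOS 1.3 configuration. This is an added example, not configuration from the thread or from the VyOS project, and every address in it is constructed: it assumes the ISP-routed block is 203.0.113.8/29 (with 203.0.113.10 as the public address to map), the LAN is 192.168.1.0/24, the host to expose is 192.168.1.10, and the upstream interface is pppoe0 as in the snippet above. The `/* */` lines are explanatory comments in the form VyOS uses for node comments.

```vyos
firewall {
    name WAN-IN {
        /* Anything arriving from the ISP that is not explicitly allowed below is dropped. */
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* DNAT runs before filtering, so this rule matches the private address, not 203.0.113.10. */
        rule 20 {
            action accept
            destination {
                address 192.168.1.10
                port 443
            }
            protocol tcp
        }
    }
}
interfaces {
    pppoe pppoe0 {
        firewall {
            in {
                name WAN-IN
            }
        }
    }
}
nat {
    destination {
        /* Inbound half of the 1:1 mapping: public 203.0.113.10 -> internal 192.168.1.10. */
        rule 10 {
            destination {
                address 203.0.113.10
            }
            inbound-interface pppoe0
            translation {
                address 192.168.1.10
            }
        }
    }
    source {
        /* Outbound half: this one host leaves from its own public address. */
        rule 10 {
            outbound-interface pppoe0
            source {
                address 192.168.1.10
            }
            translation {
                address 203.0.113.10
            }
        }
        /* Everything else on the LAN keeps using the PPPoE address. */
        rule 100 {
            outbound-interface pppoe0
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
```

Two points worth checking on a live box. Source NAT rules are evaluated in numeric order, so the host-specific rule must carry a lower number than the catch-all masquerade rule, otherwise the host's traffic is masqueraded before rule 10 is reached. And because the destination rule translates every protocol, the firewall rule set on pppoe0 is what actually limits exposure: with `default-action drop` only TCP/443 reaches the mapped host, and anything the ISP forwards to the other /29 addresses without a matching destination rule is dropped as well. The symptom aum108 hit (outbound connections failing as soon as the translation address was changed from `masquerade` to a /29 address) is consistent with the ISP not yet routing the /29 to the PPPoE session; the configuration itself was already correct.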