Geekzone: technology news, blogs, forums
aum108

14 posts

Geek
+1 received by user: 1


#295746 20-Apr-2022 12:17

Hi all,

 

2degrees has informed me that a /29 subnet has been added to my fibre connection account, in addition to the existing single static IP.

 

However, despite trying numerous configuration options, I can't seem to get those added addresses live. I'm not even sure whether 2degrees is routing the /29 addresses properly to my connection, and their Tier 2 helpdesk is not answering calls or emails.

 

What I've tried:

 

  • Power-cycling the ONT and 2degrees modem to force reboot/reconnect. Modem comes up with just the static IP
  • Adding the /29 range into the 2degrees modem as an 'ISP-issued subnet'. These still do not appear in my connection
  • Bypassing the 2degrees modem altogether, and instead connecting to the ONT directly with a VyOS firewall/router (v1.3), with the outward ethernet interface eth0 set to use VLAN 10, and a PPPoE interface configured to use this
  • Manually adding the /29 range into the PPPoE interface. I can (of course) ping the /29 addresses locally, but nodes external to 2degrees can't ping in or connect to any of the /29s. Outside can definitely ping and connect to my static IP. And yes, I've set up the applicable NAT rules within my router, so if any packets are actually coming in with respect to the /29 IPs, I would see them

I would expect, in both the "via 2degrees modem" case, and the "direct connect from VyOS router" case, that configuring the PPPoE for DHCP would result in the 2degrees side pushing the /29 subnet in addition to the existing static IP.

 

However, the /29 addresses are still not appearing when I view the network interfaces.

 

I note that my VyOS box is successfully connecting to 2degrees, and getting traffic in and out to/from my static IP.

 

Has anyone else here managed to get a /29 subnet up on their end?

 

All help appreciated.

 

Cheers

 

David

nztim
4015 posts

Uber Geek
+1 received by user: 2714

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2904286 20-Apr-2022 12:25

you need a firewall which can handle complex routing from the likes of sonicwall/mikrotik/fortigate and the knowledge to write policies to deal with these

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2904290 20-Apr-2022 12:34

The /29 won't show. They simply route this to you over your main connection.

 

You need to either use static routes or SRC/DST-NAT rules to route from or to these IPs along with applicable firewall rules.

Michael Murphy | https://murfy.nz

aseni
52 posts

Master Geek
+1 received by user: 32


  #2904292 20-Apr-2022 12:35

The /29 won't be assigned directly to your interface, it will probably be routed behind your static PPPoE IP address. You can confirm the routing is set up by running an external traceroute to one of the IPs in the /29 subnet and checking if your static IP shows in the path (assuming you are not blocking ICMP on the router), or running a tcpdump on the router (should be easy to do on VyOS) and checking for traffic destined to the /29 subnet.

aum108

14 posts

Geek
+1 received by user: 1


  #2904293 20-Apr-2022 12:35

That's the issue - I've added the routes and firewall rules, and can't see any evidence that the addresses are being routed to me.


nztim
4015 posts

Uber Geek
+1 received by user: 2714

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2904294 20-Apr-2022 12:37

aum108:

That's the issue - I've added the routes and firewall rules, and can't see any evidence that the addresses are being routed to me.



What firewall are you using?

aum108

14 posts

Geek
+1 received by user: 1


  #2904296 20-Apr-2022 12:40

I'm using VyOS 1.3 rc6, configured with a pppoe interface via VLAN 10 over external ethernet.

Zal
257 posts

Ultimate Geek
+1 received by user: 26


  #2904303 20-Apr-2022 13:31

I have a /30 from 2d.

 

I use a mikrotik cloud core router. Normal static comes in via PPPoE and then I just route out using srcnat the server or network I want to go out on one of the /29.

Mikrotik can also do a sneaky and use the addresses either side of the /30. So I get a total of 5 usable addresses inc the static via PPPoE.

Works great. Mikrotiks are cheap.

aum108

14 posts

Geek
+1 received by user: 1


  #2904406 20-Apr-2022 14:09

As I see these responses, and try out several different SNAT and DNAT options, I'm becoming more convinced that incoming traffic to the /29 addresses is simply not being routed to me.

 

I've even run tcpdump on my router to try and catch raw packets addressed to the /29 prefix IP, but nothing is coming in.

 

Can anyone suggest any other tests to confirm/deny that 2degrees simply isn't routing?

aum108

14 posts

Geek
+1 received by user: 1


  #2904409 20-Apr-2022 14:22

aseni:

 

The /29 won't be assigned directly to your interface, it will probably be routed behind your static PPPoE IP address. You can confirm the routing is set up by running an external traceroute to one of the IPs in the /29 subnet and checking if your static IP shows in the path (assuming you are not blocking ICMP on the router), or running a tcpdump on the router (should be easy to do on VyOS) and checking for traffic destined to the /29 subnet.

Thanks aseni. Traceroute to addresses in my /29 from an outside box was the first thing I tried.

 

When I traceroute to my static IP, it gets to 'ip4.gtt.net (209.120.165.10)', then one 'asterisks' hop, then it reaches the IP.

But when I traceroute to any of the /29 addresses, it gets to the same 'ip4.gtt.net (209.120.165.10)', then endless 'asterisks' lines until it gives up.

As for tcpdump, I've run that within the router. When I pipe to grep on my static IP, I see lots of packets coming in. But when I grep the /29 prefix, silence.

 

ICMP to my router is enabled, and I can ping the static IP from outside. But attempts to ping to any /29 addresses just hang.

 

Does anyone have any other ideas?

aseni
52 posts

Master Geek
+1 received by user: 32


  #2904429 20-Apr-2022 15:15

aum108:

 

As for tcpdump, I've run that within the router. When I pipe to grep on my static IP, I see lots of packets coming in. But when I grep the /29 prefix, silence.

 

ICMP to my router is enabled, and I can ping the static IP from outside. But attempts to ping to any /29 addresses just hang.

 

Does anyone have any other ideas?

You can try adding an IP on the /29 range to the router loopback and try pinging it from outside just to be sure, but from the tests you have already done it does look like a configuration issue on 2D side.

 

Even if you had a problem with your firewall or NAT rules, you should still see the incoming packet on the pppoe interface before the kernel drops the packet.
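A way to make aseni's tcpdump check mechanical, as an added example that is not code from this thread or from VyOS: a small Python script that classifies the destination of each inbound packet in `tcpdump -n` output as the static PPPoE address, an address inside the routed /29, or something else. The addresses and the capture lines are constructed (RFC 5737 documentation ranges, since the poster changed their real IPs); on the VyOS box the real lines would come from `sudo tcpdump -ni pppoe0 -l`.

```python
import ipaddress
import re
from collections import Counter

# Constructed values (not from the thread): the poster changed their real IPs,
# so RFC 5737 documentation ranges stand in for the static IP and the /29.
STATIC_IP = ipaddress.ip_address("203.0.113.10")
ROUTED_PREFIX = ipaddress.ip_network("198.51.100.0/29")

# Constructed sample of `tcpdump -ni pppoe0` output: inbound packets to the
# static IP only, which is the situation the poster describes.
SAMPLE_NO_SUBNET = """\
12:00:01.000001 IP 192.0.2.7.51000 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.22 > 192.0.2.7.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000001 IP 192.0.2.7 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
12:00:03.000001 IP 192.0.2.7.51001 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
"""

# Constructed sample of what the same capture looks like once the upstream
# actually delivers packets for the /29 over the PPPoE session.
SAMPLE_WITH_SUBNET = SAMPLE_NO_SUBNET + """\
12:00:04.000001 IP 192.0.2.7.51002 > 198.51.100.3.22222: Flags [S], seq 4, win 64240, length 0
12:00:05.000001 IP 192.0.2.7 > 198.51.100.5: ICMP echo request, id 2, seq 1, length 64
"""

# "<timestamp> IP <src> > <dst>: ..." as printed by tcpdump -n for IPv4.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+?):")


def split_host_port(field):
    """tcpdump -n prints 'a.b.c.d.port' for TCP/UDP and plain 'a.b.c.d' for ICMP."""
    parts = field.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(field), None


def classify_inbound(dump_text):
    """Count externally sourced packets by destination: 'static', 'subnet' or 'other'."""
    counts = Counter(static=0, subnet=0, other=0)
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4 lines (IP6, ARP, PPP LCP) are not of interest here
        src, _ = split_host_port(m.group(1))
        dst, _ = split_host_port(m.group(2))
        # Replies the router itself sends are not evidence of inbound routing.
        if src == STATIC_IP or src in ROUTED_PREFIX:
            continue
        if dst == STATIC_IP:
            counts["static"] += 1
        elif dst in ROUTED_PREFIX:
            counts["subnet"] += 1
        else:
            counts["other"] += 1
    return counts


def subnet_is_routed(dump_text):
    """True only if at least one outside packet reached an address in the /29."""
    return classify_inbound(dump_text)["subnet"] > 0


if __name__ == "__main__":
    for name, sample in (("as reported", SAMPLE_NO_SUBNET), ("expected", SAMPLE_WITH_SUBNET)):
        c = classify_inbound(sample)
        print(f"{name}: static={c['static']} subnet={c['subnet']} other={c['other']}"
              f" -> /29 routed: {subnet_is_routed(sample)}")
```

Skipping packets whose source is one of your own addresses matters, because the router's replies to the static IP would otherwise inflate the count. A healthy static column next to a zero subnet column, which is what the thread reports, points at the upstream not routing the /29 rather than at a local NAT or firewall mistake: netfilter can only drop a packet after tcpdump has already seen it on pppoe0.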


nztim
4015 posts

Uber Geek
+1 received by user: 2714

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2904476 20-Apr-2022 17:10

I gave detailed instructions here on doing this on a mikrotik

 

https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=277298

 

never tried VyOS and have no idea if it has the capacity to do this

aum108

14 posts

Geek
+1 received by user: 1


  #2904483 20-Apr-2022 17:39

nztim:

 

I gave detailed instructions here on doing this on a mikrotik

 

https://www.geekzone.co.nz/forums.asp?forumid=66&topicid=277298

 

never tried VyOS and have no idea if it has the capacity to do this

Thanks for that, nztim. Unfortunately, the instructions (adapted for VyOS) aren't working. This technique is one of dozens I've tried over the last couple of days.

 

To reiterate:

 

traceroute from outside fails to get a path to any of the /29 addresses

 

tcpdump executed on the VyOS box shows no inbound packets addressed to any of the /29 addresses (even though I'm telnetting from outside)

I've tried the same traceroute and tcpdump commands but with my static IP. Traceroute finds the IP, and tcpdump shows a ton of inbound packets.

 

I'm still feeling pretty convinced that 2degrees are not routing any traffic addressed to the /29 addresses to me.

 

Anyway, here's my VyOS configuration excerpt with a NAT rule similar to what you gave (IP addresses changed):

 

Inbound DNAT:

 

 rule 100 {
     description "forward inbound addressed to /29"
     destination {
         address 111.22.33.45
         port 22222
     }
     inbound-interface pppoe0
     protocol tcp_udp
     source {
         address 0.0.0.0/0
     }
     translation {
         address 10.0.0.3
         port 22222
     }
 }

 

Outbound SNAT:

 

 rule 101 {
     description "outbound originating from /29"
     outbound-interface pppoe0
     source {
         address 10.0.0.3
     }
     translation {
         address 111.22.33.45
     }
 }

If any traffic addressed to any of the subnet IPs is actually getting delivered on the router's interface, I'd at least expect to see packets in tcpdump.

aum108

14 posts

Geek
+1 received by user: 1


  #2904498 20-Apr-2022 18:16

Zal:

 

I have a /30 from 2d.

 

I use a mikrotik cloud core router. Normal static comes in via PPPoE and then I just route out using srcnat the server or network I want to go out on one of the /29.

Mikrotik can also do a sneaky and use the addresses either side of the /30. So I get a total of 5 usable addresses inc the static via PPPoE.

Works great. Mikrotiks are cheap.

Zal, is your router connecting to 2degrees in the same way as "normal" fibre connections, that is:

 

  • ethernet interface with no addresses assigned
  • VLAN 10
  • PPPoE connection through this VLAN, with the usual 2degrees username/password?
  • PPPoE connection receives the local IP and peer IP from 2degrees?

Or are you making the WAN connection differently?

OmniouS
434 posts

Ultimate Geek
+1 received by user: 46

Trusted
Lifetime subscriber

  #2904597 20-Apr-2022 22:50

VyOS definitely supports both options to handle additional subnets. I prefer the DNAT/SNAT option which gives you additional IP addresses to play with.

 

The easiest way to test this would be to take the standard masquerade rule that covers your outbound IPv4 traffic and change 'masquerade' to an IP address in the /29 allocation. Or one of your masquerade rules if you have multiple.

 

e.g. 

 

nat {
    source {
        rule 10 {
            outbound-interface pppoe0
            source {
                address 192.168.xx.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}

 

In the above, change 'masquerade' to one of your new IP addresses

 

Then check with any external IP reporting tool from a machine that has a private IP in the source range.

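As an added example (not code from this thread or from VyOS), here is the 1:1 DNAT/SNAT pairing that michaelmurfy and OmniouS describe, written as a generator of VyOS 1.3 `set nat` commands so that each address of the routed /29 maps to one LAN host, with the input validated before it becomes a rule. It generalises aum108's single rule 100/101 pair to the whole block. The /29, the LAN range and the interface name are constructed assumptions (documentation ranges, pppoe0 as the WAN side).

```python
import ipaddress

# Constructed assumptions (not from the thread): documentation ranges stand in
# for the routed /29 and the LAN, and pppoe0 is the VyOS PPPoE WAN interface.
ROUTED_PREFIX = ipaddress.ip_network("198.51.100.0/29")
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
WAN_IF = "pppoe0"


def one_to_one_nat(mapping, first_rule=100):
    """Return VyOS 1.3 `set nat` commands giving each LAN host its own /29 address.

    `mapping` is {public_ip: private_ip}. Every public address must lie inside
    the routed /29 and every private one inside the LAN; anything else raises
    ValueError so a typo cannot become a rule that silently never matches.
    Because the /29 is routed behind the static IP rather than configured on a
    link, all eight addresses of the block (including .0 and .7) can be used.
    """
    cmds = []
    rule = first_rule
    for public, private in mapping.items():
        pub = ipaddress.ip_address(public)
        priv = ipaddress.ip_address(private)
        if pub not in ROUTED_PREFIX:
            raise ValueError(f"{public} is not inside {ROUTED_PREFIX}")
        if priv not in LAN_NET:
            raise ValueError(f"{private} is not inside LAN {LAN_NET}")
        dnat = f"set nat destination rule {rule}"
        snat = f"set nat source rule {rule}"
        cmds += [
            # Inbound: packets for the public address arrive on pppoe0 and are
            # rewritten to the LAN host. No port restriction, so every service on
            # that host is exposed; narrow it with 'destination port' if wanted.
            f"{dnat} description 'inbound {public} -> {private}'",
            f"{dnat} inbound-interface {WAN_IF}",
            f"{dnat} destination address {public}",
            f"{dnat} translation address {private}",
            # Outbound: the same host leaves as its public address instead of
            # being masqueraded behind the static IP.
            f"{snat} description 'outbound {private} -> {public}'",
            f"{snat} outbound-interface {WAN_IF}",
            f"{snat} source address {private}",
            f"{snat} translation address {public}",
        ]
        rule += 1
    return cmds


def whole_block(hosts, first_rule=100):
    """Map consecutive LAN hosts onto the /29 in address order.

    `hosts` is a list of private IPs, at most eight for a /29.
    """
    publics = [str(a) for a in ROUTED_PREFIX]  # all 8 addresses of the block
    if len(hosts) > len(publics):
        raise ValueError(f"{len(hosts)} hosts but only {len(publics)} addresses")
    return one_to_one_nat(dict(zip(publics, hosts)), first_rule)


if __name__ == "__main__":
    for line in whole_block(["10.0.0.3", "10.0.0.4"]):
        print(line)
```

Give these rules lower numbers than the general masquerade rule when the LAN host also falls inside the masquerade rule's source range (OmniouS's rule 10 above would then need renumbering above them), because VyOS evaluates source NAT rules in ascending order and the first match wins; otherwise the host leaves as the static IP. Using all eight addresses of the routed block is the same trick Zal describes for the /30. Firewall rules permitting the forwarded traffic are separate and still needed.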

Zeon
3926 posts

Uber Geek
+1 received by user: 759

Trusted

  #2904614 21-Apr-2022 01:56

I don't know much about the router you are using but I don't see why NAT even needs to be involved? Isn't it simply a case of creating a new interface with the /29 called say "Public Interface" (and making the first usable IP of that /29 your router's IP) and then plugging whatever you want into that interface? Your default route should go out via the route being given by the PPP process. You can then see if say a PC with a statically assigned IP from that /29 can reach anything outside of your network.

 

This is how I do it with PFSense and there is literally nothing I need to configure beyond the "Public" interface....
