Infrastructura pentru 3 IP-uri publice

Buna,

Suntem o firma mica cu resurse si skill-uri minimale.
Avem 3 IP-uri publice, prin PPPoE. Configuratia actuala e asa:

ONT -> Switch - 3 routere consumer care fac PPPoE si de acolo clienti

Initial am nimerit la RDS un tehnician OK care mi-a deblocat 3 porturi pe ONT (Huawei) si am scapat de switch-ul de dupa. Cel curent a zis ca NU se poate. ONT-ul e in modul bridge.

Mai am un cisco catalyst 2960s-48fps mostenit. Si nu ma prea pricep la manageriat switch-uri. Imi inchipui ca pot separa grupuri de porturi pe el. Dar probabil nu stie el PPPoE.
https://www.cisco.co...itch/model.html

Care ar fi configuratia/investitia minima ca sa am cele 3 conexiuni cu un nr de clienti si sa scap de matzaraia cu mini switch-uri/routere?

Multumesc.

Depinde de ce soluție ai prefera să utilizezi, Mikrotik, Fortigate, Unifi, depinde de ce buget ai și de ce așteptări ai de la rețea.

Dacă vrei mai multe detalii, mă poți contacta în privat.

In principiu imi inchipui ca as vrea un singur echipament care sa faca cele 3 conexiuni PPPoE si optional sa aiba cateva porturi pentru fiecare LAN.
Fara optiunea asta, probabil fac 3 VLAN-uri pe switch-ul CISCO si ies de acolo.

In cel mai rau caz, probabil pot face treaba asta direct din server, folosind din cele 4 porturi Ethernet pe care le are. Acum are un Windows Server pe el, dar probabil ca trec pe Ubuntu (unde ma pricep si mai putin).

Asteptari:
- buget redus (inteleg ca MikroTik e ala, nu se poate si cu DD-WRT?)
- VPN pt conectat din afara in LAN-ul local
- mai tarziu poate load balancing cu alt ISP
- set it and forget it

Nu stiu daca se poate ce doresti tu. Adica un singur echipament L3 care pe care sa ai cele 3 conexiuni PPPoE. Este destul de posibil ca cei de la RDS sa verifice daca adresa L2 (MAC) este "conectata" adica exista deja o sesiune PPPoE activa care are ca sursa acea adresa si atunci sa nu mai permita alte conexiuni PPPoE de pe acelasi dispozitiv. O solutie, nu este testata asa ca nu am idee daca functioneaza sau nu, ar fi un router CIsco sau de la alt producator care sa permita sa setezi conexiunea PPPoE pe o interfata de loopback si interfetele alea de loopback sa aibe ca interfata de transmisie interfata fizica catre RDS. Dar, dupa cum am spus, nu am testat o asa solutie cum nu am testat nici daca se pot utilliza mai multe conturi PPPoE pe acelasi dispozitiv in acelasi timp.

PS: Ca parere personala eu as renunta la ideea de a folosi prostia de bubuntu. FreeBSD, Slackware, ArchLinux, CentOS 7. Daca folosesti o distributie GNU/Linux atunci pui OpenVPN si il configurezi sa foloesti certificate si / sau user / parola per client si impingi prin VPN rute catre prefixele din LAN.

Set it and forget it inseamna ceva enterprise deci mai scump ca o solutie in house folosind soft open source. Desi si folosind o solutie open source daca solutia e implementata corect poti ajunge la acelasi rezultat.

2960 este switch L2 deci in nici un caz nu ai cum sa il folosesti sa creezi conexiuni PPPoE pe el. dar poti folosi acel server de care ai mentionat ca sa ai cele 3 conexiuni PPPoE pe el si a 4a placa de retea sa fie tagged catre switch si pe switch sa ai VLAN-uri in functie de ce doresti sa faci. Exemplu: ppp0 cu vlan 100 si porturile gi0/10 - 0/19, ppp1 cu vlan101 si porturile gi0/20 - 0/29 si ppp2 cu vlan102 si porturile gi0/30 - 0/39.

Unde:
pppX este interfata ppp (interfata creata la conectarea PPPoE, 0 e prima, 1 a e doua si 2 e a treia.

Edited by MembruAnonim, 20 February 2021 - 15:19.

Care-i cerinta principala de rezolvat, pentru care aveti nevoie de mai multe IPuri?

Am avut si eu problema asta cu abonament business Digi care vine cu 3 conturi separate de pppoe si 3 IP-uri dedicate.

Cu un router Mikrotik merge sa definesti toate 3 conturi de pppoe pe el, si apoi sa le "trimiti" in anumite directii in reteaua ta, ori in functie de cablurile conectate in Mikrotik (eth2, eth3, eth4), ori dupa IP-uri locale, etc, sunt multe metode.

Sunt ceva reguli de facut prin Mikrotik, dar odata setat, e foarte OK.
Routerele Mikrotik cam toate stiu sa faca asta, si cele de 150 RON. Mai il alegi doar in functie de CPU si RAM eventual, sau alte functii necesare (wifi, display, etc).

Edited by adrianTNT, 11 March 2021 - 00:25.

Buna @adrianTNT.

Acum am routerul, as aprecia daca mi-ai spune de reguli. Am definit 3 interfete PPPoE, 3 VLAN-uri (cred), Pun mai jos configul meu cenzurat, ca sa vezi alocarea porturilor pe VLAN-uri.
Ideea e sa directionez fiecare IP public catre propriul subnet/server. Multumesc!

# feb/27/2022 21:39:29 by RouterOS 6.49.3
# software id = 8M9R-5B02
#
# model = RB3011UiAS
# serial number = E7E90F0F9E2E
/interface bridge
add admin-mac=DC:2C:6E:65:1A:C5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether01-WAN1
set [ find default-name=ether2 ] name=ether02-WAN2
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
/interface pppoe-client
add add-default-route=yes interface=ether01-WAN1 keepalive-timeout=disabled \
	name=pppoe-out1-54 user=A
add add-default-route=yes interface=ether01-WAN1 keepalive-timeout=disabled \
	name=pppoe-out2-55 user=B
add add-default-route=yes disabled=no interface=ether01-WAN1 name=\
	pppoe-out3-56 use-peer-dns=yes user=C
/interface vlan
add interface=ether03 name=vlan1A-54 vlan-id=1
add interface=ether04 name=vlan1B-54 vlan-id=1
add interface=ether05 name=vlan1C-54 vlan-id=1
add interface=ether06 name=vlan2A-55 vlan-id=2
add interface=ether07 name=vlan2B-55 vlan-id=2
add interface=ether08 name=vlan3A-56 vlan-id=3
add interface=ether09 name=vlan3B-56 vlan-id=3
add interface=ether10 name=vlan3C-56 vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.199
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
	bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether02-WAN2
add bridge=bridge comment=defconf interface=ether03
add bridge=bridge comment=defconf interface=ether04
add bridge=bridge comment=defconf interface=ether05
add bridge=bridge comment=defconf interface=ether06
add bridge=bridge comment=defconf interface=ether07
add bridge=bridge comment=defconf interface=ether08
add bridge=bridge comment=defconf interface=ether09
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add comment="IP 54" independent-learning=yes ports=ether03,ether04,ether05 \
	switch=switch1 vlan-id=1
add comment="IP 55" independent-learning=yes ports=ether06,ether07 switch=\
	switch2 vlan-id=2
add comment="IP 56" independent-learning=yes ports=ether08,ether09,ether10 \
	switch=switch2 vlan-id=3
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether01-WAN1 list=WAN
add interface=pppoe-out3-56 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip accounting
set account-local-traffic=yes enabled=yes
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
	192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether01-WAN1
/ip dhcp-server lease
add address=192.168.0.105 client-id=0:8:f1:ea:f4:95:16:0:0:0 mac-address=\
	08:F1:EA:F4:95:16 server=defconf
add address=192.168.0.127 client-id=1:8c:89:a5:3f:87:fa mac-address=\
	8C:89:A5:3F:87:FA
add address=192.168.0.124 client-id=1:88:d7:f6:57:23:3e mac-address=\
	88:D7:F6:57:23:3E server=defconf
add address=192.168.0.100 mac-address=98:F2:B3:26:2B:0F
add address=192.168.0.125 client-id=1:d4:3d:7e:63:97:f1 mac-address=\
	D4:3D:7E:63:97:F1 server=defconf
add address=192.168.0.123 client-id=1:e0:3f:49:79:49:c8 mac-address=\
	E0:3F:49:79:49:C8 server=defconf
add address=192.168.0.122 client-id=1:88:d7:f6:57:23:2f mac-address=\
	88:D7:F6:57:23:2F server=defconf
add address=192.168.0.203 client-id=1:8c:b8:4a:80:98:f7 mac-address=\
	8C:B8:4A:80:98:F7 server=defconf
add address=192.168.0.141 client-id=1:ec:e5:12:13:d7:f3 mac-address=\
	EC:E5:12:13:D7:F3 server=defconf
add address=192.168.0.126 client-id=1:50:2b:73:c5:d:7c mac-address=\
	50:2B:73:C5:0D:7C server=defconf
add address=192.168.0.133 client-id=1:0:22:58:58:11:2f mac-address=\
	00:22:58:58:11:2F server=defconf
add address=192.168.0.132 client-id=1:3c:2a:f4:37:19:e0 mac-address=\
	3C:2A:F4:37:19:E0 server=defconf
add address=192.168.0.131 client-id=1:9c:ae:d3:ea:29:c6 mac-address=\
	9C:AE:D3:EA:29:C6 server=defconf
add address=192.168.0.205 client-id=1:8c:25:5:ca:f7:58 mac-address=\
	8C:25:05:CA:F7:58 server=defconf
add address=192.168.0.206 mac-address=10:7B:44:68:92:03 server=defconf
add address=192.168.0.204 client-id=1:82:cc:88:c7:16:f mac-address=\
	82:CC:88:C7:16:0F server=defconf
add address=192.168.0.121 mac-address=98:29:A6:8F:BE:71 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
	"defconf: accept established,related,untracked" connection-state=\
	established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
	protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
	invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
	"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
	in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
	ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
	ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
	connection-state=established,related
add action=accept chain=forward comment=\
	"defconf: accept established,related, untracked" connection-state=\
	established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
	connection-state=invalid
add action=drop chain=forward comment=\
	"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
	connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
	ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SB Server e pe vechiul IP" \
	dst-address=x.x.x.x dst-port=22 log=yes log-prefix=vlad_ protocol=tcp \
	to-addresses=192.168.0.103 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
	192.168.89.0/24
/lcd
set time-interval=hour
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 adrianTNT, on 11 martie 2021 - 00:23, said:

Salut Dalvi
Prin vlans nu am facut, banuiesc ca ar fi una din metode dar nu retin de ce nu am facut prin metoda aia, probabil ceva nu mi-a iesit.
Eu am facut prin "routing mark" se pune o eticheta pe traficul care intra in router si se directioneaza prin reteaua locala in functie de etichetele astea.
Atasez imaginea, sper ca iti ajuta. Mai mult de atat, poate te ajuta cei de pe forum la Mikrotik, stiu de toate oamenii pe acolo
Pe langa ce apare in imagine, cred ca iti ajuta sa fie dezactivat "detect internet", tin minte ca te incurca daca ai multe reguli manuale.

 mikrotik_setup_multiple_ISP_EDITED.jpg   216.2K   34 downloads