Return to Level1Techs.com

Ubiquiti Edgerouter Multiple Public IP's & SNAT not working

#1

Not sure if anyone is experience with Ubiquiti Edgerouters…

The ISP has provided me 2 public IP’s. For this example, I have Public IP “A” and Public IP “B” assigned to eth0 with Proxy ARP enabled.

ETH1 has LAN subnet A and ETH2 has LAN subnet B. I want LAN subnet A to use Public IP A… LAN subnet B to use Public IP B.

LAN subnet A NAT settings is using masquerade. Working fine, Public IP A comes up using “whatismyip”

Created SNAT rule for LAN subnet B with translation IP of Public IP B, outbound port is eth0. Move this rule ABOVE the masquerade rule. As soon as I do that, LAN subnet B loses internet connectivity.

I know I’m doing this right because I have another edgerouter to test with. When I do this on a DSL line that I have with the same ISP, which I have 2 static IP’s to use. This works perfectly fine. But does not work on this new fiber connection.

I tried calling the ISP, no help at all. However they did make a comment they could only see 1 public IP of mine. Not the other. Another thing to note about this ISP. In the past, they required me to provide the MAC address of a device I wanted the public IP assigned to, it had to be 2 separate devices, could not get them to assign both IPs to the same MAC. However they don’t require this anymore. I’ve called multiple times to verify this.

I’m starting to wonder if this is even possible now? Why would this work perfectly fine on a DSL line and not on this fiber circuit?

0 Likes

#2

could be network auth issue. where they wanted you to provide two separate mac addresses before then depending on your ER model, use two ports. i know the ERL has only 3 so thats a little more difficult. i have an ERX and it has 5 ports.

0 Likes

#3

Which router are you using? It’s difficult to diagnose without seeing some config.

Do both public IPs share the same next hop gateway?

Are both statically assigned?

Could you post your interface, routing and snat configs (censor the first 3 octets of any sensitive IPs).

0 Likes

#4

It’s edgerouter pro.

Same gateway for both IPs and are statically assigned.

Here is the router configs along with routing table interface on eth0 listing both IPs.

You probably noticed the firewall rule I created to allow icmp. For testing I was pinging both IPs externally. I was only getting a reply from x.98… NOT x.99

:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group RemoteUniFiSites {
            address x.x.x.218
            address x.x.x.73
            address x.x.x.179
            description "Remote Sites With Unifi"
        }
        network-group corp_network {
            description ""
            network 172.16.20.0/24
            network 172.16.17.0/24
        }
        network-group lan_networks {
            network 172.16.20.0/24
            network 172.16.16.0/23
            network 172.18.10.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ETH1 {
        default-action accept
        description ""
        rule 1 {
            action accept
            description Established,Related
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Unifi Controller Communication"
            destination {
                port 8080
            }
            log disable
            protocol tcp
        }
        rule 30 {
            action accept
            description "Unifi STUN"
            destination {
                port 3478
            }
            log disable
            protocol udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            log disable
            protocol icmp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address x.x.x.98/24
        address x.x.x.97/24
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        ip {
            enable-proxy-arp
        }
        speed auto
    }
    ethernet eth1 {
        address 172.16.20.254/24
        description "Wifi MGMT"
        duplex auto
        firewall {
            out {
                name ETH1
            }
        }
        speed auto
        vif 16 {
            address 172.16.17.254/23
            description Wifi
            mtu 1500
        }
    }
    ethernet eth2 {
        address 172.18.10.254/24
        description eth2
        duplex auto
        ip {
        }
        speed auto
    }
    ethernet eth3 {
        description eth3
        duplex auto
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    ethernet eth5 {
        duplex auto
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative disable
            subnet 172.18.10.0/24 {
                default-router 172.18.10.254
                dns-server 1.1.1.1
                dns-server 9.9.9.9
                lease 86400
                start 172.18.10.50 {
                    stop 172.18.10.100
                }
            }
        }
        shared-network-name Wifi {
            authoritative disable
            subnet 172.16.16.0/23 {
                default-router 172.16.17.254
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 172.16.16.15 {
                    stop 172.16.17.200
                }
            }
        }
        shared-network-name Wifi_MGMT {
            authoritative disable
            subnet 172.16.20.0/24 {
                default-router 172.16.20.254
                dns-server 9.9.9.9
                dns-server 1.1.1.1
                lease 86400
                start 172.16.20.20 {
                    stop 172.16.20.200
                }
                unifi-controller 172.16.20.10
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
          rule 5000 {
            description WAN2
            log disable
            outbound-interface eth0
            outside-address {
                address x.x.x.97
            }
            protocol all
            source {
                address 172.18.10.0/24
            }
            type source
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                }
            }
            type masquerade
        }
        rule 5002 {
            description "Hairpin Unifi Controller"
            destination {
                address 172.16.20.10
                port 8080
            }
            log disable
            outbound-interface eth1
            outside-address {
            }
            protocol tcp
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
        rule 5003 {
            description "Hairpin Unifi STUN"
            destination {
                address 172.16.20.10
                port 3478
            }
            log disable
            outbound-interface eth1
            outside-address {
            }
            protocol udp
            source {
                address 172.16.20.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    gateway-address x.x.x.1
    host-name RTR
      }
    name-server 9.9.9.9
    name-server 1.1.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi disable
        export disable
    }
}


RTR:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] via x.x.x.1, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.16.0/23 is directly connected, eth1.16
C    *> 172.16.20.0/24 is directly connected, eth1
C    *> 172.18.10.0/24 is directly connected, eth2
C    *> x.x.x.0/24 is directly connected, eth0
C       x.x.x.0/24 is directly connected, eth0


RTR:~$ show interfaces ethernet eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:9f:c2:1b:c9:8f brd ff:ff:ff:ff:ff:ff
    inet x.x.x.98/24 brd x.x.x.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet x.x.x.97/24 brd x.x.x.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 scope link
       valid_lft forever preferred_lft forever
    Description: Internet
	
	 RX:  bytes    packets     errors    dropped    overrun      mcast
    137946228378  129153490          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
    21637682845   69476476          0          0          0          0
	
RTR:~$ show interfaces ethernet eth2
eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether f0:9f:c2:1b:c9:91 brd ff:ff:ff:ff:ff:ff
    inet 172.18.10.254/24 brd 172.18.10.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 scope link
       valid_lft forever preferred_lft forever
    Description: eth2

    RX:  bytes    packets     errors    dropped    overrun      mcast
       9580196      90573          0          0          0        768
    TX:  bytes    packets     errors    dropped    carrier collisions
     443367061     326715          0          0          0          0
1 Like

#5

Thanks. I have an er-pro with multiple public IPs as well and I don’t remember having an issue pinging them.

I haven’t tried to do what you’re doing with the snat rule though. I’ll take a look when I have a chance.

0 Likes

#6

I’m looking at my config right now and I’m realizing that I cannot ping the additional WAN IP addresses. In my case, the additional addresses are all used for port forwarding/dnat which they work fine for (I disabled the dnat rule to test the ping), but it’s curious that the WAN interface won’t respond to all of its addresses.

Have you tried adding a complimentary dnat rule? Maybe it needs that to work?

I’d experiment more on my end, but the unit is remote. I can’t afford to lock myself out of it.

0 Likes

#7

Understandable with not wanting to lock your self out :slight_smile:

I can try creating a DNAT rule and see if that helps at all.

Also to note, I have a ERPOE-5 hooked up to a DSL circuit, doing the exact same setup. It works exactly how I want it. And I can also ping both WAN IPs remotely.

Which is making me question how the ISP handles nodes on their network.

1 Like

#8

That’s good point, although in my case the router is in a datacenter, so there shouldn’t be any shenanigans there.

0 Likes