Sorry - this is a long one, but I think it might be worth us all being aware of an ‘interesting’ issue which has taken us months to fix.
We run 25 VDSL lines - each with a Mikrotik router and a Draytek Vigor V130 ADSL modem. So far, so very boring. And on each (Zen) line we have a /29 address range - so we have five usable IP addresses - one of which (usually the top one) is the router. Again. So far, so boring.
On each Mikrotik we have two NAT rules (dstnat and srcnat) basically pushing individual customers onto fixed IP addresses.
And we have a static IP on the router, for each of these fixed IP addresses.
In the IP address field, we might have addresses like:
address_________________network______(in this case, the default gateway)
123.123.123.123/32______62.1.1.2______(static for customer #98)
123.123.123.124/32______62.1.1.2______(static for customer #99)
123.123.123.128/32______62.1.1.2______(dynamic, set by PPPoE client)
The 123… addresses are our ‘public’ IP addresses, and the 62.x.x.x address is our provider's (Zen in this case) default gateway for these addresses. Again, so far so very boring.
We would have an IP routing entry of
target_______gateway___preferred source
0.0.0.0/0_____62.1.1.2__123.123.123.128 (our router public IP address)
However, over time, the VDSL line logs in again, and might pick up a new default gateway.
123.123.123.123/32______62.1.1.2______(static)
123.123.123.124/32______62.1.1.2______(static)
123.123.123.128/32______62.1.1.4______(dynamic, set by PPPoE client)
This then creates TWO IP routes (with the same ‘distance’):
target_________gateway______preferred source
0.0.0.0/0______62.1.1.2______123.123.123.123 (lowest ‘fixed’ IP address)
0.0.0.0/0______62.1.1.2______123.123.123.128 (our router public IP address)
Ta-da! Our radius client would then try to talk to Splynx using source address 123.123.123.123 (instead of .128) - and of course Splynx would correctly say ‘Hey, you’re not who I expected - get lost!’. As we’d want it to.
Turned out that we do NOT need to define the fixed IP addresses on our routers for each of our fixed IP address customers. Meaning that we do NOT get two IP routes, and then Splynx works like a dream (as it usually does), because our Mikrotik routers are using the correct source address.
This is the sort of ‘discovered check’ problem that will give you sleepless nights - it certainly gave us some.
The Radius client configuration in the Mikrotik router can specify the ‘source’ address too - and this was being ignored.
We saw this error from firmware versions 6.35.x right through 6.40.5.
And all because we used on-line Mikrotik forums to construct and build a core part of our network design. D’OH.
Hope this helps someone else,
—* Bill
http://www.Marykirk.com
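
Added example, not part of the original post: a small Python check for the condition described above, where two default routes at the same distance carry different preferred sources, so the RADIUS source address is no longer guaranteed. The input format (the post's three columns plus a distance column) and all function names are assumptions, and the sample routes are constructed from the post's placeholder addresses rather than taken from router output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: target, gateway, preferred source, distance.
# Mirrors the duplicate default routes shown in the post; not real output.
SAMPLE_ROUTES = """\
0.0.0.0/0 62.1.1.2 123.123.123.123 1
0.0.0.0/0 62.1.1.2 123.123.123.128 1
10.0.0.0/8 10.1.1.1 10.1.1.2 1
"""

def parse_routes(text):
    """Parse whitespace-separated route lines into typed records."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        target, gateway, pref_src, distance = fields
        routes.append({
            "target": ipaddress.ip_network(target),
            "gateway": ipaddress.ip_address(gateway),
            "pref_src": ipaddress.ip_address(pref_src),
            "distance": int(distance),
        })
    return routes

def check_default_route_sources(routes, expected_src):
    """Report whether the expected RADIUS source is the only source the
    best (lowest-distance) default routes can select."""
    expected = ipaddress.ip_address(expected_src)
    by_distance = defaultdict(set)
    for route in routes:
        if route["target"].prefixlen == 0:  # default route only
            by_distance[route["distance"]].add(route["pref_src"])
    if not by_distance:
        return {"ambiguous": False, "candidates": [], "source_guaranteed": False}
    candidates = by_distance[min(by_distance)]
    return {
        # More than one preferred source at the winning distance means the
        # router may originate traffic from either address.
        "ambiguous": len(candidates) > 1,
        "candidates": [str(a) for a in sorted(candidates)],
        "source_guaranteed": candidates == {expected},
    }

if __name__ == "__main__":
    print(check_default_route_sources(parse_routes(SAMPLE_ROUTES), "123.123.123.128"))
```
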