cybertron
newbie
Topic Author
Posts: 29
Joined: Tue Jan 06, 2009 7:37 am

Multi-public IP to NAT forwarding

Tue Jun 05, 2012 10:21 pm

Hey guys, I'm just wondering if someone can point me in the right direction for setting up a router on a /26 connection that a client has installed from a cable provider.

The provider is not doing routing, and so we need to configure this router as the internal system.

In my experience, if I have servers in a datacenter, I'm given a set of IP addresses I can use, a gateway, subnet, etc. But in this case I'm just given the following:


P2P /30= 50.123.18.204
Subnet = 255.255.255.252
ISP = 50.123.18.205
CLIENT = 50.123.18.206

/26= 50.123.19.192
Subnet = 255.255.255.192
Sixty Two usables starting with 50.123.19.193

I'm not sure what to do with that info, but I'm going to make a guess...

I set the WAN port on my mikrotik to 50.123.19.193, and I create a route to 50.123.18.205 ??
I will need to set .193, 194, 195, etc, etc... to the WAN port and forward that to the NAT side, which I believe I can do with the info as follows:

add interface=WAN address=50.123.19.194/26
add interface=WAN address=50.123.19.195/26, etc, etc.
Then
add chain=srcnat out-interface=WAN src-address=192.168.0.10 action=src-nat to-address=50.123.19.194
add chain=srcnat out-interface=WAN src-address=192.168.0.11 action=src-nat to-address=50.123.19.195
add chain=srcnat out-interface=WAN src-address=192.168.0.0/24 action=src-nat to-address=50.123.19.193
add chain=dstnat in-interface=WAN dst-address=50.123.19.194 action=dst-nat to-address=192.168.0.10
add chain=dstnat in-interface=WAN dst-address=50.123.19.195 action=dst-nat to-address=192.168.0.11

And so on... and I'd set port numbers if I just wanted to forward a single port, etc.

I'm mainly confused how to set up the route to the ISP from the router. Am I right above? ISP gives IP 50.123.18.205 and subnet 255.255.255.252, but it's on another network, so I'm concerned it won't route? Sorry for my ignorance.
 
taduikis
Member
Posts: 436
Joined: Sat Jul 07, 2007 12:09 pm

Re: Re: Multi-public IP to NAT forwarding

Wed Jun 06, 2012 12:57 am

You have an entire 26bit long subnet routed to you by your isp. You just need to assign your client address (50.123.18.206/30) to your WAN iface and 50.123.19.193/26 to your LAN interface and simply add default 0/0 route to your ISP gateway .205
Then you can assign any IP of your given 26bit subnet (excluding the gateway of course) to internal network devices. No NAT needed.

I'm not sure, but I think you'll have to dedicate entire separate router just for that.. This kind of router is called "Edge router", I think?
 
cybertron
newbie
Topic Author
Posts: 29
Joined: Tue Jan 06, 2009 7:37 am

Re: Multi-public IP to NAT forwarding

Wed Jun 06, 2012 4:27 am

Thanks for the input taduikis.

That is definitely different than I thought it would be. I have to install this tomorrow, so I'm hoping someone can shed a little more light on this, but my client wants NAT internally for firewall purposes and that is how the machines are all configured right now, so I'd really like to keep it that way.

Anyone else?
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Multi-public IP to NAT forwarding

Wed Jun 06, 2012 2:03 pm

I think you are on the right path. If you want public IP-s to be assigned to local IP-s behind NAT then you need to use netmap which is the same as the rules you have specified. Only that netmap rules should be above the nat rule.
/ip address
add address=50.123.19.194/26 interface=WAN
add address=50.123.19.195/26 interface=WAN
/ip firewall nat
add chain=dstnat dst-address=50.123.19.194 action=netmap to-address=192.168.0.10
add chain=srcnat src-address=192.168.0.10 action=netmap to-address=50.123.19.194
add chain=srcnat action=masquerade
and so on
or you can try to assign two local interfaces, in one of them connect the devices that would need the public IP-s and on the other the devices which need to be nated. Then create bridge between the WAN interface and local interface of Public IP-s. After that try to assign the public IP-s to the devices. I vaguely remember such a setup.
 
cybertron
newbie
Topic Author
Posts: 29
Joined: Tue Jan 06, 2009 7:37 am

Re: Multi-public IP to NAT forwarding

Wed Jun 13, 2012 9:56 pm

Thanks guys for the help. I'm almost there. My last question is, can I just forward ports to the nated addresses? and what about this configuration....
/ip address
add interface=LAN address=192.168.0.1/24
add interface=WAN address=1.1.1.2/24
add interface=WAN address=1.1.1.10/24
add interface=WAN address=1.1.1.11/24
/ip firewall nat
add chain=srcnat out-interface=WAN src-address=192.168.0.10 action=src-nat to-address=1.1.1.10
add chain=srcnat out-interface=WAN src-address=192.168.0.11 action=src-nat to-address=1.1.1.11
add chain=srcnat out-interface=WAN src-address=192.168.0.0/24 action=src-nat to-address=1.1.1.2
add chain=dstnat in-interface=WAN dst-address=1.1.1.10 action=dst-nat to-address=192.168.0.10
Basically, I'd like to make it so that some computers can come from their respective IPs and others can just go out the default IP... above 1.1.1.10 and so on are my public.
 
cybertron
newbie
Topic Author
Posts: 29
Joined: Tue Jan 06, 2009 7:37 am

Re: Multi-public IP to NAT forwarding

Fri Jun 22, 2012 5:21 am

Alright guys, I got it all working great. Thanks for all the help in making this work. I did have one last question.

I noticed that MASQ was at the bottom of the nat list... it did not seem to work unless that was the case. When it's at the top, I was unable to get onto the internet if I recall correctly.
My home mikrotik has MASQ at the top... can anyone explain why this works different in each case?

I've chosen to go the route of SRCNAT and DSTNAT rather than NETMAP that you mentioned above. That also is a question I had, what the difference is. But I think one is just forwarding all the ports in one command, and the other is forwarding port by port = poor man's firewall? I guess I could set up firewall rules that would block traffic when in NETMAP mode, is that correct? Sorry for all the dumb questions. But very excited that I'm half understanding some of this stuff.... I hope. :)
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Multi-public IP to NAT forwarding

Fri Jun 22, 2012 10:23 am

In the manual you can read about chains: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

and how packets are processed in a chain. If some rule catches a packet and processes it (for example accepts it) it is passed further as you can see in http://wiki.mikrotik.com/wiki/Packet_Flow

In NAT this order is very important, as with a different order different rules and therefore different actions will be applied to the packets passing through.
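
Added example, not part of the original posts and not MikroTik code: a small first-match model of the srcnat chain that flags rules hidden behind an earlier, broader rule, run against constructed rule lines in the style posted in this thread. It assumes only `chain`, `out-interface` and `src-address` are used as matchers; the function names are hypothetical.

```python
import ipaddress

# Constructed input: srcnat rules in the style posted in this thread,
# with the catch-all masquerade rule last.
THREAD_ORDER = """\
add chain=srcnat out-interface=WAN src-address=192.168.0.10 action=src-nat to-address=50.123.19.194
add chain=srcnat out-interface=WAN src-address=192.168.0.11 action=src-nat to-address=50.123.19.195
add chain=srcnat action=masquerade
"""

def parse(text):
    """Turn 'add key=value ...' lines into dicts, preserving list order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:]))
    return rules

def src_net(rule):
    # A rule without src-address matches any source.
    return ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"), strict=False)

def covers(earlier, later):
    """True if every packet that matches `later` already matches `earlier`."""
    iface = earlier.get("out-interface")
    return (earlier["chain"] == later["chain"]
            and (iface is None or iface == later.get("out-interface"))
            and src_net(later).subnet_of(src_net(earlier)))

def shadowed(rules):
    """(rule index, index of the earlier rule hiding it) for unreachable rules."""
    hits = []
    for i, later in enumerate(rules):
        j = next((j for j in range(i) if covers(rules[j], later)), None)
        if j is not None:
            hits.append((i, j))
    return hits

def translated_source(rules, src, out_iface="WAN"):
    """First-match evaluation: what the source address is rewritten to."""
    for rule in rules:
        if (rule["chain"] == "srcnat"
                and rule.get("out-interface", out_iface) == out_iface
                and ipaddress.ip_address(src) in src_net(rule)):
            return rule.get("to-address", rule["action"])
    return src  # no rule matched: packet leaves untranslated

if __name__ == "__main__":
    good = parse(THREAD_ORDER)
    bad = [good[-1]] + good[:-1]  # masquerade moved to the top
    print(shadowed(good), translated_source(good, "192.168.0.10"))
    print(shadowed(bad), translated_source(bad, "192.168.0.10"))
```

With masquerade first, both per-host rules are reported as shadowed and 192.168.0.10 no longer leaves from its dedicated public address.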
 
cybertron
newbie
Topic Author
Posts: 29
Joined: Tue Jan 06, 2009 7:37 am

Re: Multi-public IP to NAT forwarding

Thu Jun 28, 2012 8:58 pm

Thanks janisk.


I've got one more problem now, and it's in production, so hopefully I can get a quick reply from you guys... I'd happily pay for it of course.

So the current problem is that users inside cannot access the mail server by going mail.domain.com because it's an outside address I guess. They can get to 192.168.1.13 (the mail server) but not by domain.com or external IP (50.225.27.198 eg.)

Any ideas?
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Multi-public IP to NAT forwarding

Thu Jun 28, 2012 9:10 pm

Look at hairpin nat
http://wiki.mikrotik.com/wiki/Hairpin_NAT

How about 1000USD? :)))))
 
tombee79
Member Candidate
Posts: 246
Joined: Sun May 09, 2010 2:28 am

Re: Multi-public IP to NAT forwarding

Tue Feb 02, 2016 3:25 am

Hi


I'm trying to accomplish the same thing on my MT 750g router but I don't know where my public IP should be assigned. By the way my Network config:
IP Address from ISP: 69.165.169.165
Network: 206.248.154.121
Interface: pppoe-out1

I got from ISP subnet: 69.165.169.165/29 6 usable IPs.

Question:
- Do I assign the public IPs to pppoe-out1 interface or to eth1?

Thanks
