MikeRichards
just joined
Topic Author
Posts: 9
Joined: Sun Jul 19, 2009 3:55 am

RB/433AH routing/nat problems

Fri Jul 24, 2009 12:24 am

I have a very simple setup that I can't get to work properly.

RB/433AH

Ether 2 = public network x.x.x.118/27
Network = x.x.x.96
Broadcast = x.x.x.127

Ether 3 = private network 192.168.0.254/24
Network = 192.168.0.0
Broadcast = 192.168.0.255

Default route Destination 0.0.0.0/0, Gateway x.x.x.97
NAT Chain srcnat, Source Address 192.168.0.0/24, Action masquerade
NAT additional entries created for HTTP, FTP, MAIL, and SSH - all work as expected, i.e., I can SSH into x.x.x.118 and connect to 192.168.0.160.

At this point IP address 118 works as expected. Everyone on the private LAN can see the Internet. Everyone on the outside can access the HTTP, FTP and mail servers via x.x.x.118. For that one IP address, life is good.

The ISP has assigned us six IP addresses out of the /27 pool. We have x.x.x.118 to x.x.x.123. IP addresses 119 - 123 are needed to access proprietary software running on the private network.

Using x.x.x.119 as the example.

I added x.x.x.119/32 to the address list and assigned it to ether2. At that point I could PING x.x.x.19.

I added two NAT rules:
Chain dstnat, Dst. Address x.x.x.119, Protocol 6(tcp), Dst. Port 22, Action dst-nat, To Addresses 192.168.0.160 (same as x.x.x.118 - for testing purposes only, requires .ssh adjustment on the host computer), To Ports 22.
Chain dstnat, Dst. Address x.x.x.119, Protocol 6(tcp), Dst. Port 80, Action dst-nat, To Addresses 192.168.0.163, To Ports 80.

Can ping, but SSH just hangs on x.x.x.119. Sometimes SSH to x.x.x.119 works, sometimes it doesn't. The same thing happens with port 80. Sometimes it works with x.x.x.119 and sometimes it doesn't.

IP address x.x.x.118 continues to work without any problems.

What do I need to do?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: RB/433AH routing/nat problems

Fri Jul 24, 2009 12:49 am

I think that would be x.x.x.119/27 to "/ip address", not /32.
 
MikeRichards
just joined
Topic Author
Posts: 9
Joined: Sun Jul 19, 2009 3:55 am

Re: RB/433AH routing/nat problems

Fri Jul 24, 2009 2:51 am

Thank you. Before I posted, I tried x.x.x.119/27 with x.x.x.96 entered as the network address and x.x.x.127 entered as the broadcast address. Nothing worked, not even PING. When I tried 119/32 and let RouterOS fill in the network and broadcast addresses automatically, PING worked (and some of the other services worked - sometimes). Also, I had already entered x.x.x.118/27 with network and broadcast correctly configured, and I had set 0.0.0.0/0 to use x.x.x.97 as the gateway, so packets could come and go through the proper channels.

After making the post, I called the ISP and told them what was happening. They said that everything on their end was correctly configured but they finally agreed to have an engineer check settings on their end. However, when I followed your suggestion on 119/27 and 120/27, leaving 121/32, 122/32, and 123/32 as previously configured, everything worked, including PING, SSH, HTTP, and FTP. I'm guessing that the ISP had linked the MAC address of 119 to some other network card and "forgot" to upgrade the address to this RB/433AH board. That was one of the items that I had asked them to check.

(We've had issues with this ISP several times before, including random static IP address re-assignments, unexplained "maintenance" items - their logs showed that our address block had received attention, but no record was kept of what the "attention" was - and woefully undertrained staff. We use them because they allow unlimited bandwidth and the nature of our business requires A LOT of bandwidth.)


Bottom line: Right now, for the moment at least, x.x.x.119/27 with the network set to x.x.x.96 and the broadcast set to x.x.x.127 is working perfectly, as are all other public IPs from 118 to 123 (but my already gray hair has turned white and is beginning to fall out). :)
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: RB/433AH routing/nat problems

Fri Jul 24, 2009 12:30 pm

Just so you know... there are ISPs that do not understand why somebody would want to assign more than one IP per MAC address, so they don't allow it. If you want more than one IP, you must use more than one interface.
