2 external ip on one router

So I have Mikrotik hAP AC. I have one WAN cable in port 1. I have 2 external IP addresses. I need first IP for distribution of the internet via DHCP (I did that). And I need second IP directly for particular device (server), so I want to make one single port on router to behave as simple switch (no DHCP, etc.), just connection between WAN and device (server). How would I do that?
P.S. Yes, I searched through this forum, but I could not solve my particular problem.

With ROS 6.41+, you’ll need to configure a bridge, with wan & server port in that bridge.

I am not sure if bridge is required, but you may want to use netmap?
From my understanding the first two rules below establish the one to one mapping.
The following rules are more common for both Masquerade and Port Forwarding.

/ip firewall nat add chain=dstnat dst-address= action=netmap to-addresses=
/ip firewall nat add chain=srcnat src-address= action=netmap to-addresses=

(assumes 10.5.8.200/32 is your public IP and the Server you have on 192.168.0.109)
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat to-addresses=192.168.0.109

If you have an authorized list of external WAN IPs to your server then you should create a firewall address list…
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat src-address-list=AllowedAccess to-addresses=192.168.0.109

I tried to make second bridge for port+wan(ether1), but an error occurred “ether1 is already in another bridge”, which is wan+all the other ports.

Nice idea, but is there a way to make it simply act like physical connection between wan cable and single port, so I would set static ip on server itself?

It is always difficult to do this for a single IP.
Normally you would get a /29 which consists of 8 IPs, you lose 2 of them for network and broadcast address, 1 for the router and the remaining 5 can be assigned to servers.
When you have only a single IP you cannot set up the network like that.

However, when you do not mind that you lose access to a couple addresses around the IP you got, you can put a /30 or /29 network on the inside interface of your router in such a way that the server gets the extra IP you received and the router gets an adjacent IP in the same network.
E.g. you received ip 1.2.3.4
then you can e.g. put address 1.2.3.3/29 on your internal network and configure 1.2.3.4/29 in your server with default gateway 1.2.3.3
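
Added example (not part of the original thread): a Python sketch of the address plan described in the post above. It finds the smallest subnet in which the extra IP is a usable host, picks an adjacent address for the router's inside interface, and lists the neighbouring provider addresses that become unreachable. The function name and the 192.0.2.5 sample address are assumptions made up for this illustration.

```python
import ipaddress


def plan_inside_subnet(server_ip, max_prefix=30, min_prefix=24):
    """Plan the 'small subnet on the inside interface' trick for one extra IP.

    Returns the enclosing network, the router and server addresses in CIDR
    form, the server's default gateway, and the addresses inside the subnet
    that the router will now treat as local (so the real hosts behind them
    on the provider side are no longer reachable).
    """
    ip = ipaddress.ip_address(server_ip)
    for prefix in range(max_prefix, min_prefix - 1, -1):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        # The server IP must not be the network or broadcast address.
        if ip in (net.network_address, net.broadcast_address):
            continue
        hosts = list(net.hosts())
        # Prefer the neighbour just below the server IP, else just above.
        for cand in (ip - 1, ip + 1):
            if cand in hosts:
                lost = [str(a) for a in net if a != ip]
                return {
                    "network": str(net),
                    "router": f"{cand}/{prefix}",
                    "server": f"{ip}/{prefix}",
                    "gateway": str(cand),
                    "lost": lost,
                }
    raise ValueError(f"no usable subnet found for {server_ip}")


if __name__ == "__main__":
    # 1.2.3.4 is the address used in the post; 192.0.2.5 is a constructed sample.
    for addr in ("1.2.3.4", "192.0.2.5"):
        plan = plan_inside_subnet(addr)
        print(addr, "->", plan["network"],
              "router", plan["router"],
              "server", plan["server"],
              "lost", len(plan["lost"]), "addresses")
```

For 1.2.3.4 a /30 is not possible because that address is the network address of 1.2.3.4/30, which is why the post's example lands on a /29.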

List your config, it will be easier to advise something: /export hide-sensitive compact. Also specify how you get the IPs assigned/allocated.

It seems as though the OP got assigned two IPs from the provider, one for the router and one extra…
It would be nice to know if they told him if they were both static etc…
Agree config would help.

The question I have for one to one, would he need to create a separate DHCP network
Let's say bridge was using 192.168.1.1 for the main LAN
Would he have to create 192.168.10.1.1 for example and assign server to 192.168.10.2???

Sorry for keeping you waiting…
That’s right, I have 2 static IP from provider. Let’s say IP_1: 1.2.3.4/24 (1.2.3.1), IP_2: 1.2.4.5/24 (1.2.3.1). So the second ip has different subnet, but same gateway.
Mikrotik hAP AC, cable from the wall in ether1, quick set home AP, local 192.168.10.1, DHCP 192.168.10.10-254. Server should connect directly to external internet (IP_2), and to be easily accessed from outside by this address.

/ip firewall nat add chain=dstnat dst-address= action=netmap to-addresses=
/ip firewall nat add chain=srcnat src-address= action=netmap to-addresses=

didn’t work

You don’t need NAT!
You should just put that address on a separate port where you have connected the server.
First take it out of the bridge and then put the address on the port.
Maybe you need to adjust your existing Masquerade rule so it is only active for your other LAN and not for this port.

You should just put that address on a separate port where you have connected the server.
First take it out of the bridge and then put the address on the port.

Both static IP have same gateway subnet, but different address subnet.

Let’s say IP_1: 1.2.3.4/24 (1.2.3.1), IP_2: 1.2.4.5/24 (1.2.3.1)

When I try to put address on the port, I cannot put gateway with different (from address) subnet. Mikrotik changes it back, so it would match the address. RouterOS 6.40.4

Update your RouterOS! The current version is 6.43.8
But that likely won’t solve your problem…

“it is always possible to design things that are difficult or impossible to implement”.
Maybe you will need NAT after all. Or try to get a more reasonable address from your ISP.

The big question is: do you want to protect the server with firewall or not. If not, go with suggestion by @sebastia in post #2.

If yes, then go with NAT, but slightly more sophisticated. I don’t think you need to assign the second IP address to some interface, the following might be enough:

/ip firewall nat
add action=src-nat chain=srcnat src-address=<Private IP> to-addresses=<Public IP> out-interface=WAN
add action=dst-nat chain=dstnat dst-address=<Public IP> to-addresses=<Private IP> in-interface=WAN protocol=<proto> port=<port no.>
... # other dst-nat actions
/ip firewall filter
# the default rule below should already take care of all dst-natted connections
# so no need to add a new one unless you changed it somehow
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

If you stick to netmap, then you need to open up “holes” in firewall with appropriate rules (the filter rule in the code snippet above effectively prevents all incoming connections also for netmap-ed IP address because it affects all ingress traffic over WAN interface regardless of dst-address).

Concur MKX, otherwise why even use a router,… trying to put CISCO out of business?? Of course the OP wants a friggen firewall otherwise the OP would post his/her information on the Goodyear Blimp for all to see.

Concur also, if using netmap which seems to be the prescribed wiki way to do this, one would have to create the necessary firewall rules.