All Public IP, No NAT, and Simple Queues

freshmeat · March 8, 2022, 9:19pm

I’m trying to setup a router such that WAN comes in on port 1 and that ports 2-10 are for customers that will have unique bandwidth limitations setup for each individual port, and that there can not be any communication in between ports. Except for port 1 to get the internet.
I’ve done as much already, but with private IPs and using NAT. I’ve been struggling to find a way to make this work without NAT and private IPs, which is confusing to me because it seems like it shouldn’t be that hard to set up. But I do consider myself to be very much a novice when it comes to Mikrotiks, so I’m probably overlooking something or am completely unaware of some setting I need to make.
Each customer needs their own public IP so they can remote into their router/device.

Now for details and what I’ve done.
Hardware: RB3011 UiAS-RM
Let’s say I have the following block of public IPs of 11.0.0.0/28
Route/Gateway: 11.0.0.1
Useable Addresses: 11.0.0.2-11.0.0.14
Subnet: 255.255.255.240

I primarily use WinBox, but I’m not against using the terminal when and where I need to. The GUI is just faster and easier.

I’ve tried using Quick Set and configured the internet for static ip and set it up as such…
IP Addr: 11.0.0.2
Netmask: 255.255.255.240
Gateway: 11.0.0.1
DNS: 8.8.8.8
And then set the Local Network to be…
IP Addr: 11.0.0.3
Netmask: 255.255.255.240
Disable both DHCP and NAT

Router can ping 8.8.8.8 and google.com, so it seems to get the internet alright.
Connected a laptop configured as such…
IP Addr: 11.0.0.4
Netmask: 255.255.255.240
Gateway: 11.0.0.3
it does not get the internet and it is not able to ping the gateway, which confuses me because they’re both on the same subnet.

I’ve tried adding static routes (might be setting them up incorrectly) and changing the laptop’s gateway to 10.0.0.2 and 10.0.0.1, but still couldn’t get anything to work correctly.

I managed to get things to ‘kinda’ work when I set the Internet and Local Network’s IP Address to the same address. At times the laptop got the internet, and at times it didn’t. I’m sure the issue was that there were two MAC addresses (ether1 and bridge) trying to use the same IP address.

The only way I could get the laptop to get the internet without problems while using a public IP is when I switch the router to Bridge Mode, which from my understanding turns the router into a glorified managed switch.
The problem with this is that it doesn’t really utilize the firewall rules, which means no Simple Queues to limit bandwidth or ability to prevent communication between ports.
It seems like this can be resolved through the use of VLANs, but correct me if I’m wrong… It feels like I’ll need two public IP addresses per port or vlan, one for the device connecting to the port and one for the VLAN itself?

What am I doing wrong? Or how do I accomplish this goal?

sarky · March 9, 2022, 2:40pm

Trying to get my head around what you are doing!

You are setting up a public IP address on each port from 2 - 10 but port 1 is the Gateway to the internet .

How is port 2 set up as, does it have a DHCP Server setup to give local IP address to cluster of computers behind it ?

Thanks

Sarky

Znevna · March 9, 2022, 2:50pm

Yes, do proper routing.
Ask your network administrator.

freshmeat · March 9, 2022, 6:13pm

Port 1 is connected to the ISP’s Adtran, so it’s our path to the internet. I do not want to setup each port with a public IP (unless that’s the only way), the devices connecting to the ports will have public IPs.

The goal is to not have a DHCP Server running on my router. It’s up to those people’s routers to provide their cluster of computers any DHCP served IPs.

Wish I could, but unfortunately I’m all we’ve got. Thank you for your contribution though.

Znevna · March 9, 2022, 6:28pm

I won’t comment on why you’re going fishing without someone that has any fishing experience, that’s your business, but hey, if it works!? right? It’s a common practice in these forums, sadly.
I’ll make another contribution:
free forum search query https://forum.mikrotik.com/search.php?keywords=public+ip+routing&terms=all&author=&sc=1&sf=titleonly&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search
you can alter the search terms, see how others solved similar problems, learn subnetting maybe, idk.

Amm0 · March 9, 2022, 7:28pm

That’s likely the simplest approach, without a knowledge of IP subnetting. You could use can use the bridge firewall rules to block traffic on the bridge between the ports. And the simple queue per public IP address give to a client.

The only consideration is who is doing the DHCP for the public IP. If the upstream Adran isn’t giving DHCP, then you can add one to the Mikrotik bridge and assign a simple queue via the Mikrotik’s DHCP server per client.

Not vouching for this approach & still need consider how to block traffic. But my idea here is you can do this at layer-2 bridge firewall (e.g. MAC addresses). And, may make more logical sense if your dealing with just a few downstream home routers (that hopefully are doing NAT etc to the public you’re assigning them).

Certainly layer3 routing/subnetting might be a better long term plan, but maybe using the bridge firewall makes more sense to you right now.