Block Of IP Addresses

RouterOS General
1

I have a block of 5 Static IP Address from My ISP.
I want to Configure the router to forward each IP address to a different internal local IP Address
I purchased a BR750GR-3 because I was advised that it could do this.
I am a compete novice to this router and don’t even know where to look or what to configure.
I have configured many different types of single IP home routers.

I do know how to configure the router for a single IP Static IP Address.
And I know how to configure the local gateway address, DNS, mask, …

I have looked the NAT forwarding but haven’t resolved how to do it yet.
But I have not found a way to assign multiple addresses to ether1.

Any help you would give is appreciated.

2

Yay! Welcome to MikroTik. If you have 5 public IPs you’ll want to assign 1 of them to the WAN interface (ether1). You then can create NAT rules to map the other 4 IPs to devices on your LAN. You can do this with a more generic 1:1 relationship or you can do it statefully for specific services. An example might be a web-server on port 80 only. You have to apply a firewall rule in the forward chain as well.

Lastly, you’ll need to turn proxy-arp on for your WAN (ether1) interface or for me, my preferred solution is to add each IP address to the WAN (ether1) with the /ip address command. This than also triggers RouterOS to reply to ARPs for that IP without having proxy ARP turned on which is generally considered a no-no from a security standpoint.

3

Follow this guide for one-to-one NAT:
https://wiki.mikrotik.com/wiki/How_to_link_Public_addresses_to_Local_ones

4

So this is my config
but it doesn’t work
the packet sniffer shows that the requests were received and forwarded, i think
but the server never received the packet
what did I do wrong?

thanks,
Doug


[admin@doughale.info] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.7.210/24 192.168.7.0 ether2-master
1 -.-.-.210/28 -.-.-.208 ether1
2 -.-.-.211/28 -.-.-.208 ether1
3 -.-.-.212/28 -.-.-.208 ether1
4 -.-.-.213/28 -.-.-.208 ether1

[admin@doughale.info] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
1 chain=srcnat action=src-nat to-addresses=-.-.-.210 src-address=192.168.7.200
2 chain=srcnat action=src-nat to-addresses=-.-.-.211 src-address=192.168.7.201
3 chain=srcnat action=src-nat to-addresses=-.-.-.212 src-address=192.168.7.202
4 chain=srcnat action=src-nat to-addresses=-.-.-.213 src-address=192.168.7.203
5 chain=srcnat action=src-nat to-addresses=-.-.-.214 src-address=192.168.7.204
6 chain=dstnat action=dst-nat to-addresses=192.168.7.200 dst-address=-.-.-.210
7 chain=dstnat action=dst-nat to-addresses=192.168.7.201 dst-address=-.-.-.211
8 chain=dstnat action=dst-nat to-addresses=192.168.7.202 dst-address=-.-.-.212
9 chain=dstnat action=dst-nat to-addresses=192.168.7.203 dst-address=-.-.-.213
10 chain=dstnat action=dst-nat to-addresses=192.168.7.204 dst-address=-.-.-.214

here is a trace
Time (s) Interface Direction Src. Address Src. Port Dst. Address Dst. Port Protocol IP Protocol Size
59.146 ether2-master tx --.—.—.165 63505 192.168.7.204 80 2048 (ip) 6 (tcp) 52
59.146 ether1 rx --.—.—.165 63505 --.—.—.214 80 2048 (ip) 6 (tcp) 52
62.153 ether2-master tx --.—.—.165 63505 192.168.7.204 80 2048 (ip) 6 (tcp) 52
62.153 ether1 rx --.—.—.165 63505 --.—.—.214 80 2048 (ip) 6 (tcp) 52
64.345 ether2-master tx --.—.—.165 63506 192.168.7.204 80 2048 (ip) 6 (tcp) 52
64.345 ether1 rx --.—.—.165 63506 --.—.—.214 80 2048 (ip) 6 (tcp) 52
66.999 ether2-master tx --.—.—.165 63507 192.168.7.204 80 2048 (ip) 6 (tcp) 52
66.999 ether1 rx --.—.—.165 63507 --.—.—.214 80 2048 (ip) 6 (tcp) 52
67.357 ether2-master tx --.—.—.165 63506 192.168.7.204 80 2048 (ip) 6 (tcp) 52
67.357 ether1 rx --.—.—.165 63506 --.—.—.214 80 2048 (ip) 6 (tcp) 52
68.154 ether2-master tx --.—.—.165 63505 192.168.7.204 80 2048 (ip) 6 (tcp) 52
68.154 ether1 rx --.—.—.165 63505 --.—.—.214 80 2048 (ip) 6 (tcp) 52
69.465 ether2-master tx --.—.—.165 63508 192.168.7.204 80 2048 (ip) 6 (tcp) 52
69.465 ether1 rx --.—.—.165 63508 --.—.—.214 80 2048 (ip) 6 (tcp) 52
69.998 ether2-master tx --.—.—.165 63507 192.168.7.204 80 2048 (ip) 6 (tcp) 52
69.998 ether1 rx --.—.—.165 63507 --.—.—.214 80 2048 (ip) 6 (tcp) 52
70.936 ether2-master tx --.—.—.165 63509 192.168.7.204 80 2048 (ip) 6 (tcp) 52
70.936 ether1 rx --.—.—.165 63509 --.—.—.214 80 2048 (ip) 6 (tcp) 52
72.140 ether2-master tx --.—.—.165 63510 192.168.7.204 80 2048 (ip) 6 (tcp) 52
72.140 ether1 rx --.—.—.165 63510 --.—.—.214 80 2048 (ip) 6 (tcp) 52
72.467 ether2-master tx --.—.—.165 63508 192.168.7.204 80 2048 (ip) 6 (tcp) 52
72.467 ether1 rx --.—.—.165 63508 --.—.—.214 80 2048 (ip) 6 (tcp) 52
73.358 ether2-master tx --.—.—.165 63506 192.168.7.204 80 2048 (ip) 6 (tcp) 52
73.358 ether1 rx --.—.—.165 63506 --.—.—.214 80 2048 (ip) 6 (tcp) 52
73.936 ether2-master tx --.—.—.165 63509 192.168.7.204 80 2048 (ip) 6 (tcp) 52
73.936 ether1 rx --.—.—.165 63509 --.—.—.214 80 2048 (ip) 6 (tcp) 52
75.139 ether2-master tx --.—.—.165 63510 192.168.7.204 80 2048 (ip) 6 (tcp) 52
75.139 ether1 rx --.—.—.165 63510 --.—.—.214 80 2048 (ip) 6 (tcp) 52
75.999 ether2-master tx --.—.—.165 63507 192.168.7.204 80 2048 (ip) 6 (tcp) 52
75.999 ether1 rx --.—.—.165 63507 --.—.—.214 80 2048 (ip) 6 (tcp) 52
78.468 ether2-master tx --.—.—.165 63508 192.168.7.204 80 2048 (ip) 6 (tcp) 52
78.468 ether1 rx --.—.—.165 63508 --.—.—.214 80 2048 (ip) 6 (tcp) 52
79.937 ether2-master tx --.—.—.165 63509 192.168.7.204 80 2048 (ip) 6 (tcp) 52
79.937 ether1 rx --.—.—.165 63509 --.—.—.214 80 2048 (ip) 6 (tcp) 52
81.140 ether2-master tx --.—.—.165 63510 192.168.7.204 80 2048 (ip) 6 (tcp) 52
81.140 ether1 rx --.—.—.165 63510 --.—.—.214 80 2048 (ip) 6 (tcp) 52

5

There is usually no need to do NAT for this.
I presume you get a /29 block from your provider. You can just put this on the LAN interface and everything will be routed,

6

no, it’s not a /29
it’s the last 2 of a /30 plus the first 3 of the next /30

You can just put this on the LAN interface and everything will be routed,
how do I do this?

7

Normally when you get “5 IP addresses” from an ISP you actually get a /29 where there is 1 router address.
In that case you can just put the /29 (and the router address) on an internal interface, and have your systems on the network using the external address.
With a random collection of addresses it is not so straightforward. Then, maybe the NAT kludge is best.