You could try this setup instead (which I think will allow fastpath forwarding for more performance - assuming that only ether1 and ether2 are bridged)
remove ether2 from the WAN bridge. (and remove ether1 as well if it’s the only port in the bridge - move all WAN configurations directly onto ether1)
Set arp=proxy-arp on both the WAN and ether2 interfaces.
Add IP address=10.10.10.2/32 network=10.10.10.61 to interface ether2
Then do an IP firewall filter in the forward chain instead.
(whatever WAN IP the Mikrotik is using for itself on the current WAN bridge, use that as the /32 address above)
If you’re masquerading from LAN to WAN, then you may need to add another masquerade rule out-interface=ether2 (unless you want the server to see the actual private IP addresses of your LAN so that logs can show which internal user has accessed the server, for instance)
26-Apr 07.37.49.jpg
Previously no ip address in WAN bridge.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
/ip address
add address=10.0.10.2/24 interface=ether1 network=10.0.10.0
add address=10.0.10.2 interface=ether2 network=10.0.10.61
/ip firewall filter
add chain=forward dst-address=10.0.10.61 dst-port=22 protocol=tcp
add chain=forward dst-address=10.0.10.61 dst-port=80 protocol=tcp
add action=drop chain=forward dst-address=10.0.10.61
This works but need 3 ip
QUESTIONS
SInce you mention a new ip address 10.0.10.2 there, that mean I need minimum 3 public ip there.
How if I only have 2 ip addresses like ethernet transparent bridge
I am trying to remove permanently this dhcp client below using “/ip dhcp-client remove 0” but keep coming back after some time. How to fix that
FYI, I am using Unetlab 1.0.8
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
I’m not sure about the dhcp client re-appearing.
(anyone ever heard of this?)
As for why it works - the use IP firewall=yes will kick a packet up to the filter chain for comparisons there - I guess I need to get more used to that concept myself. That seems a good solution.
The reason WWW host can’t ping to Internet is that the filter chain doesn’t allow it. You need to add a rule that permits established,related connection state. Your current rules allow only SSH and WWW on TCP to reach the host. If you don’t allow established,related, then ICMP replies are going to get discarded.
Returning DHCP client is feature of CHR. Probably useful in most cases, but sometimes quite annoying. If you remove it, it comes back. If you disable it, new one is added.
Heh - and you can’t firewall it off either because dhcp client binds a raw socket to the interface.
“I want an IP, and by George, SOMEONE’s going to tell me one!”
To be fair, it seems to be smart and does not appear if there’s static IP address configured. So as long as you are not trying to make IPv6-only router… which is exactly what I wanted to test.