I’m trying to pass traffic between two WAN interfaces using an RB751G-2HnD running RouterOS 5.20.
This is my current configuration:
Ports 1 and 5 on my Mikrotik are each connected to bridged ports on my ISP’s router. A public routable IP address is assigned to port 1 via DHCP.
Port 2 is my LAN (10.0.0.0/24). Traffic is NATed between port 1 and 2. Port 2 is a “master port” and a part of bridge-local.
Port 3 is unused.
Ports 4 and 5 are part of the same bridge (bridge1).
A server is connected to port 4, which receives a public routable IP address.
All public IPs that are assigned are in the same subnet (/24).
Currently traffic from my LAN destined for my server gets sent out on port 1 and then comes in on port 5, and goes back out on port 4.
This is a problem because the ports on my ISP’s router are only 100 Mbit, so bandwidth between my LAN and my server is limited to 100 Mbit.
Is it possible for traffic originating from my LAN (port 2) to pass directly to my server on port 4 using the public IP address?
I tried making port 1 a part of bridge1 (along with port 4 and 5), but the traffic between bridge1 and bridge-local (my LAN) then gets limited by the CPU to around 20MB/s.
RouterOS provides the best NAT compared to anything else out there, even at 20 times the price.
RouterOS can NAT a connection back out the interface it came in, masking the source to be the router’s IP address.
Example:
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=WAN src-address=
protocol=tcp dst-port=5001 to-addresses=<to any IP we have route/ping to (*)> to-ports=5001
/ip firewall nat
add chain=srcnat action=src-nat protocol=tcp dst-address=<the (*) IP we are sending the connection to> dst-port=5001
to-addresses=<our WAN address so that the connection will be as it’s coming from us>
Did you make use of a NAT rule such as this second one, the srcnat one?
I didn’t get as far as the NAT rules. I must use DHCP to assign the two IP addresses to each port, and adding a DHCP client to port 5 causes routing conflicts as both IPs are in the same subnet. The default gateway becomes reachable through both ports.
The same thing happened even when add-default-route=no was set on the DHCP client.
Any suggestions?