Hi All,
I need your help. I have a problem with configuring MT as an area router. From the ISP I have a range of public IP addresses .128-.152. Every one of our customers has their own public IP on their firewall. The area router is just for bandwidth management and monitoring traffic. The current router is configured as NAT 1:1.
WAN - public IP .128/24
LAN - public IP .129/27 (this interface is the gateway for the customers' public IP addresses), without DHCP
Every customer's public IP address is in the /27 subnet
How can I config a similar MT? I assign one public IP to the WAN bridge, a second public IP to the LAN bridge. But my problem is with the masquerade. When I add to the LAN bridge another router with a public IP and subnet /27 I am able to ping the internet, but when I check the public IP I see the IP of the WAN bridge.
When I disable the masquerade, the internet on the test router is not working. I need that when somebody pings the .140 public IP it goes directly to the end device.
I have looked here and read many topics about this theme, but the advice there is to assign the devices in the LAN private IPs and use NAT 1:1. But I need all devices in the LAN to have their own public IP. No public translated to private. All rules and configuration are in the end customer's IT.
Does somebody have any advice or trick on how to config this area router?
If you don’t want masquerade to affect public addresses, then exclude them. Either add src-address=!x.x.x.128/27 to existing masquerade rule, or add another rule before masquerade rule:
Thank you for the quick reply. I don't know if I have something wrong in the config, but I added a new rule before masquerade with my testing address .138 as you wrote (just a single IP, not the subnet). But after enabling this rule the internet on the testing router .138 stopped working. Where could the problem be, do I need to add any route to the area router (.129/27) or the testing router?
Yes, you always need proper routes, but in this case it’s more how ISP routes /27 to you, than what you can do. That’s assuming that /27 is subnet routed to you. When you have x.x.x.128/24 on WAN and y.y.y.129/27 on LAN, x.x.x is different from y.y.y, right? Or not?
So you have overlapping subnets on LAN and WAN? That would explain why it doesn’t work. If that’s the case, then possible solutions are:
a) Ask ISP to route a different /27 to you.
b) Connect clients with public addresses directly to ISP (add their port to bridgeWAN, give them /24 mask and same .241 gateway as used by router).
c) Keep everything as is, but enable proxy ARP on bridgeWAN interface.
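Putting the two replies together (the srcnat exclusion suggested earlier in the thread and option c above) as one RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. It assumes 203.0.113.0/24 as a placeholder for the ISP's real /24, the bridge name bridgeWAN from the thread, and an assumed second bridge named bridgeLAN for the customer side; the .241 gateway is the one mentioned above.

```routeros
# Added example (not from the thread). 203.0.113.0/24 is a placeholder for the
# ISP's real /24; bridgeWAN is named in the thread, bridgeLAN is an assumed name.

# Addresses: the router holds .128 on the WAN bridge and .129 on the LAN bridge,
# so customer firewalls in .130-.158 use .129 as their default gateway.
/ip address
add address=203.0.113.128/24 interface=bridgeWAN comment="WAN side, ISP gateway .241"
add address=203.0.113.129/27 interface=bridgeLAN comment="gateway for customer public IPs"

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.241

# Source NAT: accept the whole public /27 BEFORE the masquerade rule, so customer
# traffic leaves with the customer's own address. Only what is left over (for
# example a private management range, if you add one) gets masqueraded.
/ip firewall nat
add chain=srcnat src-address=203.0.113.128/27 action=accept \
    comment="customer public IPs: no source NAT"
add chain=srcnat out-interface=bridgeWAN action=masquerade \
    comment="only non-public sources are masqueraded"

# Equivalent single-rule form, if you prefer to keep one masquerade rule:
# add chain=srcnat out-interface=bridgeWAN src-address=!203.0.113.128/27 action=masquerade

# Option c) from the reply above: the /27 is carved out of the same /24 the ISP
# uses on the WAN link, so the ISP gateway will send ARP requests for e.g. .140
# on the WAN segment. Proxy ARP on bridgeWAN makes the router answer with its own
# MAC and then forward the packet to the customer on bridgeLAN via the more
# specific connected /27 route.
/interface bridge
set [find name=bridgeWAN] arp=proxy-arp

# Checks: the accept rule should be counting packets for customer traffic, and
# the router should show WAN-side ARP entries for the ISP gateway only, while
# the customer sees its own .1xx address from outside.
/ip firewall nat print stats
/ip arp print where interface=bridgeWAN
```

Rule order matters: RouterOS evaluates srcnat top to bottom and stops at the first matching terminating action, so the accept rule for the /27 has to sit above the masquerade rule, which is the likely reason a single-address rule added after masquerade (or a rule added before it without a working return path from the ISP) did not help in the thread. With proxy ARP enabled, no extra route is needed on the customer router beyond its default gateway of .129.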