After reading the forum for a few hours (well, ten to be exact) I found several posts about VLANs. I couldn’t find one matching my problem, so I decided to start a new topic. I hope you guys can help me out! This field clearly isn’t my expertise.
I would like to use the Mikrotik RB2011 router (rOS 6.11) in a datacenter. From this datacenter I get two UTP cables, with on one cable:
802.1Q VLAN tag 13
Datacenter IPv4 192.168.108.37/30
My IPv4 192.168.108.38/30
This one goes into eth1
And on the other, which is redundant (if the first goes down, the second takes over):
802.1Q VLAN tag 23
Datacenter IPv4 192.168.208.37/30
My IPv4 192.168.208.38/30
And this one goes into eth2
It’s layer 3, I’m told.
I also get usable IP space, like a.a.a.128/27
I’ve one server on eth3 with a static IP, 192.168.1.201. I want a port from the outside, a.a.a.130:221, forwarded to 192.168.1.201:22, so I can use ssh from the outside to this server.
Do I have to create a VLAN for each datacenter cable? Or can I use a static IP, for example 192.168.108.40 for the first cable? How do I route from public IP space to the server?
I don’t expect you guys to work everything out for me, but a pointer where to start would be very welcome.
You need to place a VLAN sub-interface on each of Ether 1 & Ether 2 and add the IP/masks you described to those VLAN sub-interfaces. You will also need an address/mask in the 192.168.1.0/24 range for Ether 3 - plus one or more NAT rules to do the translation.
That would be sufficient for routing to work. If you want any firewall features those would be extra.
You need to check with the provider. If they are routing the public IP /27 to you then you have a lot of flexibility in how you use it.
e.g. - if you want to keep a private IP on your server you can do so, then add one or more of the public IPs to a bridge interface on the RouterBoard and simply NAT traffic to/from the server.
Thank you, again. I’ll check with my provider next week, to see what they come up with. What puzzles me is why each uplink is a VLAN when they route the public IPs to me anyway. Guess it’s time to open a book.
Most likely the VLANs are to isolate these independent links within a switched distribution infrastructure that the location is using. Each of those subnets is probably being fed via different routers to give some redundancy.
Once you have the two VLAN interfaces established & working you can easily check the routing on the /27 using traceroute from the outside.
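
The setup the replies above describe, written out as a RouterOS configuration. This is an added example, not something posted by anyone in the thread. The interface names (`vlan13-uplink`, `vlan23-uplink`, `br-public`), the router address 192.168.1.1, and the two default routes with different distances are assumptions; it also assumes the provider routes the /27 to the router, that the router has no default configuration, and that ether3 is not slaved to another port.

```routeros
# Added example. Names and 192.168.1.1 are assumptions; a.a.a.130 is the
# masked public address from the thread and must be replaced with the real one.

# One VLAN sub-interface per datacenter uplink, with the tags given in the post
/interface vlan
add name=vlan13-uplink vlan-id=13 interface=ether1
add name=vlan23-uplink vlan-id=23 interface=ether2

# Port-less bridge that only holds the public address used for NAT
/interface bridge
add name=br-public

/ip address
add address=192.168.108.38/30 interface=vlan13-uplink
add address=192.168.208.38/30 interface=vlan23-uplink
# Router side of the server network on ether3 (assumed address)
add address=192.168.1.1/24 interface=ether3
add address=a.a.a.130/32 interface=br-public

# Assumed failover method: primary default route via VLAN 13, backup via
# VLAN 23, each withdrawn when its gateway stops answering pings
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.108.37 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.208.37 distance=2 check-gateway=ping

/ip firewall nat
# a.a.a.130:221 from outside -> 192.168.1.201:22 (ssh on the server)
add chain=dstnat dst-address=a.a.a.130 protocol=tcp dst-port=221 \
    action=dst-nat to-addresses=192.168.1.201 to-ports=22
# Traffic the server originates leaves with the public address, on either uplink
add chain=srcnat src-address=192.168.1.0/24 out-interface=vlan13-uplink \
    action=src-nat to-addresses=a.a.a.130
add chain=srcnat src-address=192.168.1.0/24 out-interface=vlan23-uplink \
    action=src-nat to-addresses=a.a.a.130
```

This covers routing and NAT only; as the first reply says, firewall filter rules are extra, and without them the forwarded ssh port is reachable from any source address.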