Different public IP in each ethernet

Hello,

I’ve an RB 1200 – v5.11. I have 12 public IPs and I want to use them indifferently on each network card except the first one, because I’ll connect my WAN link there.

For example, I want to connect my internet link to Eth1 and have Eth2 connected to a server with one public IP. The basic configuration is:

[admin@MikroTik] /ip address> print

ADDRESS NETWORK INTERFACE

1 192.168.0.254/24 192.168.0.0 1LAN
2 8.8.8.25/28 8.8.8.16 2WAN


[admin@MikroTik] /ip route> print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 8.8.8.17 1
1 S 0.0.0.0/0 8.8.8.17 1
2 ADC 8.8.8.16/28 8.8.8.25 2WAN 0
3 ADC 192.168.0.0/24 192.168.0.254 1LAN 0


[admin@MikroTik] /ip firewall nat> print

1 chain=srcnat action=src-nat to-addresses=8.8.8.0-8.8.8.255 src-address=192.168.0.0/24

If I try to connect a server with a public IP like 8.8.8.26 to Eth2 (1LAN interface), it’s not working. What’s wrong?

Thank you very much.

René

What is the nature of the public IP range that you have been assigned? You show a /28 network - that would normally have 14 usable IPs.

How does the ISP pass traffic for these IPs to you? e.g. is the ISP passing all traffic for the public IPs to one IP on the private link network?

Thank you for your help.

Yes, my ISP gives the mask 255.255.255.240. My public IPs (I have changed the first 3 digits to put here, but the last digit is real) are 8.8.8.17, my gateway, until 8.8.8.30. My ISP passes all the traffic to all my public IPs, nothing of private IP. They give me the internet link with an Ethernet cable that is connected to a switch, and to this switch I connect my public IP servers. Now, I want to replace this switch, connecting the internet link to Eth1 on the Mikrotik router and configuring public IPs on Eth2, Eth3, etc. of the router (then I can control the bandwidth, configure a DHCP in one LAN, a HotSpot, etc.).

If I change the NAT firewall rule to a ‘masquerade rule’ (chain=srcnat action=masquerade) I can connect to the internet if I configure a local IP on my server (192.168.0.2).

So it sounds as if your ISP expects the x.x.x.x/28 subnet to be on that switch and that creates a problem if you then want to place a router between there and some of the devices assigned those public IPs. Is there a reason that you can’t use NAT?

If I use NAT, I need to use a LAN IP on my servers and I prefer to use the public IP. From what I read, the command ‘chain=srcnat action=src-nat’ helps to do what I need, what am I doing wrong? Thank you for your help.

A diagram showing what you have and the addresses/netmasks on interfaces would help.

You may be trying to allocate addresses within x.x.x.x/28 to more than one interface on the router, which is problematic if the ISP is treating it as a /28.

What do you really want to achieve? Is it to be able to reach all the interfaces on the 1200? Because those other IPs given to you by the ISP are meant to be used on your network, assuming you have to NAT. So having them on the switch may just be for accessibility, which only one address can do, and the rest on systems/servers on your network. And if you are using them in place of LAN or on LAN, you just specify the gateway and all will work fine.

OK, I’m attaching a diagram to the post to make this easier to understand.
In summary, I have an internet connection I want to connect to my RB1200 and I want to use the other Ethernet ports on the RB1200 to connect servers with public IPs. The diagram I attach is an example of what I need:

Eth1: Connect my WAN connection
Eth2: Connect a server with a public IP
Eth3: Configure a DHCP server in this interface and make NAT to connect internet.
Eth4: Connect another server with a public IP

If I configure a NAT rule with masquerade (chain=srcnat action=masquerade), the Eth3 works fine. I want to configure Eth2 and Eth4 to use my pool of public IP (I don’t want a correspondence Eth2 with IP 8.8.8.18, I want to use each public IP I have in Eth2 or Eth4).

Nowadays I use a switch instead of the RB1200, but I can’t control the bandwidth of each public IP (for example, on my 10Mb internet link I want to restrict 2 Mb to Eth2, 3 Mb to Eth3 and 5Mb to Eth4).

Thank you for your help!

Rene

The diagram does not show how the public IP range is being delivered to you. Is it:

A) Being routed to you via a link net - e.g. routed to 172.26.31.2
B) Simply presented on ISP connection which assumes that X.X.X.X/28 is available directly on the connection to the ISP

Remember - you can use a bridge/switch within a subnet but once you insert a router you have split the subnet and for true routing you would typically further sub-divide the subnet so that everybody’s view of the subnets is the same (i.e. is it a /24, /25, /26 etc.). Further splitting the subnet does tend to lose usable IPs.

You can play all sorts of tricks to work around such problems but in some ways NAT would be easier to implement and support.

The Public IP range is 8.8.8.18-8.8.8.30 - Mask 255.255.255.240 - Gw 8.8.8.17

The answer to your question is

“B) Simply presented on ISP connection which assumes that X.X.X.X/28 is available directly on the connection to the ISP”

Tks.

OK - so the ISP expects the whole subnet to be directly visible in the broadcast domain associated with their interface to you. That makes it very difficult to split some IPs out and place them on devices attached to other interfaces of the RouterOS device because you generally can’t split a subnet with a level 3 router like that.

I think you have 3 clean choices:

  1. Use the Routerboard as a switch/bridge if that will still give you the controls you need and you have suitable security upstream.
  2. Use NAT.
  3. Get a different IP allocation and delivery mechanism - e.g. a /30 link network.

Thank you for your help, CelticComms.

I don’t understand what exactly the problem with my public IPs is. I have worked with other ISPs and I used to have a similar mask (like 255.255.255.240 or 255.255.255.248, depending on the number of public IPs). What do I need to ask my ISP for this to work?

In the 1st option you suggested, how can I make this ‘switch-bridge’ configuration?

Rene

There isn’t really a problem with the IP range. What is problematic is the idea of placing (say) 8.8.8.18/28 and 8.8.8.19/28 on different interfaces of the same router and expecting the router to be able to route that.

ISPs can present IPs in a number of ways. e.g. they can just assume that the whole subnet is visible on the link from them - i.e. all relevant IPs will respond to ARP requests directly on the link network. Sometimes they might provide a public IP range say X.X.X.X/26 but have a separate small Y.Y.Y.Y/30 link network. They then send all traffic for the X.X.X.X/26 subnet to your router on an IP number within the Y.Y.Y.Y/30 range.
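Added example, not part of any post in this thread: a Python check of the two points made above, that the same /28 on several router ports gives overlapping connected networks, and that splitting the /28 into one routed subnet per port loses usable IPs. The interface names (ether1, ether2, ether4) and the rule of reserving one host address per subnet for the router side are assumptions; the addresses are the placeholder ones used in the thread.

```python
import ipaddress
from itertools import combinations

def overlapping_interfaces(assignments):
    """Return sorted pairs of interfaces whose connected networks overlap.

    A router installs one connected route per interface address; if two
    ports carry the same prefix it cannot tell which port a host is on.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in assignments.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def server_addresses_after_split(block, new_prefix):
    """Split `block` into equal subnets, one per routed port.

    Every subnet loses its network and broadcast address. Assumption:
    the first host address of each subnet is taken by the router side,
    so only the remaining hosts are free for servers.
    Returns {subnet: [server addresses]}.
    """
    plan = {}
    for sub in ipaddress.ip_network(block).subnets(new_prefix=new_prefix):
        hosts = [str(h) for h in sub.hosts()]
        plan[str(sub)] = hosts[1:]
    return plan

def count_servers(plan):
    """Total number of addresses left for servers in a split plan."""
    return sum(len(addrs) for addrs in plan.values())

if __name__ == "__main__":
    # Constructed from the thread: the same /28 placed on several ports.
    attempt = {
        "ether1": "8.8.8.25/28",       # WAN side, from the original post
        "ether2": "8.8.8.18/28",       # the case described as problematic
        "ether3": "192.168.0.254/24",  # NATed LAN, no conflict
        "ether4": "8.8.8.19/28",
    }
    for a, b in overlapping_interfaces(attempt):
        print(f"{a} and {b} are in the same connected network")

    whole = ipaddress.ip_network("8.8.8.16/28")
    print("unsplit /28 host addresses:", whole.num_addresses - 2)
    for prefix in (29, 30):
        plan = server_addresses_after_split("8.8.8.16/28", prefix)
        print(f"split into /{prefix}: {count_servers(plan)} left for servers")
```
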

Ok, thank you.

Regards,
Rene

Make a bridge interface. Put all interfaces for public IPs in the bridge, and you should be ready to rock.

Hello ReneF
Thanks for this question.
I have the same question, I want to configure a bridge for one server with a public IP on a MikroTik RB2011.
I have 3 public IPs.
Can you explain the procedure to configure the MikroTik?

Thank you very much

You need to add the IPs to those servers, not to the ports.


Thanks samsung172. It works now for me. :)