Different VLANs with different PUB IPs

Hey everyone. I’m trying to set up my CCR1072. All was good until I tried to set up the following scenario.

I have a bunch of VLANs and I want to configure them so that different VLANs “go outside” with different public IPs.

I configured my VLAN that goes to the outside like this - 1.2.3.4/26 - let’s call it VLAN 123.
So, what I want is for vlan1, vlan2, vlan3 to go outside with the address 1.2.3.4 - this is working.
Now I have added a vlan4 and I want it to go outside with the address 1.2.3.5 - I know I own this IP and it is not used.
I configured the NAT like this:
add action=src-nat chain=srcnat comment=OUT_WITH_DIFFEREN_IP_TEST
out-interface=sfp-sfpplus1 src-address=192.168.0.1 (vlan4)
to-addresses=1.2.3.5
I dragged this rule to the top, but it is still ignored, so I tried to change the out-interface to my public VLAN (VLAN123), but when I do that nothing works: I can see packets hitting the NAT rule, but the internet is nowhere to be seen :frowning:

So what am I doing wrong?

Hard to tell as you didn’t post the full config of your device.

Anyway, I’ll guess: do you have the second WAN IP address set on the router’s WAN interface?

On my WAN interface I have my public IP with the /26 mask only. The other IP I intend to use is in the range of this mask. Do I still need to add the other IP address to my external interface? (I have all my public IPs going through the same VLAN from the main switch.)

I would like all the other VLANs to keep going through my default IP.

Till now it was managed only by:
add action=masquerade chain=srcnat out-interface=WAN

I hope I make some sense. :smiley:

There are two ways the upstream router can send you packets for additional IP addresses: either they’re routed via your router’s primary IP address (usually in this case the additional IP addresses are in a different subnet than the primary address), or they are all sent the same way (all IP addresses are in the same subnet, and the upstream router’s address is in that subnet as well).

As you have a subnet on your WAN interface, it’s likely the second case. So the upstream router needs a MAC address for the additional IP addresses … and it gets it from your router only if your router knows the IP belongs to it. No, NAT config doesn’t make an IP address belong to the router; setting it on the router’s interface does.
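The point above applied to the original poster’s addresses, as an added example (not config from anyone in this thread). It assumes the public VLAN interface is named VLAN123, that vlan4 is 192.168.0.0/24, and that the existing catch-all rule is the masquerade quoted earlier:

```routeros
# Added example, not from the thread. Assumed names: public VLAN interface
# "VLAN123", vlan4 LAN 192.168.0.0/24, existing catch-all masquerade rule.

# 1. Make 1.2.3.5 belong to the router, so it answers ARP for that address
#    from the upstream router. NAT alone never does this.
/ip address
add address=1.2.3.5/26 interface=VLAN123 comment="second public IP for vlan4"

# 2. Source-NAT vlan4 to that address. Match on the VLAN interface (the L3
#    interface the traffic really leaves through), not the physical
#    sfp-sfpplus1 the VLAN rides on, and place the specific rule above the
#    generic masquerade so it is evaluated first.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 out-interface=VLAN123 \
    action=src-nat to-addresses=1.2.3.5 comment="vlan4 out via 1.2.3.5" \
    place-before=0

# 3. The existing catch-all stays below it; every other VLAN keeps
#    leaving with the primary address 1.2.3.4.
add chain=srcnat out-interface=VLAN123 action=masquerade

# Checks: the address is actually on the interface, the new rule is
# counting packets, and vlan4 connections show the translated address.
/ip address print where interface=VLAN123
/ip firewall nat print stats
/ip firewall connection print where src-address~"192.168.0."
```

If the rule counters climb but replies never arrive, the address in step 1 is the first thing to re-check, since that is what lets the upstream router resolve 1.2.3.5 to this router.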

Until my ISP changed things around on me, I was doing exactly what you want to do. On my DSL, I had eight static IP addresses. All were in the same subnet. Here are a couple of code segments that should help.
First create the addresses on both the DSL and each LAN (two of which had a physical port and two were on a VLAN trunk).

/ip address
add address=66.51.204.111/24 interface=E1-p10_DSL_Internet network=66.51.204.0
add address=66.51.204.112/24 interface=E1-p10_DSL_Internet network=66.51.204.0
add address=66.51.204.113/24 interface=E1-p10_DSL_Internet network=66.51.204.0
add address=66.51.204.114/24 interface=E1-p10_DSL_Internet network=66.51.204.0
add address=192.168.201.252/24 interface=E2-p12_201 network=192.168.201.0
add address=192.168.202.252/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.252/24 interface=E3-p14_203 network=192.168.203.0
add address=192.168.204.250/24 interface=VLAN_204 network=192.168.204.0

Then the outbound NAT rules.

/ip firewall nat
add action=src-nat chain=srcnat comment="Outgoing NAT from .201 LAN" \
    disabled=yes out-interface=E1-p10_DSL_Internet src-address=\
    192.168.201.0/24 to-addresses=66.51.204.111
add action=src-nat chain=srcnat comment="Outgoing NAT from .202 LAN" \
    disabled=yes out-interface=E1-p10_DSL_Internet src-address=\
    192.168.202.0/24 to-addresses=66.51.204.112
add action=src-nat chain=srcnat comment="Outgoing NAT from .203 LAN" \
    disabled=yes out-interface=E1-p10_DSL_Internet src-address=\
    192.168.203.0/24 to-addresses=66.51.204.113
add action=src-nat chain=srcnat comment="Outgoing NAT from .204 LAN" \
    disabled=yes out-interface=E1-p10_DSL_Internet src-address=\
    192.168.204.0/24 to-addresses=66.51.204.114

Yes, the NAT rules are all disabled. Remember that I said I WAS doing what you are wanting to do. When my ISP changed things up on me, I disabled these rules, not deleted them. I did delete the IP addresses on the DSL, so I had to “re-create” them for this example.