Help with network configuration

Hi Guys,

Have a cloud router. I have ether1 as my main wan. I have two subnets attached. I wish to route single public ip addresses in the subnets to local addresses.

So you can see here:

add address=202.68.39.153/29 interface=bri-vlan51 network=202.68.39.152
add address=202.68.39.177/28 interface=bri-vlan50 network=202.68.39.176

those are the subnets.

So where I am stuck is creating a local address say 10.10.1.1/24 and routing one of the public ip addresses to that subnet and allowing traffic to come out from 10.10.1.1/24 (assuming 10.10.1.1 is default gateway).

It’s all being done on the one router. VMware is directly connected to the bridges.

Does this make sense? It’s all working now, but the networks connected directly to the ethernet ports contain a public IP address.

There’s probably a much better way of doing this.

Interfaces

/interface bridge
add l2mtu=1590 name=bri-vlan10
add l2mtu=1590 name=bri-vlan50
add name=bri-vlan51
/interface ethernet
set 0 auto-negotiation=no
set 6 name=ether7
set 7 name=ether8
set 8 name=ether9
set 9 name=ether10
set 10 name=ether11
set 11 name=ether12
set 12 auto-negotiation=no
set 13 auto-negotiation=no
set 14 auto-negotiation=no
set 15 auto-negotiation=no
/interface bonding
add link-monitoring=none name=QNAP slaves=ether9,ether12 transmit-hash-policy=layer-2-and-3
/interface bridge port
add bridge=bri-vlan51 interface=ether2
add bridge=bri-vlan50 interface=ether3
add bridge=bri-vlan50 interface=ether4
add bridge=bri-vlan10 interface=ether11
add bridge=bri-vlan10 interface=ether10
add bridge=bri-vlan50 interface=ether5
add bridge=bri-vlan50 interface=ether6
add bridge=bri-vlan50 interface=ether7
add bridge=bri-vlan50 interface=ether8
add bridge=bri-vlan10 interface=QNAP

/ip address
add address=202.20.1.102/30 interface=ether1 network=202.20.1.100
add address=202.68.39.153/29 interface=bri-vlan51 network=202.68.39.152
add address=202.68.39.177/28 interface=bri-vlan50 network=202.68.39.176
add address=192.168.0.0/24 interface=bri-vlan10 network=192.168.0.0

That would be a destination NAT.

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=202.68.39.153 to-addresses=10.10.1.2

This would port forward all packets that were originally for 202.68.39.153 to 10.10.1.2

By default the router will route any networks that you define unless rules in the forward chain in /IP Filters stop it from doing so.

It sounds as if you want to do something which likely involves SRC/DST NAT and/or Masquerade but I couldn’t tell exactly what you want to achieve. Can you give more detail on your aims?

Output from /export compact would be good too - that will include the firewall settings.
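The dst-nat plus src-nat pattern the reply above describes, written out as an added example for the layout in the original post (this is not a configuration posted by anyone in the thread). It assumes 202.68.39.154 is an unused host address in the 202.68.39.152/29 block (an address not assigned to the router itself, so nothing bound to the bridge address is affected), that 10.10.1.0/24 is the customer's private subnet with 10.10.1.2 as the VM behind it, and that only TCP 80 and 443 should be reachable from outside. RouterOS evaluates firewall rules top to bottom, so the order shown matters.

```routeros
# Added example, not from the thread. Assumed values: 202.68.39.154 (free host
# in 202.68.39.152/29), 10.10.1.0/24 (customer private subnet), 10.10.1.2 (VM).

# 1. Private gateway address on the same bridge that already carries the public
#    /29. RouterOS allows several addresses on one interface; a separate bridge
#    per customer would isolate them at layer 2 and is the cleaner choice.
/ip address
add address=10.10.1.1/24 interface=bri-vlan51 network=10.10.1.0 comment="cust1 private gateway"

# 2. Destination NAT: packets arriving from the WAN for the chosen public address
#    are rewritten to the private host. Matching in-interface=ether1 keeps the
#    rule from rewriting traffic that enters on the LAN bridges.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 dst-address=202.68.39.154 to-addresses=10.10.1.2 comment="cust1 public -> private"

# 3. Source NAT: new outbound connections from the private subnet leave with the
#    same public address (1:1 style). action=masquerade is only needed when the
#    upstream address is dynamic, which is not the case here.
add chain=srcnat action=src-nat out-interface=ether1 src-address=10.10.1.0/24 to-addresses=202.68.39.154 comment="cust1 private -> public"

# 4. Forward-chain filter. The dst-nat rule forwards every port and protocol,
#    so without a filter the VM is as exposed as it was with a public address
#    directly on it. Allow replies, drop broken state, permit only the published
#    services, and drop everything else the WAN sends toward the private subnet.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to existing connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 dst-address=10.10.1.2 protocol=tcp dst-port=80,443 comment="cust1 published services"
add chain=forward action=drop in-interface=ether1 dst-address=10.10.1.0/24 comment="block all other WAN traffic to cust1"
```

Traffic from the VM out to the internet still works because the first forward rule accepts established and related packets and the srcnat rule rewrites the source on the way out; connection tracking reverses both NAT rewrites for the return packets, so no extra rules are needed for replies. Adding a rule per published port in the forward chain is what replaces the firewalling that each device currently does for itself.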

Correct.

So the customer would be on something like 10.200.13.x

I would add an address 10.200.13.1/24 to the address list. I can ping that. But how can I get it on the same interface that public ips are going through (bri-vlan50 and 51) at the moment? Basically I’d want the 10.200.13.1 to be the private gateway for that customer. I’d have nat on this. I would forward the public ip addresses to this host.

Could you please explain what I’d need to do here?

My whole config doesn’t have any firewall rules apart from security on the router. Each device plugs into the router directly at the moment with a public IP address and does firewalling directly from the device.

*bump