How can I NAT/Masq 4 Public IPs (dynamic) to 4 Private IPs (static)?

I am new to Mikrotik. I have done some NAT/Masq work in the past, but it has been on Linux servers not overly complex. I have also done a fair bit of firewall work. I am having no luck getting my Mikrotik device configured.

Here is what I have:

  • Mikrotik RB3011UIAS-RM RouterBOARD
  • 4 dynamic public IPs assigned from the ISP. These IPs may not necessarily be in the same network block or subnet.
  • Each one is assigned to one of four interfaces on my Mikrotik router (eth1-4).
    • This is working properly.
  • 4 servers/devices on my exposed private network (192.168.0.0/24).
  • Each server is connected to one of four interfaces on my Mikrotik router (eth6-9).
    • Each server’s IP is statically assigned.
  • A protected private network (192.168.1.0/24) for end user clients and wireless devices. The traffic for this network is passed to the Internet via NAT/Masq by one of the 4 devices on the exposed private network. (Currently, this device has one of the public IPs from the ISP until I can get the Mikrotik router working)
  • Interface eth10 on the Mikrotik router has an IP assigned (static) from the protected private network.
  • This will be used only to manage the Mikrotik router from the protected private network. It will allow no Internet traffic in or out.
  • Interface eth5 on the Mikrotik router is disabled.

Here is what I need:

  • Each of the public IPs assigned from the ISP should NAT/Masq traffic to one of the 4 servers/devices on the Exposed Private Network (192.168.0.0/24). Public IPs below are only examples.
    • This will be a 1-to-1 relationship.
    • Each server/device on the Exposed Private Network should be able to reach the other servers/devices using their respective Public IPs.
    • Server A: 192.168.0.2 (eth6)
      • Should receive and send Internet traffic through eth1, Public IP: 1.1.1.1.
      • Should only accept NEW INCOMING internet traffic on ports 8080 and 8022.
      • All other INCOMING Internet traffic should only be allowed if established or related.
      • All OUTGOING traffic to the Internet should be allowed.
    • Server B: 192.168.0.3 (eth7)
      • Should receive and send Internet traffic through eth2, Public IP: 2.2.2.2.
      • Should accept and receive ALL INCOMING and OUTGOING internet traffic on all ports.
      • Restrictions on traffic will be controlled later as needed through Firewall rules (filters).
    • Server C: 192.168.0.5 (eth7)
      • Should receive and send Internet traffic through eth3, Public IP: 3.3.3.3.
      • Should accept and receive ALL INCOMING and OUTGOING internet traffic on all ports.
      • Restrictions on traffic will be controlled later as needed through Firewall rules (filters).
    • Server D: 192.168.0.6 (eth7)
      • Should receive and send Internet traffic through eth4, Public IP: 3.4.4.4.
      • Should accept and receive ALL INCOMING and OUTGOING internet traffic on all ports.
      • Restrictions on traffic will be controlled later as needed through Firewall rules (filters).
  • eth10: 192.168.1.8
    • Should accept ALL traffic from Protected Private Network (192.168.1.0/24).
    • Should NOT accept any traffic from the Internet.
    • Should NOT pass any traffic from the Protected Private Network to the Internet.
  • If possible, I would like eth1 to also accept traffic on some port to remotely manage the Mikrotik router itself. This router is installed at a remote location, so this would make it easier for future maintenance/troubleshooting.

I have tried with no success to get this to work. I have read and watched countless tutorials on NAT and Masquerading specific to Mikrotik devices, but nothing seems to get the job done.

My thoughts:

  • The Public IPs being dynamic may be complicating the issue. I understand that masquerading is supposed to deal with dynamic IPs, so I must just be doing something wrong.
  • I thought/hoped I’d be able to take care of the NAT/Masq functions at the interface level, without concern for the IPs, but it doesn’t seem to be the case.
    • I am not opposed to defining the Public IPs in rules statically. I know I can use scripts to identify when the IPs change and update rules, and I am comfortable doing that if it makes all this easier. (Scripting is my specialty)
  • I don’t have an IP to use as a gateway to bridge the gap between the server IPs on the Exposed Private Network and the Public IPs assigned to eth1-4 on the Mikrotik router. I assumed NAT/Masq would take care of this, but I think that may be a poor assumption.
  • Perhaps I need to assign IPs to eth6-9 on the Mikrotik router to use as gateway addresses for the servers?
  • I am not locked into the Exposed Private Network being restricted to one subnet. I could use 4 subnets:
    • 192.168.102.0/24
    • 192.168.103.0/24
    • 192.168.105.0/24
    • 192.168.106.0/24

Assuming I am starting with a blank configuration on my Mikrotik router, I would really appreciate if someone could provide the steps I would need to configure this.

Many thanks in advance!

I have attached an illustration to hopefully help show what I need.
Mikrotik_Network_Configuration.png
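As an added example (not part of the original post and not taken from any answer to it), here is one RouterOS 6 configuration for the layout described above. It assumes: the ISP hands out the four addresses by DHCP on ether1-ether4; Servers A-D hang off ether6-ether9 in that order, using the four /24s listed in the post with the router at .1 and the server at .2 of each; WinBox on TCP 8291 stands in for the unspecified remote-management port on eth1; RouterOS 6.41 or later (interface lists). The routing marks to_wanN, the address lists pub_srvX and the route comments wanN-dyn are names chosen here.

```routeros
# Added example, not code from the original post. Assumed: RouterOS 6.41+,
# ISP addresses by DHCP on ether1-4, servers A-D at .2 of the four /24s
# behind ether6-9 with the router at .1, WinBox TCP 8291 as the remote
# management port. Names to_wanN, pub_srvX, "wanN-dyn" are chosen here.
/interface list
add name=WAN
add name=EXPOSED
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=ether4 list=WAN
add interface=ether6 list=EXPOSED
add interface=ether7 list=EXPOSED
add interface=ether8 list=EXPOSED
add interface=ether9 list=EXPOSED

# Router-side addresses on the server ports; each one is that server's gateway.
/ip address
add address=192.168.102.1/24 interface=ether6 comment="Server A gateway"
add address=192.168.103.1/24 interface=ether7 comment="Server B gateway"
add address=192.168.105.1/24 interface=ether8 comment="Server C gateway"
add address=192.168.106.1/24 interface=ether9 comment="Server D gateway"
add address=192.168.1.8/24 interface=ether10 comment="management only"

# One DHCP client per ISP port. The main table keeps a default route via ether1
# (distance 1) for the router's own traffic, ether2-4 as fallbacks. On every
# (re)bind the script rewrites a default route in that WAN's own routing table
# and stores the current public address in an address list, so no rule below
# ever has to name a public IP.
/ip dhcp-client
add interface=ether1 disabled=no add-default-route=yes default-route-distance=1 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan1-dyn\"]; \
    /ip route add gateway=\$\"gateway-address\" routing-mark=to_wan1 comment=\"wan1-dyn\"; \
    /ip firewall address-list remove [find list=pub_srvA]; \
    /ip firewall address-list add list=pub_srvA address=\$\"lease-address\" }"
add interface=ether2 disabled=no add-default-route=yes default-route-distance=2 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan2-dyn\"]; \
    /ip route add gateway=\$\"gateway-address\" routing-mark=to_wan2 comment=\"wan2-dyn\"; \
    /ip firewall address-list remove [find list=pub_srvB]; \
    /ip firewall address-list add list=pub_srvB address=\$\"lease-address\" }"
add interface=ether3 disabled=no add-default-route=yes default-route-distance=3 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan3-dyn\"]; \
    /ip route add gateway=\$\"gateway-address\" routing-mark=to_wan3 comment=\"wan3-dyn\"; \
    /ip firewall address-list remove [find list=pub_srvC]; \
    /ip firewall address-list add list=pub_srvC address=\$\"lease-address\" }"
add interface=ether4 disabled=no add-default-route=yes default-route-distance=4 \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"wan4-dyn\"]; \
    /ip route add gateway=\$\"gateway-address\" routing-mark=to_wan4 comment=\"wan4-dyn\"; \
    /ip firewall address-list remove [find list=pub_srvD]; \
    /ip firewall address-list add list=pub_srvD address=\$\"lease-address\" }"

# Policy routing: Internet-bound traffic from each server leaves by its own ISP
# port. Traffic to the router's own addresses (which includes a sibling's public
# IP, handled by hairpin NAT below) and to the private ranges stays on main.
/ip firewall mangle
add chain=prerouting in-interface=ether6 dst-address-type=!local \
    dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=ether7 dst-address-type=!local \
    dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to_wan2 passthrough=no
add chain=prerouting in-interface=ether8 dst-address-type=!local \
    dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to_wan3 passthrough=no
add chain=prerouting in-interface=ether9 dst-address-type=!local \
    dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to_wan4 passthrough=no

# NAT. Inbound is matched on the ISP port, not on the address, so it survives
# address changes. The management port is accepted first; otherwise the
# catch-all would hand it to Server A. The address-list rules plus the hairpin
# masquerade let a server reach a sibling (or itself) via the public IP.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8291 action=accept comment="keep WinBox on the router"
add chain=dstnat in-interface=ether1 action=dst-nat to-addresses=192.168.102.2
add chain=dstnat in-interface=ether2 action=dst-nat to-addresses=192.168.103.2
add chain=dstnat in-interface=ether3 action=dst-nat to-addresses=192.168.105.2
add chain=dstnat in-interface=ether4 action=dst-nat to-addresses=192.168.106.2
add chain=dstnat in-interface-list=EXPOSED dst-address-list=pub_srvA action=dst-nat to-addresses=192.168.102.2
add chain=dstnat in-interface-list=EXPOSED dst-address-list=pub_srvB action=dst-nat to-addresses=192.168.103.2
add chain=dstnat in-interface-list=EXPOSED dst-address-list=pub_srvC action=dst-nat to-addresses=192.168.105.2
add chain=dstnat in-interface-list=EXPOSED dst-address-list=pub_srvD action=dst-nat to-addresses=192.168.106.2
add chain=srcnat src-address=192.168.0.0/16 out-interface-list=EXPOSED connection-nat-state=dstnat \
    action=masquerade comment="hairpin"
add chain=srcnat out-interface-list=WAN action=masquerade

# Filters: established/related first, then the per-server policy. Server A only
# takes new Internet connections on 8080 and 8022; B, C and D stay open for now
# and can be tightened later in this chain.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether10 src-address=192.168.1.0/24 action=accept comment="management LAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 action=accept comment="remote management; add src-address=<admin IP>"
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether10 action=drop comment="protected LAN never reaches the Internet"
add chain=forward out-interface=ether10 action=drop
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=8080,8022 action=accept comment="Server A"
add chain=forward in-interface=ether1 connection-state=new action=drop comment="Server A: no other new inbound"
add chain=forward action=accept
```

Two things to check after the DHCP clients bind: `/ip route print` should show one default route per to_wanN table plus the distance-ordered ones in main, and `/ip firewall address-list print` should show one entry per pub_srvX list; if either is missing, the script did not run and no policy routing or hairpin will work. Restrict the ether1 management rule with `src-address=` as soon as the admin address is known, because that port is the only router service reachable from the Internet. On RouterOS 7 the same design applies, but routes take `routing-table=` instead of `routing-mark=` and each table must first be created under `/routing table add name=to_wan1 fib`.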