How do I set up a router for 5 fixed IPs

Hi guys,

I need some guidance here. My ISP has assigned me a PPPoE login with 5 static IPs with a /29 bitmask. The router I’m currently using is an RB750GL model. When it was installed, the modem was configured for only one static IP, which is currently in use. I have bound the addresses to a loopback. I’m having difficulty assigning the static IP addresses to 3 of my servers, along with the required ports for forwarding to those servers as well.

Do I need to reconfigure the router from scratch or is there another method to go around this and make it work?
Is my method of doing it incorrect?

I really appreciate the help guys

Put the /29 on your LAN port as an extra address, with one address assigned to the router.
The other addresses will be automatically routed to your LAN.
Of course it could be that you need to adjust your firewall, depending on what your needs are.

If I put the /29 on my LAN port, do I need to change the IPs of the servers accordingly?

It depends on the current setup/your needs…

If you are running NAT between your servers and the “outside world,” you will need to put the public IPs on an external facing interface and then port forward the required ports directly to your servers. The best way is to find the individual ports your servers need and forward them:

/ip firewall nat
add chain=dstnat dst-address=x.x.x.x protocol=tcp dst-port=80 action=netmap to-addresses=y.y.y.y

but you could also forward the entire IP traffic straight to the server (very insecure and not recommended unless you have a strong firewall on the server):

/ip firewall nat
add chain=dstnat dst-address=x.x.x.x action=netmap to-addresses=y.y.y.y

In both examples x.x.x.x is your public IP, and y.y.y.y is a private (NAT) IP address.

If you want these servers to be directly on the outside, I normally bridge the “WAN” interface with the interface that faces the servers and then you can control the flow if necessary with firewall filters:

/int bridge
add name=outside
/int bridge port
add interface="ether1" bridge=outside #WAN
add interface=ether2 bridge=outside #Server1
add interface=ether3 bridge=outside #Server2
#etc...

#firewall if necessary and the servers don't have strong firewalls in place already:
#Tell bridges to use firewall
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=yes
/ip firewall filter
#Server 1 rules
add chain=forward dst-address=x.x.x.x protocol=tcp dst-port=80,443 action=accept
add chain=forward dst-address=x.x.x.x action=drop
#Server 2 rules
add chain=forward dst-address=x.x.x.y protocol=icmp action=accept
add chain=forward dst-address=x.x.x.y action=drop

These are generic examples and you would need to adjust ports/protocols as necessary, but you get the idea. If you need help getting ports forwarded to these servers, Google is your friend; I am usually able to find almost anything by searching for “$SERVICE port forward” on Google or in the documentation for the software directly.

You may need to change these examples a little because I don’t use PPPoE or public IPs/routing on loopbacks.

Having the 5 additional /32 addresses routed to a loopback interface is fine if you’re using NAT w/ private IPs on the servers themselves.

It works because the dstnat rules will transform the dst-IP of the incoming packets to be the private IP addresses, and then forward the packets along.
If you do this, you also need to create corresponding srcnat rules so that the servers appear on the Internet with their proper public IP addresses whenever they originate their own outbound connections. (e.g. when a mail server sends out a message)

You can use the standard srcnat/dstnat rules, or else use the stateless counterparts: netmap
(I’d probably recommend netmap as it’s the closest to having the public IPs directly on the hosts themselves)

You can still firewall filter traffic to/from the servers with the router - rules in the forward chain will apply to the traffic you want to filter, and make sure to refer to the servers using their private IP addresses because the NAT happens before the filtering step.


Option B - as Iron man mentions, you can also just place the entire /29 directly on the LAN interface - this will work very well if you have a DMZ interface that is separate from your LAN, so you won’t need to use dual IP addressing, and your nat table can exist with only one rule:
chain=srcnat out-interface=pppoe1-out src-address=!x.x.x.x/29 (the public IP range) action=masquerade

In this scenario, your firewall filter rules in the forward chain should refer to the servers using their public IP addresses, and yes, you would configure the public IPs directly on them.
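The two designs described in this answer and in Iron man’s earlier reply, as an added example in Python that is not code from the thread: it generates the RouterOS rule lines for each design from one server list and refuses addresses a server must never be given (the network and broadcast addresses of the /29, and the router’s own .25). The interface names pppoe-out1 and dmz, the private range 192.168.1.0/24, and the server/port list are assumptions, not from the original posts.

```python
"""Generate the RouterOS NAT/filter rules for a /29 of public addresses.

Added example, not code from the thread. It emits the two designs discussed
in the thread (1:1 NAT with private server IPs, and the /29 routed straight
onto a DMZ interface) and rejects addresses that must never be handed to a
server. Assumed, not from the original: the interface names pppoe-out1 and
dmz, the private range 192.168.1.0/24 and the server/port list below.
"""
import ipaddress

PUBLIC_BLOCK = ipaddress.ip_network("1.9.116.24/29")   # from the thread
ROUTER_PUBLIC = ipaddress.ip_address("1.9.116.25")     # router's own address
LAN_PRIVATE = ipaddress.ip_network("192.168.1.0/24")   # assumed
WAN_IF, DMZ_IF = "pppoe-out1", "dmz"                   # assumed names

# constructed sample servers: (public IP, private IP, allowed TCP ports)
SERVERS = [
    ("1.9.116.26", "192.168.1.127", [80, 443]),
    ("1.9.116.27", "192.168.1.128", [27017]),
]


def check_public(ip):
    """Return the address if a server may use it, else raise ValueError."""
    addr = ipaddress.ip_address(ip)
    if addr not in PUBLIC_BLOCK:
        raise ValueError(f"{addr} is outside {PUBLIC_BLOCK}")
    if addr in (PUBLIC_BLOCK.network_address, PUBLIC_BLOCK.broadcast_address):
        raise ValueError(f"{addr} is the network or broadcast address")
    if addr == ROUTER_PUBLIC:
        raise ValueError(f"{addr} is the router's own address (the gateway)")
    return addr


def ports(plist):
    return ",".join(str(p) for p in plist)


def nat_design(servers=SERVERS):
    """Option A: servers keep private IPs, the router maps each public IP 1:1."""
    rules = ["/ip firewall nat"]
    for pub, priv, plist in servers:
        pub = check_public(pub)
        if ipaddress.ip_address(priv) not in LAN_PRIVATE:
            raise ValueError(f"{priv} is not in the private range {LAN_PRIVATE}")
        # inbound: only the published ports are translated to the server
        rules.append(f"add chain=dstnat dst-address={pub} protocol=tcp "
                     f"dst-port={ports(plist)} action=netmap to-addresses={priv}")
        # outbound: the server's own connections leave as its public IP, not .25
        rules.append(f"add chain=srcnat src-address={priv} out-interface={WAN_IF} "
                     f"action=netmap to-addresses={pub}")
        # hairpin: a LAN client using the public IP still gets a reply path
        rules.append(f"add chain=srcnat src-address={LAN_PRIVATE} dst-address={priv} "
                     f"protocol=tcp dst-port={ports(plist)} action=masquerade")
    # listed last, so the 1:1 srcnat rules above win for the servers
    rules.append(f"add chain=srcnat out-interface={WAN_IF} action=masquerade")
    rules += ["/ip firewall filter",
              "add chain=forward connection-state=established,related action=accept"]
    for pub, priv, plist in servers:
        # dst-nat runs before the filter, so these rules match the PRIVATE address
        rules.append(f"add chain=forward dst-address={priv} protocol=tcp "
                     f"dst-port={ports(plist)} action=accept")
        rules.append(f"add chain=forward dst-address={priv} action=drop")
    return rules


def routed_design(servers=SERVERS):
    """Option B: the /29 lives on the DMZ interface, servers carry public IPs."""
    rules = ["/ip address",
             f"add address={ROUTER_PUBLIC}/{PUBLIC_BLOCK.prefixlen} interface={DMZ_IF}",
             "/ip firewall nat",
             # the one NAT rule: masquerade everything EXCEPT the public block
             f"add chain=srcnat out-interface={WAN_IF} "
             f"src-address=!{PUBLIC_BLOCK} action=masquerade",
             "/ip firewall filter",
             "add chain=forward connection-state=established,related action=accept"]
    for pub, _priv, plist in servers:
        pub = check_public(pub)
        # no NAT on this path, so the filter matches the PUBLIC address
        rules.append(f"add chain=forward dst-address={pub} protocol=tcp "
                     f"dst-port={ports(plist)} action=accept")
        rules.append(f"add chain=forward dst-address={pub} action=drop")
    # DMZ hosts may not initiate towards the LAN
    rules.append(f"add chain=forward in-interface={DMZ_IF} "
                 f"dst-address={LAN_PRIVATE} action=drop")
    return rules


if __name__ == "__main__":
    print("\n".join(nat_design()))
    print()
    print("\n".join(routed_design()))
```

Running it prints both rule sets. The points to notice are that the forward-chain filter refers to the private address in the NAT design and to the public address in the routed design, that the 1:1 srcnat rules are listed before the general masquerade so the servers do not leave as .25, and that the validator rejects .24, .25 and .31 before any rule is written.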

Thanks for the suggestion,guys.

I will try them one by one. As for the DMZ approach that ZeroByte points out, I’ve checked the router and found there’s no DMZ interface on the router. Is there a rule or function similar to that?
Do I need to change the gateway for the router as well, since the /29 gives me a different network when I input the address in the router, and causes the network not to have internet when I apply the changes?
For your information, I’m assigning different private IPs to the servers and would like to make it so that the servers appear on the Internet with their proper public IP addresses.

Example:

Given IP subnet masks from: 1.xx.yy.25/29
Server 1
Local IP:1.xx.yy.127
Public IP:1.xx.yy.26

Server 2
Local IP:1.xx.yy.128
Public IP:1.xx.yy.27

The current gateway is set to 1.xx.yy.25

Sorry if the questions sound like what a beginner would ask. I’m unfamiliar with configuring a MikroTik router for multiple static IPs.

There’s no DMZ interface because, strictly speaking, any interface can have any role you like, and DMZ is mostly a concept - a term used in the industry to indicate an untrusted network which may be reachable on certain select services from the world, but will have very restricted access to any internal network(s) at the site.

Okay - having said that, you can make anything into a DMZ by configuring policies that are “dmz-like” - and you can make comments/labels that name things as “dmz” for the sake of clarity.

For example, if you have 5 hosts connected to a certain 5 ports, you can bridge them together and name the bridge DMZ.
Then make forwarding rules which allow the DMZ hosts to go out to the Internet, but not in towards the LAN.
You could next make some rules which allow the specific services you want available to the public…
And a rule which allows lan->dmz on all ports (action=accept in-interface=lan out-interface=DMZ)
And finally, a rule which drops anything going out-interface=DMZ to protect the servers from access on ports that you don’t intend to be public.


As for the network number being different than the IP you type into the interface, that’s to be expected.
A network mask of /29 (i.e. 255.255.255.248) means a range of 8 IP addresses, of which 6 may be used by hosts.
So if the network block is 192.0.2.64/29, then the network address is 192.0.2.64 , addresses .65 - .70 are usable as hosts, and .71 is the broadcast address.

If you enter an IP address in ROS of 192.0.2.68/29, then the network for this is going to be 192.0.2.64
If you’d used 192.0.2.45/29, then the network for this is 192.0.2.40
This is because /29 means “8 hosts” - your valid network addresses for /29 are therefore going to count from .0 by increments of 8:
0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, and 248
(32 possible /29 blocks per “class C”)

PPP(oE) has a nice feature that you don’t have to put the IP address of “your end” onto the PPP/PPPoE interface itself - it acts like a “wormhole” between two endpoints, so you can use the IP address of the DMZ interface as the “local” address. It’s probably being assigned by the ISP anyway as x.x.x.x/32 which won’t interfere with assigning the same address with /29 on the DMZ interface (I think).

Thank you for explanation. It’s very easy to understand and straight to the point.

I will try out the dmz approach and configure the dmz-like interface and the policies along with it.

Same with the other guys’ approach as well.

Will keep you guys posted.

Thanks for the help.

Hi guys, this is my configuration so far

/ip address
add address=1.9.116.25/24 disabled=no interface=ether3-slave-local network=\
    1.9.116.0
add address=192.168.1.8/24 disabled=yes interface=LAN3 network=192.168.1.0
add address=1.9.116.25/32 disabled=no interface=lo0 network=1.9.116.25
add address=1.9.116.26/32 disabled=no interface=lo0 network=1.9.116.26
add address=1.9.116.27/32 disabled=no interface=lo0 network=1.9.116.27
add address=1.9.116.28/32 disabled=no interface=lo0 network=1.9.116.28
add address=1.9.116.29/32 disabled=no interface=lo0 network=1.9.116.29
add address=1.9.116.25/29 disabled=no interface=ether5-slave-local network=\
    1.9.116.24
add address=1.9.116.24/32 disabled=yes interface=lo0 network=1.9.116.24
add address=1.9.116.25/29 disabled=yes interface=LAN3 network=1.9.116.24
/ip neighbor discovery
set ether1-gateway disabled=yes
set LAN disabled=no
set ether3-slave-local disabled=no
set LAN3 disabled=no
set ether5-slave-local disabled=no
set vlan1 disabled=yes
set WAN1 disabled=yes
set lo0 disabled=no
set vlan4 disabled=yes
/ip firewall nat
add action=src-nat chain=srcnat disabled=yes src-address=1.9.116.127 \
    to-addresses=1.9.116.26
add action=dst-nat chain=dstnat disabled=no dst-port=27017 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.175 to-ports=27017
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.122 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=3838 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.199 to-ports=3838
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.128 to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=8090 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.128 to-ports=8090
add action=dst-nat chain=dstnat disabled=yes dst-port=8070 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.127 to-ports=8070
add action=dst-nat chain=dstnat disabled=yes dst-port=6969 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.127 to-ports=6969
add action=dst-nat chain=dstnat disabled=yes dst-port=27900 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.127 to-ports=27900
add action=dst-nat chain=dstnat disabled=yes dst-port=28900 in-interface=WAN1 \
    protocol=tcp to-addresses=1.9.116.127 to-ports=28900
add action=src-nat chain=srcnat disabled=yes src-address=1.9.116.128 \
    to-addresses=1.9.116.25
add action=dst-nat chain=dstnat disabled=yes dst-address=1.9.116.25 \
    to-addresses=1.9.116.128
add action=dst-nat chain=dstnat disabled=yes dst-address=1.9.116.26 \
    to-addresses=1.9.116.127
add action=netmap chain=dstnat disabled=yes dst-address=1.9.116.26 dst-port=\
    8070 protocol=tcp to-addresses=1.9.116.127
add action=dst-nat chain=dstnat disabled=yes dst-address=1.9.116.26 \
    to-addresses=1.9.116.127
add action=src-nat chain=srcnat disabled=yes src-address=1.9.116.127 \
    to-addresses=1.9.116.26

Now I’m stuck at getting the Public IPs assigned to the servers. Is there anything I miss or did incorrect? Or did I miss some steps needed to be done?

First of all - I think you should be using /29 and not /24 on your ethernet interface… .25 is the first usable host address of the .24/29 range and you’ve mentioned “5 hosts” several times, which corresponds to /29. /24 → 256 host addresses (254 usable). When you change this, be sure to erase the value in “network” so that the router will re-compute this.

As for how to put the host addresses on the interface…

TL;DR version: The Router will automatically learn what hosts on the network are using the IP addresses, so don’t put them on the router’s interface. (that will break things)

Full Explanation:
You don’t assign the IPs to the router’s interface. You configure them on the servers themselves.

When you put an IP address 1.9.116.25/29 onto an interface, here is what happens:
The router understands this to mean that the IP network 1.9.116.24/29 is attached to that interface-
Therefore any packet whose destination address is 1.9.116.24 - 1.9.116.31 should be delivered to this interface.
It is an ethernet interface - thus broadcast multi-access, so the router will need to know what the MAC address of the destination IP address is…
… so it will send an ARP request to learn what device is using the destination IP.
Suppose the destination IP is 1.9.116.28
The router will ask “Who has 1.9.116.28?”
The device with that IP address will respond “I do!” (and its MAC address will now be seen by the router - e.g. 10:20:30:40:50:60 )
The router will add the MAC address 10:20:30:40:50:60 to the ARP table, mapping it to 1.9.116.28
Now the router will transmit the packet onto the LAN with the host’s destination IP and MAC address in the headers of the packet.
The host will receive the packet, and process it accordingly.

So - you don’t have to (and in fact MUST NOT) apply the addresses to the interface itself. If you do this, you’re telling the router that IT is using those IP addresses for itself.
If you were to put 1.9.116.28/32 onto that same interface, then the router would not ARP for the MAC address of 1.9.116.28 - it would consider this packet as being directed at the router itself, and thus pass the packet up the stack for local processing (telnet service, http service, winbox service, etc).

As for the hosts themselves, configure their IP addresses as static IP address configuration, enter the desired IP address for the host, set the subnet mask to 255.255.255.248 and set the default gateway to 1.9.116.25 (the Mikrotik’s IP address). Don’t forget to configure the DNS server addresses in the hosts as well.

Good luck!
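A small Python model of the two explanations above (the /29 boundary arithmetic in the earlier reply, and the router’s local-versus-ARP decision in this one), added here as an example and not code from the thread. The interface names, the default gateway 203.0.113.1 and the neighbour MAC table are constructed; a real router also does longest-prefix matching, which this toy skips.

```python
"""Model of how a router treats a destination address.

Added example, not from the thread. It reproduces two explanations given in
the thread: where /29 boundaries fall, and why an address configured on the
router itself is handled locally instead of being ARPed for. Interface names,
the default gateway and the neighbour MAC table are constructed; a real
router also does longest-prefix matching, which this toy skips.
"""
import ipaddress


def subnet_facts(addr_with_prefix):
    """(network, first usable, last usable, broadcast) for e.g. '192.0.2.68/29'."""
    net = ipaddress.ip_interface(addr_with_prefix).network
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]),
            str(hosts[-1]), str(net.broadcast_address))


def block_starts(new_prefix, parent="192.0.2.0/24"):
    """Last octet of every /new_prefix network inside parent (0, 8, 16, ... for /29)."""
    parent_net = ipaddress.ip_network(parent)
    return [int(n.network_address) & 0xFF
            for n in parent_net.subnets(new_prefix=new_prefix)]


class ToyRouter:
    def __init__(self, default_gateway):
        self.addresses = []          # (interface name, ip_interface)
        self.arp = {}                # learned ip -> mac
        self.default_gateway = ipaddress.ip_address(default_gateway)

    def add_address(self, interface, addr_with_prefix):
        self.addresses.append((interface, ipaddress.ip_interface(addr_with_prefix)))

    def deliver(self, dst, wire):
        """Decide what happens to a packet for dst.

        wire: constructed {ip: mac} of hosts actually present on the LAN,
        used to answer the ARP request the router would send.
        """
        dst = ipaddress.ip_address(dst)
        # 1. one of the router's own addresses -> passed up the stack (winbox, www, ...)
        for iface, a in self.addresses:
            if a.ip == dst:
                return ("local", iface, None)
        # 2. inside a connected network -> ARP for it, forward on that interface
        for iface, a in self.addresses:
            if dst in a.network:
                mac = wire.get(str(dst))
                if mac is None:
                    return ("arp-unanswered", iface, None)
                self.arp[str(dst)] = mac
                return ("forward", iface, mac)
        # 3. anything else -> the default route towards the ISP
        return ("default-route", str(self.default_gateway), None)


def demo():
    wire = {"1.9.116.28": "10:20:30:40:50:60"}       # constructed neighbour
    ok = ToyRouter(default_gateway="203.0.113.1")    # assumed PPPoE peer
    ok.add_address("dmz", "1.9.116.25/29")
    right = ok.deliver("1.9.116.28", wire)           # ARP, then forward on dmz
    wrong = ToyRouter(default_gateway="203.0.113.1")
    wrong.add_address("dmz", "1.9.116.25/29")
    wrong.add_address("lo0", "1.9.116.28/32")        # the mistake from the thread
    stolen = wrong.deliver("1.9.116.28", wire)       # never reaches the server
    return right, stolen, ok.deliver("8.8.8.8", wire)


if __name__ == "__main__":
    print(subnet_facts("192.0.2.68/29"), subnet_facts("192.0.2.45/29"))
    print(block_starts(29))
    for step in demo():
        print(step)
```

The `demo()` function contrasts the correct configuration (only 1.9.116.25/29 on the DMZ interface, so the router ARPs for .28 and forwards to the learned MAC) with the loopback /32 from the thread, where the same packet is treated as addressed to the router itself and never leaves it.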

Hi guys,

I’ve changed the address from /24 to /29. And I have also changed the IP for the servers as well.

The problem is that after I change the IP, the internet connection for the server is lost, leaving only the local connection.

This also applies when I change only the address from /24 to /29 as well.

When I disable the loopback, I have the internet connection back, but when I check my IP using whatismyipaddress.com, it shows the IP as 1.9.116.25.

Does this mean I did something wrong somewhere?

You need to tell your NAT rule not to match traffic from your public range.
In the srcnat/masquerade rule, add the criteria “src-address=!1.9.116.24/29”
And you should not have had a loopback interface if using an actual DMZ interface, so it’s no surprise that things didn’t work while it was enabled. Sounds like you’ve almost got it right.

Finally it works!!! :smiley: Many Thanks, Zerobyte.

Many Thanks for the guidance.

I would like to ask one more question.

For the port forwarding part, I can just port forward to the Server IP?

Yes - but do consider that if the source host and destination host are on the same network, you’ll also need a hairpin NAT rule - but if this isn’t an issue, then don’t worry about it.

Ok. :slight_smile: Thanks