How to assign a public IP to a server, without NAT?

Hello. This is the situation.

I have a fiber connection, with 5 public ips and a Mikrotik rb1200

One of them is being used for my local network. Port 2 is where the LINK is connected to. Ports ether1, ether3, ether4 and ether5 work like a switch with a DHCP server running on them and an IP range of 192.168.55.0/24. For all of them I use just one public IP.
Let’s say it is 200.190.xxx.122


I added a server running apache to ether6, and I want to assign a public IP to it (let's imagine the public IP 200.190.xxx.123), but without using NAT. I already got it working by redirecting the requests using NAT. But I want another way.

The private range of ips assigned to ether 6 is 10.1.1.0/24 and the server private IP is 10.1.1.9


On another forum, someone recommended this:

Assign the public IP to the server as a loopback IP (not associated with any interface)

Configure the router to route traffic to that public IP to the server’s internal IP. (Just add one static route.)

Make sure the router is configured to pass the outbound traffic unmolested. (Don’t assume all traffic from the internal network has an internal source IP. Or just add a rule to route traffic from the internal LAN with that particular source IP.)

Well. I was able to assign the public IP that I want to use as a loopback IP. Then if I type it in the browser on the computer running apache, the page opens.

What I don't know is how to do the other stuff, that is "Configure the router to route traffic to that public IP to the server's internal IP" and "Make sure the router is configured to pass the outbound traffic unmolested", and the person who answered that didn't answer anymore.

Could anyone help?
I'm a complete beginner in Mikrotik, so, please, write clearly where I configure, like "ip > routes", etc.
Thanks.

First off, if I understand correctly what you are reporting someone else told you to do already, it was poor advice.

Since you only receive the 5 addresses that are within a /29 from your ISP rather than having the entire /29 block routed to your MT, assign the public IP 200.190.xxx.123 directly to the ether interface of the web server.
Bridge ether2 to ether6.

/interface bridge
add name="bridge-public"
/interface bridge port
add bridge="bridge-public" interface=ether2
add bridge="bridge-public" interface=ether6

You will want to protect your web server. If you will not be securing your web server using iptables in the web server, enable the firewall in the MT for bridges and accept inbound connections on port 80 and/or 443 (plus any other you deem required) and then drop everything else that is not needed. You shouldn't need to block outbound traffic from the web server.

/interface bridge settings set use-ip-firewall=yes
/ip firewall filter
add chain=forward in-bridge-port=ether2 out-bridge-port=ether6 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-bridge-port=ether2 out-bridge-port=ether6 action=drop

No MT routing is required. You’ll want to remove the NAT and 10.1.1.0/24 configuration you previously applied to ether6.

The method described using the loopback address is sometimes used, but it is router/host OS dependent and can be difficult to debug if it is not working, so I am usually reluctant to even suggest it.

It sounds as if the private link net version was suggested, in which case the routing entry on the routerboard would be to the server's public address in the form A.B.C.D/32 with the gateway set to the server's private LAN address. This of course assumes that you have created a private subnet between the router and server and that they both have valid private IPs on that subnet.

The one other problem however is that your ISP most likely expects all of those public IPs to be ARPable on the WAN network segment so you would most likely have to run proxy-arp on your WAN interface.

I am a Mikrotik newbie…

I am trying to achieve the same results as per the title of this thread but on a new RB2011 integrated box.

I have 1:1 NAT working for an Asterisk host. But I also need to deploy an Asterisk host directly on a public IP.

I have bridged my wan port ether1 to a dedicated ethernet port (ether2) and assigned an IP in my usable /29 range from my ISP to the Asterisk host.

My lan is on ether3. (ether4 and ether5 are slaves to ether3)

The host can reach the internet with pings to google for instance, so it would seem that I have the gateway set up correctly on the host.

Also, I can “ping” or “traceroute -I” to the host from the outside but I cannot get an ssh or http session setup to the host.

Here is some of my config that is probably very important info for debugging…

I have a pppoe static address and gateway and my modem is in bridged mode. Then I have 100.100.100.216/29 given to me by my ISP for what I call my 'real' internet usage.
To me it seems that the PPPoE is really just used for authentication because the ISP is a reseller and is forced to use PPPoE for their DSL installations.

ether1 is the wan connection to the DSL bridged modem
pppoe-out1 is the logical wan connection (if "logical" is the correct term?)
ether3-lan-private-master is my lan port (ether 4 and ether 5 are slaves)
ether6 through ether10 and the optical interface are disabled for now

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS               NETWORK                 INTERFACE                                                                                        
 0   192.168.88.1/24      192.168.88.0             ether3-lan-private-master                                                                        
 1 D 200.200.200.70/32  200.20.150.100          pppoe-out1                                                                                       
 2   100.100.100.217/29 100.100.100.100.216   ether1-wan


These are just the local lan hosts on ether3:
/ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published 
 #   ADDRESS           MAC-ADDRESS        INTERFACE                                                                                         
 0 D 192.168.88.239  00:0B:XX:XX:65:6B  ether3-lan-private-master                                                                         
 1 D 192.168.88.240  BC:AE:XX:XX:F2:65  ether3-lan-private-master                                                                         
 2 D 192.168.88.241  14:DA:XX:XX:B4:BA  ether3-lan-private-master                                                                         
 3 D 192.168.88.248  BC:5F:XX:XX:94:B7  ether3-lan-private-master                                                                         
 4 D 192.168.88.246  3E:D6:XX:XX:93:56  ether3-lan-private-master                                                                         
 5 D 192.168.88.237  C8:A0:XX:XX:D7:9D  ether3-lan-private-master

My interface table:
 /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  RS ether1-wan                        ether       1500  1598       4074 D4:CA:6D:X7:7X:8A
 1  RS ether2-lan-public                 ether       1500  1598       4074 D4:CA:6D:X7:7X:8B
 2  R   ether3-lan-private-maste      ether       1500  1598       4074 D4:CA:6D:X7:7X:8C
 3   S  ether4                               ether       1500  1598       4074 D4:CA:6D:X7:7X:8D
 4   S  ether5                               ether       1500  1598       4074 D4:CA:6D:X7:7X:8E
 5  X   ether6-master-local             ether       1500  1598       2028 D4:CA:6D:X7:7X:8F
 6  XS ether7-slave-local                ether       1500  1598       2028 D4:CA:6D:X7:7X:90
 7  XS ether8-slave-local                ether       1500  1598       2028 D4:CA:6D:X7:7X:91
 8  XS ether9-slave-local                ether       1500  1598       2028 D4:CA:6D:X7:7X:92
 9  XS ether10-slave-local              ether       1500  1598       2028 D4:CA:6D:X7:7X:93
10  X  sfp1-gateway                      ether       1500  1598       4074 D4:CA:6D:X7:7X:89
11  X  wlan1                                 wlan        1500  2290              D4:CA:6D:X7:7X:94
12  R  bridge-wan                          bridge      1500  1598              D4:CA:6D:X7:7X:8A
13  R  pppoe-out1                          pppoe-out   1480

My so called wan bridge:
/interface bridge> print
Flags: X - disabled, R - running 
 0  R name="bridge-wan" mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:X7:7X:8A protocol-mode=none priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

My wan bridge port members:
/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                           BRIDGE                                           PRIORITY  PATH-COST    HORIZON
 0    ether1-wan                                          bridge-wan                                           0x80         10       none
 1    ether2-lan-public                                   bridge-wan                                           0x80         10       none

Are the Firewall NAT and FILTER table important?
Here is a portion of the forward chain that I thought was required as per this thread...

add chain=forward comment="Open up bridge port ether-public-lan" connection-state=new in-bridge-port=ether1-wan \
    out-bridge-port=ether2-lan-public
add chain=forward comment="Open up bridge port ether-public-lan" connection-state=established in-bridge-port=ether1-wan \
    out-bridge-port=ether2-lan-public
add chain=forward comment="Open up bridge port ether-public-lan" connection-state=related in-bridge-port=ether1-wan \
    out-bridge-port=ether2-lan-public

I must be missing something obvious and fundamental. And what is curious is that ICMP is working.

Help would be greatly appreciated.

If you are using a bridge you should place the router’s IP address/mask on the bridge rather than one of the bridge port interfaces so move the /29 settings to the bridge then report back.
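Putting the two replies together (bridge the WAN port to the server port, keep the /29 on the bridge itself, filter bridged traffic with the IP firewall), here is an added example of the complete RouterOS v6 configuration; it is not any poster's config. It assumes the interface names and the obfuscated 100.100.100.216/29 block from this thread, with 100.100.100.217 as the router's address and 100.100.100.220 as the server, and that only HTTP/HTTPS are to be published.

```routeros
# Added example, not from the thread. Interface names and addresses are the
# thread's (assumed): ether1-wan faces the ISP, ether2-lan-public faces the
# server, 100.100.100.220 is the server, 100.100.100.217 the router.

/interface bridge
add name=bridge-wan protocol-mode=none
/interface bridge port
add bridge=bridge-wan interface=ether1-wan
add bridge=bridge-wan interface=ether2-lan-public

# The /29 belongs on the bridge, not on one of its member ports.
/ip address
add address=100.100.100.217/29 interface=bridge-wan

# Make layer-2 forwarded (bridged) packets visible to /ip firewall filter.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Replies to sessions the server opened itself (DNS, updates) must get back in.
add chain=forward in-bridge-port=ether1-wan out-bridge-port=ether2-lan-public \
    connection-state=established,related action=accept
# Only the published services are reachable from the Internet.
add chain=forward in-bridge-port=ether1-wan out-bridge-port=ether2-lan-public \
    connection-state=new protocol=tcp dst-address=100.100.100.220 \
    dst-port=80,443 action=accept
# Everything else arriving from the WAN side toward the server port is dropped
# and logged, so unexpected probes show up in /log.
add chain=forward in-bridge-port=ether1-wan out-bridge-port=ether2-lan-public \
    action=drop log=yes log-prefix="bridge-drop"
```

The established,related rule is the one that keeps the server's own outbound connections working; without it, the final drop also discards the return half of those sessions.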

I followed your recommendation by changing the address table entry :
100.100.100.217/29 100.100.100.100.216 ether1-wan
to:
100.100.100.217/29 100.100.100.100.216 bridge-wan

Two issues:

  1. I can still ping from the 100.100.100.220 (asterisk box) host to the outside, but DNS is not working and TCP connections to google.ca don't work. TCP connections to the google IP show SYN-SENT state when I run a netstat on the 220 host.

  2. When I traceroute to 100.100.100.220 from the outside, the route shows that my ISP is choosing the pppoe gateway address instead of the ‘proper’ gateway to my 100.100.100.216/29 network.

I wonder if I need separate individual address entries for each IP (i.e. 100.100.100.217/32, 100.100.100.218/32, 100.100.100.219/32, 100.100.100.220/32 etc.)?

Please contact me at the address below with details so I can see how they have routed the /29.