I have RB2011 connected through WAN port to ONT, and users can access the internet using NAT, so can I allow users accessing internet without using NAT?

If you have only one public IP address available, then only one device can communicate directly with internet (others can do it through the first one and NAT is the name of the game). If you have multiple public IP addresses available, then yes, as many devices can communicate with internet without NAT.
It’s probably a good idea to have a firewall between internet and your devices. But if you do introduce stateful firewall, then performing NAT by that box is almost free of charge as most tasks (connection tracking) are done already.
You can also touch your tongue on both battery terminals…
@Aymen1986 It seems you don’t understand the purpose of NAT or the difference between private and public IP addresses.
Watch this layman’s guide to NAT. How Network Address Translation Works by PieterExplainsTech (a 2012 video, but still one of the best layman’s explanations I am aware of).
I mean, I don’t want to use double NAT. I know the principle of NAT, but in my case there are two NATs: the first one is the ONT (Router) and the second one is the Mikrotik router.
Three choices:
- Reconfigure ONT/router - e.g. directly connect Mikrotik to the ONT, or if ONT+router is integrated look for some “passthrough” mode
- Set up the Mikrotik as a bridge & just use the ISP’s router for NAT
- Use a NAT “netmap” to map your Mikrotik IP /24 range to the /24 subnet assigned by ISP’s ONT/router
Could you help me doing the second and third choices, or give me some resources?
NOTE: ONT WAN port has a dynamic public IP address, not a static one.
Easy fix, remove the ancient rb2011 from the picture and allow your users to use the internet.
Or configure it as a switch if you need a fancy switch.
RB2011 is necessary to control the bandwidth, login, …
Already from the description, the initial question, and the image you have always had confused ideas.
Or maybe you have it clear and you confuse ours because you can’t explain yourself.
Give a detailed description of what the RB2011 does and also the characteristics of what the ONT can do instead of ellipsis…
Configure and use IPv6, then you get many addresses that you can use without NAT.
Sorry, not all ISPs have someone who at least knows what IPv6 is…
I guess I'm lost. Is the ONT giving a dynamic public IP? e.g. not 192.168.x.y, 10.x.y.z, etc
I was under the impression there was a "double NAT" and that's what I'm not hearing... So...
Give a detailed description of what the RB2011 does and also the characteristics of what the ONT can do instead of ellipsis…
Yup that's needed here.
Otherwise, QuickSet would seem to handle this case (e.g. ether1 to ONT, ether2-5 LAN, with a dhcp client on ether1, dhcp server on bridge, masquerade NAT rule).
Yes, but do not eliminate the Double NAT
Well, it's the ONT that's the mystery here. If the ONT is giving out a real public IP (even dynamically via DHCP), there would be no double NAT.
My thought is if ONT was handing out a private subnet, that you can use a netmap, instead of masquerade. It would still be double NAT in a sense, but at least the Mikrotik LAN IPs align with the ISP router's LAN.
But if the ISP is really giving out a private, non-public IP address, or is some "CGNAT", no config is going to remove the double NAT.
Ahhhh, in the last case it is Triple NAT!!!
Probably the OP just wanted to know whether he/she can do bridge mode on the ISP-supplied ONT box to the MT router, so that OP can have many MT features for his/her network - that is why the OP asked how to not do double NAT.
It happens occasionally because the subscribers think ISP-supplied modem/router/combo boxes aren’t feature-rich, nor flexible for their needs.
Now, the question to the OP - what/which ONT did your ISP lend you? How should forum members help you without knowing your ONT box?
And that leads again here:
http://forum.mikrotik.com/t/how-to-remove-one-or-more-nat-layers-from-my-internal-network/167028/1
And... what bandwidth control can you possibly make using the weak, old and slow CPU inside the RB2011? Putting each user on one of the 100Mbps interfaces? Sure... that’s one way to do bandwidth control…