How to route 3 networks to 3 Static IPs using 1 WAN

RouterOS Beginner Basics
1

Hello,
The basic set up is this. Three separate networks, each of these will be plugged into a separate port. We have 5 static IPs from our ISP using the same gateway. Each of these three network will use one of the static IPs going out the same WAN port. (I was going to use a cheap managed switch to VLAN the 3 networks, but it seems like an unnecessary step)

Right now, I am using an older home router with DDWRT on it just to get one network set up, since that way I will be able to set up the others easily enough. The router I am using is the Mikrotik Routerboard.

So far I set up the address list with one of the IPs 10.10.10.30/24 and the network of the DDWRT 192.168.3.1
I set up the gateway with 0.0.0.0/0 10.10.10.1
Right now, I have the NAT set up with srcnat - src address 192.168.1.1 - out interface WAN - action srcnat to address 10.10.10.30

The DDWRT I set up with a static WAN IP of 192.168.3.2 and the gateway of 192.168.3.1
I do have DHCP on with an internal network of 192.168.1.1

The whole point is that these networks need to be kept totally separate, which I don’t think will be a problem. I am guessing it’s a simple routing issue, but it’s been entirely too long since I took networking classes. Thank you for any help that you can send my way.

Basic firewall setup (going off wiki post)
2

A diagram would really help!!

Let me get it straight.
One ethernet cable from fiber modem(ont) will go into ether1 of the mikrotik.
You have a block of 5 IPs to work with, all have the same gateway IP.
You need to have three of the public IPs be directly associated with 3 networks.
Each network will be associated with an etherport.
So something like,
Lets say gateway common gateway IP is 10.10.10.1
ether1-WAN
ether2-Network2 uses public IP 10.10.10.2 with LAN structure of 192.168.2.0/24
ether3-Network3 uses public IP 10.10.10.3 with LAN structure of 192.168.3.0/24
ether4-Network4 uses public IP 10.10.10.4 with LAN structure of 192.168.4.0/24
ether5-LAN1_adminLAN (private LAN behind the router) associated with 10.10.10.5 with LAN structure of 192.168.1.0/24

/IP route 0.0.0.0/0 gatewayip=10.10.10.1 routing-mark=network2 pref-src=10.10.10.2 distance=1
/IP route 0.0.0.0/0 gatewayip=10.10.10.1 routing mark=network3 pref-src=10.10.10.3 distance=1
/IP route 0.0.0.0/0 gatewayip=10.10.10.1 routing-mark=network4 pref-src=10.10.10.4 distance=1
/IP route 0.0.0.0/0 gatewayip=10.10.10.1 pre-src=10.10.10.5 distance=1

/ip firewall mange
add chain=prerouting action=mark-connection new-connection-mark=cm_network2 in-interface=LAN src-address=192.168.2.0/24 passthrough=yes
add chain=prerouting action=mark-route connection-mark=cm_network2 new-routing-mark=network2 passthrough=no

add chain=prerouting action=mark-connection new-connection-mark=cm_network3 in-interface=LAN src-address=192.168.3.0/24 passthrough=yes
add chain=prerouting action=mark-route connection-mark=cm_network3 new-routing-mark=network3 passthrough=no

add chain=prerouting action=mark-connection new-connection-mark=cm_network4 in-interface=LAN src-address=192.168.4.0/24 passthrough=yes
add chain=prerouting action=mark-route connection-mark=cm_network4 new-routing-mark=network4 passthrough=no

The above networks should not be accessible to each other at layer 2 (not bridged).
However the mikrotik could route between them so you would have to make block rules or NOT depending upon FW concept.

Mine would be no need for FW rules… as drop all is the default, if not explicitly allowed its dropped!
/ip firewall filter {forward chain}

  • accept connected established untracked
  • drop invalid
  • allow in-inferface-list=LAN out-interface-list=WAN
  • allow adminaccess to all networks (if you need this)
  • log=yes prefix="Initially monitor all traffic being dropped here to see if adjustments need to be made)
  • drop all else.

/ip firewall NAT (all outgoing traffic needs to be translated on the way back)
add chain=srcnat out-interface=WAN action=srcnat to-addresses=10.10.10.2
add chain=srcnat out-interface=WAN action=srcnat to-addresses=10.10.10.3
add chain=srcnat out-interface=WAN action=srcnat to-addresses=10.10.10.4
add chain=srcnat out-interface=WAN action=srcnat to-addresses=10.10.10.5

Will also need the appropriate entries in winbox but I will be frank with I am real shaky at how to deal with multiple WAN IPs???
For example where I am most nervous is how to fill out
/ip addresses and IP DCHP Client

Also what will /interface list look like.
WAN- ether1
LAN - network2 ether2
LAN - network3 ether3
LAN -network4 ether4
LAN-LAN1_adminLAN ether5

also need
/ip pool
/ip dhcp server
/ip dhcp network

3

Thank you, this is a very helpful start. I’ve been reading and such the past day or so and I figured the main issue is the firewall Mangle and NAT.
Your layout is correct by the way, and let me clear up just a couple of small things. Each network will have it’s own router, so there shouldn’t be a need to set up any DHCP on the Mikrotik. I just need to get in the few routes ( as far as I’m aware ).

As for the firewall, the only thing I will need to work out is that 2 of the networks will need some sort of access from the outside since they are monitored and setup by other companies. At the moment, I don’t know what they will need open to access their devices, but I am hopeful that putting in a firewall rule won’t be too hard.

I started putting in some of the info you suggested. On the firewall mangle, it is saying that mark routing is only available on output and prerouting chains.

EDIT: I was reading up on mangle some more, and specifically marking. I see that marking is a bit resource heavy and I’m kinda worried it will slow things down a bit. One of the networks is going to be for a lot of people (this is for guests in a motel) so I would hate for something like marking to slow it down.
Not sure if I said before, but I do have a simple managed switch (its a TP link sg108e) that I could use to VLAN the networks if that would be better. Then I suppose it would just be a matter for the Mikrotik router to direct each VLAN to its own static WAN IP.

4

Thanks yes, you are right, it should be prerouting (fixed above).

5

Last thing. On your NATs, I dropped the In Interface, and it seems to be working. So its just add chain=srcnat action=srcnat to-addresses=10.10.10.2

If that is OK with the rest of what you have set up there.

6

Quite right, I have fixed and replaced it with out-interface=WAN. You may not need it but I dont think it would hurt.

7

As I’ve been playing with the router this week, looking over the firewall info, I’ve noticed that I don’t think the setup I am wanting is working using the information above.

I am having to use the sorta default masquerade NAT with the Wan out interface. If I disable that, then I have no route to the internet it seems. While that is enabled, I do have internet of course and I have two different devices on two different ports, but both of them just use the default masq NAT and the first WAN IP address. I also don’t see any packets going through the Mangle, so I don’t think that is even being used.

There is still the Dynamic router that uses the WAN gateway and the first WAN IP address. I don’t know if that’s part of the issue or not.

I haven’t done anything with the firewall rules yet. I want to get the routing set up correctly first if I can before I move on to firewall rules.

8

Can you post your config?

9

I did change the static IP address of course, but it should still accurately reflect what I have going on right now.

Also, just a FYI, I only put in the two mangle rules at the moment because I am only using two ports ( 3 and 5 ). When I get these two working as they should, I will put in the other two.

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_FrontDesk poe-out=off
set [ find default-name=ether3 ] name=ether3_Office poe-out=off
set [ find default-name=ether4 ] name=ether4_Guest poe-out=off
set [ find default-name=ether5 ] name=ether5_admin poe-out=off
/interface list
add name=LAN
add name=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.3.2
add name=dhcp_pool2 ranges=192.168.1.6-192.168.1.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3_Office lease-time=2d \
    name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether5_admin lease-time=2h10m \
    name=dhcp2
/ip firewall connection tracking
set enabled=yes
/interface list member
add interface=ether1_WAN list=WAN
add interface=ether2_FrontDesk list=LAN
add interface=ether3_Office list=LAN
add interface=ether4_Guest list=LAN
add interface=ether5_admin list=LAN
/ip address
add address=10.10.10.33/24 interface=ether1_WAN network=10.10.10.0
add address=10.10.10.34/24 interface=ether1_WAN network=10.10.10.0
add address=192.168.3.1/24 interface=ether3_Office network=192.168.3.0
add address=192.168.1.1/24 interface=ether5_admin network=192.168.1.0
add address=10.10.10.35/24 interface=ether1_WAN network=10.10.10.0
add address=192.168.2.1/24 interface=ether2_FrontDesk network=192.168.2.0
add address=192.168.4.1 interface=ether4_Guest network=192.168.4.1
add address=10.10.10.36/24 interface=ether1_WAN network=10.10.10.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.3.0/24 dns-server=63.135.176.1,63.135.176.2,8.8.8.8 \
    gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=63.135.176.1,63.135.176.2,8.8.8.8
/ip firewall mangle
add action=mark-connection chain=forward in-interface=ether5_admin \
    new-connection-mark=ex_admin passthrough=yes src-address=192.168.1.1
add action=mark-routing chain=prerouting connection-mark=ex_admin \
    new-routing-mark=admin passthrough=no
add action=mark-connection chain=forward in-interface=ether3_Office \
    new-connection-mark=ex_office passthrough=yes src-address=192.168.3.1
add action=mark-routing chain=prerouting connection-mark=ex_office \
    new-routing-mark=office passthrough=no src-address=192.168.3.1
/ip firewall nat
add action=src-nat chain=srcnat comment="Admin NAT for .33" out-interface=\
    ether1_WAN routing-mark="" src-address=192.168.1.1 src-address-list="" \
    to-addresses=10.10.10.33
add action=src-nat chain=srcnat comment="Office NAT for .34" out-interface=\
    ether1_WAN routing-mark=office to-addresses=10.10.10.34
add action=src-nat chain=srcnat comment="Front Desk NAT for .35" out-interface=\
    ether1_WAN src-address=192.168.2.1 to-addresses=10.10.10.35
add action=src-nat chain=srcnat comment="Guest NAT for .36" out-interface=\
    ether1_WAN src-address=192.168.4.1 to-addresses=10.10.10.36
add action=masquerade chain=srcnat out-interface=ether1_WAN
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 dst-address=10.10.10.0/32 gateway=10.10.10.1 pref-src=\
    10.10.10.33 routing-mark=admin
add distance=1 gateway=10.10.10.1 pref-src=10.10.10.34 routing-mark=office
add distance=1 gateway=10.10.10.1 pref-src=10.10.10.35 routing-mark=\
    frontdesk
add distance=1 gateway=10.10.10.1 pref-src=10.10.10.36 routing-mark=\
    guestwifi
add distance=1 gateway=10.10.10.1 pref-src=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
10

Looking through the config… the parts that stand out for me…
In general confusing allocation of wanips to lans.
Ether5- admin lan is given 10.10.10.33 (vice .35 cleaner or more obvious)
Ether3- office lan is given 10.10.10.34 (vice .33) cleaner or more obvious)

  1. /ip firewall connection tracking??? never seen this on any of my configs so not sure what it does??

  2. Not sure why for ether3 office subnet ip address you state DNS servers but not for ether5 subnet ip address???

  3. /IP routes,
    a. change the admin one to look like the rest using the 10 routing…
    add distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pre-src=10.10.10.33 routing-mark=admin ******

b. I have no idea what you wanted to achieve with the last one one but preferred source is not for the LANIP entry 192,168,1,1…
thus remove it! (you have covered off the route for the admin network with routing-mark admin)

c. so the question what is missing in IP ROUTES?
answer not sure yet…

  1. If you have fixed WANIP addresses one is supposed to use action source nat from my limited understanding thus require…
    Do not mix mangling up with NAT!!

/ip firewall nat
add chain=src-nat out-interface=ether1 source-address=192.168.1.1/24 action=src-nat to-addresses=10.10.10.33
add chain=src-nat out-interface=ether1 source-address=192.168.3.1/24 action=src-nat to-addresses=10.10.10.34

(you could use source address list instead for example 192.168.1.6-192.168.1.100 if you wanted to narrow it down to DHCP pool but for myself sometimes I use static IPs outside the pool but still want them to be natted). In the office subnet there seems to be only one IP so it could be 192.168.3.2 , but I cannot make those decisions for you. :slight_smile:

  1. In general, Don/t populate the config with a bunch of routes or rules for non-existant network yet… or at least add them but disable them all (grey them out).

    \
  2. Mangling fun…
    question I have is when do you use passthrough =yes and when do you use passthrough=no. Always confuses me.
    Also Not at home but I though the chain was usually prerouting?

/ip firewall mangle
add chain=prerouting in-interface=ether5 action=connection-mark new-connection-mark=ex_admin passthrough= ???
add chain=prerouting connection-mark=ex_admin action=routing-mark new-routing-mark=admin passthrough= ???

add chain=prerouting in-interface=ether3 action=connection-mark new-connection-mark=ex_office passthrough= ???
add chain=prerouting connection-mark=ex_office action=routing-mark new-routing-mark=office passthrough= ???

So the three questions I have for gurus is
a. use of passthrough
b. confirm I don’t need to identify “in interface” or source or anything in second line (route mark line) because I am identifying traffic by connection marking…
c. Is there any value in stating No-Mark on the first line??? (in other words traffic without any mark coming in on interface3 or 5)??

11

a use passthrough when you want to perform additional actions on the connection / packet, i.e. In your example, you marked the connection, but you also want to mark routing on that same connection, so with connection mark you say passthrough = yes, packet will then go to next rule that matches condition, the mark routing will then be applied. Now you do not want any further action on the connection / packet, so you specify passthrough = no

b when using prerouting in and out interface paraders will typically be used to control direction, i.e. If you want to control from outside inwards, you wil use wan interface as in interface, etc.

c typically it will be a good idea, but again, depends on what you want to do. Using your examples above, I would have used connection-mark=no-mark, why? Cause I do not want to mark a connection already marked, also more efficient as the rule will only look at packet that does not have any marks

12

Much thanks CZFAN

Thus…

/ip firewall mangle
add chain=prerouting in-interface=ether5 connection-mark=no-mark action=connection-mark new-connection-mark=ex_admin passthrough=yes
add chain=prerouting in-interface=ether5 connection-mark=ex_admin action=routing-mark new-routing-mark=admin passthrough=no

add chain=prerouting in-interface=ether3 connection-mark=no-mark action=connection-mark new-connection-mark=ex_office passthrough=yes
add chain=prerouting in-interface=ether3 connection-mark=ex_office action=routing-mark new-routing-mark=office passthrough=no

13

OK, that seems to work for the routing marks. I can see the packets going through on the mangle screen.

One thing I don’t understand, and it may still be a config issue, but why do I still need to have the NAT rule add action=masquerade chain=srcnat out-interface=ether1_WAN ?

If I don’t have this enabled, there is no internet access. I do see packets going through the other NATs I have set up for the two networks. I guess if the masquerade is doing the return traffic or something, that should be fine. I just want to make sure there is no crossover between the networks.

Thanks again for all your help. Hopefully this thread can help someone else who is having trouble assigning static IPs to specific ports or networks.

14

Can you post your latest config…
I will have a look to see what I can find…

15

Ya know…I exported the config and as I was looking through it I noticed that the NAT rule I am currently using didn’t have the routing mark. Once I put that in, I disabled the masquerade, and all is good. Simple little oversight I guess.

I also just used the firewall rules Squeeze posted. That seems to be working out.

Thanks once again. I hope that this is all set up and good now, but if I do have something come up, I know where to come.

16

Say what??
Routing marks in NAT rule???
That makes no sense to me.

Marks are created in Mangling and used in IP routes.
NAT is a different type of fish and is independent of source of traffic!!

  • source nat is simply stating traffic going out WANX will get its private IP translated to the public IP of WANX so that return traffic will be routed to the proper private IP.
  • {for multiple fixed wanips going out same interface - one uses the src-nat action and to dress function to state which public IP}
    add chain=srcnat out-interface=ether1 action=src-nat to-addresses=publicIPassigned1/3
    add chain=srcnat out-interface=ether1 action=src-nat to-addresses=publicIPassigned2/3
    add chain=srcnat out-interface=ether1 action=src-nat to-addresses=publicIPassigned3/3

There is no marks involved…
In IP routes is where you state the routing of marked traffic!!!

Please show me the config cause it dont make sense to me…