Still a newbie finding my way through my first MikroTik. I have an existing CCR1036 router for a small ISP. All customer premises routers are currently addressed with Private IP addresses in VLAN 101. There are a few customers now asking for public static IP addresses to be assigned to their premises routers. They have also asked we not do 1:1 NAT, but deliver a public IP to their router. We have a /26 block of public addresses (let’s call it 1.2.3.192/26) that I have configured as VLAN 102 on the router. I have confirmed our upstream fiber provider is correctly routing that block to the MikroTik. Currently no unsolicited inbound traffic is allowed to the VLAN 101 (Private IP) users. Their premises routers receive private IP addresses dynamically via DHCP address pool. Masquerade NAT is performed for all VLAN 101 connections.
For the public VLAN 102, all DHCP reservations will be manually configured as static, so the premises router always gets the same public IP. We wish to allow any unsolicited inbound traffic straight through the MikroTik to the customer premises router. Conversely, all outbound traffic from the public IP customers (VLAN 102) should pass straight to the internet.
With the masquerade NAT going on, I know that some configuration in the firewall rules is needed to accomplish this, but I am unsure how to configure it bypass the NAT configuration in each direction. Any guidance is much appreciated. Thank-you in advance.
Here is an edited portion of the configuration:
/interface bridge
add arp=proxy-arp comment=\
"Bridge for LACP ports for trunk link to switch" name=trunk1
/interface ethernet
set [ find default-name=ether1 ] comment=\
"Direct connect router management subnet"
set [ find default-name=ether2 ] comment="member of LACP bonding1"
set [ find default-name=ether3 ] comment="member of LACP bonding1" \
mac-address=xx:xx:xx:xx:xx:xx
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="WAN circuit"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface bonding
add comment="802.3ad LACP to Switch Trunk" mode=802.3ad name=bonding1 \
slaves=ether2,ether3
/interface vlan
add comment="Management VLAN" interface=bonding1 name=VLAN10 vlan-id=10
add comment="Users VLAN" interface=bonding1 name=VLAN101 vlan-id=101
add comment="Public IP VLAN" interface=bonding1 name=VLAN102 vlan-id=102
/interface list
add comment="WAN Interfaces" name=WAN
add comment="LAN Interfaces" name=LAN
/ip pool
add comment="DHCP range for VLAN 10" name="Management VLAN pool" ranges=\
172.16.1.51-172.16.1.254
add comment="DHCP range for VLAN 101" name="Users pool" ranges=\
172.16.2.10-172.16.2.254
add comment="DHCP range for Eth1 subnet" name="Ethernet1 pool" ranges=\
192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool="Management VLAN pool" bootp-support=none \
disabled=no interface=VLAN10 lease-time=12h name="Management VLAN"
add add-arp=yes address-pool="Water Tower Users pool" bootp-support=none \
disabled=no interface=VLAN101 lease-time=12h name="Users VLAN"
add add-arp=yes address-pool="Ethernet1 pool" bootp-support=none disabled=no \
interface=ether1 lease-time=12h name=Ethernet1
add add-arp=yes bootp-support=none disabled=no interface=VLAN102 lease-time=\
12h name="Public IP VLAN"
/interface bridge port
add bridge=trunk1 interface=bonding1
/interface bridge vlan
add bridge=trunk1 tagged=bonding1 vlan-ids=10,101,102
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=sfp-sfpplus2 list=WAN
add interface=trunk1 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether1 list=LAN
/ip address
add address=192.168.88.1/24 comment=\
"defconf - direct access to router, but not routed to other subnets" \
interface=ether1 network=192.168.88.0
add address=1.2.3.2/30 comment="WAN Interface" interface=\
sfp-sfpplus1 network=1.2.3.0
add address=172.16.1.1/24 comment="Management VLAN" interface=VLAN10 network=\
172.16.1.0
add address=172.16.2.1/24 comment="Users VLAN" interface=VLAN101 network=172.16.2.0
add address=1.2.3.193/26 comment="Public IP VLAN" interface=VLAN102 network=1.2.3.192
/ip dhcp-server lease
add address=1.2.3.196 comment="Test Device-VLAN 102" mac-address=xx:xx:xx:xx:xx:xx\
server="Public IP VLAN"
/ip dhcp-server network
add address=172.16.1.0/24 comment="Management VLAN" dns-server=\
8.8.8.8,8.8.4.4 gateway=172.16.1.1 netmask=24
add address=172.16.2.0/24 comment="Users" dns-server=\
8.8.8.8,8.8.4.4 gateway=172.16.2.1 netmask=24
add address=1.2.3.192/26 comment="Public IP Users" dns-server=8.8.8.8,8.8.4.4\
gateway=1.2.3.193 netmask=26
add address=192.168.88.0/24 comment="Ethernet 1" dns-server=8.8.8.8,8.8.4.4\
gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=Bogons
add address=10.0.0.0/8 comment=RFC6890 list=Bogons
add address=100.64.0.0/10 comment=RFC6890 list=Bogons
add address=127.0.0.0/8 comment=RFC6890 list=Bogons
add address=169.254.0.0/16 comment=RFC6890 list=Bogons
add address=172.16.0.0/12 comment=RFC6890 list=Bogons
add address=192.0.0.0/24 comment=RFC6890 list=Bogons
add address=192.0.2.0/24 comment=RFC6890 list=Bogons
add address=192.168.0.0/16 comment=RFC6890 list=Bogons
add address=192.88.99.0/24 comment=RFC3068 list=Bogons
add address=198.18.0.0/15 comment=RFC6890 list=Bogons
add address=198.51.100.0/24 comment=RFC6890 list=Bogons
add address=203.0.113.0/24 comment=RFC6890 list=Bogons
add address=224.0.0.0/4 comment=RFC4601 list=Bogons
add address=240.0.0.0/4 comment=RFC6890 list=Bogons
add address=172.16.2.0/24 list=User_subnets
add address=192.168.88.2-192.168.88.254 list=Whitelisted_from_ETH1
add address=1.2.3.192/26 list=User_subnets
/ip firewall filter
add action=drop chain=forward comment="Forward-drop invalid packets" \
connection-state=invalid connection-type=""
add action=drop chain=forward comment=\
"Drop new connections from internet that are not DST-NATed" \
connection-nat-state=!dstnat connection-state=new in-interface=sfp-sfpplus1
add action=fasttrack-connection chain=forward comment=\
"Fast Track established / related packets" connection-state=established,related
add action=accept chain=forward comment="Forward-established / related packets"\
connection-state=established,related,untracked
add action=accept chain=forward comment=\
"Forward-Allow new user VLAN packet out to internet" connection-state=new \
out-interface=sfp-sfpplus1 src-address-list=User_subnets
add action=accept chain=forward comment=\
"Forward-Allow new VLAN 10 packet out to internet" connection-state=new \
out-interface=sfp-sfpplus1 src-address=172.16.1.0/24
add action=accept chain=forward comment=\
"Forward-Allow new ETH1 subnet packet out to internet" \
connection-state=new out-interface=sfp-sfpplus1 src-address=192.168.88.0/24
add action=accept chain=forward comment=\
"Forward-Allow traffic from VLAN 10 to VLAN 101" dst-address=\
172.16.2.0/24 src-address=172.16.1.0/24
add action=accept chain=forward comment=\
"Forward-Allow forwarded dstnat ports" connection-nat-state=dstnat
add action=drop chain=forward comment=\
"Forward-Block traffic from VLAN 101 to VLAN 10" dst-address=\
172.16.1.0/24 src-address=172.16.2.0/24
add action=drop chain=forward comment="Forward-Drop all other traffic"
add action=accept chain=input comment="Input-Allow inbound ping to router" \
limit=5,5:packet protocol=icmp
add action=drop chain=input comment="Input-Drop invalid packets" \
connection-state=invalid
add action=drop chain=input comment=\
"Input-Drop packets from internet with non-routable addresses (Bogons)" \
in-interface=sfp-sfpplus1 log=yes log-prefix="Inbound Bogon Drop" \
src-address-list=Bogons
add action=accept chain=input comment=\
"Input-Accept established / related packets" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"Input-Allow new router access from VLAN 10" connection-state=new \
in-interface=VLAN10
add action=accept chain=input comment=\
"Input-Allow new router access from ETH1" connection-state=new \
in-interface=ether1 src-address-list=Whitelisted_from_ETH1
add action=drop chain=input comment="Input-Drop all other packets"
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"Source NAT traffic destined to internet" out-interface=sfp-sfpplus1
/ip route
add comment="Gateway of Last Resort" distance=1 gateway=1.2.3.1