We have a /29 publicly addressable IP range provided by our ISP and I’m looking for some advice on the best way to set up one of our servers. For most of them we’ve been able to assign private IP addresses and use src/dst NATing to make them work with the public IP address we have assigned to the WAN port. We have one server running some software that isn’t playing nicely behind NAT, so we want to set it up to use a public IP address but keep it behind the firewall. We have a CRS125 device.
To give some background…
Our ISP provides a layer 2 handoff with a /29 subnet – let’s say x.y.z.0/29
Within this range x.y.z.0 is the network address and x.y.z.7 is the broadcast address.
The ISP has set x.y.z.1 as the address of the gateway for this /29 subnet which is the address of the equipment at their end.
The connection from the ISP is plugged into ether1, which has been removed from the standard default-config bridge. We have configured ether1 with an address of x.y.z.2 and established a static route for 0.0.0.0/0 with a gateway of x.y.z.1.
The remainder of our network uses various 192.168.x.x private addresses, with masquerading for workstations and src/dst NATing for servers, and it all works perfectly.
For the server that needs a public IP address rather than src/dst NATing, let’s say we are assigning x.y.z.3. I’ve tried setting up a separate bridge between ether1 and another ethernet port to which the server with the public IP address is connected. The server has an IP address of x.y.z.3 with a gateway of x.y.z.1. This does work, but in this scenario the server is communicating directly with the ISP gateway and isn’t protected behind our firewall. I did experiment with turning on the “use IP firewall” feature for the bridge, but it appears to apply to all bridges and effectively slows everything down as well as putting an additional load on the CPU.
I’d be interested in the thoughts of the various gurus out there on the “best practice” way to allow a server to live inside the network, use a public IP address (in our case x.y.z.3), but remain protected behind our firewall.
For your information, I’m new to RouterOS. Our ISP provided a /30 public IP range for us, but after we requested more public IP addresses for our servers, we were provided with a /29. We have one edge router and three client routers, all on different local networks. All the users are working fine regardless of their location on the premises, and all of them are able to reach the outside world.
My problem is how to configure the servers connected to the different client routers with different public IP addresses from the /29.
This is one area I wish I knew more about. I always thought that for multiple public IPs, what I knew in the Zyxel world as 1:1 mapping (public IP to private IP) was closest, in the Mikrotik world, to something called netmap!
1:1 mapping
If you want to link the public IP subnet 11.11.11.0/24 to the local one, 2.2.2.0/24, you should use the destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 action=netmap to-addresses=2.2.2.0/24
The same can be written using a different address notation, which still has to match the described network:
/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 action=netmap to-addresses=2.2.2.0-2.2.2.255
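Applied to the original poster’s numbers, a complete 1:1 mapping needs both NAT directions plus filter rules, because the RouterOS default firewall lets any dst-natted connection through the forward chain. The following is an added example written for this thread; it is not code from the wiki page quoted above nor from any poster’s router. It assumes 203.0.113.0/29 in place of x.y.z.0/29 (.1 the ISP gateway, .2 on ether1), 203.0.113.3 as the server’s public address, 192.168.10.3 as its private address, and a router still carrying the RouterOS default firewall (the place-before lookups rely on the default rule’s comment). Note that netmap is still address translation: the server itself keeps its private address, so this fits the second poster’s need for several servers on distinct public addresses rather than software that refuses to work behind any NAT.

```routeros
# Added example, not from the thread or the MikroTik wiki. Assumed addressing:
# 203.0.113.0/29 stands in for x.y.z.0/29 (.1 = ISP gateway, .2 = ether1),
# 203.0.113.3 is the server's public address, 192.168.10.3 its private address.

# 1. The router must own the public address so it answers ARP for it on the ISP segment.
/ip address add address=203.0.113.3/29 interface=ether1 \
    comment="public IP mapped 1:1 to 192.168.10.3"

# 2. Inbound: rewrite the destination to the server's private address.
/ip firewall nat add chain=dstnat dst-address=203.0.113.3 action=netmap \
    to-addresses=192.168.10.3 comment="1:1 inbound 203.0.113.3 -> 192.168.10.3"

# 3. Outbound: the server's own connections leave with its public address instead of the
#    general masquerade address. place-before=0 puts this rule ahead of the masquerade rule
#    (assumes a masquerade rule already exists, as the original poster describes).
/ip firewall nat add chain=srcnat src-address=192.168.10.3 out-interface=ether1 \
    action=netmap to-addresses=203.0.113.3 place-before=0 \
    comment="1:1 outbound 192.168.10.3 -> 203.0.113.3"

# 4. The default forward chain only drops WAN traffic that was NOT dst-natted, so every
#    netmapped packet would otherwise be accepted. Filter explicitly on the private address
#    (dstnat runs before the forward chain, so that is the address filter sees). Both rules
#    are inserted before the default drop rule, in order: accept 443, then drop the rest.
#    The comment string is an assumption about the device's default configuration.
/ip firewall filter add chain=forward in-interface=ether1 dst-address=192.168.10.3 \
    protocol=tcp dst-port=443 connection-state=new action=accept \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="server: allow HTTPS from internet"
/ip firewall filter add chain=forward in-interface=ether1 dst-address=192.168.10.3 \
    connection-state=new action=drop \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="server: drop everything else new from internet"
```

After pasting this into the terminal, check the ordering with /ip firewall filter print and /ip firewall nat print: the srcnat netmap rule must sit above the masquerade rule, and the two forward rules must sit below the established/related accept and above the default “drop all from WAN not DSTNATed” rule, otherwise the drop rule in step 4 will also kill return traffic.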
Is it a MUST that this server has a public IP?
If so, I don’t think there is much possible; you will have to either
- request a new small subnet from your ISP and have it “routed” to your Mikrotik, and on the router create a new DMZ LAN with public IPs, or
- “split” your current /29 further, but hey, a /29 is already not large, so.
I had a case too (not on Mikrotik but on a Palo Alto FW) where a device on the inside MUST have a public IP, because for the solution (EoGRE tunnel = Ethernet-over-GRE) NAT was a big no-no.
We ended up splitting a /27 public subnet further down… and creating a specific “inside” LAN/DMZ with public IPs.
Works great of course.
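For the routed-subnet option described above, this is what the DMZ looks like on the RouterOS side. It is an added example for this thread, not configuration from any poster. It assumes the ISP has agreed to route a second block, 198.51.100.0/29, to the router’s existing WAN address (203.0.113.2 standing in for x.y.z.2), that ether5 is a free port on the CRS125, and that the private LAN lies within 192.168.0.0/16 as the original poster describes; the place-before lookups assume the RouterOS default-config rule comment.

```routeros
# Added example, not from the thread. Assumptions: the ISP routes 198.51.100.0/29 to
# 203.0.113.2 (our x.y.z.2 on ether1), ether5 is free, the LAN is inside 192.168.0.0/16.

# DMZ segment: its own bridge; the router takes the first usable address as the gateway.
/interface bridge add name=bridge-dmz comment="public-IP DMZ"
/interface bridge port add bridge=bridge-dmz interface=ether5
/ip address add address=198.51.100.1/29 interface=bridge-dmz
# The server on ether5 is configured with 198.51.100.2/29 and gateway 198.51.100.1.
# No static route is needed: the /29 is directly connected on bridge-dmz, and the ISP's
# route to 203.0.113.2 brings the return traffic to ether1.

# The DMZ must NOT be masqueraded, otherwise the server is back behind NAT.
/ip firewall nat add chain=srcnat src-address=198.51.100.0/29 action=accept \
    place-before=0 comment="DMZ: routed public addresses, never NAT"

# Forward chain for the DMZ. Each rule is inserted before the default "drop all from WAN
# not DSTNATed" rule (which would otherwise drop routed, un-NATed inbound traffic), so the
# insertion order below is the evaluation order: accept 443, drop other new from WAN,
# and stop the DMZ from reaching the private LAN.
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge-dmz \
    protocol=tcp dst-port=443 connection-state=new action=accept \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="DMZ: allow HTTPS from internet"
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge-dmz \
    connection-state=new action=drop \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="DMZ: drop other new connections from internet"
/ip firewall filter add chain=forward in-interface=bridge-dmz dst-address=192.168.0.0/16 \
    action=drop place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="DMZ: a compromised DMZ host cannot reach the private LAN"
```

Because this traffic is routed between ether1 and bridge-dmz rather than bridged, the bridge “use IP firewall” setting the original poster found so expensive is not involved: the forward chain sees the packets anyway. The server keeps its real public address end to end and no NAT rule touches it, which is the property the NAT-averse software needs. Verify with /ip route print that 198.51.100.0/29 appears as a connected route on bridge-dmz before asking the ISP to turn on the route.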
Run your internet into a dumb switch. Take one output from that switch and run it into the WAN port of your MT router, configured with one of your /29 addresses, for example x.y.z.2. Connect your outside server to another port of that dumb switch and give it a different address in the /29 range, for example x.y.z.6. That will of course put your server directly on the internet, so make DAMN sure the firewalling on the server is good. This does give your server the desired public address, but it is not behind your MT firewall.
Just another option…