How to set up RouterOS with 2 different subnets from ISP

Dear friends,

I have changed my ISP and have a problem with configuring my RouterOS installation.

The previous ISP provided only one (1) external IP address - thus I used SRC NAT with MASQUERADE and all was fine.

However my new ISP gave me one internal (1) IP address and a range of IP addresses that are public (e.g. one (1) 87.199.20.70/30 and then a range of IP addresses which are pingable from the Internet - e.g. 217.122.1.50/29).

I am baffled how to set up this type of connection where I have 2 different subnets and would be grateful for any and all tips :slight_smile:

Thank you very much in advance for all help

john

You have to add 87.199.20.70/30 at the WAN interface & 217.122.1.49/29 at the LAN interface. Your usable IPs will be 217.122.1.50-217.122.1.54 & the configuration will be:

/ip address
add address=87.199.20.70/30 disabled=no interface=ether1
add address=217.122.1.49/29 disabled=no interface=ether2
/ip route
add dst-address=0.0.0.0/0 gateway=87.199.20.69

Thanks a lot :wink: And then for my local addresses to have internet access (e.g. clients in the 192.168.1.1/24 subnet) I should assign 192.168.1.1 to ether3 and create a SRCNAT/MASQUERADE rule in firewall?

Yes, you can. This configuration will be the same as your previous configuration with the first ISP.

The command line will be:

/ip address
add address=192.168.1.1/24 disabled=no interface=ether3
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1

Hmmmm.. unfortunately the proposed configuration doesn’t work :frowning:

What I don’t understand - how does adding an IP to LAN2 (add address=217.122.1.49/29 disabled=no interface=ether2) make a difference when it’s not physically connected to any other LAN ports or in a bridge?

The suggestion to put the /29 on LAN2 would mean that the IPs would be available directly on LAN2

i.e. a machine connected to LAN2 could be assigned an address in that range and not need any NAT.

If you want to use NAT instead then you would assign all IPs to the WAN interface, and then add specific srcnat rules to use them, e.g.:

/ip address add address=217.122.1.49/29 disabled=no interface=ether1
/ip address add address=217.122.1.50/29 disabled=no interface=ether1
/ip address add address=217.122.1.51/29 disabled=no interface=ether1

/ip firewall nat add action=src-nat chain=srcnat comment="192.168.1.10 goes out on .50" out-interface=ether1 src-address=192.168.1.10 to-addresses=217.122.1.50

/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade everything else" out-interface=ether1

Hope that helps

Nick.

I have a similar situation with a /28 that is currently on a Fortigate that I want to move to MikroTik. If I understand the above it maps the 217.122.1.50 public address to the 192.168.1.10 address on the outgoing side (from the 192.168…) and provides NAT and source masking. What would the incoming side look like?

TIA … JT

For inbound NAT you can use a dstnat rule, e.g.:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=217.122.1.50 to-addresses=192.168.1.10

This would NAT all traffic through; you could reduce this to just the ports you want by adding some ports, e.g.

protocol=tcp dst-port=80,8080

Note that NAT happens first and then IP → Firewall → Filter, so you need to make sure the traffic is allowed in the forward chain using the internal address as the dst-address, e.g.:

/ip firewall filter add action=accept chain=forward dst-address=192.168.1.10 dst-port=80,8080 protocol=tcp

would allow ports 80 and 8080.
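The pieces above (addresses, default route, 1:1 source NAT, masquerade, dst-nat and the forward accept) are scattered across several replies; the following is an added example, not configuration posted by anyone in this thread, that assembles them into one consistent RouterOS script. It reuses the thread's addresses (87.199.20.70/30 on ether1 with gateway .69, 217.122.1.50 from the /29 mapped to 192.168.1.10, LAN 192.168.1.0/24 on ether3) and adds three things the thread does not spell out: `protocol=tcp` on the port-restricted rules (RouterOS rejects `dst-port` without a protocol), an established/related accept at the top of the forward chain, and a final drop of all other new connections arriving from the WAN so that only the dst-nat'd ports are reachable from outside. Interface names and the choice to put the /29 on ether1 (Nick's NAT variant) are assumptions.

```routeros
# Assumed example configuration, not from the thread. Values reused from the
# discussion: WAN /30 on ether1, public /29 used for NAT on ether1, LAN on ether3.
/ip address
add address=87.199.20.70/30 interface=ether1 comment="ISP point-to-point /30"
add address=217.122.1.50/29 interface=ether1 comment="public /29 address used for 1:1 NAT"
add address=192.168.1.1/24 interface=ether3 comment="LAN"

/ip route
add dst-address=0.0.0.0/0 gateway=87.199.20.69 comment="default route via ISP"

/ip firewall nat
# Outbound: 192.168.1.10 always leaves as 217.122.1.50; everything else masquerades.
add chain=srcnat src-address=192.168.1.10 out-interface=ether1 \
    action=src-nat to-addresses=217.122.1.50 comment="192.168.1.10 goes out on .50"
add chain=srcnat out-interface=ether1 action=masquerade comment="masquerade everything else"
# Inbound: only TCP 80 and 8080 on 217.122.1.50 are forwarded to the internal host.
# protocol=tcp is required whenever dst-port is used.
add chain=dstnat in-interface=ether1 dst-address=217.122.1.50 protocol=tcp \
    dst-port=80,8080 action=dst-nat to-addresses=192.168.1.10 \
    comment=".50:80,8080 -> 192.168.1.10"

/ip firewall filter
# dst-nat has already rewritten the destination by the time the forward chain
# runs, so match on the internal address here.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to existing connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=ether1 connection-state=new dst-address=192.168.1.10 \
    protocol=tcp dst-port=80,8080 action=accept comment="allow the published ports"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop every other new connection from the WAN"
```

Rule order matters in RouterOS: the filter rules are evaluated top to bottom, so the final drop must stay last and the established/related accept first, otherwise return traffic for the LAN's own outbound connections would be blocked. The masquerade rule is placed after the 1:1 src-nat rule for the same reason; if it came first, 192.168.1.10 would leave as 87.199.20.70 like everyone else.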