How to use a public subnet and a natted subnet

Hello,

The title of my topic is a little blurry, but I will try to explain what I want to do with my poor English level.

So, I have a RB4011 router with a PPPoE FTTH link.
My provider provides me a public /29 subnet, which is routed via the public IP of the FTTH.

What I want to do is have two LAN interfaces natted using a different IP address of the subnet for each one.

I can do this using two more routers, but I don’t know how to do it with a single one.
I thought to use the Metarouter functionality, but it’s not supported on any available and powerful enough hardware…

Do you have an idea?

Thanks,

Joris

Nice, so you have six IPs you can use.
Let's say one for the router and normal LAN networks,
and 5 others you can map one to one to devices.
I suppose you can map a public IP to a subnet, but that is more complicated from my meager understanding and will probably involve mangling and marking traffic.
Hopefully someone with experience will chime in… I don't have any LOL

Instead of using a single action=masquerade rule to do the NAT, use multiple action=src-nat rules with individual to-addresses, and let each of them match on a particular src-address. The src-address may be an individual address or a whole subnet, depending on whether your LAN interfaces are bridged together and a single subnet is attached to the bridge interface (so you need a per-host NAT rule), or whether you have the LAN interfaces as separate IP interfaces with separate subnets (so all hosts in the same subnet can be src-nated to the same public IP).

Thanks Sindy, I think I understand what you say, but I need an interface to assign the public subnet to, right?
So, my WAN interface will receive the IP address of the FTTH by DHCP.
Both my LAN interfaces will have a private IP address (let's say 192.168.1.254 and 192.168.2.254).

But my subnet? It’s supposed to be assigned to a “LAN” interface, since it’s routed, so I don’t understand what to do with it :frowning:

No, you don’t. The ISP router is sending packets for these additional public addresses to your router because your other public IP has been configured as a gateway for these additional ones on it - just like when your own router sends a packet to 8.8.8.8 via the ISP’s one acting as a gateway.

And your router knows what to do with these packets, because when it has forwarded an initial packet of a connection initiated from the LAN side to the internet, it has done a src-nat operation, replacing the original source address by one of those additional public addresses. Since then a row in the connection tracking table of its firewall exists, on which the incoming response packets will match and get “un-src-nated” to the original address of the LAN client before being routed further. Or you may add a dst-nat rule if you want to have those LAN hosts accessible from the internet under those additional public addresses - again, the packet to one of those additional public addresses will encounter this rule first, get dst-nated, and then be forwarded to the private address.

As explained above, don’t assign that public “subnet” anywhere, just use IP addresses from it as to-addresses in action=src-nat rules and as dst-address in action=dst-nat rules. This will also mean that you won’t need to waste the first and last address for “network” and “broadcast” and you’ll be able to use all 8 addresses instead of just 6.

So if you assign 192.168.1.254/24 to one LAN interface, and 192.168.2.254/24 to the other one, probably with a DHCP server on each, you can use just two rules:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses=additional.public.ip.X
add chain=srcnat src-address=192.168.2.0/24 action=src-nat to-addresses=additional.public.ip.Y

placed before (above) the default action=masquerade one, and you’ll be good to go. Whatever you connect to LAN 1 (192.168.1.0/24) will be src-nated to additional.public.ip.X, and whatever you connect to LAN 2 (192.168.2.0/24) will be src-nated to additional.public.ip.Y.

Once you check that this works, you can implement finer rules, dst-nat etc.

Thanks a lot!
It’s crystal clear now :slight_smile:
You just saved me a lot of time and headaches, so thank you again!

Have a nice weekend :slight_smile:

Joris

It’s actually a good idea to make the router aware of the routed subnet, other than just using some addresses or ports with src/dstnat. If a subnet is routed to you, and you don’t assign addresses anywhere, and a packet comes for some unused one, your router will have no idea that it’s your address, so it will send it back to the ISP, and the ISP will send it back to you, … and the routers will play ping-pong until the packet’s TTL expires.

A good starting point, as an anti-ping-pong measure, is an unreachable route for the whole routed subnet:

/ip route
add dst-address=x.x.x.x/29 type=unreachable

And if you want used addresses to seem alive, to be e.g. able to ping them, even when you don’t dstnat the whole address (all ports) to some internal device, then assign them to the router. It doesn’t really matter where, but a popular choice is some loopback interface (which RouterOS doesn’t have, so an empty bridge can be used instead):

/interface bridge
add name=loopback protocol-mode=none
/ip address
add interface=loopback address=x.x.x.a/32
add interface=loopback address=x.x.x.b/32
...
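Putting Sindy's per-LAN src-nat rules and Sob's anti-ping-pong route together, here is a complete RouterOS (v6 syntax) configuration as an added example; it is not from any poster in this thread. It assumes the PPPoE interface is named pppoe-out1, the LANs sit on ether2 and ether3, the routed block is the placeholder 203.0.113.8/29 (RFC 5737 documentation range), and 192.168.1.10 is a hypothetical internal host used only for the dst-nat rule.

```routeros
# Added example: routed /29 behind a PPPoE uplink, two LANs, one public IP each.
# Assumptions (placeholders): WAN=pppoe-out1, LAN 1=ether2, LAN 2=ether3,
# routed block=203.0.113.8/29, internal server=192.168.1.10.
/ip address
add interface=ether2 address=192.168.1.254/24 comment="LAN 1"
add interface=ether3 address=192.168.2.254/24 comment="LAN 2"

# Anti ping-pong: any address of the /29 that nothing more specific claims
# is dropped here instead of being bounced back to the ISP until TTL runs out.
/ip route
add dst-address=203.0.113.8/29 type=unreachable comment="routed /29 sink"

# Addresses that should answer ping live on an empty bridge used as loopback.
# A /32 is more specific than the /29 sink above, so it wins in routing.
# Unsolicited packets to these /32s now hit the input chain, so the input
# filter must treat them exactly like traffic to the PPPoE address itself.
/interface bridge
add name=loopback protocol-mode=none
/ip address
add interface=loopback address=203.0.113.9/32 comment="public IP for LAN 1"
add interface=loopback address=203.0.113.10/32 comment="public IP for LAN 2"

/ip firewall nat
# Per-LAN source NAT, placed above the masquerade rule so they match first.
# out-interface=pppoe-out1 keeps LAN 1 <-> LAN 2 traffic from being rewritten
# to a public address as well (a plain src-address match would do that).
add chain=srcnat src-address=192.168.1.0/24 out-interface=pppoe-out1 \
    action=src-nat to-addresses=203.0.113.9 comment="LAN 1 -> .9"
add chain=srcnat src-address=192.168.2.0/24 out-interface=pppoe-out1 \
    action=src-nat to-addresses=203.0.113.10 comment="LAN 2 -> .10"
# Catch-all for anything else leaving via PPPoE (e.g. a management LAN).
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="default"

# Optional: publish a single service on .9, limited to the one port it needs.
# dstnat runs before routing, so this wins over the /32 on the loopback.
add chain=dstnat dst-address=203.0.113.9 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 comment="HTTPS on .9"
```

To confirm the right rule is doing the work, `/ip firewall nat print stats` should show the two src-nat rules counting packets rather than the masquerade one, and `/ip firewall connection print detail` should list connections from 192.168.1.x with reply-dst-address=203.0.113.9.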

I forgot about those unused (yet) ones, but I think the unreachable route is sufficient, as both dst-nat and “un-src-nat” take place before routing.

It depends on what you want. I like to have used addresses pingable, so they need to be either assigned to some device, or dstnatted as whole (or at least icmp) to another. But it’s possible to live without that.

Thanks Sob for those explanations :slight_smile:

Joris