How to Utilize IP Addresses from Single ISP as Multiple WAN

For the scenario where the router will sit in front of every device that will "use" those 1.10.100.115-1.10.100.126 addresses (for instance servers or VMs), because the router needs to do firewall filtering duty for example, there is a way to do that which involves no NAT:

  • In /ip address the address entry associated with ether1 should be address=1.10.100.114/32 network=1.10.100.113, instead of address=1.10.100.114/28 network=1.10.100.112.

  • In /ip route the static default route is still dst-address=0.0.0.0/0 gateway=1.10.100.113.

  • Add 12 published=yes ARP entries on ether1 for the addresses 1.10.100.115-1.10.100.126:

    /ip arp
    add address=1.10.100.115 interface=ether1 published=yes
    add address=1.10.100.116 interface=ether1 published=yes
    add address=1.10.100.117 interface=ether1 published=yes
    # ...
    add address=1.10.100.125 interface=ether1 published=yes
    add address=1.10.100.126 interface=ether1 published=yes
    
  • On the bridge or VLAN or ethernet interface where the servers / VMs with public IP addresses will reside, configure the /ip address entry. Let's assume the interface is called servers:

    /ip address
    add address=1.10.100.114/28 interface=servers network=1.10.100.112
    

    Note that here we give the router the address 1.10.100.114 too, although the router already has the same address on ether1; that is not a problem.

  • Add a static published ARP entry for 1.10.100.113 on this servers interface:

    /ip arp
    add address=1.10.100.113 interface=servers published=yes
    

    Note the interface here, it's servers not ether1!

  • Now we can either manually assign static addresses for hosts connected to the servers interface, with addresses in the range 1.10.100.115-1.10.100.126; the default gateway should be set to 1.10.100.114.

  • Or alternatively we can just set up a DHCP server on the servers interface with the correct information:

    /ip pool
    add name=dhcp-servers ranges=1.10.100.115-1.10.100.126
    
    /ip dhcp-server network
    add address=1.10.100.112/28 dns-server=1.10.100.114 gateway=1.10.100.114
    
    /ip dhcp-server
    add address-pool=dhcp-servers interface=servers name=dhcp-servers
    

    And of course, it's preferable to add static leases on this DHCP server because we don't want the devices' addresses to jump around!

  • In case we have a masquerade rule on out-interface=ether1 that performs SRCNAT going to the WAN, then we need to modify this rule to exclude the devices that already have the public IP addresses from being NAT-ed. The rule will be modified to be something like:

    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether1 src-address=!1.10.100.112/28
    
  • Adjust the firewall filter table with rules that explicitly allow incoming traffic to the addresses and ports of the devices on the servers interface, if needed.
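The steps above are easy to get wrong by hand (13 ARP entries, the /32 on the WAN side, the NAT exclusion). As an added example that is not part of the original post, this Python helper derives the usable host range from the prefix and emits the matching RouterOS commands; the function and parameter names are this example's own, while the interface names ether1 and servers and the 1.10.100.112/28 values come from the post.

```python
# Added example (not from the original post): derive the server addresses and
# emit the RouterOS commands for the no-NAT published-ARP layout described above.
# Function and parameter names are this example's own.
import ipaddress

def plan_public_subnet(prefix, isp_gateway, router_addr, wan_if="ether1", lan_if="servers"):
    """Return (usable hosts, RouterOS config text) for a public block routed without NAT.

    Checks the values most likely to be mistyped: the ISP gateway and the router's own
    address must both sit inside the prefix and must differ; every other host address in
    the block is handed to the servers behind the router.
    """
    net = ipaddress.ip_network(prefix, strict=True)          # e.g. 1.10.100.112/28
    gw = ipaddress.ip_address(isp_gateway)                   # ISP side, e.g. .113
    rtr = ipaddress.ip_address(router_addr)                  # our WAN address, e.g. .114
    if gw not in net or rtr not in net:
        raise ValueError("ISP gateway and router address must be inside the prefix")
    if gw == rtr:
        raise ValueError("ISP gateway and router address must differ")
    hosts = [h for h in net.hosts() if h not in (gw, rtr)]   # .115-.126 for a /28

    cfg = [
        "/ip address",
        # /32 on the WAN side with network= pointing at the ISP gateway, so ether1 does
        # not own the whole prefix; the prefix itself is bound to the servers interface.
        f"add address={rtr}/32 interface={wan_if} network={gw}",
        f"add address={rtr}/{net.prefixlen} interface={lan_if} network={net.network_address}",
        "/ip route",
        f"add dst-address=0.0.0.0/0 gateway={gw}",
        "/ip arp",
        # Published entries: the router answers ARP for every server address on the WAN
        # side, and answers for the ISP gateway on the servers side.
        *[f"add address={h} interface={wan_if} published=yes" for h in hosts],
        f"add address={gw} interface={lan_if} published=yes",
        "/ip firewall nat",
        # Keep masquerade for the private LANs only; the public block must leave un-NATed.
        f"add action=masquerade chain=srcnat out-interface={wan_if} src-address=!{net}",
    ]
    return hosts, "\n".join(cfg)

if __name__ == "__main__":
    hosts, text = plan_public_subnet("1.10.100.112/28", "1.10.100.113", "1.10.100.114")
    print(f"{len(hosts)} usable server addresses: {hosts[0]} - {hosts[-1]}")
    print(text)
```

The output is meant to be reviewed and pasted into the RouterOS terminal, not applied blindly; in particular the firewall filter rules for the servers still have to be written by hand.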

After doing this, we'll have hosts/servers/VMs attached to the servers interface with true public IP addresses. They will be able to go out to the internet with their own public IP addresses as source addresses, and no NAT will be performed.

If the filter rules are correct, they will also be able to directly accept incoming connections from the outside, to the allowed ports and services hosted on them, using their own public IP addresses as destination. No DSTNAT is involved.

Here is my test config to confirm the above is working as intended:

Screenshot

Here ether3 is the WAN interface, ether2 is the servers interface, and the address range is 172.20.80.0/28 instead of 1.10.100.112/28.
