IP and route configuration for /28

Good day everyone!

I’m sorry if this question is an obvious one but I’m a little bit confused on how to configure my router (CCR2004-16G-2S+) with a /28.

I have been given this information by my ISP:
(of course I changed some information so as not to share my actual IPs)

IP: 180.2.220.48/28
Useable IP: 180.2.220.50 to 180.2.220.62
Gateway: 180.2.220.49
Mask: 255.255.255.240
DNS: 202.96.134.100 / 202.96.134.101

I have a single ethernet cable coming from what they call their NTU as I want to route all traffic to/from my servers through my router.

I wanted to assign the IP 180.2.220.50 to my router and the rest of the IPs to machines connected to my router.

I first assigned the IP 180.2.220.50/32 with network 180.2.220.49 to my interface connected to their NTU.

I then created a bridge (called “WAN”) with IP address 180.2.220.48/28 (network 180.2.220.48).
That bridge includes all my ethernet ports for my servers as well as the interface connected to their NTU (with IP 180.2.220.50).

I then configured every machine connected to my router using either DHCP or manual configuration within the 180.2.220.51-180.2.220.62 range.
For my servers, I used this default route 0.0.0.0/0 with gateway 180.2.220.50.

It works, but I have the feeling it’s not properly configured as some response times are very high.

Routes that are dynamically generated on my router look like this:
0.0.0.0/0 with gateway 180.2.220.49 (manually entered)
180.2.220.48/28 with gateway %WAN
180.2.220.49/28 with gateway %WAN

I made a small drawing to explain the physical connection.
Could anyone give me some feedback if I’m doing anything wrong?
Should I use one of my IPs (180.2.220.51-180.2.220.62 range) for the bridge, or is using 180.2.220.48/28 appropriate?

[Attached image: physicalnetwork.png, a drawing of the physical setup]
Thank you!

The standard way to set this up would be to assign 180.2.220.50/28 to your WAN bridge with a default route to 180.2.220.49. The servers would be assigned addresses of 180.2.220.51/28 (likewise .52, .53, etc. for additional servers) again with a default route to 180.2.220.49.

If you wish to firewall or rate-limit traffic this is one of the cases where /interface bridge settings use-ip-firewall=yes should be used.
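As an added example (not tdw’s own configuration and not from the original post), here is that layout written out as a RouterOS 7 script for the CCR2004. It assumes ether1 is the port to the ISP NTU, ether2 to ether4 go to the servers, and the bridge keeps the original poster’s name WAN; the management address 203.0.113.10 and the choice of which server ports are published are assumptions made for illustration. Addresses, gateway and DNS servers are the (already altered) ones quoted in the question.

```routeros
# Added example, not from the thread. Assumes: ether1 = link to the ISP NTU,
# ether2-ether4 = server ports, bridge name WAN (as in the original post).

/interface bridge
add name=WAN

/interface bridge port
# hw=no keeps bridged frames on the CPU so /ip firewall can see them;
# with hardware offload on, the switch chip forwards them without the firewall.
add bridge=WAN interface=ether1 hw=no comment="uplink to ISP NTU"
add bridge=WAN interface=ether2 hw=no comment="server1 (.51)"
add bridge=WAN interface=ether3 hw=no comment="server2 (.52)"
add bridge=WAN interface=ether4 hw=no comment="server3 (.53)"

# The router's own address sits on the bridge with the full /28 mask, so the
# ISP gateway (.49) and the servers (.51-.62) are all on-link for it.
/ip address
add address=180.2.220.50/28 interface=WAN

/ip route
add dst-address=0.0.0.0/0 gateway=180.2.220.49

/ip dns
set servers=202.96.134.100,202.96.134.101

# Pass bridged IP traffic through /ip firewall filter (forward chain).
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# --- input: traffic addressed to the router itself (180.2.220.50) ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# ASSUMPTION: 203.0.113.10 is the administrator's management address.
add chain=input src-address=203.0.113.10 action=accept comment="management"
add chain=input in-bridge-port=ether1 action=drop comment="no other Internet access to the router"

# --- forward: bridged traffic between the NTU port and the server ports ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# ASSUMPTION: server1 publishes SSH and HTTPS; the other servers publish nothing yet.
add chain=forward in-bridge-port=ether1 dst-address=180.2.220.51 protocol=tcp dst-port=22,443 action=accept
# Anything else arriving from the ISP side towards the /28 is dropped. Outbound
# connections from the servers and server-to-server traffic enter on other
# bridge ports and are therefore not matched by this rule.
add chain=forward in-bridge-port=ether1 dst-address=180.2.220.48/28 action=drop comment="default deny inbound"
```

Each server is then configured with its own address (180.2.220.51/28, .52/28, …) and the ISP gateway 180.2.220.49 as its default route, exactly as tdw describes; the router’s .50 is only used for the router’s own traffic and management. The router does no routing for the servers in this layout: it is the bridge in the path, and the `in-bridge-port` matcher (which only works once `use-ip-firewall=yes` is set) is what lets the forward rules distinguish frames coming from the NTU from frames coming from a server port.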

From the MikroTik router you can route the other IPs towards the servers; take a look at this discussion:
http://forum.mikrotik.com/t/pool-public-29/154811/1

The way the datacentre is set up, you don’t need the router.

Set the Mikrotik up as a transparent firewall.

It would make more sense, especially for a datacentre to route the /28 to a single IP assigned to your router.

You need to clarify the basic ideas…

If the servers must each have their own PUBLIC IP, without increasing latency, you would have done better by putting a switch there and configuring each machine with its own IP 180.2.220.[50..62], subnet /28 (255.255.255.240), gateway 180.2.220.49, etc.

If the MikroTik device is to act as a firewall, with the same configuration as in the previous point also applied to the router, you must create the necessary firewall rules.

I don’t see the need for the device to act as a ROUTER/NAT…

@tdw This is what I ended up doing. Thank you!

I’m still struggling to get the firewall working. I did change /interface bridge settings use-ip-firewall=yes, but the traffic is not being filtered by the firewall. I’m continuing to investigate!

Thank you! How would you do that? Can you point me to some documentation?
Now, using tdw’s comment and some external help, everything is working quite nicely…

Should I change allow-fast-path to “no” or remove the Fast Forward option in the bridge to be able to filter the traffic with the Router firewall?

Thank you again!
[Attached image: bridgesettings.png, the bridge settings dialog]

Which part? But if it is working for you, great.

My transparent firewall, ether6 up-link, ether7 down-link.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether7
add bridge=bridge1 ingress-filtering=no interface=ether6
/interface bridge settings
set use-ip-firewall=yes

/ip firewall raw
add action=drop chain=prerouting src-address-list=Address-List

I’m struggling to have traffic filtered by the router.

Setting use-ip-firewall=yes and use-ip-firewall-for-vlan=yes still does not allow me to filter traffic.

Any idea why?
Forward traffic is going through the firewall, but as soon as I enter a destination IP, it’s not going through the firewall rule…

You must disable hardware offload on each port on the bridge.
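Added example (not part of the reply above): the commands that apply that fix to the poster’s bridge named WAN, plus a way to confirm that bridged traffic now reaches the filter. The server address .51 comes from the question; the temporary counting rule is an assumption for illustration.

```routeros
# Added example, not from the thread. Bridge name WAN from the original post.

# 1. See which bridge ports still have hardware offload enabled (hw=yes).
/interface bridge port print where bridge=WAN

# 2. Disable it on every port of the bridge. With offload on, the switch chip
#    forwards frames between ports without the CPU, so /ip firewall never
#    sees them even when use-ip-firewall=yes is set.
/interface bridge port set [find bridge=WAN] hw=no

# 3. Confirm: a passthrough rule for one server address (.51 from the question)
#    placed at the top of the forward chain should now count bridged packets
#    to that server instead of staying at zero.
/ip firewall filter add chain=forward dst-address=180.2.220.51 action=passthrough comment="hw-offload test" place-before=0
/ip firewall filter print stats where comment="hw-offload test"

# 4. Remove the test rule once the counters are seen to increase.
/ip firewall filter remove [find comment="hw-offload test"]
```

`action=passthrough` counts matching packets without accepting or dropping them, so the test rule does not change what the existing rules do while you watch the `bytes`/`packets` columns of `print stats`.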

Thank you!

Great help from the community, everything is now working as expected.

I understand that for most of you it's your main job (networking), but for me it's a one-time setup where I need/want to understand what is happening, and although I did spend a good amount of time reading/getting trained, sometimes a small help like this makes a big difference!

Thank you again.