Public IP behind my Mikrotik

Dear:

I wanted to know if you could give me a short introduction to the subject of how to put a public IP behind my Mikrotik router. I have a pool of IPs that was assigned to a Cisco router. From there I reach my Mikrotik router via wireless. The Eth0 of my Mikrotik has an IP from this pool. I wanted to know how I can put a second public IP behind Eth0. This is the input IP of my WLAN towards the Internet.

thanks

PS: Excuse my bad English

There are several ways to do that:

  1. You can try to split your IP block into several smaller subnets, and do routing for the second subnet you put behind the router.

  2. You can use dst-nat to translate requests for a certain IP address to one of your local IP addresses. You can still host, for example, a webserver using this configuration.

  3. You can set two of your router interfaces as bridge interfaces, and another one as gateway for the local network. You connect one of the bridge interfaces to the internet, and the other bridge interface to the server.

And also you can use proxy-ARP. Do a search here and you should get plenty of explanations.

It sounds like you're looking to do what I do?

To get this right: you have a pool of public IPs from a Cisco router?
And your Mikrotik is getting one of these IPs, but you are wanting to give some customers or computers more of these public IPs so that they get their own IP? If that's so, what we do is we have our MT PUBLIC interface use 12.46.88.2 for its main IP address for masquerading all of the private addresses on our network, i.e. 10.0.0.x. ALSO we have some customers, i.e. 10.0.0.7, that want a public IP because they run a server or telnet-type stuff. So what we have done is just add their public IP 12.46.88.3, or whatever you have in your PUBLIC POOL, to the WAN/PUBLIC INTERFACE; then we use srcnat & dstnat RULES to forward all incoming and outgoing connections to and from their public IP to their private IP. SEE BELOW, which was taken from the HOW TO SITE, "How to Link Public Addresses to the Local Ones?":

ALSO see the link to the page:
http://www.mikrotik.com/Documentation/HowTo.html#How_dstnat


Let us assume two addresses (10.0.0.216 and 10.0.0.217) are assigned to the router. In this example we will 'full NAT' the internal address 192.168.0.4 to the external 10.0.0.216 one while keeping 10.0.0.217 for the router itself as well as for masquerading the internal network.

To add 10.0.0.216/24 and 10.0.0.217/24 addresses to the router's Public interface and 192.168.0.254/24 to the router's Local interface:

[admin@MikroTik] ip address> add address=10.0.0.216/24 interface=Public
[admin@MikroTik] ip address> add address=10.0.0.217/24 interface=Public
[admin@MikroTik] ip address> add address=192.168.0.254/24 interface=Local
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 10.0.0.216/24 10.0.0.0 10.0.0.255 Public
1 10.0.0.217/24 10.0.0.0 10.0.0.255 Public
2 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
[admin@MikroTik] ip address>

While adding the default route to the router you should be aware of having two addresses. You should specify the address that the router will be using while talking to the outer networks:
[admin@MikroTik] ip route> add gateway=10.0.0.1 preferred-source=10.0.0.217
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp

DST-ADDRESS G GATEWAY DISTANCE INTERFACE

0 S 0.0.0.0/0 r 10.0.0.1 1 Public
1 DC 10.0.0.0/24 r 0.0.0.0 0 Public
2 DC 192.168.0.0/24 r 0.0.0.0 0 Local
[admin@MikroTik] ip route> print

Add DST-NAT rule allowing access to the internal server from external networks:
[admin@MikroTik] ip firewall dst-nat> add dst-address=10.0.0.216/32 action=nat
... to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=0.0.0.0/0:0-65535 in-interface=all
dst-address=10.0.0.216/32:0-65535 protocol=all icmp-options=any:any
flow="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535

[admin@MikroTik] ip firewall dst-nat>

To add SRC-NAT rules allowing the internal server to talk to the outer networks having its source address translated to 10.0.0.216, while translating other internal hosts' source addresses to 10.0.0.217:
[admin@MikroTik] ip firewall src-nat> add src-address=192.168.0.4/32
... action=nat to-src-address=10.0.0.216
[admin@MikroTik] ip firewall src-nat> add src-address=192.168.0.0/24
... action=nat to-src-address=10.0.0.217
[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=192.168.0.4/32:0-65535 dst-address=0.0.0.0/0:0-65535
out-interface=all protocol=all icmp-options=any:any flow=""
limit-count=0 limit-burst=0 limit-time=0s action=nat
to-src-address=10.0.0.216 to-src-port=0-65535

1 src-address=192.168.0.0/24:0-65535 dst-address=0.0.0.0/0:0-65535
out-interface=all protocol=all icmp-options=any:any flow=""
limit-count=0 limit-burst=0 limit-time=0s action=nat
to-src-address=10.0.0.217 to-src-port=0-65535

[admin@MikroTik] ip firewall src-nat>


I hope that this is what you were/are looking for.

Joe Hydzik
Wide Open Wireless
Elmira, NY

What I do in these cases is as follows:

Let's assume that you have a 192.168.2.0/29 public IP block, and also a WAN IP 10.1.1.25 (public interface) assigned by your provider. You can ask your provider to route the public subnet via your WAN IP 10.1.1.25, and then in this case you can configure your local interface with aliases, like this:

WAN IP: 10.1.1.25/24 (public interface) facing your ISP
LAN IP1: 172.16.1.1 (local interface) facing your Local Network
LAN IP2: 192.168.2.1/29 (local interface) facing your Local Network
GW: 10.1.1.1

In this case you can srcnat the 172.16.1.0/24 subnet to your WAN IP, and the public subnet you can use for either clients or servers.

regards.

Faton

Hi,

Thanks for all the answers. I am trying to follow the document step by step, but according to the document (suggested by jhydzik) I must have a folder IP firewall dst-nat> and I only have IP firewall nat >. Does this have to do with the software version of my Mikrotik or the license level?

thanks.

ip firewall nat >

is for 2.9 version

ip firewall dst-nat >

is for 2.8 version

Maximiliano Dobladez
Mikrotik Certified
Intercity SRL
Rio Cuarto-Argentina
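
The 2.8 dst-nat and src-nat rules quoted earlier in the thread, rewritten for the `ip firewall nat` menu, as an added example that is not part of the original posts or of the MikroTik HowTo. The addresses and the `Public` interface name come from the quoted HowTo; the forward-chain filter rules and TCP port 80 (a web server on 192.168.0.4) are assumptions for illustration.

```routeros
# Added example: nat-menu equivalent of the quoted dst-nat / src-nat rules.
# Addresses are those of the quoted HowTo; the filter rules and TCP port 80
# are assumptions, not taken from the thread.

/ip firewall nat
# Inbound: anything addressed to 10.0.0.216 is rewritten to the internal server.
add chain=dstnat dst-address=10.0.0.216 action=dst-nat to-addresses=192.168.0.4
# Outbound: the server leaves as 10.0.0.216. This rule must sit above the /24
# rule, because NAT rules are evaluated top to bottom and the first match wins.
add chain=srcnat src-address=192.168.0.4 action=src-nat to-addresses=10.0.0.216
# Outbound: every other internal host leaves as 10.0.0.217.
add chain=srcnat src-address=192.168.0.0/24 action=src-nat to-addresses=10.0.0.217

/ip firewall filter
# The dst-nat rule above has no protocol or port match, so by itself it
# exposes every port of 192.168.0.4 on the public address. dst-nat is applied
# before the forward chain, so these rules match the translated address.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
# Assumed service: allow new inbound connections to the web server only.
add chain=forward in-interface=Public dst-address=192.168.0.4 protocol=tcp dst-port=80 action=accept
# Everything else arriving from the Public side for the server is dropped.
add chain=forward in-interface=Public dst-address=192.168.0.4 action=drop
```

Replies to connections the server opens itself are still accepted by the established/related rules, so the final drop rule only blocks unsolicited inbound traffic.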

Hi all,

Thanks Maximiliano, I am going to try it within this folder.

And what about using PPPoE?

I have a pool of public IPs and I want to offer that pool to my customers.

If I'm using PPPoE, how can I do that? Do I have to bridge any interfaces? Has anybody done that?