ISP routed bridge + traditional NAT setup.

Although I’ve been using RouterOS for many years, it has only been for easy, simple traditional NAT setups and some basic WLAN stuff.

I’ve upgraded my optical ISP connection to 10GbE and ordered some additional IPs from my ISP; it’s getting more complicated, and somehow I’m getting stuck on making a configuration.

My current hardware setup:
Hardware CCR2004-1G-12S+2XS, running 7.16.
4x Mikrotik 10G SFP+ modules in ports 1, 3, 4 and 5
ISP XGPON is connected to port 1
unRAID server on port 3, pfsense hosts on ports 4 and 5.

My ISP (IP addresses are anonymized):
Primary WAN IP: 90.90.90.90
Additional WAN IPs: 80.80.80.8/29

According to my ISP, the 80.80.80.8/29 block is routed to my primary IP at 90.90.90.90. So, from the 90 IP address, I have to handle the routing on my own.

What I’m trying to achieve is:

I have 3 hosts: 2 of them are pfsense firewalls, and 1 is an unRAID server. The unRAID server cannot be fully exposed to the internet, only a few port forwards for some of its dockers.
The pfsense firewalls need a dedicated WAN IP from the 80.xxx range.

What I’m trying to achieve:
The unRAID server, whether it’s on 90.90.90.90 or on any IP in the WAN 80.80.80.8/29 range, needs to be behind the RouterOS NAT, so I can create individual port forwards and not expose the insecure web UI and SMB ports.
The 2 pfsense firewalls get dedicated WAN IPs from the 80.80.80.8/29 range and need to be fully exposed to the internet.

I’m trying to find some examples of this rather unique (?) setup, but have failed to find one.
Could anyone help push me in the right direction?

You’re lucky that the addresses are being routed to you because you can manage them however you desire:

For the pfsense firewalls you can add public IPs directly on the ports facing them.

For the unRAID server you can add a route with dst-address=public IP and gateway=natted subnet, as well as add the public IP to a loopback interface:

/ip route
# route the chosen public IP towards the NATted subnet behind the router
add dst-address=80.80.80.x gateway="natted_subnet_gateway"

/ip firewall nat
# source NAT on the interface facing unRAID, using the chosen public IP
add action=src-nat chain=srcnat out-interface=ether3 to-addresses=80.80.80.x

/ip address
# the public IP also lives on the loopback so the router answers for it
add address=80.80.80.x interface=lo

I’d create a bridge on the 80.80.80.8/29 range. Give the bridge an address, say 80.80.80.9. Add the firewall ports to that bridge. Each firewall gets an address picked from 80.80.80.10 to .14, and a gateway of 80.80.80.9.

At the Mikrotik WAN/Internet interface you need to exclude 80.80.80.8/29 from NAT.

You could use a VLAN instead of a bridge if you’re more familiar, or if there’s a likelihood you’ll ever want to trunk multiple VLANs to the firewall on the same interface.
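A worked RouterOS configuration for the bridge approach above together with the NAT exclusion and the unRAID port forwards, as an added example that is not from either reply. The port names sfp-sfpplus1/3/4/5, the private 192.168.10.0/24 segment, the unRAID address 192.168.10.20 and the forwarded port 8443 are assumptions; 90.90.90.90 and 80.80.80.8/29 are the anonymized addresses from the question.

```routeros
# Added example, not from the thread. Assumed: port 1 = sfp-sfpplus1 (ISP), port 3 = sfp-sfpplus3 (unRAID),
# ports 4 and 5 = sfp-sfpplus4/5 (pfsense); LAN 192.168.10.0/24 with unRAID at 192.168.10.20.
/interface bridge
add name=bridge-public comment="routed /29 for the pfsense WAN interfaces"
/interface bridge port
add bridge=bridge-public interface=sfp-sfpplus4
add bridge=bridge-public interface=sfp-sfpplus5

/ip address
# .9 is the gateway the firewalls use; they take .10 to .14 themselves
add address=80.80.80.9/29 interface=bridge-public comment="gateway for the firewalls"
add address=192.168.10.1/24 interface=sfp-sfpplus3 comment="private segment for unRAID"

/ip firewall address-list
add list=public-routed address=80.80.80.8/29

/ip firewall nat
# the /29 is routed to 90.90.90.90 by the ISP, so it must leave untouched: keep this rule above the masquerade
add chain=srcnat action=accept src-address-list=public-routed comment="no NAT for the routed /29"
add chain=srcnat out-interface=sfp-sfpplus1 src-address=192.168.10.0/24 action=masquerade comment="unRAID behind 90.90.90.90"
# one explicit forward per container port; nothing else on 90.90.90.90 is opened
add chain=dstnat in-interface=sfp-sfpplus1 dst-address=90.90.90.90 protocol=tcp dst-port=8443 action=dst-nat to-addresses=192.168.10.20 to-ports=8443 comment="docker on unRAID"

/ip firewall filter
add chain=forward action=accept connection-state=established,related
# only connections that matched a dstnat rule may reach the private segment from the ISP side
add chain=forward action=accept in-interface=sfp-sfpplus1 connection-nat-state=dstnat comment="forwarded ports only"
add chain=forward action=drop in-interface=sfp-sfpplus1 dst-address=192.168.10.0/24 comment="web UI, SMB and everything else stay unreachable"
```

Traffic to the firewalls' addresses in 80.80.80.10 to .14 is passed by the forward chain unchanged, because no rule above touches the bridge, so the pfsense boxes remain fully exposed as requested.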