Perhaps this is a simple question, but still, I don’t hesitate to ask.
The background is as follows: I have an RB3011 router at the entrance, into which the optical provider delivers a service (Internet) and several external IP addresses (a subnet of 5 addresses, /29 mask) on one interface (and one channel, respectively); the network is routed on the provider's side (their gateway), so I am connected to the outside world by one interface (in this case sfp1). I get this from the provider without a VLAN, on a clean interface.
The goal is the following: I want to distribute these addresses on this router to downstream routers, on which NAT and everything else will already be configured (or not configured, this is not so important, I think), but with the condition that each address from the subnet issued by the provider will be assigned to a separate interface, i.e. so that even if a “hypothetical attacker” tries to configure a different address on downstream equipment, he will not succeed. Simply put, I want to act as a “mini ISP”. I perfectly understand the option when all ports are combined into a bridge (on RB3011) and it works without problems, but from any port of the “head” router I can take any address from this subnet from any port, but I would like to exclude this.
For clarity, I’ll write a fictitious version of the subnet:
subnet address 150.15.130.64 (mask /29, i.e. 255.255.255.248)
address range 150.15.130.66 - 150.15.140.70
gateway 150.15.130.65
As a result, I would like to get the RB3011 setup, in which a channel from the provider came to sfp1, and the addresses from the subnet were firmly fixed on the interfaces (ether1 - 150.15.130.66, ether2 - 150.15.130.67, ether3 - 150.15.130.68, etc., but I would leave one address on the “main” one for management, of course), and on the lower-level equipment the settings would be made as if a cable (channel) had arrived to them from the ISP.
One option (CPU-expensive) is to set up the 3011 as a PPPoE server,
with a username/password for each downstream router, each thus getting its assigned IP address.
If the downstream routers are Mikrotiks, you could assign each of them a /32 from your assigned range.
(Perhaps all with a single upstream IP address in the Private IP Range)
Not sure if you can do this with DHCP, but manual assignment should work at least initially.
You can assign static ARP assignments for each downstream router and set ARP to reply only.
You could put all the real IPs on a bridge on the 3011, and do dst and src NAT to and from each of the downstream routers.
One note:
Often in cases like this you get one main IP address from the ISP, as well as the /29.
(And the /29 are routed via the main IP address)
And the main IP address would be the WAN IP address on the 3011.
Thank you for the reply. But this way is unacceptable for me, because I want to give admins on downstream routers full control without using other technologies.
Maybe I should see how to restrict this with firewall rules on each interface?
You can either use switch ACL rules, remembering to also permit broadcast IP addresses in addition to each client's unicast IP address, or disable hardware offload and use /ip firewall filter rules after applying /interface bridge settings use-ip-firewall=yes. The CPU performance is likely to limit throughput.
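One way to pin one public address per customer port with bridge filter rules, as an added example and not configuration from the thread. It assumes the fictitious 150.15.130.64/29 from the question, sfp1 as the provider uplink, ether1 and ether2 as the first two customer ports (.66 and .67, as in the question), and .70 kept on the RB3011 itself for management; chain names are chosen here, not RouterOS defaults.

```routeros
# Added example (not from the thread). Bridge the uplink and the customer ports so the
# provider gateway stays one L2 hop away, then restrict each customer port so that only
# frames carrying its assigned address (IPv4 source or ARP sender) get through.
/interface bridge
add name=br-public protocol-mode=none

/interface bridge port
add bridge=br-public interface=sfp1
add bridge=br-public interface=ether1
add bridge=br-public interface=ether2

# Management address of the RB3011 (assumed: the last usable address of the /29).
/ip address
add address=150.15.130.70/29 interface=br-public
/ip route
add dst-address=0.0.0.0/0 gateway=150.15.130.65

# Custom chain per port (name "pin-etherN" is this example's choice).
# Accept IPv4 only if the source is the pinned address, accept ARP only if the sender
# IP is the pinned address, drop everything else (including IPv6 and other protocols).
/interface bridge filter
add chain=pin-ether1 mac-protocol=ip  src-address=150.15.130.66/32     action=accept comment="ether1 IPv4 from .66"
add chain=pin-ether1 mac-protocol=arp arp-src-address=150.15.130.66/32 action=accept comment="ether1 ARP for .66"
add chain=pin-ether1 action=drop comment="ether1: anything else"

add chain=pin-ether2 mac-protocol=ip  src-address=150.15.130.67/32     action=accept comment="ether2 IPv4 from .67"
add chain=pin-ether2 mac-protocol=arp arp-src-address=150.15.130.67/32 action=accept comment="ether2 ARP for .67"
add chain=pin-ether2 action=drop comment="ether2: anything else"

# Apply the per-port chain both to frames bridged onward (forward) and to frames
# addressed to the router itself (input), so a spoofed ARP cannot poison either the
# provider side or the RB3011's own ARP cache. Frames from sfp1 are not restricted.
add chain=forward in-interface=ether1 action=jump jump-target=pin-ether1
add chain=input   in-interface=ether1 action=jump jump-target=pin-ether1
add chain=forward in-interface=ether2 action=jump jump-target=pin-ether2
add chain=input   in-interface=ether2 action=jump jump-target=pin-ether2
```

Repeat the three "pin-etherN" rules and the two jump rules for each further customer port; like the firewall-filter variant in the reply above, bridge filter rules are processed by the CPU rather than the switch chip, so the same throughput caveat applies.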