Mikrotik Local IP on Fiber and public IP Pool from ISP Configuration for Local Lan Internet

mansoor · August 15, 2018, 1:56pm

I got a new internet connection on fiber from ISP with public IP Address Pool. The ISP provided some local IP’s and and some public IP Addresses to be configured on Router. I am using Mikrotik for too many years but cannot come across such situation. My router is CCR-1036-12G-4S-EM.

Please note that ISP asked me to use fiber supported switch and configure 172.32.64.74/30 on SFP fiber module interface of switch and then use an ethernet cable and plugged into ethernet port of switch and other end into your mikrotik router and configure mikrotik router with NAT for accessing internet. ISP provided public IP address 203.124.47.249/28 as public interface. I did and everything went well.

Now the reason for my post is I don not want to use extra fiber switch. I want to use only Mikrotik router for performing all above. For the purpose I asked ISP to provide configurations for my CCR-1036-12G-4S-EM router and they provided me following settings. They refused to provide further support due to their limitations of working with Mikrotik Router.

Here are IP addresses detail provided by ISP:

ip address add address= 172.32.64.74/30 interface=sfp1 (This will be the point to point interface)
ip address add address= 203.124.47.249/28 interface=ether1 (This will be the public IP pool interface)
ip route add gateway=172.32.64.73 (this will be the default route)

Now what I did in Mikrotik Router?

As instructed by ISP I assigned 172.32.64.74/30 on my SFP1 port (Fiber port). Then I assigned 203.124.47.249/28 to ether1 port. Then I added 172.32.64.73 as my default route for 0.0.0.0/0.

I connected my laptop on ether1 of Mikrotik and assigned IP Address from pool 203.124.47.250/28 with gateway 203.124.47.249 and dns 8.8.8.8 and internet started working in my laptop.

Now next step I started configuring my Mikrotik Router for Local LAN users as usual:

After above configuration I configured setup for local Lan on ether12 with dhcp for local users with IP address 192.168.78.1/24. and made Firewall NAT to ether1 where I assigned 203.124.47.249/28 IP address. Then I un-plugged my laptop cable from ether1 and plugged into ether12 and my laptop got IP from dhcp server 192.168.78.2.

Now the problem is:

After above configuration internet is not working in my laptop. I must be doing something wrong with routing or nat or might be missing something. I am totally new to this situation. Network Diagram is attached. Please help with configuration.

bramwittendorp · August 15, 2018, 5:47pm

Your NAT-rule does the following:

It will NAT(Masquerade) everything leaving your router on ether1. You should do this however for the SFP1 interface.

Since you have some Public IP-space, I’d use the following method:

Add a src-nat rule similar to the following:

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.78.0/24 to-addresses=203.124.47.251 out-interface=sfp1

This rule will preform a source NAT on all traffic from the 192.168.78.0/24 to the public IP 203.124.47.251 (in my example, could be any usable IP from your block) leaving your router on interface sfp1.

This method is better, because a masquerade rule with sfp1 would be like a catch-all rule, and also masquerade traffic that shouldn’t be masqueraded.

mansoor · August 16, 2018, 4:58am

Thanks bramwittendorp. It worked like a charm.