Mikrotik setup for /24 public ip network

Hi,

I am a beginner with MikroTik products and I need your help.
In this case I have one MikroTik CCR1009-8G-1S-1S+.
My internet service provider has provided me 1 public IP (9x.xx.xx.xx) for the uplink and another 256 public IPs (86.xxx.xx.xx/24) for clients.

The MikroTik ports are populated like this:

  1. SFP+, ether4, ether5 are in the same BRIDGE (this is the network side). Each computer has an 8x.xx.xx.xx public IP from the MikroTik via DHCP.
  2. SFP and ether6 are in the same BRIDGE2 (this is the WAN). The SFP port has 9x.xx.xx.xx.

The settings are as follows:
/ip firewall filter
add chain=forward

/ip firewall nat
add chain=srcnat comment="test" out-interface=bridge2-WAN
(the action is accept; I don't know why the export does not print that)

At this time this setup works: clients from the network have their public IP and appear to use it on the internet, but I want to know how I can set up this router correctly.

I want to set up this MikroTik as the gateway for the network: one port for the uplink with the 9x.xx.xx.xx IP, and 3 ports in a bridge to serve the network for clients with public IPs. One of the ports from the bridge should be 8x.xx.xx.1 as the gateway for the clients.

I know my English is bad, but I hope you understand what I want to do in this setup.

Thanks !

And what’s the question? It sounds like you already configured it as you want it.

I don't know if this is the right setup for the firewall. When I start a traceroute from a looking glass (Telia, Cogent etc.) to an 8x.xx.xx.xx public client IP, the gateway 8x.xx.xx.1 does not appear before the client IP:

traceroute to 86.xx.xx.100 (8x.xx.xx.100), 30 hops max, 60 byte packets
1 gi0-0-0-19.6.agr11.vie01.atlas.cogentco.com (130.117.254.97) 0.864 ms 0.937 ms
2 te0-6-0-15.ccr21.vie01.atlas.cogentco.com (154.54.56.117) 0.877 ms 1.030 ms
3 ae2.cr0-vie2.ip4.gtt.net (141.136.101.237) 0.325 ms 0.300 ms
4 xe-4-1-2.cr1-fra6.ip4.gtt.net (141.136.111.21) 13.468 ms xe-0-1-3.cr1-fra6.ip4.gtt.net (141.136.105.65) 13.407 ms
5 rom-telecom.ip4.gtt.net (77.67.64.58) 14.531 ms 14.537 ms
6 * *
7 * *
8 * *
9 bucuresti.nxdata.cr01.next-gen.ro (81.22.150.1) 43.262 ms 41.697 ms
10 94-53-12-62.next-gen.ro (94.53.12.62) 44.789 ms 45.112 ms
11 94-53-12-6.next-gen.ro (94.53.12.6) 45.423 ms 44.741 ms
12 94-53-12-146.next-gen.ro (94.53.12.146) 42.216 ms 42.802 ms
13 94-xx-xx-xx.next-gen.ro (94-xx-xx-xx) 43.433 ms 43.427 ms (this is the ISP gateway for me)
14 86.xx.xx.100 (86.xx.xx.100) 42.806 ms 42.816 ms (this is the client's public IP)

Why does the .1 gateway not appear? I think the setup is incorrect or incomplete.

The "missing" 8x.xx.xx.1 gateway is OK. When you trace from the internet, the router will reply with the address of the WAN interface.

I see, OK, but another problem is when I try to traceroute from one client to another when they are in the same network:
8x.xx.xx.100 to 8x.xx.xx.250

PING:
PING 8x.xx.xx.250 (8x.xx.xx.250) 56(84) bytes of data.
64 bytes from 8x.xx.xx.250: icmp_seq=1 ttl=63 time=1.68 ms
64 bytes from 8x.xx.xx.250: icmp_seq=2 ttl=63 time=1.43 ms
64 bytes from 8x.xx.xx.250: icmp_seq=3 ttl=63 time=1.45 ms

Traceroute:

traceroute to 8x.xx.xx.250 (86.xx.xx.250), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *^

The reason I think the setup is not OK is that I want to redirect one address-list to 8x.xx.xx.100:8085, where I have web information about client accounts. When I redirect a client from the address-list to 8x.xx.xx.100:8085, the page keeps waiting and ends with "page can't be reached", but if I manually type 8x.xx.xx.100:8085 in the browser from clients added to the address-list, the page is reached and the information is displayed.

The firewall rule for the redirect is:

/ip firewall nat
add action=dst-nat chain=dstnat comment=SUSPENDAT disabled=yes protocol=tcp src-address-list=suspendati \
    to-addresses=8x.xx.xx.100 to-ports=8085

The internet is cut off but the redirect is not reached.
The problem is solved when I redirect to an external address: if I change 8x.xx.xx.100 to-ports=8085 to an external server like 9x.xx.xx.38 to-ports=8085, the information appears.
So this is the reason I thought the setup in the MikroTik is not made correctly.

I hope you understand what I meant to say.
Thanks

I don't know why traceroute doesn't work. If you have the whole /24 on the internal interface and the clients also have /24, then they will communicate directly and it won't go through the router at all.

Redirection is another problem. You're looking for hairpin NAT. It's usually used with private addresses, but it's the same principle here. Client 8x.xx.xx.X tries to connect to external a.b.c.d and you redirect it to 8x.xx.xx.100. When 8x.xx.xx.100 sees 8x.xx.xx.X, which is in the same subnet, it tries to reply directly, but 8x.xx.xx.X doesn't know anything about 8x.xx.xx.100; it expects a reply from a.b.c.d.

I see, and I think I know what is happening; sorry, I forgot to mention this part.

Bridge1, where the /24 clients are connected, has VLAN tag 100 (the members of this bridge are: SFP+, ether4, ether5).
8x.xx.xx.100 is a Linux server with Apache and MySQL; it is connected by wire to ether4 and doesn't have VLAN 100 declared (ether4 is a member of bridge1 and bridge1 has the VLAN 100 tag; ether4 has the 8x.xx.xx.1 address (gateway) set up).
The SFP+ port is connected by fiber to a bridge router (VLAN 100); from this bridge router the clients are connected with L3 routers, whose WAN DHCP obtains 8x.xx.xx.xx from the MikroTik, but this time VLAN 100 is declared on the WAN.

So, 8x.xx.xx.100 doesn't have vlan100 declared and 8x.xx.xx.250 has the VLAN 100 tag on its WAN. Is it possible that this is the problem?

Here you have a diagram of the network:

One thing, when you bridge something, member interfaces no longer work as individual interfaces for IP traffic. If for example ether4 is part of bridge1, it’s useless to put 8x.x.x.1 on ether4. It will work, but it will behave as if the address was assigned to bridge1, so you should just move it there.

The part with the VLAN, which I'm not sure I understand correctly, sounds possibly wrong. From the diagram it looks like the members of bridge1 should be ether4, ether5 and the vlan100 interface defined on SFP+, but not the SFP+ interface itself. Is it like this?

No, vlan100 is defined on bridge1. Do I need to define this VLAN on SFP+ itself?

Hairpin NAT and proxy redirect are not a solution for me, because on the web server where I redirect the traffic I need the client's IP to identify him, then I offer him some account information. If I use hairpin NAT or a proxy, the IP will be the proxy's for all my clients.

Is it possible to use a private IP 192.xx.xx.xx for the web server and redirect the clients to it? Considering they are not in the same subnet, they can communicate only through the router.

Thank you for your answers !

Yes, remove SFP+ from bridge1, move the VLAN 100 interface from bridge1 to SFP+, and finally add the VLAN 100 interface to the bridge. This way you'll have the whole 8x.x.x.0/24 together and they will be able to see each other.

To avoid using hairpin NAT, you can surely use another address. You can just put a single address somewhere on the Linux server, add a route to it and redirect there:

/ip route
add distance=1 dst-address=192.168.x.x/32 gateway=8x.xx.xx.100
/ip firewall nat
add action=dst-nat chain=dstnat protocol=tcp src-address-list=suspendati \
    to-addresses=192.168.x.x to-ports=8085
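A complete version of the redirect, as an added example that is not the responder's or the poster's configuration. It covers both the hairpin explanation above and the /32 route suggestion: the point of a separate address is that the server's reply must travel back through the router, so the example assumes (not from the thread) that the web server is on its own segment behind ether6 as 192.168.40.20 with the router at 192.168.40.1, and that the client subnet is 8x.xx.xx.0/24.

```routeros
# Added example (not the thread's own config): redirect clients on the
# "suspendati" list to the account page while the web server still sees
# their real 8x.xx.xx.X source address. Assumed, not from the thread:
# the server sits on its own segment behind ether6 as 192.168.40.20,
# with the router at 192.168.40.1; the client subnet is 8x.xx.xx.0/24.

/ip address
add address=192.168.40.1/24 interface=ether6 network=192.168.40.0

/ip firewall nat
# Only plain HTTP (dst-port=80) is redirected: a TLS client would reject
# the portal's certificate, and redirecting every TCP port also breaks
# DNS over TCP, mail, and anything else the client still needs.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 \
    src-address-list=suspendati to-addresses=192.168.40.20 to-ports=8085 \
    comment="suspended clients -> account page"
# Deliberately no src-nat on this path. Because 192.168.40.0/24 is a
# different segment, the server's reply to 8x.xx.xx.X has to come back
# through the router, where connection tracking restores the original
# a.b.c.d:80 as the source, so the client accepts the reply.

/ip firewall filter
# dst-natted packets still pass the forward chain. These rules must sit
# before any blanket "chain=forward" accept rule and before the drop below.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept protocol=udp dst-port=53 \
    src-address-list=suspendati comment="DNS, so the name resolves first"
add chain=forward action=accept protocol=tcp dst-port=53 \
    src-address-list=suspendati
add chain=forward action=accept protocol=tcp dst-address=192.168.40.20 \
    dst-port=8085 src-address-list=suspendati comment="account page"
add chain=forward action=drop src-address-list=suspendati \
    comment="suspended clients: everything else"
```

Two checks worth doing. First, a /32 alias on the same NIC as the server's 8x.xx.xx.100/24 address does not by itself guarantee the return path: the server has a connected route for 8x.xx.xx.0/24, so its reply to 8x.xx.xx.X leaves directly on the shared segment, never reaches the router, and arrives at the client with source 192.168.40.20 instead of a.b.c.d, which the client discards. Either put the server on its own segment as above, or, on the Linux side, add a policy route so that packets sourced from 192.168.40.20 are sent via 8x.xx.xx.1. Second, while a redirected client loads the page, `/ip firewall connection print` should show one entry with dst-address a.b.c.d:80 and reply-src-address 192.168.40.20:8085; if the entry is missing, the dst-nat rule is not matching, and if it is present but the browser still hangs, the reply is not coming back through the router. If clients resolve names through the router itself rather than an external resolver, the DNS accepts belong in the input chain instead of forward.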

For the VLAN I understood it like this:
SFP+ → VLAN100
VLAN100 → Bridge 1
Now ether4, ether5 and vlan100 are members of bridge1.
I have done that and there is no internet connection anymore on SFP+; I don't understand why.

For the second solution I have set 192.168.40.20/32 on the Linux interface eth0:2.
On the MK I set:

/ip route
add distance=1 dst-address=192.168.40.20/32 gateway=8x.xx.xx.100
/ip firewall nat
add action=dst-nat chain=dstnat protocol=tcp src-address-list=suspendati \
    to-addresses=192.168.40.20 to-ports=8085

If I add the IP route in the MK, the 8x.xx.xx.xx class has ping to 192.168.40.20/32.
It still does not redirect to 192.168.40.20:8085 … but if I open 192.168.40.20:8085 manually, it works.

You probably have some other config that I don't know about, and if it depends on your original bridge, then it can of course break when you change it. Try to provide more details. Sharing the current config could be a good way (I just hope it's not another one with thousands of lines):

/export hide-sensitive

Hi. This is the setup. Most of the lines are disabled. At this moment I have deleted the vlan100 in the MikroTik.

[admin@MikroTik] > /export hide-sensitive
# feb/05/2017 20:45:38 by RouterOS 6.34rc21
# software id = T1KK-VCV9
#
/interface bridge
add name=bridge2-WAN
add name=bridge_client
/interface ethernet
set [ find default-name=ether5 ] name=ether5-SQUID
set [ find default-name=ether6 ] name=ether6-SERVER-NET
set [ find default-name=ether7 ] name=ether7-CLIENT
set [ find default-name=sfp1 ] name=sfp1-WAN
/ip pool
add name=dhcp_pool2 ranges=8x.xx.xx.2-8x.xx.xx.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 bootp-support=dynamic disabled=no interface=\
    bridge_client name=dhcp1
add add-arp=yes address-pool=dhcp_pool2 interface=bridge_client name=dhcp2 relay=8x.xx.xx.1
/interface bridge port
add bridge=bridge2-WAN interface=sfp1-WAN
add bridge=bridge2-WAN interface=ether6-SERVER-NET
add bridge=bridge_client interface=sfp-sfpplus1
add bridge=bridge_client interface=ether7-CLIENT
add bridge=bridge_client interface=ether4
add bridge=bridge_client interface=ether5-SQUID
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether1 network=\
    192.168.88.0
add address=9x.xx.xx.34/30 interface=sfp1-WAN network=9x.xx.xx.32
add address=192.168.50.254/24 interface=ether5-SQUID network=192.168.50.0
add address=8x.xx.xx.1/24 interface=ether4 network=8x.xx.xx.0
add address=9x.xx.xx.34/30 disabled=yes interface=bridge2-WAN network=9x.xx.xx.32
/ip dhcp-server lease
add address=8x.xx.xx.250 mac-address=7C:A2:3E:AB:9D:E1 server=dhcp1
add address=8x.xx.xx.249 mac-address=04:BD:70:A0:1B:E9 server=dhcp1
add address=8x.xx.xx.248 mac-address=24:4C:07:CD:48:5B server=dhcp1

......... here are 100 DHCP addresses and MACs; I deleted them to have fewer lines

add address=8x.xx.xx.100 comment="serverf" mac-address=B8:AC:6F:30:30:F5 server=dhcp1
add address=8x.xx.xx.101 comment=KALPO mac-address=A0:F3:C1:45:05:DF server=dhcp1
add address=8x.xx.xx.116 client-id=1:90:2b:34:5a:f8:95 comment=andreea_t mac-address=\
    90:2B:34:5A:F8:95 server=dhcp1
/ip dhcp-server network
add address=8x.xx.xx.0/24 dns-server=8x.xx.xx.1,8.8.8.8 gateway=8x.xx.xx.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=216.228.121.209 disabled=yes list=cache-url
add address=91.189.94.40 disabled=yes list=cache-url
add address=195.95.178.20 disabled=yes list=cache-url
add address=92.122.51.66 disabled=yes list=cache-url
add address=92.122.51.59 disabled=yes list=cache-url
add address=92.87.156.4 disabled=yes list=cache-url
add address=54.239.192.80 disabled=yes list=cache-url
add address=8x.xx.xx.250 disabled=yes list=suspendati
/ip firewall filter
add chain=forward
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established \
    disabled=yes
add chain=input comment="Allow ICMP" disabled=yes protocol=icmp
add chain=forward comment="redirect cu proxy" disabled=yes dst-port=53 protocol=udp \
    src-address-list=suspendati
add chain=forward comment="redirect cu proxy" disabled=yes dst-address-list=suspendati \
    protocol=udp src-port=53
add action=drop chain=forward comment="redirect cu proxy" disabled=yes src-address-list=\
    suspendati
add action=drop chain=forward comment=SUSPENDATI disabled=yes src-address-list=suspendati
add action=drop chain=forward disabled=yes dst-address-list=cache-url
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-port=80 new-routing-mark=HTTP \
    protocol=tcp
add action=mark-routing chain=prerouting comment="SQUID HTTPS" disabled=yes dst-port=443 \
    new-routing-mark=HTTPS protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-address-list=suspendati \
    to-addresses=192.168.40.20 to-ports=8085
add chain=srcnat comment="alocare internet WAN catre LAN" out-interface=bridge2-WAN
add action=dst-nat chain=dstnat comment=SUSPENDAT disabled=yes protocol=tcp \
    src-address-list=suspendati to-addresses=8x.xx.xx.100 to-ports=8085
add action=redirect chain=dstnat comment="redirect cu proxy" disabled=yes protocol=tcp \
    src-address-list=suspendati to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-port=23 in-interface=bridge2-WAN protocol=\
    tcp to-addresses=192.168.100.100 to-ports=23
add chain=srcnat comment="SQUID HTTPS" disabled=yes dst-port=443 protocol=tcp
add action=src-nat chain=srcnat disabled=yes src-address-list=suspendati to-addresses=\
    8x.xx.xx.100
/ip proxy
set port=9000
/ip route
add distance=1 gateway=192.168.50.50 routing-mark=HTTP
add comment="SQUID HTTPS" distance=1 gateway=192.168.50.50 routing-mark=HTTPS
add distance=1 gateway=9x.xx.xx.33
add disabled=yes distance=1 dst-address=192.168.40.20/32 gateway=8x.xx.xx.100
/ip service
set telnet disabled=yes

First, a few non-critical observations:

  1. For IP, all bridged interfaces behave as one, so all IP addresses should be directly on the bridge, not on individual interfaces. It does not help you in any way; it only makes things confusing. E.g. when you have 192.168.50.254/24 on ether5-SQUID, it's in fact available on all interfaces of the same bridge.

  2. The second DHCP server (name=dhcp2) makes no sense.

Then there are your firewall rules:

/ip firewall filter
add chain=forward

Allows everything. I assume it’s temporary, because otherwise all following are useless.

add chain=forward comment="redirect cu proxy" disabled=yes dst-port=53 protocol=udp src-address-list=suspendati
add chain=forward comment="redirect cu proxy" disabled=yes dst-address-list=suspendati protocol=udp src-port=53

Blocks DNS for "suspendati" list addresses. Probably OK. DNS can also use TCP, but UDP is the main one, so they'll notice for sure. The second rule is not really needed. When you block the question, there can be no answer.

add action=drop chain=forward comment="redirect cu proxy" disabled=yes src-address-list=suspendati
add action=drop chain=forward comment=SUSPENDATI disabled=yes src-address-list=suspendati

Blocks traffic from "suspendati" list addresses. Both rules are the same; you probably wanted one to use dst-address-list=suspendati. But remember that even dst-natted ports go through the forward chain, so you must allow access to 192.168.40.20 before this.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-address-list=suspendati to-addresses=192.168.40.20 to-ports=8085

It’s most likely useless to dstnat all tcp ports. If that port 8085 runs webserver, it will only show useful info when original destination port is 80.

add chain=srcnat comment="alocare internet WAN catre LAN" out-interface=bridge2-WAN

Skips srcnat for outgoing traffic via bridge2-WAN. Doesn’t seem to be required by anything.

add action=src-nat chain=srcnat disabled=yes src-address-list=suspendati to-addresses=8x.xx.xx.100

Nonsense.

Regarding your VLAN config, if you previously had only this:

/interface vlan
add interface=bridge_client name=vlan100 vlan-id=100

Then your VLAN did not have any address on the router, and if clients were in VLAN 100, they were isolated from the router. What I wrote would be correct: remove sfp-sfpplus1 from the bridge and then:

/interface vlan
add interface=sfp-sfpplus1 name=vlan100 vlan-id=100
/interface bridge port
add bridge=bridge_client interface=vlan100

And move 8x.xx.xx.1/24 from ether4 to bridge_client. That will give you the same subnet untagged on ether4, ether5-SQUID and ether7-CLIENT, and tagged on sfp-sfpplus1. All 8x.xx.xx.x devices will be able to communicate with each other (ping will work).

One thing I don't understand is why you'd need a VLAN at all, if you don't have anything else on sfp-sfpplus1. The other router could deal with that. Also there's the address 192.168.100.100 in one dstnat rule; is it just a leftover, or did you filter some stuff from the export (other than DHCP leases)?
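The bridge/VLAN changes from the review above, applied to the exported config as one sequence, plus the input chain the export is missing: this is an added example, not the responder's or the poster's configuration. The export enables `allow-remote-requests=yes` on a router whose only enabled input rule is "drop invalid", which leaves the DNS cache answering anyone on the internet; the rules below close that and restrict management access. Assumed, not from the thread: the admin host 8x.xx.xx.100 in the `management` list and the service ports 22 and 8291. Interface and list names are the ones from the export. Note that in RouterOS a filter rule with no `action=` is an accept, which is why the existing `add chain=forward` rule has to be moved below any rule that is meant to drop.

```routeros
# Added example (not the thread's own config). Assumed, not from the
# thread: the admin host 8x.xx.xx.100 and the management ports 22/8291.

# 1. VLAN 100 lives on sfp-sfpplus1 and the VLAN interface joins the bridge;
#    the physical port has to leave the bridge first.
/interface bridge port
remove [find interface=sfp-sfpplus1]
/interface vlan
add interface=sfp-sfpplus1 name=vlan100 vlan-id=100
/interface bridge port
add bridge=bridge_client interface=vlan100

# 2. Addresses belong on the bridge, not on a member port. The export
#    already has a disabled copy of the WAN address on bridge2-WAN.
/ip address
set [find interface=ether4] interface=bridge_client
set [find interface=ether5-SQUID] interface=bridge_client
remove [find interface=sfp1-WAN]
set [find interface=bridge2-WAN] disabled=no
/ip dhcp-server
remove dhcp2

# 3. Router services: only what is needed, only from where it is needed.
/ip service
disable ftp,www,api,api-ssl
/ip firewall address-list
add list=management address=8x.xx.xx.100 comment="admin host (assumed)"

/ip firewall filter
# input chain = traffic addressed to the router itself; order matters.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# The DNS cache (allow-remote-requests=yes) answers clients only, so the
# router cannot be used as an open resolver from the WAN.
add chain=input action=accept in-interface=bridge_client protocol=udp \
    dst-port=53 comment="DNS for clients only"
add chain=input action=accept in-interface=bridge_client protocol=tcp \
    dst-port=53
add chain=input action=accept src-address-list=management protocol=tcp \
    dst-port=22,8291 comment="ssh / winbox from the admin host only"
add chain=input action=drop in-interface=bridge2-WAN \
    comment="everything else from the internet to the router"

# forward chain: state rules first. The existing "add chain=forward" rule
# (no action = accept) must be moved to the end, after the suspendati
# rules, or nothing placed behind it is ever evaluated.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
```

After applying this, `/ip firewall filter print` should show the accept-all forward rule last, and `dig @9x.xx.xx.34 example.com` from outside the network should time out while the same query from an 8x.xx.xx.x client is answered. If the clients' public addresses should not be reachable from the internet at all, a further `chain=forward action=drop in-interface=bridge2-WAN connection-state=new` rule would do that, but with a public /24 handed out to customers that is a policy decision rather than a fix, so it is left out here.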