Mikrotik to distribute Routed IPs to customer routers

Hi Guys,

I currently have a Mikrotik running my network at the office, which I have inherited from the previous IT guy. It's an RB2011iL-RM; at the moment it is just plugged into my modem and a switch which runs the rest of the network. No complaints, it seems to be doing a grand job!

However, I also have 2 other companies in the building. They have expressed interest in using my internet connection rather than having to wait for their own lines to be commissioned and activated. Both companies would like their own public IP, which is no problem: I have a routed block which is unused. However, each would like to use their own router.

My question is: How can I distribute the routed IP addresses to separate interfaces so that they can use their own routers? Can NAT be disabled per interface so they are not double-NATting?

I’ve drawn a quick diagram which may help explain a little better:

Thanks in advance for any assistance!

First, make sure the neighbors’ interfaces on your router are not slave/master switch ports, and make sure they’re not associated with any bridges.
Then set arp=proxy-arp on the WAN interface and on each neighbor’s interface.

Lastly, create a /32 route for each IP that you want to give to the neighbor.
So if 123.123.100.101/32 goes to a neighbor on ether2:
/ip route add dst-address=123.123.100.101/32 gateway=ether2

Make sure your srcnat rule exempts the public range:
chain=srcnat
action=masquerade
out-interface=ether1-gateway
src-address=!123.123.100.96/28
(whatever your public IP range is - note the ! in this rule means “not”)

Each neighbor can now configure the IP address directly on their router, and ONLY that address.
They’d set your router’s public IP as their default GW.

One final thing - make sure the forward chain in your router lets them out on the Internet, but blocks them from going to your LAN except for any NAT pinholes you might have in place. Basically, give their interfaces the same policy towards your network as you would give the Internet towards your own network. You probably want to leave the connection to their interfaces completely unfiltered as far as inbound from the Internet, though.
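The whole procedure from the answer above, collected into one RouterOS v6 configuration. This is an added example, not the poster's own commands. It keeps the names the answer uses (ether1-gateway as the WAN port, ether2 as the first neighbor's port, 123.123.100.101 and the 123.123.100.96/28 block); everything else is assumed for illustration: ether3 as a second neighbor port, 123.123.100.102 as that neighbor's address, and 192.168.88.0/24 as the office LAN. The two anti-spoof drop rules go beyond what the answer asks for; they enforce the "ONLY that address" condition on the Mikrotik side instead of trusting the neighbor's router to honour it.

```routeros
# --- 1. Neighbor ports stand alone: no switch master, no bridge membership ---
# (pre-6.41 switch syntax; on 6.41+ the switch is the bridge itself, so removing the bridge port is enough)
/interface ethernet set [ find name=ether2 ] master-port=none
/interface ethernet set [ find name=ether3 ] master-port=none
/interface bridge port remove [ find interface=ether2 ]
/interface bridge port remove [ find interface=ether3 ]

# --- 2. Proxy-ARP on the WAN port and on each neighbor port ---
# The Mikrotik answers ARP for the neighbors' addresses upstream and for the ISP gateway downstream
/interface ethernet set [ find name=ether1-gateway ] arp=proxy-arp
/interface ethernet set [ find name=ether2 ] arp=proxy-arp
/interface ethernet set [ find name=ether3 ] arp=proxy-arp

# --- 3. One /32 route per handed-out address, pointing at that neighbor's port ---
# (.102 on ether3 is an assumed second neighbor; the answer only gives .101 on ether2)
/ip route add dst-address=123.123.100.101/32 gateway=ether2 comment="neighbor A"
/ip route add dst-address=123.123.100.102/32 gateway=ether3 comment="neighbor B"

# --- 4. Masquerade everything leaving the WAN port except the routed public block ---
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1-gateway src-address=!123.123.100.96/28 comment="NAT the office LAN only"

# --- 5. Forward-chain policy: neighbors get the same treatment as the Internet ---
# assumed office LAN range
/ip firewall address-list add list=office-lan address=192.168.88.0/24

# replies and existing dst-nat pinholes keep working (the forward chain sees the post-dstnat address)
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="established/related"
/ip firewall filter add chain=forward action=accept connection-nat-state=dstnat dst-address-list=office-lan comment="existing dst-nat pinholes"

# extra, not in the answer: a neighbor may only send from the one address it was given
# (these must sit above the accept rules below or they never match)
/ip firewall filter add chain=forward action=drop in-interface=ether2 src-address=!123.123.100.101 comment="neighbor A anti-spoof"
/ip firewall filter add chain=forward action=drop in-interface=ether3 src-address=!123.123.100.102 comment="neighbor B anti-spoof"

# neighbors may not reach the office LAN otherwise
/ip firewall filter add chain=forward action=drop in-interface=ether2 dst-address-list=office-lan comment="neighbor A -> office LAN"
/ip firewall filter add chain=forward action=drop in-interface=ether3 dst-address-list=office-lan comment="neighbor B -> office LAN"

# neighbors out to the Internet, and the Internet in to the neighbors, unfiltered
/ip firewall filter add chain=forward action=accept in-interface=ether2 out-interface=ether1-gateway
/ip firewall filter add chain=forward action=accept in-interface=ether3 out-interface=ether1-gateway
/ip firewall filter add chain=forward action=accept in-interface=ether1-gateway out-interface=ether2
/ip firewall filter add chain=forward action=accept in-interface=ether1-gateway out-interface=ether3
```

Filter rules are evaluated top to bottom and `add` appends to the end of the chain, so if the existing forward chain already ends in a catch-all drop, add these with `place-before=` (or move them with `/ip firewall filter move`) so they land above it; check the final order with `/ip firewall filter print`. The neighbor then configures 123.123.100.101 on its WAN port and the Mikrotik's WAN address as its default gateway, exactly as the answer says.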