MT ESXi Public IP setup

Hi,
I have a problem setting up a public IP for servers.
Diagram: Internet → Mikrotik → Switch → users, servers, ESXi’s

I want to use one IP from the /29 as a public IP for port forwarding to 3-4 servers, if that is possible, or do I need to use 1 public IP for 1 server in the LAN?

My Network setup
IP setup:
Internet IP : x.x.151.34 = WAN port
LAN IP : 172.16.0.0/20 = LAN port
and I got from the ISP a set of public IPs, x.x.139.56/29, where .56 = network, .57 = gateway and .58-62 are my set of public IPs.

I added the Internet IP and the /29 set of IPs to my WAN port on the MT:

/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                
 0   172.16.0.1/20      172.16.0.0      LAN                                                      
 1   ;;; WAN Internet IP
     x.x.151.34/32  x.x.151.33  WAN                                                      
 2 X 172.16.6.1/24      172.16.6.0      ESXi #3                                                  
 3   ;;; WAN Public IPs
     x.x.139.57/29  x.x.139.56  WAN                                                      
 4   x.x.139.60/29  x.x.139.56  WAN                                          
 5   x.x.139.58/29  x.x.139.56  WAN

Firewall Filter rule

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=log dst-address=x.x.139.60 log-prefix="" 

 1 X chain=input action=log protocol=icmp dst-address=x.x.151.34 log-prefix="" 

 2   ;;; WINBOX LAN
     chain=input action=accept protocol=tcp in-interface=LAN dst-port=8291 

 3   ;;; WINBOX WAN
     chain=input action=accept protocol=tcp dst-address=x.x.151.34 in-interface=WAN 
     dst-port=8291 

 4   ;;; Remote sa x.x.139.60
     chain=input action=accept protocol=tcp dst-address=x.x.139.60 in-interface=WAN 
     dst-port=5666 

 5   ;;; ESXi #2 - IIS Web
     chain=forward action=accept protocol=tcp dst-address=172.16.0.32 dst-port=80 

 6   ;;; ESXi #2 - IIS Remote
     chain=forward action=accept protocol=tcp dst-address=172.16.0.32 dst-port=3389 

 7   ;;; ESXi #3 - IIS Remote
     chain=forward action=accept protocol=tcp dst-address=172.16.6.59 dst-port=3389 

 8 X ;;; FTP  port 20
     chain=input action=accept protocol=tcp dst-address=x.x.151.34 dst-port=20 

 9 X ;;; Allow FTP Control Port
     chain=customer action=accept protocol=tcp dst-address=172.16.0.71 dst-port=21 

10 X ;;; Allow FTP Transfer Port
     chain=forward action=accept protocol=tcp dst-address=172.16.0.59 in-interface=WAN 
     dst-port=21233 

11 X ;;; Allow limited Passive FTP port range
     chain=forward action=accept protocol=tcp dst-address=172.16.0.59 in-interface=WAN 
     dst-port=10500-10510

NAT rule

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; NAT za lokalnu mrezu
     chain=srcnat action=masquerade src-address=172.16.0.0/20 out-interface=WAN 

 1   ;;; NAT za lokalnu mrezu
     chain=srcnat action=src-nat to-addresses=x.x.151.34 src-address=172.16.0.0/20 
     out-interface=WAN 

 2 X ;;; NAT za lokalnu mrezu
     chain=srcnat action=masquerade src-address=172.16.0.0/20 dst-address=0.0.0.0/0 

 3   ;;; 1 TO 1 NAT
     chain=dstnat action=dst-nat to-addresses=172.16.0.59 to-ports=6112-6119 protocol=tcp 
     dst-address=x.x.151.34 in-interface=WAN dst-port=6112-6119 

 4   ;;; 1 TO 1 NAT
     chain=dstnat action=dst-nat to-addresses=172.16.0.59 to-ports=6112-6119 protocol=udp 
     dst-address=x.x.151.34 in-interface=WAN dst-port=6112-6119 

 5   ;;; EXSi #2 - IIS Web
     chain=dstnat action=dst-nat to-addresses=172.16.0.32 to-ports=80 protocol=tcp 
     dst-address=x.x.151.34 dst-port=5668 

 6   ;;; EXSi #2 - IIS Remote Access
     chain=dstnat action=dst-nat to-addresses=172.16.0.32 to-ports=3389 protocol=tcp 
     dst-address=x.x.151.34 in-interface=WAN dst-port=5669 

 7   ;;; EXSi #3 - Redirect RDP PORT  TCP 3389 to.6.59
     chain=dstnat action=dst-nat to-addresses=172.16.6.59 to-ports=3389 protocol=tcp 
     dst-address=x.x.139.60 dst-address-type=local in-interface=WAN dst-port=5666

But ping to the /29 or RDC is not working; I probably messed something up.
How do I make this work? :smiley:

Thanks

Anyone ?

What is your NAT rule #1 for?
You can easily delete this rule as it will never match - the masquerading rule #0 will always catch the traffic.
You need appropriate src-nat rules matching your dst-nat rules since you have more than one public IP address - the servers will have no idea where to answer to and all replies will be caught by your masquerading rule (which always uses the lowest IP address).
Put these created src-nat rules on top of your NAT list.
-Chris
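
As an added example (not part of the thread and not anyone's posted configuration), this Python model evaluates the srcnat chain first-match, the way the NAT chain stops at the first terminating rule, for new outbound connections. It shows that posted rule #1 is shadowed by rule #0 and that a per-server src-nat rule only takes effect when it sits above the masquerade rule. The two public addresses are constructed stand-ins for the redacted ones, the per-server rule is hypothetical, and only the `src-address` and `out-interface` matchers are modelled.

```python
import ipaddress

# Constructed stand-ins for the redacted addresses in the post.
WAN_IP = "203.0.113.34"       # stands in for x.x.151.34
PUBLIC_60 = "198.51.100.60"   # stands in for x.x.139.60

# Enabled srcnat rules exactly in the posted order (#0 masquerade, #1 src-nat).
POSTED = [
    {"id": 0, "action": "masquerade", "src": "172.16.0.0/20", "out": "WAN"},
    {"id": 1, "action": "src-nat", "src": "172.16.0.0/20", "out": "WAN",
     "to": WAN_IP},
]

# Hypothetical per-server rule of the kind the reply asks for (an assumption,
# paired here with the dst-nat rule #7 that forwards x.x.139.60 to 172.16.6.59).
SERVER_RULE = {"id": "new", "action": "src-nat", "src": "172.16.6.59/32",
               "out": "WAN", "to": PUBLIC_60}


def first_match(chain, src_ip, out_if):
    """Return the first rule whose matchers fit; later rules are never consulted."""
    addr = ipaddress.ip_address(src_ip)
    for rule in chain:
        if rule["out"] == out_if and addr in ipaddress.ip_network(rule["src"]):
            return rule
    return None


def shadowed(chain):
    """IDs of rules that can never match because an earlier rule on the same
    out-interface already covers their whole source range."""
    dead = []
    for i, rule in enumerate(chain):
        net = ipaddress.ip_network(rule["src"])
        for earlier in chain[:i]:
            if (earlier["out"] == rule["out"]
                    and net.subnet_of(ipaddress.ip_network(earlier["src"]))):
                dead.append(rule["id"])
                break
    return dead


if __name__ == "__main__":
    for name, chain in (("posted", POSTED),
                        ("server rule appended", POSTED + [SERVER_RULE]),
                        ("server rule on top", [SERVER_RULE] + POSTED)):
        hit = first_match(chain, "172.16.6.59", "WAN")
        print(f"{name}: 172.16.6.59 hits rule {hit['id']} ({hit['action']}), "
              f"shadowed rules: {shadowed(chain)}")
```
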