I have now configured my RouterOS with the IP 90.143.100.83 on the ether2 interface, set the default gateway and added some firewall rules and NAT rules to allow traffic from the internal LAN to the Internet. So far so good.
I am now stuck on adding my other public IP addresses to interface ether1 and making them accessible for services via a destination NAT.
Also, I’m thinking about how to tell RouterOS that two different subnets are connected and how the routing tables need to look so that everything works.
Would somebody please be so nice and help me with that?
The default gateway (ISP router IP) is from your /29 range, so I’d expect that all addresses from this range need to be reachable on ether1: either assigned directly to ether1, or you’d need proxy ARP if you added them elsewhere. If you have 90.143.100.83 on ether2 (which according to your description is the LAN) and it works, you should probably post your current config, because it looks a little suspicious.
Assuming 165.23.131.80/28 is a normally routed subnet, you don’t need anything special. Packets to any address from this /28 will be sent to your router. You don’t need to alter routing or anything. Just assign a selected address from this /28 to ether1 or some loopback interface (you can use an empty bridge as a loopback in RouterOS) and you have it. In fact, you don’t even need to assign it anywhere and you can still use it for src/dst NAT.
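The setup this reply describes, written out as RouterOS CLI commands. This is an added example, not a config posted in the thread. The addresses come from the thread (the /29 on ether1 with the ISP gateway 90.143.100.81 quoted later in the thread, the /28 165.23.131.80/28); the specific /28 host addresses chosen, the internal server 192.168.1.10 and the bridge name `loopback` are assumptions for illustration.

```routeros
# --- WAN addressing ------------------------------------------------------
# The /29 is a connected subnet on ether1; the ISP gateway lives in it.
/ip address add address=90.143.100.83/29 interface=ether1 comment="ISP /29 (connected)"
/ip route add dst-address=0.0.0.0/0 gateway=90.143.100.81 comment="single default route is enough"

# Option A: the ISP also has an address in the /28 on the same link, so the
# /28 is a second connected subnet on ether1 (assumed host address .82).
/ip address add address=165.23.131.82/28 interface=ether1 comment="ISP /28 on WAN"

# Option B: the ISP routes the whole /28 to our /29 address, so a /28 host
# can sit on an empty bridge used as a loopback (assumed host address .83).
/interface bridge add name=loopback protocol-mode=none
/ip address add address=165.23.131.83/32 interface=loopback comment="ISP /28, routed"

# --- NAT -----------------------------------------------------------------
# Publish an internal web server (assumed 192.168.1.10) on 165.23.131.82.
/ip firewall nat add chain=dstnat dst-address=165.23.131.82 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=443 comment="https -> internal server"
# Make the server's own outbound traffic leave from the same public address,
# placed before the general masquerade so it matches first.
/ip firewall nat add chain=srcnat src-address=192.168.1.10 out-interface=ether1 \
    action=src-nat to-addresses=165.23.131.82 comment="server uses its public IP"
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"

# --- Filter: only let the DNATed flows in from the WAN ---------------------
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept comment="published services only"
/ip firewall filter add chain=forward in-interface=ether1 action=drop comment="everything else from WAN"
```

Use only one of options A and B for a given /28 host; which one applies depends on whether the ISP router has an address inside the /28 on this link (connected) or forwards the /28 to the /29 address (routed). The `connection-nat-state=dstnat` match keeps the forward chain from exposing the whole LAN when a dst-nat rule is added.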
thanks for your reply.
To avoid any confusion, the subnets /29 and /28 are both on my external interface, ether1.
You are right, the /29 net works smoothly, out of the box by adding those addresses to ether1 interface.
With the /28 subnet I have several issues. When I try to add those addresses to a bridge interface, nothing happens; I don’t even see traffic coming in under the IP->Firewall->Connections tab when I ping the address, for example. I also tried enabling proxy ARP, with no effect.
Looks like I’m missing something…
But right now I don’t see it.
(On my old router, which was a Juniper, I just needed to add all those /28 addresses to the external interface and they were available.)
That’s another possibility: the /28 on the WAN together with the /29, where the ISP’s router would also have one of 165.23.131.x. If that were the case, you should be able to simply add 165.23.131.x/28 to the WAN. You probably shouldn’t need to do anything with gateways and routing, because both 90.143.100.81 and 165.23.131.x are most likely the same machine (with the same MAC address, so it wouldn’t matter from which IP address your router gets it).
Both subnets, /29 and /28, have to use the same gateway, 90.143.100.8.
I can currently only access the /29 subnet. I bound some /28 IPs to the interface ether1, but I’m unable to access them.
Any further ideas?
It doesn’t make much sense to me why the /28 would have to be on ether1 then. It can be either a routed subnet, and then it can be anywhere, or a connected subnet, and then it would have to be on ether1. But what’s the point of a connected subnet if their router is not part of it?
In any case, putting /28 addresses on ether1 should just work for both scenarios. One default gateway is enough. If you use an address from the /28 as source, it has only one (and the right) way to go.
That is exactly why I wonder so much.
In my case, my ISP gave that /29 subnet first. After we ran out of public IPs, we asked for a bigger public address space and they just added that /28 subnet to their gateway router.
In the current setup (with Juniper equipment) we just bound addresses of the /28 subnet to the external interface and we were good to go.
Now, as we are going to replace that box with a RouterOS system, I suppose it would just have to work similarly. But it does not.
On the local system (RouterOS CLI), I can ping all bound IPs without issues.
From an external system, located on the Internet, I can only ping the IP address of the /29 subnet; the second IP, in the /28 space, will just receive timeouts.
I also notice that pings to the IP of the /28 net won’t even show up in the Connections tab, which I guess means there is a routing issue.
Where 165.23.131.x is an address assigned to the router and a.b.c.d is the address of some machine somewhere else on the Internet which you have under control. If you use Tools->Torch on ether1, you must see packets from 165.23.131.x to a.b.c.d leaving the router. This is to make sure that you don’t have problems with outgoing NAT or something. And if you run a packet sniffer on the remote machine, you should see the same packets arriving there and reply packets being sent back. Ideally, you should see those arriving at your router. Try it, it’s easy and perhaps you’ll discover something interesting.
Or you can also post your current config here and let us see if there could be some mistake there.
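The check this reply describes, written out as RouterOS CLI commands. This is an added example, not part of the thread. The command that the reply refers to is not visible on the page; the `/ping ... src-address=` form below is my assumption of what was meant. The /28 host 165.23.131.82 and the remote host 203.0.113.10 (standing in for a.b.c.d) are placeholders.

```routeros
# 1. Send echo requests FROM the /28 address, so the reply has to be routed
#    back to that address by the ISP. Run this in one terminal.
/ping 203.0.113.10 src-address=165.23.131.82 count=5

# 2. In a second terminal, watch ether1 for the request leaving and the
#    reply coming back. tx = our request, rx = the ISP delivering the reply.
/tool torch interface=ether1 src-address=165.23.131.82/32 dst-address=0.0.0.0/0 ip-protocol=icmp

# 3. If torch shows requests but no replies, capture what the WAN actually
#    carries for that address, including ARP, and look for the gateway
#    asking "who has 165.23.131.82" (connected case) or for nothing at all
#    (routed case where the ISP never forwards the reply).
/tool sniffer set filter-interface=ether1 filter-ip-address=165.23.131.82/32 \
    file-name=wan-test file-limit=1000
/tool sniffer start
# ... repeat the ping, then:
/tool sniffer stop
/file print where name~"wan-test"

# 4. Confirm which MAC answers for the gateway; a second ISP address inside
#    the /28 should resolve to the same MAC if it is the same ISP router.
/ip arp print where interface=ether1
```

On the remote host, a capture such as `tcpdump -ni eth0 icmp and host 165.23.131.82` shows whether the requests arrive with the /28 source intact (if they show up with the /29 address instead, the src-nat rules are rewriting them) and whether the replies go out. If the replies leave the remote host but never reach ether1, the problem is on the ISP side, not in the RouterOS routing table, and the ISP needs to confirm how the /28 is delivered to the link.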