Multiple Static IP-s

raigos · May 25, 2010, 7:49am

Hi, i need help. I have 13 Static IP-s and i would like to give all my MT-s one of them. I can make it work with one IP. My main network is 192.168.1.X then there is MT RB750 what gets 192.168.1.X and then from there goes IP-s to 10.10.1.X, 10.10.2.X and 10.10.3.X.

Now i would like to add 10.10.1.X static IP, i get it work with my own IP and NAT, but then is not possible to get into my main MT, i would like to give different IP so i can access my base MT and then another MT too.

base ip is 84.50.195.X
and another one i would like to give is 213.168.20.X and that should go 10.10.1.X

hope somebody understand what i need. I must tell also that im not feeling myself very confidence with MT routers.

Feklar · May 25, 2010, 2:05pm

Sorry, I really don’t understand what you are trying to do, could you try and explain it a bit more? A network diagram of what you are aiming for might help some too.

tricer · May 25, 2010, 6:54pm

it sounds like what you are trying to do is give each of your routers an external IP address so you can access them from the internet where every you are, is this correct?

If that is the case you need to do this to your core router for each of the remote routers that you what to assign a public IP too

http://wiki.mikrotik.com/wiki/NAT_Tutorial

Rich

raigos · May 25, 2010, 7:20pm

Ok, i’ll try to explain it a bit more. That is my drawing of network

Now i would like to give MT2 different static IP so i can access it from outside. I have 13 different IP-s and i would like to give them to certain MTs and PC-s. Don’t look those IP-s there what starts 208.74.128.X those are wrong.

Hope u understand now a little bit more.

I can forward all my IP-s to MT1, the next MT is behind KS Group1 and gets 10.10.1.239, now i would like to give that public IP so i can make port forwarding in that MT.

tricer · May 25, 2010, 11:36pm

It seems you want to do a 1:1 NAT using the 213.168.20.X as your public IP and 10.10.1.X as your private IPs

take a look at the links below

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

http://wiki.mikrotik.com/wiki/NAT_Tutorial

Rich

raigos · May 26, 2010, 6:29am

Hi, i have done like that tutorial, but i must tell, i can forward all my public IP-s to core router, but how i can forward from there that is what i cant figure out. Because from core router those IP-s goes 10.10.1.X, 10.10.2.X and 10.10.3.X. My core router gets 192.168.1.66.

Thx

SurferTim · May 26, 2010, 11:03am

Is this network a natted net? I am not sure I like that term. It really misrepresents what it is. To me, the name “routed net” makes more sense. The main question that would decide if it is or not is:
Are there any srcnat or masquerade rules on any router except the core router?
If the answer is yes, then you should consider removing the masquerades and route all ips. It looks as if your network design should allow that quite easily. Just change the ip addresses on MT1 and MT2 to 10.x.x.x/24 ips instead of the public assignments. Then forward the public ips to those private ips as per the docs and wiki.

Hint: Don’t route 10.x.x.x/24 blocks! Gets too time-consuming and confusing. Route the entire 10.x.x.x/16 block to each router.

ADD: The way I would set up that system is:
Assign Default router local ip 10.0.0.1/24
Assign MT1 wan 10.0.0.2/24
Assign MT2 wan 10.0.0.3/24

Assign MT1 localnet1 10.1.0.1/24
Assign MT1 localnet2 10.1.1.1/24

Assign MT2 localnet1 10.2.0.1/24
Assign MT2 localnet2 10.2.1.1/24
etc

Then route like this
/ip route
add dst-address=10.1.0.0/16 gateway=10.0.0.2
add dst-address=10.2.0.0/16 gateway=10.0.0.3

All localnet devices on MT1 get 10.1.x.x/24 addresses.
All localnet devices on MT2 get 10.2.x.x/24 addresses.

Here is the pattern; 10.x.y.z

x = router number
y = local interface number on that router

This makes finding a customer with bad intent very easy. If the offending ip is 10.2.1.36, then that client is on MT2 localnet2.

I almost forgot what I really wanted to say. Got carried away with the route thing. Insure the forwarding srcnat/dstnat rules are before any othr srcnat or masquerade in Default router.

Using the ip/netmasks above
Assign xx.xx.128.82 and xx.xx.128.83 to Default router wan with xx.xx.xx.81.

/ip firewall nat
add chain=srcnat action=src-nat src-address=10.0.0.2 to-addresses=x.x.128.82 place-before=0
add chain=dstnat action=dst-nat dst-address=xx.xx.128.82 to-addresses=10.0.0.2 place-before=0
add chain=srcnat action=src-nat src-address=10.0.0.3 to-addresses=x.x.128.83 place-before=0
add chain=dstnat action=dst-nat dst-address=xx.xx.128.83 to-addresses=10.0.0.3 place-before=0

if place-before doesn’t work, enter them and use “move” to put them at the top of the list.

Don’t use a masquerade here. The default nat below these should be

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=xx.xx.128.81

.