NAT and Bridge with one uplink

Hi,

I have an RB2011iL with one uplink port. I would like to solve the following scenario:

Bridge-local

port 1: uplink
port 2: server 1 (ESXi server with multiple vps)
port 3: server 2

I have three public IPs at the moment. One belongs to port 1, one belongs to a VPS inside ESXi and the third one belongs to server 2.
The goal is forwarding ports using port 1's public IP address to some VPS servers inside server 1.
Now ports 1, 2 and 3 belong to the same bridge and of course the NAT-ing does not work.
One possible solution is to set the public IPs on port 1 and put ports 2 and 3 in another bridge.
But if I do that I would have to change my servers' public IPs to private ones.
So I'm looking for some smarter way to achieve this.


TIA, Sandor

Hello,

Normally there are two very commonly used ways to realize this scenario.

Setting up the public IP addresses at the MikroTik RB2100 and forwarding
them to the internal IP addresses and ports of the servers like this:

  • public IP Address:Port —> private Address:Port
    This is a more secure way to realize this.

  • Setting up the public IP addresses on the servers directly
    and only opening at the RB2011 the ports used to offer the services.
    This is a more insecure way than the other method.

For scenario 2 it would be better in my eyes if you create a DMZ and
install a Squid http proxy behind the RB2011 that translates
the IP addresses to the servers so they have no direct contact to the internet.

I think this can be solved by using VLANs.

Create two VLAN interfaces, one on the bridge-local and one on ether2 (the port connected to the ESX host).
Bridge these two VLAN interfaces into a new bridge and assign a private IP address to this bridge.
Configure the desired virtual system inside the ESX host to be on the same VLAN as defined earlier, put that guest system in the same private IP segment as the bridge and use the bridge IP as the gateway.
Finally create a NAT masquerading rule.
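As an added illustration (not part of either reply above), here is what the VLAN steps from the last post plus the public:port -> private:port forwarding from the first reply look like as RouterOS CLI commands. VLAN id 100, the 10.10.0.0/24 segment, the guest address 10.10.0.10, the interface names and the placeholder public address are all assumptions chosen for the example; the forward-chain filter rules are added so that only the forwarded port, not the whole private segment, becomes reachable from the uplink.

```routeros
# --- VLAN interfaces: one on the existing bridge, one on the ESX-facing port (assumed vlan-id 100)
/interface vlan add name=vlan100-local interface=bridge-local vlan-id=100
/interface vlan add name=vlan100-ether2 interface=ether2 vlan-id=100

# --- new bridge joining the two VLAN interfaces; it carries the private segment
/interface bridge add name=bridge-vps
/interface bridge port add bridge=bridge-vps interface=vlan100-local
/interface bridge port add bridge=bridge-vps interface=vlan100-ether2

# --- private address on the new bridge; the VPS guests use 10.10.0.1 as their gateway (assumed range)
/ip address add address=10.10.0.1/24 interface=bridge-vps

# --- masquerade traffic from the private segment that leaves through the uplink bridge
/ip firewall nat add chain=srcnat src-address=10.10.0.0/24 out-interface=bridge-local \
    action=masquerade comment="VPS segment to internet"

# --- port forward: port 1's public IP, TCP 443 -> VPS guest 10.10.0.10:443
#     PUBLIC_IP_PORT1 is a placeholder for the address assigned to the uplink
/ip firewall nat add chain=dstnat dst-address=PUBLIC_IP_PORT1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=10.10.0.10 to-ports=443 comment="forward https to VPS"

# --- forward filter: allow established traffic and only the forwarded service; drop the rest
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=bridge-local out-interface=bridge-vps \
    connection-state=new protocol=tcp dst-address=10.10.0.10 dst-port=443 action=accept
/ip firewall filter add chain=forward in-interface=bridge-local out-interface=bridge-vps \
    connection-state=new action=drop comment="no other inbound access to VPS segment"
```

The dstnat rule is matched before the filter, so the accept rule has to name the translated (private) destination, not the public one; the same pattern repeats for each additional forwarded port.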