NAT Help needed alongside Multiple Static IPs

RouterOS Beginner Basics
1

Hi Guys,
Apologies, if its a very direct approach however being self trained on Mikrotik and taking over a mess from predecessors’ doesn’t help.

I have a following situation.

Router: RB3011 UiAS-RM

I am in need to set this up.

It also has a local LAN for test i have created.
it is 192.168.77.0/24

ISP:
I have been given a 350Mbps line with 13 Static IPs
Allocation is 62.30.5.16/28
so I have 62.30.5.16 as Network
62.30.5.17 as GW
and 62.30.5.17 ---- 30 useable IPs while .31 as broadcast


I have configured above on WAN1 interface and added a static route to 62.30.5.17 and up and away on internet.

However, I need to configure NAT for multiple servers which will reside behind this router.

as an example

192.168.77.10 >>> 62.30.5.19 Mailserver as an example
192.168.77.11 >>> 62.30.5.20 IIS as an example

I have been trying to add as below

add chain=src-nat src-address=192.168.77.10 action=src-nat to-addresses=62.30.5.19
add chain=dst-nat dst-address=62.30.5.19 action=dst-nat to-addresses=192.168.77.10

i have also gone ahead and disabled general masquerade rule upon which gives me no internet at all
I am also unable to get NAT’ing working.

Ideally, I want all other traffic to use first useable IP and then rest to NAT as per my liking

Your valued time and suggestions to point me in the right directions will be highly appreciated.

thanks

2

I think you got everything working correctly, and missing only one small thing:
On the 62.30.5.16/28 network segment, the Gateway 62.30.5.17 wants to send a packet to your IIS (62.30.5.20) because it is directly connected and sends an ARP request to the L2 domain. No router got that IP assigned to, therefore the ARP request will timeout and the packet dropped.
To overcome this problem, you can configure the WAN interface to reply to all ARP requests on that segment with its mac address.
So, assuming ether1 is your WAN port:

/interface ethernet set ether1 arp=proxy-arp

Do not overuse the proxy arp feature, especially in L2 domains with more than 2 devices. You may encounter oddities.
Also move your masquerade rule to last.
If you can get it working, we can tweak the config a little more.

3

thanks for such a quick reply
to give you full picture, this is what I have done to 62.30.5.16/28 range

I have chucked it into

62.30.5.18/30 and named is WAN1 Router

then I have chucked the rest as below

62.30.5.19/28
62.30.5.20/28

to
62.30.5.30/28

and added them as addresses on WAN1.

Have I done this correctly ?

or shall I go back to just having 62.30.5.18/28 as only subnet on the WAN interface

with above settings, I have just done the test after enabling arp-proxy as per your suggestion.
I have also moved masquerade rule to the last
and have the following rules on top

add chain=src-nat src-address=192.168.77.10 action=src-nat to-addresses=62.30.5.19
add chain=dst-nat dst-address=62.30.5.19 action=dst-nat to-addresses=192.168.77.10


I am unable to browse on this computer.
please advise and thank you

4

Can you post your full configuration? (Hiding sensitive information)
Is 62.30.5.17 the provider device or the whole 62.30.5.16/28 is a routed network to your device?

5

Hi sorry for a late reply. I got it working after rebooting the router post proxy addition on wan interface.thanks.

Sent from my SUPER using Tapatalk

6

To help others .17 was providers device and has /28 on it.its in modem mode so passes all config to mikrotik which is configured to handle everything. I also have an fttc on wan2 to fail over to when wan1 is down.I am considering a load balancing setup in the future.if anyone is in same situation then let me know I will gladly help out.

Sent from my SUPER using Tapatalk