Hi! I'm building a brand new WISP network and don't have many public IPs available to deliver to my customers.
I have a /30 connection between my ISP and my MT router (10.0.0.1/30 MT - 10.0.0.2/30 ISP router). They route a /29 public block of IPs to my ether1 interface (10.0.0.1). That gives me 8 available public IPs.
But I have more than 8 customers; I want to have the possibility of adding each of the 8 public IPs to some virtual interfaces on my MT router, to later MASQUERADE the customers' private IPs behind those public IPs.
So let's say the first available public IP on the /29 delivered to my router is 200.X.X.1, and I have 2 customers connected to the LAN interface (ether2). The customers' private IPs are 192.168.88.101/24 and 192.168.88.102/24. (Both customers will share the same public IP.)
How could I NAT/MASQUERADE 192.168.88.101/24 and 192.168.88.102/24 to that public IP, considering that my outside interface IP is not in that block but in a different /30?
Should I create a bridge interface for each available public IP?
To which interface you assign 200.x.x.1 does not really matter. You can use the WAN interface (but it may possibly interfere with masquerade rules, if you have some), or a dedicated bridge interface as a loopback (you can put all addresses on one; but remember that it won't actually get used as the outgoing interface), or it would even work for outgoing connections without actually having 200.x.x.1 on the router at all (but you probably want to have it there).
I want to use action=src-nat (instead of masquerade)
2.a) out-interface=ether1 (depends on whether I'm using other NAT/masquerade rules)
2.b) out-interface=Bridge1 (but I want to make sure the addresses are added and routed to the MikroTik router?)
It does not really matter too much what it is. Note that out-interface= in the srcnat rule is not related to this at all; I just put it there because you probably want to NAT only outgoing traffic to the internet. But even that may not necessarily be true.
For example, let's say that the customer with internal address 192.168.88.101 runs a web server visible to the outside on 200.x.x.1. And another customer, 192.168.88.222, who would normally use 200.x.x.2 as outgoing address, would access it. If both internal addresses are in the same subnet, you could either use the default hairpin NAT and make the connection look like it comes from the router's internal address. Or you could drop the out-interface= condition, let the srcnat rule catch it, and make it look to the web server like it comes from 200.x.x.2. If it does not make sense, don't worry about it.
Again, this "loopback" interface is there only to hold addresses; you can't use it as in-interface or out-interface anywhere.
And another option: if you had some demanding customer who required a public address directly on their equipment, you can just take any of the remaining addresses and route it directly anywhere in your network.
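The layout described in the answer above, written out as a RouterOS configuration. This is an added example, not configuration posted by Sob or the original poster. It assumes the ISP routes a /29 to the WAN address 10.0.0.1 on ether1 and uses the documentation range 203.0.113.0/29 as a stand-in for the thread's 200.x.x.0/29; the bridge name "loopback", the web server port 80, and the customer router at 192.168.88.254 are assumed values.

```routeros
# Added example, not from any post in this thread.
# Assumptions: ISP routes 203.0.113.0/29 (stand-in for the thread's
# 200.x.x.0/29) to the router's WAN address 10.0.0.1 on ether1;
# customers sit behind ether2 in 192.168.88.0/24.

# 1. A bridge with no ports acts as a loopback that only holds addresses.
#    It is never an in-interface or out-interface for any traffic.
/interface bridge
add name=loopback protocol-mode=none

# Public addresses go on it as /32 so the router does not treat the /29
# as a connected network on an interface that carries no traffic.
/ip address
add address=203.0.113.1/32 interface=loopback comment="public, shared by customers"
add address=203.0.113.2/32 interface=loopback comment="public, second NAT address"

# 2. Source NAT: customers in 192.168.88.0/24 leave as 203.0.113.1.
#    No out-interface= condition, so a customer reaching another
#    customer's published service via the public IP (hairpin) is also
#    translated and appears to come from 203.0.113.1.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 action=src-nat \
    to-addresses=203.0.113.1 comment="customers -> public"

# 3. Inbound: expose one customer's web server on 203.0.113.1:80.
#    Scoped to one address and one port; nothing else is forwarded.
add chain=dstnat dst-address=203.0.113.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.101 comment="customer web server"

# 4. A customer who needs a public address on their own equipment:
#    route one of the remaining /29 addresses straight to them instead of
#    NATing it (assumed customer router at 192.168.88.254 on ether2).
#    Their traffic is outside 192.168.88.0/24 on the wire, so rule 2 leaves it alone.
/ip route
add dst-address=203.0.113.5/32 gateway=192.168.88.254 comment="direct public IP for one customer"

# 5. Forward chain: only connections that were deliberately dst-nat'ed
#    may be opened from the WAN; everything else new from ether1 is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
```

The /32 addresses on the loopback and the absence of out-interface= are the two points from the answer; the forward-chain rules are the check a practitioner adds so that holding a public address on the router does not expose every customer behind it.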
Hi Sob! OK, NAT is working as it should for internal clients (I didn't specify the out-interface in the firewall rule).
But from the MikroTik router I can only reach/ping public IPs if I set the loopback's address as the source address. And I can't, for example, upgrade my router packages because it says it couldn't resolve upgrade.mikrotik.com.
What should I set in IP > DNS for the MikroTik to resolve addresses using my available public IPs?
Since for now what I have is
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
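An added example, not part of the post above and not a reply from the thread. It assumes the same layout as earlier (ISP link 10.0.0.0/30 with 10.0.0.1 on ether1, 203.0.113.0/29 standing in for 200.x.x.0/29). The srcnat rule from the thread matches only 192.168.88.0/24, so packets the router generates itself (DNS lookups, package downloads) leave with 10.0.0.1 as source; this example extends the same src-nat mechanism to router-originated traffic and adds the checks and the input-chain restriction that go with allow-remote-requests=yes.

```routeros
# Added example, not from any post in this thread.
# Assumption: WAN address 10.0.0.1 on ether1, public /29 is 203.0.113.0/29
# (stand-in for the thread's 200.x.x.0/29), DNS servers as in the post above.

# Router-originated traffic also passes the srcnat chain. Translate it to a
# public address, but leave the point-to-point link to the ISP router alone.
/ip firewall nat
add chain=srcnat src-address=10.0.0.1 dst-address=!10.0.0.0/30 \
    action=src-nat to-addresses=203.0.113.1 comment="router itself -> public"

# allow-remote-requests=yes makes the router answer DNS for anyone who can
# reach it, which now includes the public addresses. Keep the resolver for
# the LAN only.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no open resolver on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no open resolver on WAN"

# Checks: resolve a name, fetch from the upgrade host, and confirm the
# router's own connections are now translated.
:put [:resolve upgrade.mikrotik.com]
/tool fetch url="https://upgrade.mikrotik.com" keep-result=no
/ip firewall connection print where src-address~"^10.0.0.1:"
```

The `dst-address=!10.0.0.0/30` exclusion keeps traffic to the ISP's side of the /30 untranslated; the connection listing should show router-originated entries with a reply-dst-address of 203.0.113.1 once the rule is in place.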