I’ve spent all day trying to get this to work, and I’m still struggling, even though it’s a simple task.
What I want is to use a public IP from my routed subnet directly on a server inside my network (without NAT). Current setup is:
The ISP provides the following over the connection (IP’s changed):
Static IP: 1.1.1.1/30 with a default gateway of 1.1.1.2
Routed subnet: 2.2.2.1/28 (I want to use all 16 IPs, so I’m not setting this IP on any of my interfaces). The ISP routes all IPs to the static IP above, so that should be OK.
So I have:
ether5 - connection to ISP. Static IP set to 1.1.1.1/30
ether9 - my server - IP: 2.2.2.1, subnet: 255.255.255.255, gw: 1.1.1.1
and a nat bypass:
/ip firewall nat add action=accept chain=srcnat src-address=62.252.149.9
I can’t ping or get any connectivity from the server. This should be simple, but it just isn’t working.
As a test, I assigned the 2.2.2.1 IP directly to the ether5 interface on the Mikrotik and I can ping it from an external site, so I know the routed subnet is reaching the router.
I had a look at that along with many other posts, but it wasn’t clear what the final outcome was and how it should be configured. Ideally I just want to map an IP from my routed subnet directly to a physical server plugged into ether9, with no PPPoE in this case and no NAT or IP tunnels. Is that possible?
And if you have server with 2.2.2.1/255.255.255.255 and gateway 1.1.1.1 connected to ether9, it will work. Well, if you don’t block it with firewall or something.
The torch tool shows that a ping I am running to 2.1.1.1 (real IP 62.252.x.x in the screenshot) from outside is being sent to ether9, and it appears the server is responding, but the ping fails. So is it a firewall issue where traffic from ether9 can’t go back out, like some NAT or forward rule?
Using address=1.1.1.1/32 even though 1.1.1.1 is already on a different interface should be OK. At least it was in previous RouterOS versions. I like this “recycling” to avoid having too many different addresses. But it’s not required; you can use any other address, just pick something unique, e.g. some 10.x.x.x (and then use it also as the gateway on the server).
/32 in network=2.2.2.1/32 was my mistake, sorry.
You don’t need proxy-arp. Try to change the address, as mentioned in 1).
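To make the advice in this thread concrete, here is the full RouterOS configuration for the routed /28 scenario, written as an added example for this page (it is not from the thread or from MikroTik's documentation). It uses the thread's placeholder addresses (1.1.1.1/30 on ether5, 2.2.2.1 for the server on ether9) and assumes the interface names from the first post; the 10.255.255.1/32 gateway address on ether9 is an arbitrary private address chosen for illustration, standing in for the "reuse 1.1.1.1/32" option mentioned above.

```routeros
# Added example, not the poster's configuration. Addresses are the thread's placeholders.

# WAN side: the ISP /30 on ether5 and the default route via the ISP gateway.
/ip address add address=1.1.1.1/30 interface=ether5 comment="ISP point-to-point"
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.2

# Server side: a /32 address on ether9 that exists only to be the server's
# next hop. network= names the single host on the far side, which makes
# RouterOS install a connected route for 2.2.2.1/32 via ether9 without
# proxy-arp. 10.255.255.1 is an assumption; 1.1.1.1/32 works here too.
/ip address add address=10.255.255.1/32 network=2.2.2.1 interface=ether9 \
    comment="gateway for server 2.2.2.1"

# Keep the server's traffic out of masquerade: the accept must sit above any
# srcnat masquerade rule, so it is placed at the top of the NAT chain.
/ip firewall nat add chain=srcnat src-address=2.2.2.1 action=accept \
    place-before=0 comment="no NAT for public server 2.2.2.1"
```

On the server, the matching configuration is the one given in the thread: 2.2.2.1 with a 255.255.255.255 mask and 10.255.255.1 as the default gateway. Because the gateway is not inside the server's own /32, the server's OS must be told the gateway is on-link (on Linux that is a host route for 10.255.255.1 on the interface before the default route is added). To verify on the router, `/ip route print` should show 2.2.2.1/32 as a connected route on ether9, and `/ip arp print interface=ether9` should list the server's MAC for 2.2.2.1 once it has sent anything.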
So without adding some dummy ip to the ether9 interface and then using this ip as the gateway on the server nothing would be routed, correct?
I tried what you said, but it still doesn’t work without enabling proxy-arp on ether9.
Once I get this working, can I still use input firewall rules to block traffic to my server, rather than all traffic hitting it (as it’s passing through without NAT etc.)?
One thing to mention, if it matters, is that ether5 (WAN) and ether9 are in different switch groups, so maybe that’s why ARP is required to get across the switches?
If you didn’t change it, the two firewall rules from the first post allow everything from and to server. If that’s not what you want, use different rules and allow only some ports as needed.
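The question above about using input rules has a practical answer worth spelling out: traffic to 2.2.2.1 is routed through the MikroTik, so it traverses the forward chain, never the input chain (input only sees packets addressed to the router's own addresses). The following filter rules are an added example for this page, not rules from the thread or from MikroTik's documentation; the placeholder server address 2.2.2.1 is the thread's, and the trusted admin range 203.0.113.0/24 and the allowed ports are assumptions chosen for illustration.

```routeros
# Added example, not the poster's configuration. These rules must be placed
# above any existing catch-all accept or drop in the forward chain.
/ip firewall filter

# Return traffic for connections the server opened, plus related (e.g. ICMP errors).
add chain=forward dst-address=2.2.2.1 connection-state=established,related \
    action=accept comment="replies to server 2.2.2.1"

# Management only from a trusted range (203.0.113.0/24 is an assumption).
add chain=forward dst-address=2.2.2.1 protocol=tcp dst-port=22 \
    src-address=203.0.113.0/24 action=accept comment="admin SSH to server"

# Public services exposed on the server (ports are an assumption).
add chain=forward dst-address=2.2.2.1 protocol=tcp dst-port=80,443 \
    action=accept comment="public web on server"
add chain=forward dst-address=2.2.2.1 protocol=icmp action=accept \
    comment="ping to server"

# Default deny for everything else aimed at the server.
add chain=forward dst-address=2.2.2.1 action=drop comment="drop other traffic to server"

# The server may initiate anything outbound.
add chain=forward src-address=2.2.2.1 action=accept comment="server outbound"
```

The order matters: the drop for dst-address=2.2.2.1 must come after the specific accepts, and the whole group must come before any pre-existing generic forward accept, otherwise the earlier rule wins and the server stays fully exposed. `/ip firewall filter print stats` shows per-rule packet counters, which is the quickest way to confirm a test connection is hitting the rule you expect.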
Strangely, in my testing, I removed those rules completely and the server still has access behind the assigned public IP, so it seems it lets everything through. I guess I need to drop all and then allow just what I need through…
Weird as I thought it wouldn’t work at all without the following: