Need help with several public IPs and multiple LANs

Hey guys (and gals),

Please help me set up multiple public static IPs with several subnets. I’m trying to salvage this config with your help, as the Servers subnet has some rules and MAC reservations I would like to keep. I tried to make 192.168.100.0/24 use the second or third static IP I have with no success; it uses x.x.x.230 and, because of that cloudflare rule I set up, half of the websites don’t work :slight_smile:. I want to keep a cloudflare rule as I have a reverse proxy at 10.0.20.5 and multiple services behind it.

I realize it’s pretty convoluted, so how would you set this up from scratch? I’ve pasted the config below, hopefully I cleaned all sensitive info. Thank you for your time!

# 2025-02-09 10:27:26 by RouterOS 7.16.1

# software id = **ELIDED**

#

# model = RB750Gr3

# serial number = XXXXXXXXX

/interface ethernet

set [ find default-name=ether1 ] disabled=yes mtu=1492 name=ether1-WAN-Home

set [ find default-name=ether2 ] mtu=1492 name=ether2-WAN-Business

set [ find default-name=ether3 ] arp=proxy-arp mtu=1492 name=ether3-LAN-Home

set [ find default-name=ether4 ] arp=proxy-arp mtu=1492 name=ether4-LAN-Servers

set [ find default-name=ether5 ] disabled=yes mtu=1492

/interface pppoe-client

add add-default-route=yes default-route-distance=5 interface=ether1-WAN-Home max-mru=1492 max-mtu=1492 name=WAN1-Home user=XXXXXXXXX

/interface wireguard

add listen-port=xxxx mtu=1420 name=wireguard1

/interface list

add name=LAN

add comment="all WANs" name=WAN

/ip ipsec proposal

set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=3h

/ip pool

add comment="Home Network" name=dhcp_pool0 ranges=192.168.100.10-192.168.100.100

add comment="Servers Network" name=dhcp_pool1 ranges=10.0.20.10-10.0.20.200

/ip dhcp-server

add address-pool=dhcp_pool0 interface=ether3-LAN-Home lease-time=1d name=LAN-Home-DHCP

add address-pool=dhcp_pool1 interface=ether4-LAN-Servers lease-time=1d name=LAN-Servers-DHCP

/routing table

add disabled=no fib name=wan2

/ip neighbor discovery-settings

set discover-interface-list=LAN

/ipv6 settings

set disable-ipv6=yes

/interface l2tp-server server

set enabled=yes use-ipsec=required

/interface list member

add interface=ether3-LAN-Home list=LAN

add interface=ether4-LAN-Servers list=LAN

add interface=ether5 list=LAN

add interface=WAN1-Home list=WAN

add interface=ether2-WAN-Business list=WAN

add interface=wireguard1 list=LAN

/interface wireguard peers

add allowed-address=10.0.70.2/32 client-keepalive=10s endpoint-port=13377 interface=wireguard1 name=client1-wg persistent-keepalive=10s private-key="xxx" public-key="xxx"

add allowed-address=10.0.70.3/32 endpoint-port=13377 interface=wireguard1 name=client2-wg persistent-keepalive=10m private-key="xxx" public-key="xxx"

/ip address

add address=192.168.100.1/24 comment=Home interface=ether3-LAN-Home network=192.168.100.0

add address=10.0.20.1/24 comment=Servers interface=ether4-LAN-Servers network=10.0.20.0

add address=x.x.213.230/26 interface=ether2-WAN-Business network=x.x.213.192

add address=x.x.213.231/26 interface=ether2-WAN-Business network=x.x.213.192

add address=x.y.83.211/23 interface=ether2-WAN-Business network=x.y.82.0

add address=192.168.1.5 interface=ether2-WAN-Business network=192.168.1.5

add address=10.0.70.1/24 comment="Wireguard VPN" interface=wireguard1 network=10.0.70.0

/ip arp

add address=192.168.100.100 interface=ether3-LAN-Home mac-address=xxx

add address=10.0.20.40 interface=ether4-LAN-Servers mac-address=xxx

add address=10.0.20.4 interface=ether4-LAN-Servers mac-address=xxx

add address=10.0.20.5 interface=ether4-LAN-Servers mac-address=xxx

add address=10.0.20.3 interface=ether4-LAN-Servers mac-address=xxx

/ip dhcp-server network

add address=10.0.20.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.0.20.1 netmask=24

add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1

/ip dns

set servers=1.1.1.1,8.8.8.8

/ip firewall address-list

add address=173.245.48.0/20 list=cloudflare_ips

add address=103.21.244.0/22 list=cloudflare_ips

add address=103.22.200.0/22 list=cloudflare_ips

add address=103.31.4.0/22 list=cloudflare_ips

add address=108.162.192.0/18 list=cloudflare_ips

add address=141.101.64.0/18 list=cloudflare_ips

add address=190.93.240.0/20 list=cloudflare_ips

add address=188.114.96.0/20 list=cloudflare_ips

add address=197.234.240.0/22 list=cloudflare_ips

add address=198.41.128.0/17 list=cloudflare_ips

add address=162.158.0.0/15 list=cloudflare_ips

add address=104.16.0.0/13 list=cloudflare_ips

add address=104.24.0.0/14 list=cloudflare_ips

add address=172.64.0.0/13 list=cloudflare_ips

add address=131.0.72.0/22 list=cloudflare_ips

/ip firewall filter

add action=accept chain=forward dst-address-list="10.0.20.0/24, 10.0.70.0/24" src-address=192.168.100.0/24

add action=accept chain=forward dst-address=192.168.100.0/24 src-address-list="10.0.20.0/24, 10.0.70.0/24"

add action=accept chain=input connection-state=established,related,untracked in-interface-list=WAN

add action=accept chain=input connection-state=established,related,new,untracked in-interface=ether2-WAN-Business

add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes

add action=accept chain=forward comment="accept established,related" connection-state=established,related

add action=accept chain=input comment="Allow WireGuard" port=xxx protocol=udp

add action=accept chain=forward dst-address=10.0.20.5 dst-port=80,443 in-interface=ether2-WAN-Business log-prefix=to_haproxy protocol=tcp src-address-list=cloudflare_ips

add action=accept chain=output dst-address=0.0.0.0 src-address=10.0.20.5

add action=drop chain=forward connection-state=invalid

add action=accept chain=forward dst-address=0.0.0.0/0 log=yes out-interface=ether2-WAN-Business src-address=192.168.100.0/24

/ip firewall nat

add action=accept chain=srcnat dst-address=10.0.20.0/24 src-address=192.168.100.0/24

add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=10.0.20.0/24

add action=masquerade chain=srcnat log=yes out-interface=ether2-WAN-Business src-address=192.168.100.0/24 to-addresses=x.x.213.231

add action=masquerade chain=srcnat out-interface=ether2-WAN-Business

add action=masquerade chain=srcnat log=yes out-interface=ether2-WAN-Business

add action=dst-nat chain=dstnat dst-address=x.x.213.230 dst-port=80,443 in-interface=ether2-WAN-Business protocol=tcp src-address-list=cloudflare_ips to-addresses=10.0.20.5

/ip hotspot profile

set [ find default=yes ] html-directory=hotspot

/ip ipsec profile

set [ find default=yes ] dpd-interval=5m dpd-maximum-failures=2 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256

/ip route

add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=*1 suppress-hw-offload=no

add check-gateway=ping disabled=no distance=15 dst-address=0.0.0.0/0 gateway=x.y.82.1 routing-table=*1 suppress-hw-offload=no

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=wan2 suppress-hw-offload=no

add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=x.x.213.192 routing-table=main suppress-hw-offload=yes

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www address=192.168.100.0/24,10.0.20.0/24,10.0.70.0/24

set ssh address=192.168.100.0/24,10.0.20.0/24,10.0.70.0/24,0.0.0.0/0 port=xxxx

set www-ssl address=192.168.100.0/24,10.0.20.0/24,10.0.70.0/24 disabled=no

set api disabled=yes

set winbox address=192.168.100.0/24,10.0.20.0/24,10.0.70.0/24 port=xxxx

set api-ssl disabled=yes

/ip ssh

set strong-crypto=yes

/ppp secret

add local-address=10.10.20.1 name=xxx profile=default-encryption remote-address=10.10.20.228 service=l2tp

/routing rule

add action=lookup disabled=no dst-address=10.0.20.0/24 src-address=10.0.20.5 table=main

add action=lookup disabled=no dst-address=10.0.70.0/24 src-address=10.0.20.5 table=main

add action=lookup disabled=no dst-address=192.168.100.0/24 src-address=10.0.20.5 table=main

add action=lookup-only-in-table disabled=no src-address=10.0.20.5 table=wan2

add action=lookup disabled=no src-address=192.168.100.1/24 table=wan2

/system clock

set time-zone-name=xxx/xxx

/system identity

set name=gw

/system note

set show-at-login=no

/system ntp client

set enabled=yes

/system ntp client servers

add address=ro.pool.ntp.org

/system script

add dont-require-permissions=no name=reboot owner=xxxxx policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system reboot"

/tool bandwidth-server

set enabled=no

/tool mac-server

set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN

/user settings

set minimum-categories=3 minimum-password-length=18

Before anything else, search in your configuration for “*” (asterisk).
Entries like this:

/ip route

add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=*1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=15 dst-address=0.0.0.0/0 gateway=x.y.82.1 routing-table=*1 suppress-hw-offload=no

mean that something (a routing table in this case) was removed/renamed/however and all that remains is a sort of placeholder RouterOS automatically creates.

It likely doesn’t create any issues because the distance is high and those routes are not active normally, still …

An (even roughly sketched) network diagram would help to understand your setup; even a photo of a hand-drawn one would help.

As well, the output of:

/ip address print

and of

/ip route print

would be useful to understand what - besides the static entries - you have when running that config.
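As an added example (not from this thread), the placeholder search suggested above can be automated: the script below parses a RouterOS export, flags any `*N` value that points at an object that no longer exists, and also reports address lists that filter rules reference but that have no entries under /ip firewall address-list (the OP's export references a list named "10.0.20.0/24, 10.0.70.0/24" while only cloudflare_ips is defined). The embedded excerpt is constructed and modelled on the OP's config.

```python
import re

# Constructed excerpt in RouterOS export format, modelled on the thread's config.
SAMPLE_EXPORT = """\
# 2025-02-09 by RouterOS 7.16.1 (constructed sample)
/ip firewall address-list
add address=173.245.48.0/20 list=cloudflare_ips
/ip firewall filter
add action=accept chain=forward dst-address-list="10.0.20.0/24, 10.0.70.0/24" src-address=192.168.100.0/24
add action=accept chain=forward dst-address=10.0.20.5 dst-port=80,443 protocol=tcp src-address-list=cloudflare_ips
/ip route
add distance=5 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=*1
add distance=1 dst-address=0.0.0.0/0 gateway=x.x.213.193 routing-table=wan2
"""

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
# RouterOS shows references to deleted objects as *<hex id>, e.g. routing-table=*1
PLACEHOLDER_RE = re.compile(r'^\*[0-9A-Fa-f]+$')


def parse_export(text):
    """Yield (section, verb, {key: value}) for each add/set line of an export."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):          # a menu path such as /ip route
            section = line
            continue
        verb, _, rest = line.partition(' ')
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        yield section, verb, kv


def lint_export(text):
    """Return findings: dangling *N placeholders and address lists used but never defined."""
    findings, defined_lists, referenced = [], set(), []
    for section, verb, kv in parse_export(text):
        for key, value in kv.items():
            if PLACEHOLDER_RE.match(value):
                findings.append(f"{section}: {key}={value} points at an object that no longer exists")
            if key in ('src-address-list', 'dst-address-list'):
                referenced.append((section, key, value))
        if section == '/ip firewall address-list' and 'list' in kv:
            defined_lists.add(kv['list'])
    for section, key, name in referenced:
        if name not in defined_lists:
            findings.append(f"{section}: {key}={name!r} but no such address-list has any entries")
    return findings


if __name__ == '__main__':
    for finding in lint_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against the output of `/export` saved to a file to get the same two classes of findings on a real config.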

Hey jaclaz,

You’re right about the routing tables, I had a lookup table for 10.0.20.1/24 in the past, because I had another default PPPoE connection that my Home subnet was using. Also want to mention that I have the subnets bound each to a separate interface.

I managed to sketch a diagram, hope this is somewhat helpful. I just realised I have a small managed switch between the Proxmox server and the Mikrotik. I have my iLO connected to one of the switch ports and assigned to an IP in the 10.0.20.1/24 subnet, but these may just be irrelevant details.

Any suggestions on how to simplify the config would be much appreciated!

https://imgur.com/a/lmeDgOl

  • ip address print:
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS            NETWORK         INTERFACE
;;; Home
0 192.168.100.1/24   192.168.100.0   ether3-LAN-Home
;;; Servers
1 10.0.20.1/24       10.0.20.0       ether4-LAN-Servers
2 xx.xx.213.230/26  xx.xx.213.192  ether2-WAN-Business
3 xx.xx.213.231/26  xx.xx.213.192  ether2-WAN-Business
4 xx.xx.83.211/23   xx.xx.82.0     ether2-WAN-Business
5 192.168.1.5/32     192.168.1.5     ether2-WAN-Business
;;; Wireguard VPN
6 10.0.70.1/24       10.0.70.0       wireguard1

  • ip route print:
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS        GATEWAY              DISTANCE
0  Is  0.0.0.0/0          xx.xx.213.192              1
  DAc  10.0.20.0/24       ether4-LAN-Servers          0
  DAc  10.0.70.0/24       wireguard1                  0
  DAc+ xx.xx.213.192/26  ether2-WAN-Business         0
  DAc+ xx.xx.213.192/26  ether2-WAN-Business         0
  DAc  xx.xx.82.0/23     ether2-WAN-Business         0
  DAc  192.168.1.5/32     ether2-WAN-Business         0
  DAc  192.168.100.0/24   ether3-LAN-Home             0
1  As  0.0.0.0/0          xx.xx.213.193              5
2   s  0.0.0.0/0          xx.xx.82.1                15
3  As  0.0.0.0/0          xx.xx.213.193              1

Just wanted to post an update; I just deleted the extra routing table and a few more vestigial things and it works now. So keep your config tidy, I guess :slight_smile: Also, thank you for the help!