Network Physical Separation

I have a PC running RouterOS with 4 NICs in it. I’m trying to separate out my networks on 3 of the cards, with one being a WAN port, so the other three are 192.168.1.0/24, 72.165.56.0/24, 10.2.0.0/24. I also need DHCP servers to run on all three of these networks off of the MikroTik. I don’t want to do it with a VLAN because we are trying to keep the physical separation. Any help is appreciated.

Hi,

help with what? jajja

You must put in IP/route the 0.0.0.0/0 route that is the gateway to the internet, and you have to put an IP on the 4 ethernet interfaces.

Martín

Thank you for that very clear and helpful reply

Classic!

OK, so assuming you’re being sarcastic, here’s my response.

You don’t say what you’ve got in place or what you’ve tried but it certainly isn’t that difficult. You need to assign an IP address to each network card in your router that corresponds to the IP address range that you want.

In terms of DHCP, you can have a DHCP server per network, so once you have the networks defined, the DHCP once again is not that difficult to set up.

Depending on your WAN connection, you may have to do a src-nat NAT rule per network to give the individual networks Internet access.

Does this make sense?

I also assume you don’t want these networks to talk to each other?

Shout if I’m totally off track please.

Well, the biggest problem I’m having is that when I’m trying to set up static routes for the interfaces it keeps saying that it can’t change a dynamic interface… So right now I’m just trying to set a static route to the bridged interface that’s connecting my first network. I don’t necessarily want them to communicate with each other, I just need them to be able to get out. I already have it set up so they are sending DHCP numbers out, but I can only get one interface to go out. I already tried the src-nat, and that didn’t work, I couldn’t get out to the rest of the world. I tried dst-nat too with the same results. I’ve been trying different things…, and now the last thing I’m running into is that I do need to set my interfaces as static. I was looking through some pages, and I was wondering if I need to do that in ARP.

Why don’t you set up a masquerade rule for each LAN card?

I tried masquerading, but the bridge doesn’t seem to want to let me get out while I’m masquerading. So I have three network segments, but I need to have them all talk to the bridge at the same time.

Hi,

BRIDGE - that is exactly your problem.
A bridge cannot do NAT. It is a bridge, a unique interface with more than one port, but only one interface.
Just delete the bridge, give each LAN interface its own IP in its own address space and give the WAN interface its IP or set it to DHCP-client. Then make one firewall entry with NAT / masquerade, chain srcnat, out-interface WAN, action masquerade and you should be set.

If this doesn’t work, you can try with 3 masquerade rules, but I don’t think this will be necessary.

If you have a router in front of your MikroTik box which already does NAT for the internet connection, you could skip the step with the masquerade rules and just make the MikroTik box the standard gateway for all clients in all 3 networks, then give the WAN port of the MikroTik the above-mentioned NAT router as standard gateway, and your networks’ traffic will be routed through the MikroTik box instead of NATted. Multiple NAT is said to cause some problems with some applications. Personally I haven’t had any I would know about yet, but better be safe than sorry :wink:

At least port forwardings from the Internet to your 3 networks will be more work to do, as you have to put them in every NAT device on your network which passes the connection.

As you say with one network you can have internet access, all the necessary routes seem to already be established for a working setup.

Bridge is for transparent connection inside one IP-Address-Range, for anything else like routing / NAT you don’t want a bridge at all.

Sincerely

Schnulch

I tried doing just a single srcnat masquerade, and all that accomplished was taking down the internet for the entire company. How would one go about doing the three masquerades, would it be done in dstnat? The biggest problem is that there are three competing routers that are causing havoc in our network. We are trying to make the MikroTik do the routing for the three different network segments so we don’t have so much competition.

Not sure what’s so difficult about this configuration. Name your interfaces Internet, LAN1, LAN2, and LAN3.

# WAN address and default gateway (values are not given in the post)
/ip address add address=/ interface=Internet
# One gateway address per physically separate LAN
/ip address add address=192.168.1.1/24 interface=LAN1
/ip address add address=72.165.56.1/24 interface=LAN2
/ip address add address=10.2.0.1/24 interface=LAN3
/ip route add gateway=
# Upstream resolvers (values not given); the router answers DNS for the clients
/ip dns set primary-dns= secondary-dns= allow-remote-requests=yes
# DHCP: one pool, one network entry and one server per LAN
/ip pool add name=dhcp_pool_LAN1 ranges=192.168.1.2-192.168.1.254
/ip pool add name=dhcp_pool_LAN2 ranges=72.165.56.2-72.165.56.254
/ip pool add name=dhcp_pool_LAN3 ranges=10.2.0.2-10.2.0.254
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dhcp-server network add address=72.165.56.0/24 gateway=72.165.56.1 dns-server=72.165.56.1
/ip dhcp-server network add address=10.2.0.0/24 gateway=10.2.0.1 dns-server=10.2.0.1
# disabled=no enables each server explicitly
/ip dhcp-server add name=dhcp_LAN1 interface=LAN1 address-pool=dhcp_pool_LAN1 disabled=no
/ip dhcp-server add name=dhcp_LAN2 interface=LAN2 address-pool=dhcp_pool_LAN2 disabled=no
/ip dhcp-server add name=dhcp_LAN3 interface=LAN3 address-pool=dhcp_pool_LAN3 disabled=no
# Source-NAT everything that leaves through the WAN interface
/ip firewall nat add chain=srcnat action=masquerade out-interface=Internet


That should get it up and running as long as the MT is directly connected to all four networks. You don’t have to add routes to the directly attached networks since they are added dynamically when you add the address to the interface. You are using a public range for LAN2, you should probably change that to a private range.
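
The configuration above routes between LAN1, LAN2 and LAN3 as soon as the addresses are assigned, and allow-remote-requests=yes makes the router answer DNS on every interface, including Internet. The following is an added example, not part of the original thread, that keeps the three segments separated at layer 3 and closes the resolver toward the WAN; it assumes the interface names Internet, LAN1, LAN2 and LAN3 from the post above.

```routeros
# Added example. Assumes the interface names from the configuration above.
# Filter rules are evaluated top to bottom; the first match wins.

# --- forward chain: traffic passing through the router ---
# Let replies to connections that were already permitted back through.
/ip firewall filter add chain=forward connection-state=established action=accept comment="replies"
/ip firewall filter add chain=forward connection-state=related action=accept comment="related"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="invalid"

# Each LAN may only leave through the WAN interface.
/ip firewall filter add chain=forward in-interface=LAN1 out-interface=Internet action=accept comment="LAN1 to WAN"
/ip firewall filter add chain=forward in-interface=LAN2 out-interface=Internet action=accept comment="LAN2 to WAN"
/ip firewall filter add chain=forward in-interface=LAN3 out-interface=Internet action=accept comment="LAN3 to WAN"

# Everything else is dropped: LAN-to-LAN traffic and new connections from the WAN.
/ip firewall filter add chain=forward action=drop comment="no inter-LAN routing"

# --- input chain: traffic addressed to the router itself ---
# Do not answer DNS queries that arrive on the WAN interface.
/ip firewall filter add chain=input in-interface=Internet protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=Internet protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
```

With the final forward drop in place, any port forward added later needs its own accept rule in the forward chain above that drop.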

I forgot to say that our WAN link is done on a 72.165.56.x number, so we need to be able to let a 72.x.x.x network work behind the MT and have a 72.x.x.x gateway.