Hi everyone,
I asked my ISP for a /29 class of public IPs, therefore 6 usable.
I now connect with a MikroTik RB4011iGS+ with a fixed public IP 82.xx.xx.xx/24; they gave me the GW 82.xx.xx.1 (this is configured and working).
Now I have a class 86.yy.yy.yy/29 that I don't understand how to configure (I did a lot of tests but without many results); they also gave me an IPv6 class consisting of: 1 IP, a GW, a LAN address that matches the GW, and 2 DNS, prefix length /48.
Can you help me shed some light on this?
I thank you in advance,
Michele
By default (with no firewall rules), just set one of the /29 IP addresses on another interface (or the bridge interface) as the gateway IP for your other devices.
IP - Routes: have the 0.0.0.0/0 destination point to the .1 IP of your ISP.
Connect the other devices to the same interface (or any of the bridged interfaces) and it should just work. Set up the DHCP server if you want, but for testing, just statically assign a host another IP from the /29, using the IP you gave the RouterBoard as the gateway.
Hello,
Thanks for the reply.
In practice I have to build a network like the one I attach.
I set almost the minimum to try:
on ether6 the WAN with the address 82.xx.xx.xx/24
on eth7 LAN1 with DHCP
on the fpp LAN2 with DHCP
each /29 address on the WAN.
set dst and src for each address
It seems to work with IPv4.
With the IPv6 data I have, I don't know; the MikroTik always gives me errors.
One thing I noticed is that on the LAN2 VMs, if I ask for the public IP address, it returns the 82.../24 address, not the /29 address.
I don't understand why…

One thing I noticed is that on the LAN2 VMs, if I ask for the public IP address, it returns the 82.../24 address, not the /29 address.
Do you have any NAT firewall rules? You don’t want to be doing NAT.
Hello,
Yes, I have set 2 NAT rules (dst and src) for the /29 addresses, plus there is the usual NAT masquerade above these 2.
I would like every VM to be seen with its address /29.
So doesn’t that nat sound good?
Do you want the VMs to have addresses from the /29? Or do you want them to be seen with addresses from the /29?
From your first post, it sounded like you wanted the VMs to have addresses from the /29… If that is the case, you will be using RouterOS as an actual router, no NAT needed.
If you want to assign RFC1918 IPs to your VMs and have them appear from the /29, you will need to add a lot more details about how you want your network set up.
Hi,
So I would like to set up on the router that the public address 82.xx.xx.xx/24 does NAT with LAN 10.29.22.0/24; everything works here, the 3 servers connect to this network via eth1 and this is my management LAN.
Now in addition I have the class 86.yy.yy.yy/29 (routed via the 82.xx.xx.xx/24 by the ISP); from this class I would like the VMs to have a public address like 86.yy.yy.10, 86.yy.yy.11, 86.yy.yy.12, etc.
Of course these are in the LAN network 192.168.1.1/24 to be able to communicate with each other internally.
So for example:
server1.dns will have 86.yy.yy.10 + 192.168.1.10
server2.mail will have 86.yy.yy.11 + 192.168.1.11
etc.
As @kevinds has suggested - you have to make your src-nat or masquerade rule ignore connections from source addresses from the /29 subnet.
If you want to make the hosts in the /29 accessible from the internet, you must set appropriate rules in chain=forward of your firewall.
If you don't understand what I'm talking about, follow the hint in my automatic signature.
Ok
Then don’t set the /29 IP on the router.
Just use
dstnat
dst address - 86.yy.yy.10
action - dst-nat
to 192.168.1.10
srcnat
src address - 192.168.1.10
action - src-nat
to 86.yy.yy.10
dstnat
dst address - 86.yy.yy.11
action - dst-nat
to 192.168.1.11
srcnat
src address - 192.168.1.11
action - src-nat
to 86.yy.yy.11
Repeat for each IP. You can use all 8 IPs in the /29 doing it this way.
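The per-address dst-nat/src-nat pairs above, written out as RouterOS commands; this is an added example, not code from the thread. It assumes ether6 is the WAN interface (as in Michele's earlier post), that the ISP routes the /29 toward the router's 82.xx.xx.xx address, and the service ports per VM are placeholders.

```routeros
# Added example, not from the thread. Assumes ether6 = WAN; 86.yy.yy.10/11 and the
# 192.168.1.x VM addresses are the ones discussed above, service ports are placeholders.
/ip firewall nat
# Inbound 1:1: anything addressed to a /29 address is handed to the matching VM.
add chain=dstnat dst-address=86.yy.yy.10 action=dst-nat to-addresses=192.168.1.10 \
    comment="86.yy.yy.10 -> vm10"
add chain=dstnat dst-address=86.yy.yy.11 action=dst-nat to-addresses=192.168.1.11 \
    comment="86.yy.yy.11 -> vm11"
# Outbound 1:1: each VM leaves with its own public address. out-interface=ether6 keeps
# VM-to-VM and VM-to-LAN1 traffic untouched, and these rules must come BEFORE the
# general masquerade rule, because the first matching rule in chain=srcnat wins.
add chain=srcnat src-address=192.168.1.10 out-interface=ether6 action=src-nat \
    to-addresses=86.yy.yy.10 comment="vm10 -> 86.yy.yy.10"
add chain=srcnat src-address=192.168.1.11 out-interface=ether6 action=src-nat \
    to-addresses=86.yy.yy.11 comment="vm11 -> 86.yy.yy.11"
# Catch-all for the rest of the private LAN stays last.
add chain=srcnat out-interface=ether6 action=masquerade
# Same result with two rules instead of two per VM, as long as the private and public
# ranges are aligned so that 192.168.1.10 <-> 86.yy.yy.10, .11 <-> .11, and so on:
# add chain=dstnat dst-address=86.yy.yy.8/29 action=netmap to-addresses=192.168.1.8/29
# add chain=srcnat src-address=192.168.1.8/29 out-interface=ether6 action=netmap \
#     to-addresses=86.yy.yy.8/29
# NAT alone opens nothing: chain=forward still decides what reaches the VMs.
# Only the published services are accepted; new connections to anything else are dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether6 connection-nat-state=dstnat dst-address=192.168.1.10 \
    protocol=tcp dst-port=80,443 action=accept comment="web"
add chain=forward in-interface=ether6 connection-nat-state=dstnat dst-address=192.168.1.11 \
    protocol=tcp dst-port=25,587 action=accept comment="mail"
add chain=forward in-interface=ether6 connection-state=new action=drop
```

With "add" the rules are appended, so if chain=forward already ends in a drop rule, put the accept rules above it with place-before.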
Wait..
Re-reading this…
Do you want your VM servers to have two IP addresses? Or just the 192.168.1.x IP?
You should also have an internal IP and a public /29 IP.
Would it be better to set 2 NICs on the machines? nic1 for the LAN and nic2 for the public address?
However, I did as you describe in the dstnat and srcnat rules, but when I run #curl ifconfig.me from the machine I get the public IP of the router, not the /29 one.
You should also have an internal IP and a public /29 IP.
Huh? Does this mean you want both IPs on one interface?
Would it be better to set 2 NICs on the machines? nic1 for the LAN and nic2 for the public address?
Probably, then you could set the router up the way I was first describing. Just leave out the 192.168.1.1 gateway.
However, I did as you describe in the dstnat and srcnat rules, but when I run #curl ifconfig.me from the machine I get the public IP of the router, not the /29 one.
I’m not sure what you mean by this…?
I'm starting to lose the thread a bit.
Practically:
I connect to the internet with IP 82.xx.xx.81/24, GW 82.xx.xx.1; to this IP I connected LAN1, I set NAT masquerade and firewall rules, and here everything works.
Now on the /29 class I have to make work:
1 web server myip1.com (where multiple domains will be hosted) → public IP 86.yy.yy.11
2 DNS servers: ns1.myip1.com → public IP 86.yy.yy.12 and
ns2.myip1.com → public IP 86.yy.yy.13
1 mail server mail.myip1.com → public IP 86.yy.yy.14
These servers are VMs in LAN2 192.168.1.0/24.
If from the terminal of the web server I run the command #curl ifconfig.me, I would expect to see the address 86.yy.yy.12 as the public IP, but instead I get another IP, that of the router, 82.xx.xx.81.
Once again:
To make your LAN hosts with private IPs receive responses from hosts in the internet, you need to src-nat their connections to the hosts in internet to the address(es) in 82.xx.xx.81/24. For that, you already have an action=masquerade or action=src-nat rule in chain=srcnat of your /ip firewall nat table.
Now for your LAN hosts with public IPs from the /29 subnet, you need to prevent the rule above from working, which can be done e.g. by adding src-address=!86.yy.yy.8/29 to that rule.
After doing that, your curl ifconfig.me should start showing their public IP from 86.y.y.8/29. But there is a caveat: if your VMs prefer their private IP to send the traffic, the NAT rule will still work. So you have to make sure that this doesn't happen by assigning the private and public IPs of the VMs to different "physical" interfaces and making sure that the default route uses 86.y.y.9 as gateway.
Now if you want the hosts in 86.y.y.8/29 to act as servers, i.e. to respond to requests coming from the internet, you must permit access to their service ports (http, https, no idea which ones you actually use) by adding corresponding rules to proper places in chain=forward of /ip firewall filter of your Mikrotik.
Or, alternatively, you can let the VMs use only the private addresses and use src-nat and dst-nat to translate the VMs' individual internal private addresses to the addresses from 86.y.y.8/29 (which requires one NAT rule per (private,public) address pair and direction, or a single action=netmap rule per direction if the last byte of the private and public IPs is the same), but this approach induces more headache in other areas, so I would avoid it.
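The routed setup sindy describes (VMs hold /29 addresses, the masquerade rule skips them, chain=forward opens only the service ports), as an added example that is not code from the thread. It assumes ether6 is the WAN interface, bridge-lan2 is the interface the VMs sit on, and the port lists per server are assumptions.

```routeros
# Added example, not from the thread. Assumes ether6 = WAN (82.xx.xx.81/24) and
# bridge-lan2 = the interface the VMs sit on; 86.yy.yy.9 is the first usable /29 address.
# 1) The router takes 86.yy.yy.9 on the VM side; the VMs use it as their default gateway.
/ip address
add address=86.yy.yy.9/29 interface=bridge-lan2 comment="gateway for the public VMs"
# 2) The existing masquerade keeps serving the private LAN but must skip the /29,
#    otherwise the VMs' public source address is rewritten to 82.xx.xx.81.
/ip firewall nat
set [find chain=srcnat action=masquerade] src-address=!86.yy.yy.8/29
# 3) chain=forward: replies back in, then only the published services, then drop.
#    "add" appends, so these must land above any existing catch-all drop
#    (use place-before=... if one is already there).
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether6 dst-address=86.yy.yy.11 protocol=tcp \
    dst-port=80,443 action=accept comment="web"
add chain=forward in-interface=ether6 dst-address=86.yy.yy.12-86.yy.yy.13 protocol=udp \
    dst-port=53 action=accept comment="ns1/ns2"
add chain=forward in-interface=ether6 dst-address=86.yy.yy.12-86.yy.yy.13 protocol=tcp \
    dst-port=53 action=accept comment="ns1/ns2, large answers and zone transfers"
add chain=forward in-interface=ether6 dst-address=86.yy.yy.14 protocol=tcp \
    dst-port=25,465,587,993 action=accept comment="mail"
add chain=forward in-interface=ether6 dst-address=86.yy.yy.8/29 connection-state=new \
    action=drop comment="everything else toward the /29"
# 4) Check that nothing still rewrites the VMs: the masquerade rule's counters must not
#    move while a VM runs curl ifconfig.me.
/ip firewall nat print stats where action=masquerade
# 5) sindy's caveat for a VM with a private and a public NIC: its default route must go
#    out the public NIC, e.g. on Linux (run on the VM, not on the router):
#    ip route replace default via 86.yy.yy.9 dev <public nic>
```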
What can I say, Sindy, thank you very much for this more substantial clarification.
I'm sorry, unfortunately I was a bit in trouble; I had never had to set up a class before.
Thanks also to Kevinds for the many replies you gave me.
Now I just have to try..
Thank you, I'll let you know.
Hello,
Succeeded, everything OK.
However I also have a /48 subnet to set.
The ISP provided me:
subnet /48
WAN IP and GW
LAN IP /48
DNS1 and DNS2.
Is it possible to set this on the MikroTik?
Who can help me?
That /48 network is probably IPv6? Usually you assign a /64 to every subnet interface and either enable DHCPv6 server (good luck with that on MT) or router advertisements (and let devices autoconfigure from there). Just make sure you have a default IPv6 route set … and most importantly, have ROS 6.44.3 (or newer) installed (6.44.2 fixed a nasty long-lived bug) and a decent IPv6 firewall.
It’s not probably, it is IPv6. IPv4’s highest subnet (from 0 up) is /32 which is a single host. The slash /48 is for IPv6 and you are correct, it’s meant to be split in the /64’s.
I am lucky not to have had to configure IPv6 on Mikrotik yet, but depending on your device model (and thus default package configuration), the first thing needed may be to enable (or even install) the package named ipv6. Use /system package print where name~"ipv6" to check whether it is installed and, if yes, whether it is enabled.
I would recommend to disconnect the machine from the uplink before you enable/install the package (both require a reboot) until you configure the IPv6 firewall rules; basically a single action=drop rule in each of chain=input and chain=forward of /ipv6 firewall filter is enough to safely reconnect the uplink to shorten the downtime, but unfortunately you cannot do that before enabling the package. Later on you’ll have to add some permissive rules so that you could test the routing after you configure the IPv6 subnet up to the advice given by @mkx.
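The IPv6 bring-up that mkx and sindy outline (package check, default-deny firewall before the uplink comes back, one /64 per LAN with router advertisements, default route), as an added example that is not code from the thread. 2001:db8:abcd::/48 stands in for the ISP's /48, 2001:db8:ffff::1 and ::2 for the ISP gateway and WAN address, and 2001:db8:53::1/2 for the DNS servers (documentation-prefix placeholders); ether6 as WAN and bridge-lan2 as LAN are assumptions.

```routeros
# Added example, not from the thread. Placeholders: 2001:db8:abcd::/48 = the ISP's /48,
# 2001:db8:ffff::1 = ISP gateway, 2001:db8:ffff::2 = WAN address, 2001:db8:53::1/2 = DNS.
# Assumes ether6 = WAN, bridge-lan2 = LAN. Keep the uplink unplugged until step 2 is in.
# 1) Is the ipv6 package present and enabled? Enabling it needs a reboot.
/system package print where name~"ipv6"
/system package enable ipv6
/system reboot
# 2) Minimal default-deny before reconnecting: router itself (input) and LAN (forward).
#    icmpv6 stays open because neighbour discovery, RAs and PMTUD break without it.
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input in-interface=ether6 action=drop comment="nothing else from the uplink"
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface=ether6 action=drop comment="nothing unsolicited into the LAN"
# 3) WAN address and default route as supplied by the ISP.
/ipv6 address
add address=2001:db8:ffff::2/64 interface=ether6
/ipv6 route
add dst-address=::/0 gateway=2001:db8:ffff::1
# 4) One /64 out of the /48 per LAN; advertise=yes makes the router send RAs for it,
#    so hosts autoconfigure (SLAAC) without a DHCPv6 server.
/ipv6 address
add address=2001:db8:abcd:1::1/64 interface=bridge-lan2 advertise=yes
/ipv6 nd
set [find default=yes] interface=bridge-lan2 advertise-dns=yes
/ip dns
set servers=2001:db8:53::1,2001:db8:53::2
# 5) Later, per published service: one hole, placed above the forward drop rule.
/ipv6 firewall filter
add chain=forward in-interface=ether6 dst-address=2001:db8:abcd:1::11/128 protocol=tcp \
    dst-port=80,443 action=accept comment="web server" \
    place-before=[find chain=forward in-interface=ether6 action=drop]
# Check: /ipv6 route print should list ::/0 as active, and a LAN host should obtain a
# 2001:db8:abcd:1::/64 address via SLAAC.
```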
Yes yes guys, it's IPv6, sorry I didn't write it.
The MikroTik is an RB4011iGS+; I will do some tests and keep you updated.
Thank you.