Before we switched to Mikrotik, I was using two servers to handle our wireless network:
A Linux machine running iptables and dhcpd. Any customer with one of our wireless CPEs could connect to our towers.
A Linux machine running bridge-utils and ebtables (to prevent arp cache poisoning). We would manually configure our business public IP addresses to run through the bridge.
This setup worked great, but once people cracked any wireless encryption, they could get onto our networks without a password. That’s why we are now using PPPoE on Mikrotik.
I have just set up my first Mikrotik RouterOS on an Intel-based PC. I have successfully set up PPPoE. Customers get 192.168.20.X addresses if they’ve paid for 512k download speed, 192.168.30.X if they’ve paid for 1024k download speed, and so on up through business class speeds. They are routed through the Firewall and it is working great.
But now, many business customers are requesting that they receive a static public IP address to access their servers from home. We have multiple class C’s so we have plenty of public addresses, I am just not sure how to set it up here. I know I can hand them a public IP address via PPPoE, but it still routes them out on the internet through the RouterOS box. Do I need to set up bridging to enable this? And once I do, how do I ensure that those with public IP addresses are fully accessible from the public internet? Any help or suggestions on setting up both public and private IP addresses on a network would be appreciated. If we should go to all bridged public IPs, please say so. If we should keep everyone routed, but somehow allow a customer to have their own public IP, I would welcome any suggestion.
Is this not a Beginner Question? Maybe this topic should be in the General section. I can delete this and repost this somewhere else if it is suggested.
Are you saying that you do not want the customers with the public IPs to go straight to the internet from the RouterOS device, but rather want them to go through a separate firewall from the one in the RouterOS device? I currently use the PPPoE server on a RB532A running RouterOS myself in a fashion similar to what you are describing and I’m just using the built-in firewall.
I want the customers who have public IP addresses to go directly out on the internet without passing through the RouterOS firewall at all. I do not want the masquerade srcnat rule to apply to those clients. They need access to all of their ports directly. As an example, if they receive the public IP address 1.2.3.4 from the PPPoE server, and they run a web server, they should be able to go home and type in http://1.2.3.4 in their browser and connect to their system. All the customers with 192.168.X.X should continue to go through the firewall.
techsimp: yes, it sounds like we are running almost the exact same thing right now, but I need to add this level of service for people who do not want to go through the firewall. I just am not sure if this is done in the Firewall rules or if I have to create a Bridge.
Thank you for any help that you can provide. I will continue working on this until I have a resolution. I will post if I figure it out.
I haven’t used NAT on my setup, but as I look at it through Winbox, it appears that you can assign the srcnat to a particular input and/or output interface. In my setup, each pppoe session shows up as its own interface, and thus I believe they would not be subject to any rule applied to the srcnat interface. Can anyone verify my assumptions? If I’m correct, then all you’d need to do is go back to each of your rules and add to the rules the particular input/output interface corresponding to your srcnat customers.
This post by KCCoyote was his resolution to this issue. I’ve used it and it works; if you have any trouble let me know. I struggled with this one for a week or so reading through the same posts; once the light goes on it’s easy, as long as your provider routes your public addresses to you.
I have a configuration that’s very similar to KCCoyote, the only difference being that I use a Layer 2 VPN connecting a remote site to a Data Center. The reason for the VPN is that I need to encrypt the traffic as well as use the Public IPs that I have at the Data Center. The VPN is working and so is the PPPoE server, but the problem that I have is that when I go to http://www.whatismyip.com, the IP that shows up is the one for the Router at the Data Center and not the one that I assigned to the customer via the PPPoE server.
Here is a snapshot of my topology:
Any suggestions will be appreciated.
That didn’t work, so I must have an issue somewhere else. I made the same change on both routers - the local one and the remote.
When I check the IP I get the one from the WAN interface on the remote router (remote being the one at the Data Center). I will recheck the configuration on the remote one as soon as I get back.
Just to be clear, that was supposed to replace what you already had. The basic idea is to build an address list of addresses that are not to be NAT’d, and then tell the router not to NAT them. Alternatively you can also exempt them like below without editing existing rules:
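The following is an added example written for this page by the editor; it is not the configuration any poster in this thread published. It puts together the two approaches discussed above: restricting the masquerade rule so it only matches the private speed-tier ranges (the interface/source-match idea from earlier in the thread), and keeping an address list of public addresses that are explicitly accepted in srcnat before the masquerade rule (the approach in the reply just above). The interface name ether1, the profile name "business", the secret name and password, and the block 1.2.3.0/24 (extending the 1.2.3.4 used earlier in the thread) are all placeholders you would replace with your own.

```routeros
# Added example for this thread; not from any poster. ether1, the profile
# "business", the secret bizcust1 and the block 1.2.3.0/24 are placeholders.

# 1. Hand a business customer a fixed public address on their PPPoE session.
#    remote-address on the secret overrides the pool from the profile, so
#    this customer gets 1.2.3.4 instead of a 192.168.x.x tier address.
/ppp secret
add name=bizcust1 password=CHANGEME service=pppoe profile=business remote-address=1.2.3.4

# 2. Keep a list of addresses that must never be source-NATed.
/ip firewall address-list
add list=public-nonat address=1.2.3.0/24 comment="static public customers"

# 3. NAT rules are evaluated top to bottom. The accept rule sits above the
#    masquerade rule, so anything in public-nonat leaves srcnat untouched and
#    goes out with its real address; the 192.168.x.x tiers are still masqueraded.
#    Because the masquerade rule is also restricted to 192.168.0.0/16, a session
#    holding 1.2.3.4 would be exempt even without the accept rule; the accept
#    rule just makes the intent explicit and survives later rule changes.
/ip firewall nat
add chain=srcnat action=accept src-address-list=public-nonat comment="no NAT for public IPs"
add chain=srcnat action=masquerade src-address=192.168.0.0/16 out-interface=ether1

# 4. Not NATing is only half of "fully accessible from the internet": the
#    forward chain must also admit new inbound connections to those addresses.
#    Place this above any rule that drops traffic that is not established/related.
/ip firewall filter
add chain=forward action=accept dst-address-list=public-nonat comment="inbound to static public customers"

# Checks: the customer's address should appear as a connected /32 route via the
# PPPoE session once they are logged in, and the provider must route 1.2.3.0/24
# to this router's WAN address, or packets for 1.2.3.4 never arrive to be forwarded.
/ip route print where dst-address=1.2.3.4/32
/ip firewall nat print
```

Two things are worth verifying after applying this. First, run the `/ip firewall nat print` at the end and confirm the accept rule has a lower number than the masquerade rule; if you added the accept rule to an existing configuration, use `place-before=` on the add command (or move it in Winbox) so it is not appended below the masquerade rule. Second, test from outside the network, not from another PPPoE customer: a connection from a 192.168.x.x customer to 1.2.3.4 is hairpinned through the same router and does not prove the upstream provider is routing the block to you.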