I seldom use Mikrotiks for much other than CPE, so always NAT and the out of box config for the most part. Trying to use one here as a very dumb router - no firewall, NAT, etc.
I have one setup now that has a /28 block of public IPs routed to it, but its WAN IP is a private address in the ISP’s network. The subnet is chopped into /31’s and /30’s with an IP assigned from each subnet to an ethernet interface on the router (ie: ether1 - WAN, private IP, ether3 not in a bridge, has a /30 assigned to it, ether4, same - not in a bridge, /30 assigned to it, etc.).
Additionally, based on some reading here, I added a fake “loopback” IP by creating a bridge with no ports and adding a /32 from my /28 to it. This is the IP I want to use for management.
Here’s where things get a bit odd. The ISP can ping this /32 inside their network, but nobody can ping/trace to it from outside. I’m thinking two possibilities:
The ISP has something amiss with this route at their transit router
The Mik is responding to pings and requests to other services with the WAN (private) address and not the address that I’m using for management (or any interface IPs in the /28 public block)
The latter seems incorrect if that’s what’s going on, but perhaps someone here has some insight on that.
You’ll have to show us (an obfuscated version of) config … because it’s not entirely clear (to me) how exactly you’re using your address space and even less how exactly you configured router. When obfuscating, just mask off leading two octets of public IP addresses (and if you feel like obfuscating the private WAN IP address, do it the way it will be different than the public IPs).
Here’s where things get a bit odd. The ISP can ping this /32 inside their network, but nobody can ping/trace to it from outside. I’m thinking two possibilities:
hmm.. can you describe which nor what kind of wan service you have rent?
was it site to site private wan with internet last mile?
i think that routing scheme you have now is pretty much normal in isp network. usually isp use pe router to test both ce end link. after those tests are passed, then they will build your internet link. l3vpn route leaking. that is why you have private ip for your site to site private wan, and public ip for your internet last mile.