Guys,
I have the following setup on one location:
IMG2.jpg
From ISP I am assigned a /27 network, namely A.B.C.128/27
Address to reach router 1 (main router), A.B.C.130/27 is setup on WAN interface ether1, default GW is set to A.B.C.129.
No other static routes.
Fiber to second router, on this fiber I am running a VLAN.
On each router an IP based relay controller is connected to ether4, which is bridged to the vlan.
I want to subnet my /27 network down and assign A.B.C.152/29 to the relay controllers, address A.B.C.153/29 is set on bridge on router1.
Static addresses A.B.C.154/29 and A.B.C.155/29 are set on the relay controllers, gateway is A.B.C.153.
Thought I’d be able to reach the relay controllers from outside using the public (static) addresses but no luck. Just port 80, able to reach them via A.B.C.130 if I dst-nat port 80 to one of them, but I want to use separate addresses for the controllers.
What is the correct way to achieve this?
Something I have missed with regards to assignment of IP on WAN interface or on bridge?
This ought to be child’s knowledge but I am stumped.
Anyone?
Nobody?
I simply cannot get this to work… 
Thought all packets destined for A.B.C.128/27 at least would arrive at router1’s ether1 interface, but no trace…
It won’t work like that.
If the /27 is set on the interface towards the ISP (which I think is the case, looking at the picture),
the ISP’s router will do an ARP lookup for the address on the connected ethernet interface. As you do not
have L2 connectivity between your bridges and the uplink towards the ISP, it will fail.
Either you have to renumber your WAN interface to a /30 and ask the ISP to route the /27 towards your end,
or you have to insert the WAN interface into the bridge (/int bridge port add …), but then it’s not routing anymore.
Thank you doneware!
Ok, I think I understand
Having my ISP to do what you suggest will take weeks I guess, so I have to do it another way.
Then plain routing simply won’t work I guess?
Let me try to understand
If I assign the addresses of my controllers to ether1 there will be a dynamic route for .154 and .155 using ether1 as GW.
Then I cannot route the same addresses out on the bridge or vlan, right?
What about assigning the controller addresses to ether1 and use mangle and routing marks for pushing them further on the bridge, will that work?
Or am I left assigning all addresses to ether1 and do NAT to internal private addresses?
Following doneware’s comment, it would seem the fix for that problem would be to bring the port going to the ISP into the bridge.
My question is: what is your reason for not doing that?
(Yes, I am waiting for someone to tell me why this wouldn’t work, I’m curious.)
Does your provider use a gateway address on your network?
(i.e. do they send all traffic for A.B.C.128/27 via address A.B.C.130 in this example?)
When they do not do that, you should put the ether1 interface towards the provider in “proxy-arp” mode.
Then it will probably work.
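The ARP behaviour described in the replies above, as an added Python model that is not part of the thread and not RouterOS code: it uses the documentation range 203.0.113.128/27 in place of A.B.C.128/27 and models router1 with .130/27 on ether1 and .153/29 on the bridge, then shows why the ISP’s ARP request for .154 goes unanswered with plain arp on ether1 and is answered once ether1 is in proxy-arp mode.

```python
import ipaddress

# Constructed stand-in for the thread's A.B.C.128/27: the ISP router has this
# prefix on its connected interface and resolves every host in it by ARP.
ISP_LAN = ipaddress.ip_network("203.0.113.128/27")

# router1's addresses, per interface (mirrors the setup in the first post)
ROUTER1_ADDRS = {
    "ether1": [ipaddress.ip_interface("203.0.113.130/27")],
    "bridge": [ipaddress.ip_interface("203.0.113.153/29")],
}

def connected_routes(addrs):
    """Connected routes that RouterOS derives from interface addresses."""
    return [(a.network, ifname) for ifname, lst in addrs.items() for a in lst]

def isp_next_hop(dst):
    """ISP router's view: a host inside its own /27 is resolved with ARP."""
    return "arp" if ipaddress.ip_address(dst) in ISP_LAN else "routed"

def router1_answers_arp(dst, iface, arp_mode):
    """Would router1 reply to an ARP request for dst arriving on iface?
    arp_mode 'enabled'  : only for addresses configured on iface itself.
    arp_mode 'proxy-arp': also for addresses it can route out of a
                          different interface (longest-prefix match)."""
    dst = ipaddress.ip_address(dst)
    if any(a.ip == dst for a in ROUTER1_ADDRS[iface]):
        return True
    if arp_mode != "proxy-arp":
        return False
    best = None
    for net, ifname in connected_routes(ROUTER1_ADDRS):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    # Proxy ARP only helps when the best route leaves via another interface
    return best is not None and best[1] != iface

def reachable_from_isp(dst, arp_mode):
    """End-to-end: ISP ARPs for dst, router1 must answer on ether1."""
    return isp_next_hop(dst) == "arp" and router1_answers_arp(dst, "ether1", arp_mode)

if __name__ == "__main__":
    for mode in ("enabled", "proxy-arp"):
        print(mode, ".154 reachable:", reachable_from_isp("203.0.113.154", mode))
```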