Hi,
I've a /24 public IP block, i.e. 80.1.2.0/24. I've a setup like this:
INTERNET <—> mikrotik <-----> servers running public services
Normally that works fine if the servers are in a private network, with port forwarding on the MikroTik, but I want to give public addresses to the servers.
So I've done this setup:
- give the MikroTik an IP address on the internet side: 80.1.2.2/30, and set 80.1.2.1 as the default gateway
- give the MikroTik a second IP address, on the server side: 80.1.2.253/30
- give one of the servers an IP address: 80.1.2.254/30, with 80.1.2.253 as the default gateway.
Because of NAT, all packets leaving the server are marked as leaving from 80.1.2.2, and if I disable NAT, the server is unreachable.
I checked the wiki (NAT/firewall section) but couldn't find a similar situation.
The canonical solution is to have that IP space routed to you rather than directly provisioned. Talk to whoever gives you that IP space to see if you can set that up.
Alternatively you can set .2 as a /24 on the WAN side and enable proxy ARP, and then use smaller, overlapping subnets on the LAN side. Getting routed space set up would be FAR cleaner, though.
Actually I’m suggesting your ISP adds an unrelated /30 (could even be private - they are 10.0.0.1/30 and you’re 10.0.0.2) between your router and theirs, and then they add a route for 80.1.2.0/24 via 10.0.0.2 (your router). You can then do whatever you want with 80.1.2.0/24 behind your router because the ISP simply knows to reach it via 10.0.0.2 and doesn’t have to worry what 10.0.0.2 actually does with it.
I'm trying to understand; OK, I can make them put a /30, let's say virtual 10.0.0.1 and 10.0.0.2 as in your example, between the two routers.
I really can't see what will differ,
how to use public IP addresses behind the MikroTik, again?
The servers will not be able to reach 10.0.0.1 :\
If the ISP knows to route the public IPs to you via the /30 you can then do whatever you want to do with them behind the Mikrotik. For example, you can assign a public /30 to a router port and plug it into the server. The router uses the public on the Mikrotik LAN interface as its default gateway, that’s how it reaches 10.0.0.1 - via its default route.
What I am trying to understand is, how does that differ if I use something else instead of 10.0.0.[1,2]?
I mean, why should I need any address that is not in my /24?
a) presumably the ISP router isn’t configured for a /30 right now, because they gave you a /24 - that’s why they’re expecting all IPs on that /24 to be directly connected to them, which they’re not
b) it’s much easier for the ISP to route you your full /24, which they can’t do if you’re already using a /30 subnet from it on a link with them
c) why waste public IPs you can use for something else on that link when you don’t have to, let the ISP cough up another /30 for it
So again, you can just make your .2 a /24 as well, turn on proxy ARP, and route behind the Mikrotik router - but it would be far, far cleaner if you talked to the ISP and got them to insert a /30 like we discussed.
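As an added illustration of the routed setup described in the replies above (this is example configuration written for this thread, not anything posted by the participants or MikroTik's own documentation), here is what the MikroTik side looks like once the ISP has put an unrelated 10.0.0.0/30 on the link and routes 80.1.2.0/24 to 10.0.0.2. Interface names (ether1 towards the ISP, ether2 towards the servers), the private 192.168.88.0/24 LAN and the published ports 80/443 are assumptions; the proxy-ARP alternative is shown commented out at the end.

```routeros
# Added example, not from the thread. Assumptions: ether1 faces the ISP,
# ether2 faces the servers; the ISP has 10.0.0.1/30 on its side of the link
# and a route "80.1.2.0/24 via 10.0.0.2" pointing at this router.

# 1. Transit link to the ISP (the unrelated /30 from the reply above).
/ip address add address=10.0.0.2/30 interface=ether1 comment="ISP transit link"
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="default route via ISP"

# 2. The whole public /24 now lives on the server-side interface. The router
#    holds 80.1.2.1; a server is configured e.g. 80.1.2.10/24 with gateway 80.1.2.1.
#    Nothing from the /24 is burned on the ISP link any more.
/ip address add address=80.1.2.1/24 interface=ether2 comment="public server LAN"

# 3. Source NAT only for private space (if you still have any). The public
#    addresses must NOT be masqueraded, otherwise every packet leaves as the
#    router's address, which is exactly the symptom in the first post.
/ip firewall nat add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="masquerade private LAN only"

# 4. The servers are directly reachable from the internet now, so the forward
#    chain has to do the job that port forwarding used to do implicitly:
#    allow replies, allow only the published services inbound, drop the rest.
/ip firewall filter add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
/ip firewall filter add chain=forward in-interface=ether1 dst-address=80.1.2.0/24 \
    protocol=tcp dst-port=80,443 action=accept comment="published web services (assumed ports)"
/ip firewall filter add chain=forward in-interface=ether1 dst-address=80.1.2.0/24 \
    action=drop comment="everything else from the internet towards the public LAN"

# Alternative mentioned in the replies (works, but far less clean): keep .2 as a
# /24 on the WAN side, turn on proxy ARP there so the router answers ARP for the
# hosts behind it, and use a smaller overlapping subnet on the server side.
# /ip address add address=80.1.2.2/24 interface=ether1
# /interface ethernet set ether1 arp=proxy-arp
# /ip address add address=80.1.2.253/30 interface=ether2
```

With the routed design the 10.0.0.1 question from earlier in the thread answers itself: the servers never need to reach 10.0.0.1 directly, they send everything to 80.1.2.1 and the router's own default route takes it across the transit /30. Because the servers are no longer hidden behind NAT, the forward-chain filter in step 4 is not optional; without it every port on every public host is exposed as soon as the ISP's route goes live.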