Public IP on LAN

Hi All - I have a client that is insisting on using public IPs across the entire private network (I can’t explain why but that is what they requested…)

I have the WAN and LAN configured with public IPs as per the attached diagram, however I am not able to pass traffic across the firewall. I am not even able to ping from .50 to .54.


I guess I am missing something here (I’ve not tried to configure this previously).

Would anyone be able to give me some advice on what I need to be doing?

Cheers

MJ

Further to this, here is my current config. Note the NAT statement is disabled.

/interface ethernet
set [ find default-name=ether2 ] name=MPN
set [ find default-name=ether1 ] name=WAN
/ip address
add address=103.225.70.50/30 interface=WAN network=103.225.70.48
add address=103.225.70.54/30 interface=MPN network=103.225.70.52
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT rule to allow LAN access to Internet" disabled=yes out-interface=WAN
/ip firewall service-port
set sip disabled=yes
/ip route
add distance=1 gateway=103.225.70.49
add distance=1 dst-address=103.225.70.64/30 gateway=MPN
#error exporting /routing rip
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no
/system identity
set name=pn-mrc-fw01
/system ntp client
set primary-ntp=103.225.68.7

It looks like you want this instead of your original route:

/ip route
add distance=1 dst-address=103.225.70.64/30 gateway=103.225.70.53

And the device at bottom with 103.225.70.53 must have 103.225.70.54 as its default gateway.

@Sob - thanks

I now have all my internal routing working fine but I can’t pass traffic across the firewall, e.g. I am unable to ping from 103.225.70.54 to 8.8.8.8. I can ping from 103.225.70.54 to 103.225.70.50 though.

A colleague suggested I need to configure a rule to allow all traffic through the firewall. I have tried to configure that as follows to begin with:

/ip firewall filter
add chain=input in-interface=WAN
add chain=input in-interface=MPN

But I am still not able to ping from MPN to any public IPs.

I am feeling really stupid right now :frowning:.

Can anyone tell me where I am going wrong?

Thanks
MJ

103.225.70.54 and 103.225.70.50 are on same machine, so ping between them must work ok.

Your colleague is basically right, you need to allow traffic going through the router. It’s done in the forward chain, not in input. But by default, everything is allowed, so if you didn’t omit some blocking rules from "/ip firewall filter" when posting your config, it’s already allowed.

Does everything else have proper routes to all bottom subnets? That would be at least the router with 103.225.70.49 address and possibly other routers, if there are more between these subnets and internet.
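Pulling together the route fix from the earlier reply and the forward-chain point above, here is an added example configuration (not the poster's export and not Sob's, written for this thread) for a RouterOS box that has public addresses on both sides and no NAT. It reuses the addresses and interface names from the posted export; the upstream router at 103.225.70.49 is assumed to already route 103.225.70.52/30 and 103.225.70.64/30 back toward 103.225.70.50, which is outside this device's control. Because masquerade is disabled, the LAN hosts are reachable from the internet under their own addresses, so the forward chain is the only thing standing between them and unsolicited inbound traffic; the posted input-chain rules would not affect that traffic at all.

```routeros
# Added example for the thread above, not the original poster's config.
# Addresses and interface names (WAN, MPN) are taken from the posted export.

/ip route
# Default route toward the upstream router on the WAN /30.
add distance=1 gateway=103.225.70.49
# The bottom subnet sits behind the router at 103.225.70.53, so point at
# that next-hop address rather than at the MPN interface.
add distance=1 dst-address=103.225.70.64/30 gateway=103.225.70.53

/ip firewall filter
# --- forward chain: packets passing THROUGH this router ---
# Replies to connections already seen come back in.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=forward action=drop connection-state=invalid \
    comment="drop packets that belong to no known connection"
# Anything originating on the LAN side (including the 103.225.70.64/30
# subnet behind 103.225.70.53) may go out.
add chain=forward action=accept in-interface=MPN \
    comment="LAN with public IPs to anywhere"
# With NAT off the LAN hosts are directly addressable from the internet;
# insert explicit accept rules for published services ABOVE this line.
add chain=forward action=drop in-interface=WAN \
    comment="no unsolicited inbound to LAN hosts"

# --- input chain: packets addressed TO this router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=MPN \
    comment="management from the LAN side only"
add chain=input action=drop in-interface=WAN \
    comment="router itself not reachable from the internet"
```

Rule order matters in RouterOS: the first matching rule wins, so the established/related accept has to sit above the interface-based drops, and any service a LAN host must expose (for example a mail server on 103.225.70.64/30) needs its own `chain=forward action=accept in-interface=WAN dst-address=... protocol=... dst-port=...` rule placed before the final WAN drop. A ping from 103.225.70.54 to 8.8.8.8 sourced from the router itself uses the output chain, which this example leaves at the default accept, so it tests the upstream routing rather than the forward policy.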

Thanks Sob. I suspect I have been looking in the wrong place. I have virtually no config on the Mikrotik so I suspect my route from 103.225.70.49 is incorrect. I need to sort that out first.

Appreciate your help

Cheers
MJ