Public Ip on Local(Private) Server

I’m trying to wrap my head around this but can’t quite figure it out. I am attempting to set up a Direct Access Server behind a NAT, which is not supported by Microsoft. It is necessary to have two Network Adapters, one with two private IPs for the internal side, and one with two consecutive public IP addresses for the external side. I do not want my server directly online without a firewall, but it’s a requirement to have public IP addresses on the external interface of the server.

This trickery here is supposed to work behind a NAT; I’m just not quite sure how I’d go about setting it up with MikroTik. Any help would be greatly appreciated.


1. Have two internal IPs NAT’d to the two public IPs you want to use.
2. Give the internal interface on the DA server an IP from your internal network.
3. Give the external interface the two public addresses you will use.
4. Put the external interface on a new VLAN.
5. Make the gateway for the new VLAN an IP in the same range as your public IP.
6. NAT your external IP to the internal IP that is NAT’d to your public IP.

It’s tricking the direct access server into thinking it is on the public internet, but in reality it is going from public-internal-public.


I understand how to NAT a public IP to private IP, I’m just a little confused as to how I’d go about setting up the VLAN and gateway.


Below is the thread where I found this info.

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/d29b4570-6513-4595-9458-9250af1f918b/

Thanks again for any help you can provide.

I’d just skip the step of setting up a Public-Private-Public NAT in your case. I would just assign the “public” IP addresses to the server and to the MikroTik, and then do the NAT like you normally would with a private IP address; there is nothing in place to prevent that. With that being said, using a random public subnet could potentially cause problems for users accessing certain websites. Let’s say domain.com resolves to 1.1.1.3 but that is the IP you chose to give to your server; any time someone tries to go to domain.com your router will send them to your server instead of where they really wanted to go.

Another option is kind of an ugly hack; it doesn’t have the potential problem of the one above, but does have its own potential problems. It’s called proxy-arp. If you own the entire subnet on your WAN, and check with your ISP to make sure there won’t be problems with enabling proxy-arp, then you can assign the actual public IP addresses you want to use to your server.

# answer ARP requests on the WAN port on behalf of hosts the router can reach
/interface ethernet
set ether1 arp=proxy-arp
# host route so the router knows 1.1.1.3 sits behind the LAN interface
/ip route
add dst-address=1.1.1.3/32 gateway=LAN

This basically causes the router to respond to all ARP requests on ether1 (can cause massive problems), and then it has a specific route, so it knows to reach 1.1.1.3 on the LAN interface.
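The first suggestion in the reply (give the server and the MikroTik the “public” addresses directly on a VLAN, then NAT the real public IPs to them as usual), written out as an added RouterOS example that is not from the thread or from the TechNet post. All interface names, the VLAN id and every address are placeholders; the filter rules assume only the DirectAccess transports (Teredo UDP/3544 and IP-HTTPS TCP/443) need to reach the server, which is also what keeps the box from sitting online without a firewall.

```routeros
# Added example; assumed layout (placeholders, change to match your network):
#   ether1         = WAN, real ISP block 203.0.113.0/29
#   ether2         = port toward the DA server's external NIC
#   vlan-id 100    = the new VLAN carrying the server's "public" segment
#   192.0.2.0/29   = the "public" range the DA server believes it is on.
#                    Use a range you own or a documentation range that is never a
#                    real destination; a random public range is hijacked for your
#                    LAN users, as with the 1.1.1.3 example in the reply.
#   192.0.2.2/.3   = the two consecutive addresses on the DA external NIC
#   203.0.113.2/.3 = the two real public addresses mapped onto them

# new VLAN that the DA server's external interface lives on
/interface vlan
add name=vlan-da-ext interface=ether2 vlan-id=100

# router address on that VLAN is the server's default gateway;
# the real public addresses stay on the WAN port
/ip address
add address=192.0.2.1/29 interface=vlan-da-ext comment="DA external gateway"
add address=203.0.113.2/29 interface=ether1 comment="real public #1"
add address=203.0.113.3/29 interface=ether1 comment="real public #2"

# inbound: real public -> server "public" (1:1, all protocols, no port list)
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.2 \
    action=dst-nat to-addresses=192.0.2.2 comment="DA ext #1 in"
add chain=dstnat in-interface=ether1 dst-address=203.0.113.3 \
    action=dst-nat to-addresses=192.0.2.3 comment="DA ext #2 in"
# outbound: server "public" -> the matching real public, so replies and
# Teredo traffic leave from the address the client expects
add chain=srcnat out-interface=ether1 src-address=192.0.2.2 \
    action=src-nat to-addresses=203.0.113.2 comment="DA ext #1 out"
add chain=srcnat out-interface=ether1 src-address=192.0.2.3 \
    action=src-nat to-addresses=203.0.113.3 comment="DA ext #2 out"

# forward filter: only the DirectAccess transports reach the server;
# everything else from the WAN toward the DA VLAN is dropped
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 out-interface=vlan-da-ext \
    protocol=udp dst-port=3544 action=accept comment="Teredo"
add chain=forward in-interface=ether1 out-interface=vlan-da-ext \
    protocol=tcp dst-port=443 action=accept comment="IP-HTTPS"
add chain=forward in-interface=ether1 out-interface=vlan-da-ext action=drop
```

On the server, the external NIC gets 192.0.2.2 and 192.0.2.3 with 192.0.2.1 as its gateway and no gateway on the internal NIC, which is the “public-internal-public” trick without the extra private hop.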