Public IPs to Private Subnets

This is for a Mikrotik RB4011iGS+5HacQ2HnD-IN.

I have six public IPs from my ISP that are part of a /25 network on their side. I need for each of those IPs to match up to six different LAN subnets (one each to ether-2 through ether-7) and for traffic on each of the LAN subnets to be routed through the corresponding public IP. At this point, I have been trying to make this work for several days and am still unable to access the Internet from any of the LAN ports.

Public IPs: x.x.x.11 (ether1), x.x.x.50 (ether1), x.x.x.55 (ether1), x.x.x.60 (ether1), x.x.x.73 (ether1), x.x.x.74 (ether1)
LAN Subnets: 10.11.0.0/28 (bridge11/ether-2), 10.50.0.0/20 (bridge50/ether-3), 10.55.0.0/28 (bridge55/ether-4), 10.60.0.0/28 (bridge60/ether-5), 10.73.0.0/20 (bridge73/ether-6), 10.74.0.0/22 (bridge74/ether-7)
Routes: 10.11.0.0/28 (x.x.x.11), 10.50.0.0/20 (x.x.x.50), 10.55.0.0/28 (x.x.x.55), 10.60.0.0/28 (x.x.x.60), 10.73.0.0/20 (x.x.x.73), 10.74.0.0/22 (x.x.x.74)
NAT: chain: srcnat, out. interface: ether-1, action: masquerade

From the Terminal in WinBox, I can successfully ping 10.11.0.1 and 10.73.0.1, but I cannot ping 10.50.0.1, 10.55.0.1, or 10.74.0.1. I cannot ping any of the assigned public IPs, nor the gateway IP (x.x.x.1).

I’m not sure what other information to provide, but I would appreciate help/guidance anyone is willing to share.

The first thing you have to post to get any useful response is the export of the current configuration: from the command line (use the [Terminal] button in Winbox to open a command line window), run /export file=some-nice-name; then download the some-nice-name.rsc, open it in your favourite text editor and properly obfuscate it before posting, i.e. substitute any usernames for external services, serial numbers, MAC addresses, and other information you don’t want to reveal, and use the find&replace function of the text editor to systematically replace each unique public or global address prefix by a unique string, so that the fact that some addresses belong to the same subnet remains visible after the obfuscation. Do not remove any part of the configuration, even if you do not deem it related to your issue, as the misconfiguration is typically in a part you would not even dream of being related.

As for your issue in particular:

  • all the public addresses must be attached to ether1 so that your router responds to ARP requests regarding all of them that come from the ISP router (I suppose you’ve already done that)
  • instead of the single action=masquerade rule, you have to use individual action=src-nat rules:
    /ip firewall nat
    add chain=srcnat src-address=10.11.0.0/28 action=src-nat to-addresses=pub.lic.ip.11
    add chain=srcnat src-address=10.50.0.0/20 action=src-nat to-addresses=pub.lic.ip.50

    etc.
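The two points above carried through for all six subnets from the original post, as an added RouterOS configuration fragment that is not the reply's or the poster's own config. "pub.lic.ip" stands in for the ISP's /25 prefix; the /25 mask on the ether1 addresses and the default route via pub.lic.ip.1 are assumptions taken from the /25 and gateway mentioned in the question, not something the reply states.

```routeros
# Added example, not the original poster's export. "pub.lic.ip" is a placeholder
# for the ISP's public /25 prefix (assumption: the six addresses are bound with
# the ISP's /25 mask so the router can ARP for the gateway directly).
/ip address
add address=pub.lic.ip.11/25 interface=ether1 comment="public for bridge11"
add address=pub.lic.ip.50/25 interface=ether1 comment="public for bridge50"
add address=pub.lic.ip.55/25 interface=ether1 comment="public for bridge55"
add address=pub.lic.ip.60/25 interface=ether1 comment="public for bridge60"
add address=pub.lic.ip.73/25 interface=ether1 comment="public for bridge73"
add address=pub.lic.ip.74/25 interface=ether1 comment="public for bridge74"

# Assumption: the ISP gateway x.x.x.1 from the question is the default route.
/ip route
add dst-address=0.0.0.0/0 gateway=pub.lic.ip.1

# One src-nat rule per LAN subnet, replacing the single masquerade rule, so each
# subnet leaves through its own public address. src-address is the LAN prefix,
# to-addresses the matching public IP.
/ip firewall nat
add chain=srcnat src-address=10.11.0.0/28 action=src-nat to-addresses=pub.lic.ip.11
add chain=srcnat src-address=10.50.0.0/20 action=src-nat to-addresses=pub.lic.ip.50
add chain=srcnat src-address=10.55.0.0/28 action=src-nat to-addresses=pub.lic.ip.55
add chain=srcnat src-address=10.60.0.0/28 action=src-nat to-addresses=pub.lic.ip.60
add chain=srcnat src-address=10.73.0.0/20 action=src-nat to-addresses=pub.lic.ip.73
add chain=srcnat src-address=10.74.0.0/22 action=src-nat to-addresses=pub.lic.ip.74
```

Remove the existing action=masquerade rule on ether1 before adding these, since the reply says the src-nat rules are used instead of it, not alongside it.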