Public LAN block configuration.

magi · November 14, 2016, 3:44pm

hello,

I have a mikrotik on my home and it was working okay .. but i was using only WAN ip from ips to connect from outside.. but in WAN ip every port is blocked , so i made a deal with my ISP they gave me PUBLIC lan block ip’s to configure them into my mikrotik and every port for my ips will be opened and not blocked from them.

Can someone help me how to configure it?

Here is the configuration from them

ip address 79.101.17.x 255.255.255.252 (in your case, 79.101.40.56 255.255.255.252) (right address is 79.101.40.57 255.255.255.252)
ip address 192.168.1.128 255.255.255.0 sub (secondary, your network)

Your WAN is 109.92.137.52/30. Address of our router is 109.92.137.53/30 and your address is 109.92.137.54.
Your LAN is 79.101.40.56/30 and useful addresses are 79.101.40.57/30 i 79.101.40.58/30 (79.101.40.56/30 is network, 79.101.40.59/30 is broadcast)

Can someone help me how to configure them please? i really need it urgent.

Thanks in advance.

Sob · November 14, 2016, 5:54pm

The simplest way is to put 79.101.40.57/30 on router’s LAN interface, then give 79.101.40.58/30 to selected machine in LAN with 79.101.40.57 as gateway, and that’s it. You’ll waste 3/4 available addresses (not completely, you can still use them with NAT), but it will work.

magi · November 14, 2016, 7:52pm

hello, thanks for your reply.

If i lose 3/4 ips thats not a problem, i just need one ip to make port forwarding to a local server, that’s all ..

but where should i enter this ip 79.101.40.57/30 ? into IP ->> Addresses? for a LAN interface? i already tried this .. when i do this then i can access mikrotik with this ip and this ip gives ping also when i ping, but when i try port forwarding to port 22 still don’t work.. i though that i was doing something wrong

any idea?

Sob · November 15, 2016, 12:55am

It depends on your config. For example, if you were using default firewall, it blocks forwarding of all incoming connections from WAN, unless they are forwarded ports. In your case, it would block traffic to 79.101.40.58 (if other machine in LAN has it) and you’d need to allow it in forward chain, something like:

/ip firewall filter
add action=accept chain=forward dst-address=79.101.40.58 in-interface=<WAN> out-interface=<LAN>

And put it before the blocking rule.

Another option, if you just want to forward some ports and don’t require to have the public address directly on another machine, would be to assign any of 79.101.40.56-59 to router with /32 netmask (doesn’t really matter to which interface) and then use it with NAT:

/ip firewall nat
add action=src-nat chain=srcnat out-interface=<WAN> src-address=192.168.1.x to-addresses=79.101.40.58
add action=dst-nat chain=dstnat dst-address=79.101.40.58 dst-port=22 protocol=tcp to-addresses=192.168.1.x

Where 192.168.1.x is server’s LAN address and srcnat rule must be before your current masquerade rule.

If it doesn’t work, export your current config and post it here.