Public routing on LAN with Private LAN

Greetings all,

I have a fiber from my upstream ISP to my CCR1009-7G-1C-1S+.
They have provided me with the following public IPs:
WAN IP BLOCK xx.xx.152.228/30
WAN Gateway xx.xx.152.229
WAN IP xx.xx.152.230

Customer block xx.xx.232.128/28
Gateway xx.xx.232.129
Usable IPs xx.xx.232.130 - xx.xx.232.142

I asked them to route that /28 through the /30 so I will have internal public IPs for servers, etc.

I'm having a hard time splitting the router interfaces up.
Let's say ether1-3 for public routing to servers, clients wanting publics, etc., and ether4-6 for private LAN applications for clients that don't need publics, management VLAN, etc., on a 172.16.x.x/24 for example.
I have, for example, ether1-3 running with a DHCP server set up for my /28 publics and working fine; I can take another MikroTik with basic config, plug it in and boom, DHCP a public, no issue. But I'm not able to get, for example, ether4-6 working and the 172.16.x.x/24 able to ping and traceroute to the internet. Is what I'm attempting even possible?

Do you have any (at least half-working) config you can post? It’s easier to comment config if we know what you’ve got so far.

But generally: if you want to assign addresses to clients dynamically (i.e. using DHCP server), then it's easiest to have two separate L2 domains for your "LAN". Which might mean two bridges, one with interfaces ether1-3 (and named e.g. LANpub) and one with interfaces ether4-6 (and named e.g. LANpriv). Then configure each of the bridges with an appropriate IP address, IP address pool, DHCP server etc.
Then for LANpriv you need appropriate SRC-NAT rule. You have to decide which of public IP addresses will be used for masking private addresses, you might want to use your “primary IP address” (xx.xx.152.230) … the only special thing is that NAT has to be performed unless target is in the same bridge (i.e. also when communicating with public IP addresses), something like this:

/ip firewall nat
add chain=srcnat action=src-nat to-addresses=xx.xx.152.230 ipsec-policy=out,none out-interface=!LANpriv

If the example command makes SRC-NAT "too greedy" (e.g. you want to make SRC-NAT work slightly differently based on in-interface and/or some other criteria), then you may have to create multiple src-nat rules instead.


Another possibility would be to have all LAN interfaces in same L2 domain (which would bring some complications), but then you’d have to construct src-nat rules based on src-address …
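Putting the steps of the reply above together, here is an added example configuration for the two-bridge layout; it is not the poster's config nor the reply's, and it assumes the ISP /30 sits on ether7 (the thread does not say which port faces the ISP), that the private LAN is 172.16.10.0/24, and that the router acts as DNS resolver for both bridges. The xx.xx addresses are the placeholders used in the thread.

```routeros
# Two L2 domains: LANpub carries the routed /28, LANpriv carries RFC1918 space.
/interface bridge
add name=LANpub comment="ether1-3: hosts that get public addresses"
add name=LANpriv comment="ether4-6: private LAN and management"

/interface bridge port
add bridge=LANpub interface=ether1
add bridge=LANpub interface=ether2
add bridge=LANpub interface=ether3
add bridge=LANpriv interface=ether4
add bridge=LANpriv interface=ether5
add bridge=LANpriv interface=ether6

# Interface lists keep later firewall rules independent of port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether7
add list=LAN interface=LANpub
add list=LAN interface=LANpriv

# Addressing: ISP /30 on the uplink (assumed ether7), the /28 gateway on LANpub,
# an assumed private /24 on LANpriv.
/ip address
add address=xx.xx.152.230/30 interface=ether7 comment="ISP point-to-point"
add address=xx.xx.232.129/28 interface=LANpub comment="gateway of the routed customer block"
add address=172.16.10.1/24 interface=LANpriv comment="assumed private LAN (example value)"

/ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.152.229

# One pool and one DHCP server per bridge; .129 is the router and stays out of the public pool.
/ip pool
add name=pool-pub ranges=xx.xx.232.130-xx.xx.232.142
add name=pool-priv ranges=172.16.10.100-172.16.10.250

/ip dhcp-server
add name=dhcp-pub interface=LANpub address-pool=pool-pub lease-time=1h disabled=no
add name=dhcp-priv interface=LANpriv address-pool=pool-priv lease-time=1h disabled=no

/ip dhcp-server network
add address=xx.xx.232.128/28 gateway=xx.xx.232.129 dns-server=xx.xx.232.129
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1

# The router resolves for its clients. allow-remote-requests=yes must be paired with an
# input filter that drops port 53 from WAN, otherwise the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers=xx.xx.152.229

# Translate the private LAN only; LANpub hosts already have routable addresses.
# out-interface=!LANpriv (rather than out-interface=ether7) so that LANpriv hosts talking
# to the public bridge are also translated, as the reply explains.
/ip firewall nat
add chain=srcnat src-address=172.16.10.0/24 out-interface=!LANpriv ipsec-policy=out,none \
    action=src-nat to-addresses=xx.xx.152.230 comment="private LAN -> primary WAN IP"
```

Return traffic to xx.xx.152.230 from a LANpub host arrives at the router because that address is local to it, so the single src-nat rule covers both the internet and the public bridge as destinations.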

Thanks for the quick reply. I have gotten everything working at the moment: DHCP set up on the public bridge, and 4 /24 blocks of 172.16.x.x set up on my private bridge. My current config:
Rules 1-7 I have set up for the public bridge and the rest for the private bridge. Everything seems to be working fine, but I'm not sure if this is overkill, or not even effective at all.


rule 2 add action=drop chain=forward in-interface="Private Bridge" out-interface="Public Bridge"
rule 3 add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid in-interface="ether0 Public WAN" out-interface="Public Bridge"
rule 4 add action=drop chain=forward comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" in-interface="ether0 Public WAN" out-interface="Public Bridge" src-address-list=CountryIPBlocks
rule 5 add action=drop chain=input comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" in-interface="ether0 Public WAN" src-address-list=CountryIPBlocks
rule 6 add action=accept chain=input comment="Allow established connections to the router, these are OK because we aren't allowing new connections" connection-state=established in-interface="ether0 Public WAN"
rule 7 add action=accept chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related in-interface="ether0 Public WAN"
rule 8 add action=fasttrack-connection chain=forward comment="Established and Related connections" connection-state=established,related in-interface="Public Bridge" out-interface="Private Bridge"
rule 9 add action=accept chain=forward comment="Allow new connections from Private lan" connection-state=new in-interface="Private Bridge" out-interface="Public Bridge"
rule 10 add action=accept chain=input comment="allow lan to router" in-interface="Private Bridge"
rule 11 add action=accept chain=input disabled=yes in-interface="Private Bridge" src-address-list=allowed_to_router
rule 12 add action=accept chain=input in-interface="Public Bridge" protocol=icmp
rule 13 add action=drop chain=input in-interface="Public Bridge"
rule 14 add action=drop chain=forward comment="Drop invalid" connection-state=invalid in-interface="Private Bridge" log=yes log-prefix=invalid out-interface="Private Bridge"
rule 15 add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface="Public Bridge" log=yes log-prefix=!NAT out-interface="Private Bridge"
rule 16 add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface="Public Bridge" log=yes log-prefix=!public out-interface="Private Bridge" src-address-list=not_in_internet

/ip firewall nat
add action=src-nat chain=srcnat comment="xxxx" out-interface="!Private Bridge" src-address=172.16.x.x/24 to-addresses=x.x.232.134
add action=src-nat chain=srcnat comment="xxxx" out-interface="!Private Bridge" src-address=172.16.x.x/24 to-addresses=x.x.232.135
add action=src-nat chain=srcnat comment="xxxx" out-interface="!Private Bridge" src-address=172.16.x.x/24 to-addresses=x.x.232.136
add action=src-nat chain=srcnat comment="xxxx" out-interface="!Private Bridge" src-address=172.16.x.x/24 to-addresses=x.x.232.137
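As an added example (not the poster's rule set above), here is a filter for the same two-bridge layout written against interface lists with an explicit final drop in both chains, so that a rule that does not match cannot silently let traffic through. It assumes bridges named LANpub and LANpriv, an uplink on ether7 and a private LAN of 172.16.10.0/24; none of these names are stated in the thread. The point it demonstrates is that hosts on the public bridge are exposed to the internet and therefore get no more trust toward the private bridge than the internet does.

```routeros
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether7
add list=LAN interface=LANpub
add list=LAN interface=LANpriv

# Source ranges that must never arrive from the uplink (constructed list, not exhaustive).
/ip firewall address-list
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=100.64.0.0/10
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="diagnostics; rate-limit if abused"
add chain=input action=accept in-interface=LANpriv comment="management (Winbox/SSH) only from the private bridge"
add chain=input action=accept in-interface=LANpub protocol=udp dst-port=53 comment="public hosts may use the router as resolver"
add chain=input action=drop comment="everything else, including DNS and Winbox from WAN and from LANpub"

# --- forward: traffic routed through the router ---
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WAN src-address-list=bogons comment="spoofed source from the uplink"
add chain=forward action=accept connection-state=new in-interface=LANpriv comment="private LAN may initiate anywhere (src-nat handles the address)"
add chain=forward action=accept connection-state=new in-interface=LANpub out-interface-list=WAN comment="public hosts reach the internet, not the private bridge"
add chain=forward action=accept connection-state=new in-interface-list=WAN out-interface=LANpub comment="internet reaches public hosts; narrow to dst-address/dst-port per service"
add chain=forward action=accept connection-state=new in-interface-list=WAN connection-nat-state=dstnat comment="only explicitly port-forwarded traffic reaches LANpriv"
add chain=forward action=drop comment="final drop: covers WAN->LANpriv and LANpub->LANpriv"
```

Because the last rule in each chain is an unconditional drop, a forgotten case fails closed; the rule for the public bridge is the one to tighten first, by replacing the blanket accept toward LANpub with one accept per published service.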