public subnet routing

Hello, I am new to MikroTik. I was trying to follow the directions from here: http://forum.mikrotik.com/t/public-subnet-routed-through-public-ip/105817/1 to set up a public subnet through my public IP, but I can't get it right:

Details: a public IP from my ISP: 82.76.208.40, gw: 82.76.208.1
A subnet routed through my public IP: 86.120.124.24/29
Router: RB2011

Setup: bridge1 (LAN) ports 2 to 5
bridge2 (public subnet) ports 6 to 10

On bridge1, NAT is set up and working.
On bridge2, I want to allow these ports to use the public subnet.
My goal: I want to use all 8 public IPs on different servers in my network.

What I did:
Firewall: add 2 rules
add action=accept chain=forward comment=clasa_86 connection-state="" dst-address=86.120.124.24/29 in-interface=ether1 out-interface=bridge2
add action=accept chain=forward connection-state=new in-interface=bridge2 out-interface=ether1 src-address=86.120.124.24/29
NAT: add 1 rule
add action=accept chain=srcnat connection-type="" src-address=86.120.124.24/29

And one route:
This is a little odd
add distance=1 dst-address=86.120.124.24/29 gateway=bridge2

If I remove the route, it does not work anymore; with the route added, it's working intermittently, in and out: I can ping a host from that subnet, or ping a public DNS like 1.1.1.1 from the host.

The output is like this:

Request timeout for icmp_seq 6093
Request timeout for icmp_seq 6094
Request timeout for icmp_seq 6095
Request timeout for icmp_seq 6096
Request timeout for icmp_seq 6097
Request timeout for icmp_seq 6098
Request timeout for icmp_seq 6099
Request timeout for icmp_seq 6100
Request timeout for icmp_seq 6101
Request timeout for icmp_seq 6102
Request timeout for icmp_seq 6103
Request timeout for icmp_seq 6104
Request timeout for icmp_seq 6105
64 bytes from 86.120.124.26: icmp_seq=6106 ttl=117 time=35.435 ms
64 bytes from 86.120.124.26: icmp_seq=6107 ttl=117 time=38.500 ms
64 bytes from 86.120.124.26: icmp_seq=6108 ttl=117 time=36.088 ms
64 bytes from 86.120.124.26: icmp_seq=6109 ttl=117 time=35.227 ms
64 bytes from 86.120.124.26: icmp_seq=6110 ttl=117 time=35.607 ms
64 bytes from 86.120.124.26: icmp_seq=6111 ttl=117 time=35.639 ms
64 bytes from 86.120.124.26: icmp_seq=6112 ttl=117 time=39.545 ms
64 bytes from 86.120.124.26: icmp_seq=6113 ttl=117 time=37.590 ms
Request timeout for icmp_seq 6114
Request timeout for icmp_seq 6115
Request timeout for icmp_seq 6116

I would appreciate any advice, thanks :)

Hi,

You have to choose: either use transparent mode (which I will be explaining) or use the subnet with NAT.

I would suggest the following configuration; remove the config you have made before (as you specified in your post):

  1. Add the first usable IP address from the routed subnet on bridge2. The clients will use this IP address as gateway (router address):

/ip address
add address=86.120.124.25/29 interface=bridge2

  2. On your clients, use the following configuration:

    IP address: 86.120.124.26/27/28/29/30
    Subnet mask: 255.255.255.248
    Gateway: 86.120.124.25

  3. Add a rule allowing new connections from the bridge2 interface; established and related connections should already be allowed, assuming you have a configuration similar to the MikroTik default firewall (https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall).

/ip firewall filter
add action=accept chain=forward comment="Allow New-connections from Bridge2" connection-state=new in-interface=bridge2

  4. Furthermore, for new connections towards your servers, be specific in the access rules. For example, for a webserver on the IP address 86.120.124.26 you'll need the following access rules; everything else should be blocked:

/ip firewall filter
add action=accept chain=forward dst-address=86.120.124.26 protocol=tcp dst-port=80
add action=accept chain=forward dst-address=86.120.124.26 protocol=tcp dst-port=443

Let me know if you want to know more or why I make these suggestions. But I think this will give you the most transparent set-up while maintaining security.
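The transparent-mode plan above can be sanity-checked before typing it into the router. This added example (not from the thread or from MikroTik) uses Python's ipaddress module to work out the gateway, netmask and the host addresses actually left for servers in the routed /29, to validate a client's IP/mask/gateway against that plan, and to emit the address and filter rules in the form the reply uses; the bridge name and the per-server port map are assumptions taken from the thread.

```python
import ipaddress

# Constructed from the thread: the ISP routes this /29 towards the router's public IP.
ROUTED_SUBNET = ipaddress.ip_network("86.120.124.24/29")


def plan_subnet(net=ROUTED_SUBNET):
    """Return the transparent-mode plan: router gateway (first usable address),
    the addresses left for servers, and the netmask clients must use."""
    hosts = list(net.hosts())          # excludes network (.24) and broadcast (.31)
    gateway = hosts[0]                 # .25 goes on bridge2 as the router address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "gateway": str(gateway),
        "server_addresses": [str(h) for h in hosts[1:]],   # 5 usable for servers
    }


def check_client(ip, netmask, gateway, net=ROUTED_SUBNET):
    """Explain why a client config will or will not work on the routed /29."""
    plan = plan_subnet(net)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return f"{ip} is not inside {net}"
    if addr in (net.network_address, net.broadcast_address):
        return f"{ip} is the network or broadcast address and cannot be assigned"
    if str(addr) == plan["gateway"]:
        return f"{ip} is the router's own address on bridge2"
    if netmask != plan["netmask"]:
        return f"netmask must be {plan['netmask']} for a /29, got {netmask}"
    if gateway != plan["gateway"]:
        return f"gateway must be {plan['gateway']}, got {gateway}"
    return "ok"


def routeros_commands(services, net=ROUTED_SUBNET):
    """Emit the address and filter rules from the reply above for a
    {server_ip: [tcp ports]} map such as {"86.120.124.26": [80, 443]}."""
    plan = plan_subnet(net)
    lines = ["/ip address",
             f"add address={plan['gateway']}/{net.prefixlen} interface=bridge2",
             "/ip firewall filter",
             "add action=accept chain=forward connection-state=new in-interface=bridge2"]
    for ip, ports in services.items():
        verdict = check_client(ip, plan["netmask"], plan["gateway"], net)
        if verdict != "ok":
            raise ValueError(verdict)   # refuse to emit rules for .24, .25 or .31
        for port in ports:               # servers listen on dst-port, not src-port
            lines.append(f"add action=accept chain=forward dst-address={ip} "
                         f"protocol=tcp dst-port={port}")
    return lines
```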

So, if you gave all eight addresses from the /29 to servers, what do you use as the gateway on them? Also, what IP addresses (exact config) do you have on bridge2?