RB450g: Share WAN (Port 1) with 2xDHCP (1x port2, 1x port3)

I am not finding this scenario (which is odd) but it seems so common, it should be an FAQ/KB article. Once this is working as expected, I would like to turn it into an FAQ or KB for others to benefit. Please feel free to respond with your ideas and suggestions.

The goal is to have different DHCP/NAT segments set on Ports 2 and 3 to allow nodes to acquire the needed configuration (some statically assigned) that would allow the node to communicate with the Internet using the WAN connection on Port 1. Below is the theoretical configuration example as well as the corresponding JPG image (attached).

From ISP (eth1)
Gateway: 169.169.169.1
IP Range: 169.169.169.2-6
Broadcast: 169.169.169.7 (SM: 255.255.255.248)

Guest LAN (eth2)
Gateway: 10.10.10.1
IP Range: 10.10.10.2-250
Broadcast: 10.10.10.255 (SM: 255.255.255.0)
WLAN AP1: 10.10.10.250 (Static DHCP)
WLAN AP2: 10.10.10.251 (Static DHCP)
NOTE: Will be seen by the Internet as IP address 169.169.169.2

Corp LAN (eth3)
Gateway: 10.10.11.1
IP Range: 10.10.11.11-250
Broadcast: 10.10.11.255 (SM: 255.255.255.0)
WLAN AP1: 10.10.11.250 (Static DHCP)
WLAN AP2: 10.10.11.251 (Static DHCP)
NOTE: Will be seen by the Internet as IP address 169.169.169.3

How do I configure the 450g…

  1. to allow eth2 and eth3 access to the Internet?
  2. to assign the same LAN IP to a specific node’s MAC? (Static DHCP)
  3. to allow a node, with a WAN IP (from the 169.169.169.xxx) on the LAN, access to the Internet?
  4. to allow management of the switch from the WAN via a secure connection (SSL? TLS?)
  5. with these settings using Winbox or Webbox?
    Mikrotik_450g.jpg

Are my expectations of MikroTik and their “community” too high? Should I not expect quick responses?

I have been able to get the DHCP to work so that devices on port 2 get an IP address of 10.10.10.xxx and devices on port 3 get an IP address of 10.10.11.xxx.

However, when I attempt to get out onto the Internet, no data is returning from the up-line router 169.169.169.1. I suspect there is a problem with NAT or the firewall on the MikroTik, as I can use New Terminal to ping the outside world without a problem, but cannot do the same from a computer connected to the MikroTik.

Here is a PDF that someone else made that I used as an example.
DHCP setting.pdf (480 KB)

Are my expectations of MikroTik and their “community” too high? Should I not expect quick responses?

No need to be condescending. None of us are paid to be here to fulfill your expectations. We take time out of our schedules to help each other out where and when we can.

Some more information regarding your current configuration would be helpful in places. I have no idea what you’ve tried so far.

For setup I prefer winbox.

  1. I would try setting up 2 SrcNAT rules (IP->Firewall->NAT), one for each subnet, 10.1.10.0/24 and 10.1.11.0/24, and masquerade them as they leave via the Eth1 interface. (Make sure you have a default route, 0.0.0.0/0, set in IP->Routes.)

  2. Static DHCP is actually trivial. Easiest way is to let the target device grab a DHCP address, then go into your IP->DHCP Server->Leases. Double click the appropriate entry, and click the “Make Static” button; change the settings to your liking.

  3. You haven’t said anything about acting as a DHCP Relay, so I’m not sure how this would happen. Perhaps you could provide more info.

  4. SSH and Winbox settings are under IP->Services, as are other remote services.

It sounds like you may also want firewall rules to stop Eth2 traffic from passing out Eth3 and vice versa.

-Dave
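Dave's four points plus the LAN-isolation rule, written out as one RouterOS script. This is an added example, not code from the thread or from MikroTik. It uses the original poster's plan (169.169.169.0/29 on the WAN, 10.10.10.0/24 on eth2, 10.10.11.0/24 on eth3) and the thread's interface names eth1/eth2/eth3; it assumes the two DHCP servers already exist and are named "guest" and "corp", since the OP reports DHCP already works. The MAC addresses and the management host 198.51.100.10 are placeholders.

```routeros
# Added example: Dave's recipe as a single RouterOS script (not from the thread).
# Interface names eth1/eth2/eth3 follow the thread; a stock RB450G names them
# ether1..ether5, so check /interface print and adjust before pasting.

# --- 1. addresses and default route ---
/ip address
add address=169.169.169.2/29 interface=eth1 comment="WAN (ISP)"
add address=10.10.10.1/24 interface=eth2 comment="Guest LAN"
add address=10.10.11.1/24 interface=eth3 comment="Corp LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=169.169.169.1 distance=1

# --- 1. one masquerade rule per LAN, limited to traffic leaving the WAN port ---
# out-interface=eth1 matters: without it the rule would also rewrite the source
# of guest<->corp traffic and hide which LAN a packet came from.
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 out-interface=eth1 action=masquerade comment="Guest -> WAN"
add chain=srcnat src-address=10.10.11.0/24 out-interface=eth1 action=masquerade comment="Corp -> WAN"

# --- 2. static leases for the access points (same effect as "Make Static") ---
# Assumes DHCP servers named "guest" (eth2) and "corp" (eth3) already exist.
# MAC addresses are placeholders; take the real ones from /ip dhcp-server lease print.
/ip dhcp-server lease
add server=guest mac-address=00:11:22:33:44:01 address=10.10.10.250 comment="WLAN AP1 (guest)"
add server=guest mac-address=00:11:22:33:44:02 address=10.10.10.251 comment="WLAN AP2 (guest)"
add server=corp mac-address=00:11:22:33:44:03 address=10.10.11.250 comment="WLAN AP1 (corp)"
add server=corp mac-address=00:11:22:33:44:04 address=10.10.11.251 comment="WLAN AP2 (corp)"

# --- 4. management from the WAN: only SSH/Winbox, only from known hosts ---
/ip firewall address-list
add list=mgmt address=198.51.100.10 comment="admin workstation on the Internet (placeholder)"
add list=mgmt address=10.10.11.0/24 comment="Corp LAN"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=10.10.11.0/24,198.51.100.10/32
set winbox address=10.10.11.0/24,198.51.100.10/32
# www-ssl (HTTPS) also needs a certificate imported first; SSH is the simpler secure path.

# --- router input: accept replies and listed admins, drop everything else from the WAN ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=eth1 src-address-list=mgmt action=accept comment="management from WAN"
add chain=input in-interface=eth1 action=drop comment="everything else arriving on the WAN"

# --- Dave's last point: keep Guest and Corp apart in both directions ---
add chain=forward in-interface=eth2 out-interface=eth3 action=drop comment="Guest may not reach Corp"
add chain=forward in-interface=eth3 out-interface=eth2 action=drop comment="Corp may not reach Guest"
```

After pasting, ping 8.8.8.8 from a client on each LAN and watch the counters with `/ip firewall nat print stats`; a masquerade rule whose counters stay at zero usually means the default route is missing or out-interface does not match the real WAN interface name. Keep the input drop rule last, or you will lock yourself out of Winbox on the WAN side.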

Oooo… I see. My apologies and thank you.

Good advice. Looks like I have a lot of home work to do. I have until 8am to get this figured out.

Thank you for the advice.

Luis

OK. I have managed to get MOST of what I need to do working. Unfortunately, it is so complicated (reading through different forums, testing different configs, etc.) that I am not sure I can explain to someone how to replicate it. Thus, I will be making a backup.

I have yet to figure out how to apply an external static IP to each port. The idea is that the Guest Port 2 will have its own external (routable) IP address that the DHCP/NAT on port 2 will send/receive from, and port 3 will have its own separate external (routable) IP address that the DHCP/NAT on port 3 will send/receive from. At this time, Port 1 (WAN) is set for DHCP, and is using one externally.

supout.rif is available.

Your description is a little bit fuzzy, but let me see if I can help.

So you have 2 or more public IP addresses and you want each of your local networks to use only specific ones. This is done by replacing your masquerade rule with 2 src-nat rules that have src-address= , out-interface=ether1, to-address=

Also, if you use dst-nat to assign some public addresses to some services (like a web server), you can always use static DNS entries to force local users to use local IPs when resolving your server's DNS names.

I think you want a turnkey solution… :open_mouth:

  1. WAN access.
# RouterOS syntax is "add address=<ip/prefix> interface=<name>"; the interface
# names must match /interface print (a stock RB450G ships with ether1..ether5).
/ip address add address=169.169.169.2/29 disabled=no interface=eth1
/ip address add address=169.169.169.3/29 disabled=no interface=eth1
/ip address add address=169.169.169.4/29 disabled=no interface=eth1
/ip address add address=169.169.169.5/29 disabled=no interface=eth1
/ip address add address=169.169.169.6/29 disabled=no interface=eth1

# default route towards the ISP gateway
/ip route add dst-address=0.0.0.0/0 gateway=169.169.169.1 distance=1 disabled=no

Now from the RB450 you have access to the Internet, because your “external” IPs are 169.169.169.2-6/29 and your gateway is 169.169.169.1. Make the NAT if needed; this only works for accessing the Internet from the RB450 itself.


  2. Guest LAN

/ip address add address=10.10.10.1/24 disabled=no interface=eth2

/ip pool add name=guest ranges=10.10.10.2-10.10.10.250

/ip dhcp-server network add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1

/ip dhcp-server add address-pool=guest disabled=no interface=eth2 name=guest

now the translation:

# guest clients leave the WAN port as 169.169.169.2; out-interface=eth1 keeps the rule
# from also rewriting traffic between the two LANs (the parameter is "to-addresses")
/ip firewall nat add action=src-nat chain=srcnat disabled=no src-address=10.10.10.0/24 out-interface=eth1 to-addresses=169.169.169.2

… Enough for your expectations? First search the forum …
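The post above stops at the Guest LAN, and the earlier reply only sketches the src-nat/to-address and static-DNS idea. The following added example (not from the thread or from MikroTik) completes that script with the Corp LAN on eth3, gives each LAN its own public source address, and shows the dst-nat plus static DNS pairing from the earlier reply. The web server 10.10.11.20, the public address 169.169.169.4 and the name www.example.com are illustrative; the WAN addresses and default route from section 1 above are assumed to be in place.

```routeros
# Added example: Corp LAN, per-LAN source NAT and a published server (not from the thread).
# Interface names follow the thread (eth1 = WAN, eth2 = Guest, eth3 = Corp).

# --- 3. Corp LAN (mirrors the Guest LAN section above) ---
/ip address add address=10.10.11.1/24 interface=eth3
/ip pool add name=corp ranges=10.10.11.11-10.10.11.250
/ip dhcp-server network add address=10.10.11.0/24 dns-server=8.8.8.8 gateway=10.10.11.1
/ip dhcp-server add address-pool=corp interface=eth3 name=corp disabled=no

# --- 4. one src-nat per LAN, each to its own public address (replaces masquerade) ---
# Guest leaves as 169.169.169.2, Corp as 169.169.169.3. out-interface=eth1 keeps the
# translation off Guest<->Corp traffic; both public addresses must already be on eth1.
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 out-interface=eth1 action=src-nat to-addresses=169.169.169.2 comment="Guest -> 169.169.169.2"
add chain=srcnat src-address=10.10.11.0/24 out-interface=eth1 action=src-nat to-addresses=169.169.169.3 comment="Corp -> 169.169.169.3"

# --- 5. publish a Corp web server on a spare public address (dst-nat) ---
# Only HTTPS is forwarded; nothing else on 169.169.169.4 reaches the LAN.
add chain=dstnat dst-address=169.169.169.4 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.10.11.20 to-ports=443 comment="HTTPS -> corp web server (placeholder)"

# --- 6. static DNS so LAN clients use the server's LAN address ---
# A client that resolves www.example.com to 169.169.169.4 would have to go out through
# the dst-nat and back; answering with 10.10.11.20 avoids that hairpin entirely.
/ip dns set servers=8.8.8.8 allow-remote-requests=yes
/ip dns static add name=www.example.com address=10.10.11.20
# hand the router out as resolver instead of 8.8.8.8 on both LANs
/ip dhcp-server network set [find address=10.10.10.0/24] dns-server=10.10.10.1
/ip dhcp-server network set [find address=10.10.11.0/24] dns-server=10.10.11.1
# allow-remote-requests=yes also answers queries arriving on the WAN; block that,
# or the router becomes an open resolver usable for DNS amplification.
/ip firewall filter
add chain=input in-interface=eth1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=eth1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"
```

To confirm the split, browse to a "what is my IP" site from a Guest and a Corp client: they should report 169.169.169.2 and 169.169.169.3 respectively. `/ip firewall nat print stats` shows which rule each flow hit, and `/ip firewall connection print` lists the live translations with their original and replied addresses.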