Router Configuration

Hi all,

I just bought a CCR to act as a Border Router/Firewall for my servers. I received 3 IP blocks as follows: xxx.yyy.zzz.144/30, xxx.yyy.zzz.112/28, and xxx.yyy.zzz.128/28. I need to put the IP xxx.yyy.zzz.146 on my WAN as border gateway. Then I will have to distribute the other blocks as VLANs. The topology will be as follows:

                                     -----------> VLAN 1 (xxx.yyy.zzz.112/28)
                                    |
Internet -----> xxx.yyy.zzz.146 ----|
                                    |
                                     -----------> VLAN 2 (xxx.yyy.zzz.128/28)

I have set it up using the basic configuration, but it seems that the IP seen by others is the 146 instead of their respective IP. Is there any other configuration I need to add to ensure that the servers are seen by their own IP addresses? Also, I would like to hide the topology behind the router to prevent hacking and sniffing. Is there any script I need to add?

Regards,

William

When the other IPs are working but the outside world only gets to see your .146, it can only mean you’re doing NAT for your other IPs. So check your configuration for NAT entries.

Here’s my NAT configuration:

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=xxx.yyy.zzz.112/28

1 chain=srcnat action=masquerade src-address=xxx.yyy.zzz.128/28

2 chain=srcnat action=masquerade out-interface=ether1

Actually, this kind of topology is new to me since I only use MikroTik for home/office routers but never as a data center/border router.

Try to add “out-interface=ether1” to each nat-rule.

I suggest creating only one rule for out-interface=ether1

I see. I need to add the out-interface to their respective gateway.

This is the IP address allocation

 /ip address print     
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0   xxx.yyy.zzz.146/30   xxx.yyy.zzz.144   ether1                                 
 1   xxx.yyy.zzz.113/28   xxx.yyy.zzz.112   bridge1                                
 2   xxx.yyy.zzz.129/28  xxx.yyy.zzz.128   bridge2

And this is the working NAT configuration

 /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address=xxx.yyy.zzz.112/28 
     out-interface=bridge1 

 1   chain=srcnat action=masquerade src-address=xxx.yyy.zzz.128/28 
     out-interface=bridge2

This config works. Thanks
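
As an added illustration (not posted by anyone in the thread), the sketch below models first-match srcnat evaluation for the two rule sets printed above and shows which source address a server presents when its traffic leaves ether1. The 203.0.113.x addresses and the server hosts .114 and .130 are constructed stand-ins for the redacted xxx.yyy.zzz blocks, and the helper names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's redacted xxx.yyy.zzz blocks (TEST-NET-3).
IFACE_IP = {"ether1": "203.0.113.146", "bridge1": "203.0.113.113",
            "bridge2": "203.0.113.129"}
# First "/ip firewall nat print" in the thread (every rule is action=masquerade).
INITIAL_RULES = [
    {"src-address": "203.0.113.112/28"},
    {"src-address": "203.0.113.128/28"},
    {"out-interface": "ether1"},
]
# Last "/ip firewall nat print" in the thread.
FINAL_RULES = [
    {"src-address": "203.0.113.112/28", "out-interface": "bridge1"},
    {"src-address": "203.0.113.128/28", "out-interface": "bridge2"},
]

def matches(rule, src, out_iface):
    """A rule matches only if every matcher it carries matches the packet."""
    net = rule.get("src-address")
    if net and ipaddress.ip_address(src) not in ipaddress.ip_network(net):
        return False
    iface = rule.get("out-interface")
    return iface is None or iface == out_iface

def srcnat(rules, src, out_iface):
    """Return (source address after srcnat, index of the matching rule or None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, src, out_iface):
            # masquerade rewrites the source to the outgoing interface's address
            return IFACE_IP[out_iface], idx
    return src, None  # no rule matched: the packet keeps its own source address

def hidden_servers(rules, servers, wan="ether1"):
    """Servers whose own address is rewritten on the way out the WAN interface."""
    return [s for s in servers if srcnat(rules, s, wan)[0] != s]

if __name__ == "__main__":
    servers = ["203.0.113.114", "203.0.113.130"]  # constructed server addresses
    for name, rules in (("initial", INITIAL_RULES), ("final", FINAL_RULES)):
        for s in servers:
            seen, idx = srcnat(rules, s, "ether1")
            print(f"{name}: {s} leaves ether1 as {seen} (matched rule: {idx})")
```

In this model the final rule set never matches traffic leaving ether1, because each rule requires the packet to exit bridge1 or bridge2, so the servers reach the Internet with their own addresses and no translation.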