Routing a Block of Public IP Addresses

I understand how to set up a Mikrotik router in an office environment where there’s one public IP on the WAN port and there’s a route such as “0.0.0.0/0” with the Gateway IP address to the ISP’s gateway router, and then using NAT in the router.

But now I’m trying to learn how to set up a MikroTik router where the ISP is providing a block of public IP addresses such that I can route these public IP addresses to individual ‘devices’ on a network.

(Obviously, I’ve changed the IP addresses from the ‘real ones’ to something else, for privacy reasons).

For example, the ISP has provided 38.1.2.128/29 for the ‘interface’ IP addresses. They stated that 38.1.2.133 to 38.1.2.135 are for ‘customer’ (me) and that I should use 38.1.2.133 on my WAN port and 38.1.2.131 as my ‘gateway’.

They’ve provided 198.7.8.9/29 as the public IP address block, to be assigned to ‘devices’ on the network.

So, would I set up my WAN port with 38.1.2.133 and then a ‘default route’ with 0.0.0.0/0 and the Gateway address as 38.1.2.131?

Then, would I set one of the 198.7.8.x addresses (such as 198.7.8.128) as the LAN IP address on my router (which would then be the Gateway IP address in the ‘devices’ on the network)?

And then would I set up routes from my router to each ‘device’ on the network, to route the public IP addresses to these ‘devices’?

Or am I completely misunderstanding this?

John

Yes

Then, would I set one of the 198.7.8.x addresses (such as 198.7.8.128) as the LAN IP address on my router (which would then be the Gateway IP address in the ‘devices’ on the network)?

Yes

And then would I set up routes from my router to each ‘device’ on the network, to route the public IP addresses to these ‘devices’?

No, you would change the IP of the device(s) on the network that you want to have public IPs to 198.7.8.x addresses. So they would have 198.7.8.x addresses and would no longer have private IP addresses.

I understand that each ‘device’ on the network would be programmed with its own public IP address. I realize that I didn’t mention that I understood that.

Would I still have to have routes to reach each device from the ‘outside world’?

John

Not “each device”, but one route for the subnet, yes. However, since you are adding an IP on that subnet onto your router, your router will automatically have a “connected” route to that subnet, so you do not need to add anything. Your provider will have to add a route for that subnet, but I’m assuming they have already done that since they told you what IP to assign to the WAN port of your router.

Ok. Now let’s expand this a bit.

If the ‘device’ is another router that’s on the other side of another router, like this:

Edge Router → Router 1 → Client Router

Then, I would need a route (static or use something like OSPF) in the Edge Router, to route a public IP to the Client Router, since the Client Router is not directly connected to the Edge Router. Is that correct?

John

That depends - keep in mind that if you have a router there are probably networks on both sides, so if this is shown for the client router, your diagram would actually look like this:

Edge Router ← network A → Router 1 ← Network B → Client Router ← Network C →

So in this case, for Network B, the edge router will need a route to network B, but Router 1 and the Client Router will already have a route because they both have IP addresses on that network.

For Network C, both the Edge Router and Router 1 will need routes to Network C in order to reach it, but the client router doesn’t because it is directly connected. This is only the case if you are not doing NAT on the client router of course.

You may also need routes in the other direction, but in many cases this will be taken care of by a chain of default routes (assuming the default route path is going from right to left in the above diagram).

One problem that I think I’m having is that I don’t think in terms of ‘networks’. I think in terms of ‘devices’. I do think of a point-to-point ‘network’ as a ‘path’, but I think of it as a ‘path’ between two ‘devices’. And one ‘device’ doesn’t communicate with a ‘network’, but communicates with another ‘device’.

This is likely coming from over 40 years of working at a component level with commercial radio communications systems where ‘devices’ communicate with each other. A ‘system’ is simply a group of ‘devices’ that communicate with each other.

So, I have to re-think this and teach my brain to think in terms of ‘networks’, rather than just ‘devices’.

Meanwhile, thinking in terms of ‘devices’…

The Edge Router needs a route in place to get incoming traffic to the Client Router, because there’s another Router (Router 1) between the Edge Router and the Client Router. Correct?

The Edge Router already knows how to reach Router 1, because they’re directly connected (so the route is automatically set up). Correct?

And Router 1 already knows how to connect to the Client Router, because they’re directly connected (so the route is automatically set up). Correct?

John

There’s a lot of public IP addresses in that plan going to waste.
Many years ago an Australian ISP would give you a WAN IP like 203.173.50.133/22, Gateway 203.173.48.1 via DHCP.
Then you would have your IP addresses 198.7.8.9/29. Using your router you would be able to allocate all 8 addresses by setting them as /32 to the devices directly connected to your router ports.
So port 1 WAN 203.173.50.133/22, Gateway 203.173.48.1
Port 2 LAN 10.0.0.1/24
Port 3 10.0.11.9/32 GW 198.7.8.9 1st server. Server connected to this port would have IP address 198.7.8.9/32 gateway 10.0.11.9
Port 4 10.0.11.10/32 GW 198.7.8.10 2nd server etc.
If needed these could be assigned to VLAN interfaces and then the servers attached to a managed switch.

These IP addresses will definitely not be ‘going to waste’. This is a network for a new WISP network, not a private network.

John

Yes, what you say is correct, and that would allow the client router itself to get online, but only the client router itself - any devices behind the client router would not get connectivity because they would be on a network that the other devices do not have routes for.

Your scenario is therefore very artificial. You would not give a client a router with the intention to give connectivity to the router but to nothing behind it. Connecting routers together is not the point of the internet - connecting computers together is, and routers are just a tool in facilitating that. As someone who works for an ISP, if I told a customer that the Internet service that we gave them would allow their router to get online, but their computers and phones etc could not go on the internet through it, they would rightly ask what the point was. :)

No, I’m not saying your requirement is wasting IP addresses. I’m saying the method could use more of the public addresses in a more effective way.

mducharme, I think I understand what you’re saying. I think this again goes back to my background in communications. I’m definitely going to have to ‘reshape’ my thinking. :)

And there’s obviously going to have to be routes in the Client Router to reach the internet, correct?

Jebz, I see what you mean now. Right now I’m working with the IP addresses that the upstream provider gave me. Those may likely change.

John

Yes, obviously, but that direction can be taken care of with default routes in this simple scenario.

Going back to this altered diagram:

Edge Router ← network A → Router 1 ← Network B → Client Router ← Network C → Client computers/printers/servers/etc.

Each router has an address on both networks. Ignoring things such as firewalls that are external to routing, it is a rule that if a device has a route to a network (and there is a return path back), it will be able to reach all devices on the network. In the above example, Network C is the network the client computers/printers/servers/etc are on.

In the above example, each router will have an IP on each network it is connected to. The client router for instance will have an IP address on Network B and an IP address on Network C.

Router 1 could ping the Client Router’s address on Network B and get a reply without having to configure anything, but not the edge router. If you manually added a route for Network B onto “Edge Router” and you had routes (ex. default route) to carry the traffic the other way, then the Edge Router can ping the IP address the client router has on Network B, but could not ping the IP the client router has on Network C. As a result, you could say the Client Router is kind of half-reachable - it can be reached only on one of its two IP addresses. This is the problem with thinking in terms of “devices” instead of “networks”, because with a device like a router, it is possible to have “partial connectivity” where you can reach one interface on a router but not others. The customer devices on Network C would also not be reachable from the edge router.

On the other hand, when you are creating routes, you are making routes for networks, not for devices. When you have the ability to reach a network, you have the ability to reach the devices on that network (again, excluding things like firewalls that are external to routing). If you were to add routes for Network C onto the Edge Router and Router 1 (and the routes were present for the return traffic), you could then reach Network C from those two routers, which means you could ping both the Client Router’s address on Network C and other devices on Network C, like computers, servers, etc.

I sure appreciate all of this help. I need to ‘digest it’, but this is the kind of help that I need.

Thank you both!

John

Let me set up this scenario (which is real).

Here’s how it’s physically set up. The IP addresses shown for each Router are the WAN port IP addresses (Gateways for the ‘next’ network).

Edge Router–>Network 1–>Site Router 1–>Network 2–>Client Router–>Network 3–>Client PC

Network 1: 10.0.247.0/24
Site Router 1: 10.0.247.101/24
Network 2: 10.1.1.0/24
Client Router: 10.1.1.1/24
Network 3: 192.168.1.0/24
Client PC: 192.168.1.1/24

From Site Router 1, I can ping the Client Router. If I understand correctly, this is because there is a route automatically set up in Site Router 1, since the Client Router is directly connected to Site Router 1. Is this correct?

From the Edge Router, I can not ping the Client Router, as I don’t have a Route set up in the Edge Router to reach the Client Router through Site Router 1.

At this point, I don’t want to reach the 192.168.1.0 network (the Client PC, for example), just want to reach the WAN port of the Client Router (10.1.1.1/24).

So, I then set up a Route in the Edge Router, 10.1.1.0/24 with a Gateway of 10.0.247.101/24, that should let me reach the Client Router’s WAN port on 10.1.1.1/24.

But I still can’t ping 10.1.1.1 from the Edge Router.

What am I doing wrong?

John

Yes

But I still can’t ping 10.1.1.1 from the Edge Router.

What am I doing wrong?

Most likely you are missing the return path in routing. Either you need routes to the specific networks going back in the other direction, or the default gateways need to be set up to carry the traffic in a chain (Client router will have the site router as a default gateway, site router will have the edge router as a default gateway).

They are set up as a chain.

Client Router has 0.0.0.0/24 with Gateway as 10.1.1.254 (which is one of the LAN IP addresses on the Site Router).
Site Router has 0.0.0.0/24 with Gateway as 10.0.247.254 (which is one of the LAN IP addresses on the Edge Router).

Client routers have internet access just fine, so I know that the outbound routes are working.

John

You mean 0.0.0.0/0 don’t you? it shouldn’t be 0.0.0.0/24. That might be your issue.

I’ve typed /24 too many times. Yes, it’s 0.0.0.0/0 on all routers.

John
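The two points the thread keeps circling back to are (1) routes are for networks, not devices, so a router can be “half-reachable” on one of its addresses, and (2) a ping only works when there is a route in both directions. The following is an added example, not RouterOS configuration and not code from anyone in the thread: a small Python model of the Edge Router / Site Router 1 / Client Router chain with the addresses John posted, using longest-prefix-match forwarding and automatic connected routes, that checks every case discussed (Site Router to Client Router with nothing configured, Edge Router with and without the 10.1.1.0/24 route, Edge Router to Network 3, and the mistyped 0.0.0.0/24 default). Assumptions not stated in the thread: the Client Router’s LAN address is 192.168.1.254, the Client PC’s default gateway is that address, and the Edge Router’s upstream side is left out because it takes no part in these paths. Firewall filters are ignored; this is routing only.

```python
import ipaddress


class Node:
    """A router or host: its interface addresses plus a route table.

    Every configured address yields a "connected" route for its subnet
    automatically (RouterOS lists these as DAC routes); static routes are
    added with add_route(). Lookups use longest-prefix match.
    """

    def __init__(self, name, *addresses):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addresses]
        self.routes = [(i.network, None) for i in self.ifaces]  # gateway None = on-link

    def add_route(self, dst, gateway):
        self.routes.append((ipaddress.ip_network(dst), ipaddress.ip_address(gateway)))

    def owns(self, ip):
        return any(ip == i.ip for i in self.ifaces)

    def on_link(self, ip):
        return any(ip in i.network for i in self.ifaces)

    def lookup(self, ip):
        """The (network, gateway) entry with the longest matching prefix, or None."""
        return max((r for r in self.routes if ip in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)


class Network:
    """Wires nodes together: an address is on-link only if some node owns it."""

    def __init__(self, *nodes):
        self.by_ip = {i.ip: n for n in nodes for i in n.ifaces}

    def forward(self, start, dst, max_hops=16):
        """Deliver a packet hop by hop from `start` to `dst`; return the node names
        traversed, or None when a node has no route, its gateway is not on a
        connected subnet, or nobody holds the next-hop address."""
        dst = ipaddress.ip_address(dst)
        node, path = start, [start.name]
        for _ in range(max_hops):
            if node.owns(dst):
                return path
            route = node.lookup(dst)
            if route is None:
                return None
            next_ip = dst if route[1] is None else route[1]
            nxt = self.by_ip.get(next_ip)
            if nxt is None or nxt is node or not node.on_link(next_ip):
                return None
            node = nxt
            path.append(node.name)
        return None

    def ping(self, src, dst):
        """True only if the echo request reaches `dst` AND the reply gets back to the
        address `src` used on its egress interface (a missing return route fails it)."""
        dst = ipaddress.ip_address(dst)
        if self.forward(src, dst) is None:
            return False
        route = src.lookup(dst)
        first_hop = dst if route[1] is None else route[1]
        src_ip = next((i.ip for i in src.ifaces if first_hop in i.network), None)
        return src_ip is not None and self.forward(self.by_ip[dst], src_ip) is not None


def build_chain(edge_to_net2=False, edge_to_net3=False, default_prefix="0.0.0.0/0"):
    """The thread's chain. Assumed (not in the thread): Client Router LAN address
    192.168.1.254, the PC's gateway, and no upstream side on the Edge Router."""
    edge = Node("Edge Router", "10.0.247.254/24")
    site = Node("Site Router 1", "10.0.247.101/24", "10.1.1.254/24")
    client = Node("Client Router", "10.1.1.1/24", "192.168.1.254/24")
    pc = Node("Client PC", "192.168.1.1/24")
    client.add_route(default_prefix, "10.1.1.254")      # chain of default routes
    site.add_route(default_prefix, "10.0.247.254")
    pc.add_route("0.0.0.0/0", "192.168.1.254")
    if edge_to_net2:
        edge.add_route("10.1.1.0/24", "10.0.247.101")   # the route John added
    if edge_to_net3:                                    # Network 3 needs routes on two routers
        edge.add_route("192.168.1.0/24", "10.0.247.101")
        site.add_route("192.168.1.0/24", "10.1.1.1")
    return Network(edge, site, client, pc), edge, site, client, pc


def reachability():
    """Run the thread's questions through the model; keys describe each case."""
    results = {}
    net, edge, site, client, pc = build_chain()
    results["site->client WAN, nothing configured"] = net.ping(site, "10.1.1.1")
    results["edge->client WAN, no route on edge"] = net.ping(edge, "10.1.1.1")
    net, edge, site, client, pc = build_chain(edge_to_net2=True)
    results["edge->client WAN, edge has 10.1.1.0/24"] = net.ping(edge, "10.1.1.1")
    results["edge->client LAN, same config (half-reachable)"] = net.ping(edge, "192.168.1.254")
    results["edge->PC, same config"] = net.ping(edge, "192.168.1.1")
    net, edge, site, client, pc = build_chain(edge_to_net2=True, edge_to_net3=True)
    results["edge->PC, 192.168.1.0/24 routes on edge and site"] = net.ping(edge, "192.168.1.1")
    net, edge, site, client, pc = build_chain(edge_to_net2=True, default_prefix="0.0.0.0/24")
    results["edge->client WAN, defaults typed as 0.0.0.0/24"] = net.ping(edge, "10.1.1.1")
    return results


if __name__ == "__main__":
    for case, ok in reachability().items():
        print(f"{'ok  ' if ok else 'FAIL'} {case}")
```

Two things worth noticing in the output. With only the 10.1.1.0/24 route on the Edge Router, 10.1.1.1 answers but 192.168.1.254 on the very same box does not, which is the “half-reachable” router described earlier; reaching Network 3 needs a route on both the Edge Router and Site Router 1, since each router only knows the subnets it is connected to. And a default route entered as 0.0.0.0/24 only covers 0.0.0.0-0.0.0.255, so the Client Router has no path back to 10.0.247.254 and the ping fails even though the forward path is fine. The model has no firewall, so if the routes check out and real pings still fail, the input/forward filter rules mentioned in the next reply are the next place to look.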

Add two firewall rules to allow all ICMP on input and forward chains and move them to the top of the list on all three routers, then try the ping again.