I tried posting this in the routing thread but for some reason it never shows up. So I will try here…
I would like to thank everyone in advance for any assistance. As you can see this is my first MT product and first post. I am trying to set up the RouterBOARD to allow me to access a couple of servers that have public IPs that are inside my network, specifically the VM server. I have tried to follow some YouTube videos and set up 4 NAT rules that I think should work but clearly are not. When the NAT rules are active I am not able to log into the MT externally, only from the internal 10.x.x.x network. I am however able to ping the VM server but not log into it. When the 1st NAT rule is shut off then I can get into the MT externally but the ping no longer works. I would love some advice on what I am doing wrong. The 4 rules I have are listed below. As a run-down of the setup, I have a public IP provided by my ISP and a /28 range for the internal public IPs, also provided by my ISP.
Rule 1: under the General tab the chain is dstnat and the Dst. Address is my public IP of the router; the Action tab has action dst-nat and the To Addresses is the /28 range from my ISP.
Rule 2: under the General tab the chain is srcnat and the Src. Address is the /28 range from the ISP; the Action tab has action src-nat and the To Addresses is the public IP.
Rule 3: under the General tab the chain is dstnat and the Dst. Address is the /28 range from the ISP; the Action tab has action dst-nat and the To Addresses is the public IP.
Rule 4: under the General tab the chain is srcnat and the Src. Address is the public IP of the router; the Action tab has action src-nat and the /28 address range.
Basically what I want the router to do is just act as a bridge from any traffic to and from the range of public IP that I have inside my network.
Add dst-port numbers to the dstnat rules for the services you need to access on the servers from the internet, e.g. if they are web servers, then ports 80 and 443.
This will then not forward ports like the one for WinBox, and you will be able to access the router.
Please make sure your router is secure, though, if you allow WinBox etc. from the internet.
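As an added example of the advice above (not configuration posted by anyone in the thread), here is what port-limited dst-nat rules plus a matching input filter look like in the RouterOS CLI. All values are constructed placeholders: 203.0.113.10 is the router's WAN address, 198.51.100.18 is the VM server's address from the /28, 10.0.0.0/16 is the internal LAN, and ether1 is the WAN interface.

```routeros
# Added example, not the poster's rules. Placeholder addresses:
#   203.0.113.10     router WAN address            (constructed)
#   198.51.100.18    VM server, taken from the /28  (constructed)
#   10.0.0.0/16      internal LAN                   (constructed)
#   ether1           WAN interface                  (assumed name)

# dstnat: only the service ports the server actually offers are translated.
# Anything else aimed at 203.0.113.10 (e.g. WinBox on tcp/8291) is not
# matched here, so it still reaches the router itself.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 \
    protocol=tcp dst-port=80,443 action=dst-nat \
    to-addresses=198.51.100.18 comment="web ports -> VM server"

# srcnat for the server's outbound/reply traffic, limited to that one host
# instead of the whole /28 as in the original rule 2.
add chain=srcnat out-interface=ether1 src-address=198.51.100.18 \
    action=src-nat to-addresses=203.0.113.10 comment="VM server -> WAN"

# Management stays reachable only from the LAN side: accept WinBox from
# 10.0.0.0/16 and drop it when it arrives on the WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=tcp dst-port=8291 src-address=10.0.0.0/16 \
    action=accept comment="WinBox from LAN only"
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    action=drop comment="no WinBox from the internet"
```

Rule order matters in both tables: the accept rules must sit above the drop, and a broad dstnat rule placed above this one would still capture every port.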
Hello Everyone and thanks for the assistance so far. I was able to get this to work for the VM server so thank you for the push in the right direction. I don’t think this will be the correct direction for my ultimate goal however.
I was asked by a small community in Northern Ontario to help them with implementing a very small WISP. They have funding and have had some very bad advice as to the setup and how to get things to work. The wireless side of things I understand extremely well and have fixed all their issues for that portion of things. My reason for assisting them is a little personal, as my grandparents live in this community. They currently have 62 customers running on a Baicells network with an ultimate goal of the whole 213 population being connected. Single central tower with two repeater cells connected via microwave so they can cover the whole town and some of the surrounding area. The network is working very well and we are getting roughly 30/30 connections (previously they were getting 4/0.5 on a good day) for just about everyone. They have a fiber connection thanks to the government so PLENTY of bandwidth.
Currently I have set up the network to run from the ISP IP on the WAN into the Cloud Core Router and internal IPs for the network. The network is running a 10.x.x.x with a DHCP server on the Cloud Core. There are 3 businesses in the town which would like to have their own public IP. I have managed to guide them through getting a /28 range from their ISP so they have 14 addresses they can use for this purpose. This is where my knowledge is sketchy. How would I go about setting this up for them?
Any help would be greatly appreciated as I am trying to save them as much money as I can. This venture was grossly over-billed by a less than honorable contractor for the tower purchases and construction, not to mention the router and switch they had in place. I really don’t want to see them paying for this setup if I can figure out how to do it properly.
So the goal is to deliver public IP addresses provided by several different ISPs to local branches of some businesses which use those ISPs on their other locations, or do you have in mind that you’ve received a /28 subnet from the ISP which provides the uplink for the central tower?
The end goal is to provide internet to those businesses from the ISP that provides the fiber link. They are a “reseller” for their own community. Basically they got fed up with the lack of service in the town and one of the town council did some research and discovered that the government would provide some of the funding needed to get them real internet speeds. I was able to get that running for them by setting things up as your normal “internal” type network where each home is on an internal IP provided by the DHCP server on the MikroTik. I am not sure how to incorporate the public IPs they have gotten from their ISP.
So the current setup is Bell > MT router > hands out 10.x.x.x addresses to the homes,
and I need it to be Bell > MT router > hands out 10.x.x.x addresses to homes as well as the public IPs provided by Bell (these will actually be assigned statically, so no need for a second DHCP server).
So is this as simple as setting up a separate VLAN for the public IPs?
If you don’t mind that you lose one of the 14 available addresses from that subnet for the 'Tik itself or for the Bell’s router, depending whether you get that subnet from them as L2 in a VLAN or routed, and that the edge routers of those businesses can see each other at L2, then yes, it is that simple.
If you want to use all the 14 available addresses for clients, you have to set up a PPPoE server on the 'Tik and let the clients run PPPoE clients - that way, the gateway IP may not be in the same subnet and is basically not needed at all, but in that case Bell must route that subnet to you (i.e. send to you, via some interconnection subnet, anything for that /28 subnet).
I think I will try the PPPoE option and see if I can get that to work first. The VLAN I can set up in my sleep if needed, but I have a feeling once a few of the community businesses have this as an option we may have a few more come online and perhaps 1 or 2 home-based businesses. It is a fairly small community and I was able to get them started on requesting a full class C from ARIN, but who knows when that will be supplied.
I will give it a try next weekend when I am up there visiting my grandparents and let you know how it goes.
Just double-checked with a colleague - if you use PPPoE, you can even use all 16 addresses, including the x.x.x.0 and x.x.x.15 as the previous router with route to x.x.x.0/28 will send also packets for these two destination addresses to you.
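As an added example (not configuration from anyone in the thread) of the PPPoE approach described in the answer above, including the follow-up point that all 16 addresses of the block become usable, here is a minimal RouterOS setup. Everything is a constructed placeholder: 198.51.100.16/28 is the block Bell routes to the router, 10.255.255.1 is the PPP gateway address deliberately outside that block, vlan-public is the customer-facing interface, and one secret per business pins a fixed public address.

```routeros
# Added example, not the replier's or the poster's config. Assumptions:
#   198.51.100.16/28  the /28, routed by the ISP to the router's WAN address
#   10.255.255.1      PPP local (gateway) address, outside the /28
#   vlan-public       interface the business CPEs run their PPPoE clients on
#   CHANGE-ME         placeholder passwords

# Pool covering the whole block: .16 and .31 (the .0 and .15 of the /28)
# are usable because each customer gets a /32 over its own PPP link and the
# upstream router forwards everything for the /28 to us regardless.
/ip pool
add name=public-28 ranges=198.51.100.16-198.51.100.31

# The gateway address does not need to be in the /28, so no address is lost.
/ppp profile
add name=public-static local-address=10.255.255.1 remote-address=public-28 \
    only-one=yes

# Fixed address per business: remote-address on the secret overrides the
# pool, so each customer always gets the same public IP.
/ppp secret
add name=business1 password=CHANGE-ME service=pppoe profile=public-static \
    remote-address=198.51.100.16
add name=business2 password=CHANGE-ME service=pppoe profile=public-static \
    remote-address=198.51.100.17
add name=business3 password=CHANGE-ME service=pppoe profile=public-static \
    remote-address=198.51.100.18

# PPPoE server bound to the customer VLAN; one session per CPE MAC.
/interface pppoe-server server
add service-name=wisp-public interface=vlan-public \
    default-profile=public-static one-session-per-host=yes \
    authentication=pap,chap,mschap2 disabled=no
```

The PPPoE addresses must not be matched by the existing srcnat rule for 10.x.x.x, otherwise the public traffic would be masqueraded behind the WAN address again.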