Set public IP on server behind MikroTik RB4011 without NAT

Hello all.

I have 1 IP for my RB4011, A1/30, with the gateway A2/30. The ISP also gives me 5 other IP addresses, B1, B2, B3, B4 and B5, in a different range than A1.

I want to assign B1 to a server behind the RB4011 without NAT, because the server must have the public IP address.

For another ISP I have an address C1/29 for the main access, and all users are behind the RB4011 with masquerade output to this ISP.

Can you help me? I've searched but haven't found anything on this.

Best regards

A graphical scheme would be appreciated.

I want to assign B1 to a server behind the RB4011 without NAT

Let's say you have the ether1 port dedicated to WAN and ether2 dedicated to your server. Create a bridge in your MikroTik router and add the ether1 and ether2 interfaces. Consider your created bridge as the WAN interface.

Assign a static IP to your created bridge; this IP will be used by MikroTik, as this is MikroTik's WAN interface.

Since the server is in the same bridge and "directly" connected to the WAN, configure another static IP on the server itself.

The solution by @erkexzcx will work only if the extra addresses are handed out exactly the same way as A1 (they come with a gateway and subnet mask). If you follow that solution, then the RB's firewall won't protect the server unless you configure the bridge to use the IP firewall. Another option is to create a DMZ bridge and use proxy-ARP so that the firewall will work "out of the box", but you'll use one of the B addresses for the router in that subnet.

If, OTOH, the extra addresses are routed via A1, then you have 2 options:

  1. If the addresses are contiguous, you can use them as a subnet. You will lose 3 of them (one used for the router in that subnet, one network address and one broadcast address), but the setup is pretty straightforward.
  2. You can actually use them for NAT (you can do that also in case the addresses are not routed towards you) in a 1:1 manner (nat action=netmap). This way you can use all of the addresses and the RB will automatically firewall the server; the only thing is that the server will still use a private IP address. You have to think about the requirement for the server to have a public IP address (what is the basic reason for that?).

Hello, thanks for your answer; here is the graphical scheme.

So all is okay for VLAN 20 and for VLANs 440-445. The problem is with VLAN 21.

The ISP gives me IP A.B.72.81 for the box and IP A.B.72.82 for my router, and gives the additional IPs A.B.73.91 to A.B.73.95.

Hey,

If your switch is L3 capable, you can create a point-to-point /30 private IP link between the RB4011 and your switch, then route the additional IP block given to you by the ISP (A.B.73.91 to A.B.73.95) over this private link. In this way you will not waste a public IP and no NAT will be involved; your switch's next hop for 0.0.0.0/0 would then be the RB4011.

Use the same technique that your ISP does to transport / route the additional IP block to you. I hope it makes sense. Just my $0.02.

I'm sorry loloski,
but I don't understand how I can do that.
We have about 10 or 12 switches with many VLANs on them; those VLANs are trunked between each other.

I've thought about that solution, but I don't know if it will work with the IPsec VPN.
So the RB4011 will have all the IPs on it, then on VLAN 21 we will have private IPs like 10.20.73.0/24, then use the MikroTik to make a 1:1 mapping from IP A.B.73.91 to internal IP 10.20.73.91, and the default route for the server will be 10.20.73.1 (the RB4011).

Thanks for the reply
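The 1:1 mapping described in the post above, written out as a RouterOS configuration. This is an added example, not configuration from the thread; it assumes ether2 is the WAN port carrying A.B.72.82/30 and that a VLAN interface named vlan21 holds the server VLAN with 10.20.73.1/24 on the router. The filter rules show that netmap alone does not expose the server: the forward chain still decides which inbound services reach 10.20.73.91.

```routeros
# Added example (not from the thread): 1:1 netmap of public A.B.73.91 to
# private 10.20.73.91 on an RB4011.
# Assumptions: ether2 = WAN port with A.B.72.82/30, vlan21 = server VLAN.

/ip address
# Only needed if the ISP does NOT route the A.B.73.x block to A.B.72.82:
# holding the address on the WAN port makes the router answer ARP for it.
add address=A.B.73.91/32 interface=ether2 comment="public side of 1:1 map"
add address=10.20.73.1/24 interface=vlan21 comment="server VLAN gateway"

/ip firewall nat
# Inbound: traffic to the public address is rewritten to the server.
add chain=dstnat dst-address=A.B.73.91 action=netmap \
    to-addresses=10.20.73.91 comment="A.B.73.91 -> 10.20.73.91"
# Outbound: the server leaves with its public address, ports unchanged.
# Keep this rule above any masquerade rule used for the other ISP.
add chain=srcnat src-address=10.20.73.91 action=netmap \
    to-addresses=A.B.73.91 comment="10.20.73.91 -> A.B.73.91"

/ip firewall filter
# dstnat runs before the forward chain, so filtering still applies to
# the mapped server: publish only what it must serve, drop the rest.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new in-interface=ether2 \
    dst-address=10.20.73.91 protocol=tcp dst-port=443 action=accept \
    comment="published service on the mapped server"
add chain=forward connection-state=new in-interface=ether2 \
    dst-address=10.20.73.91 action=drop \
    comment="everything else from WAN to the mapped server"
```

Each additional address in the pool (A.B.73.92 to A.B.73.95) gets the same pair of netmap rules with its own private counterpart; the server itself keeps 10.20.73.1 as its default gateway.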

So we have solved the issue with this solution:

ether2 with the IP X.X.72.82
ether3 with the IP X.X.73.91 (one was used by the older firewall and we reused it like that) as the gateway for the other IPs in the pool on some VMs.