setup 2 public IP addresses NAT, mail server, web server

godovic · December 21, 2016, 2:39pm

Need advice how to setup 2 public IP addresses on mikrotik RB951G.
One address is for NAT on all local ip addresses and a web server.
The second one is only for an email server which also has web server. Email server is on private IP address.

Do I need switch before mikrotik to separate these two ip addresses in two mikrotik ports ether1 and ether2 or have to assign two public ip address on ether1?

Wanna do a NAT from local IP pool 192.168.88.0/24 to one public IP 181.x.x.79 and forward port 80 and 443 to a local web server 192.168.88.11 and I am clear how to do that.

But also wanna forward all email transfer ports (25,80,143,443,465,587,993) on public IP 181.x.x.80 to a mail server with local IP address 192.168.88.10
The email server has to use only 181.x.x.80 as public IP

Also doesn’t want a scenario were local LAN users use a internet to access email sever and waste traffic.
The mail server needs to be connected to a router or via switch?

Sob · December 21, 2016, 5:23pm

Put both public addresses on WAN interface.

Then for NAT, this should be what you want:

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.88.10 to-addresses=181.x.x.80
add action=src-nat chain=srcnat src-address=192.168.88.0/24 to-addresses=181.x.x.79
add action=dst-nat chain=dstnat dst-address=181.x.x.79 dst-port=80,443 protocol=tcp \
    to-addresses=192.168.88.11
add action=dst-nat chain=dstnat dst-address=181.x.x.80 dst-port=25,80,143,443,465,587,993 \
    protocol=tcp to-addresses=192.168.88.10

Don’t forget to allow forwarded ports:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

Accessing mail server on public address from the rest of LAN won’t really waste traffic (only in LAN, where connections will bounce via router, but it shouldn’t be a problem). But if you want to avoid it, you can set static DNS for mail server in “/ip dns” (clients have to use your router as their DNS resolver for it to work).

Mail server can be connected to switch or switched/bridged LAN port on router, it doesn’t matter much.

godovic · January 5, 2017, 2:24pm

Sob:

Put both public addresses on WAN interface.

Then for NAT, this should be what you want:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.88.10 to-addresses=181.x.x.80
add action=src-nat chain=srcnat src-address=192.168.88.0/24 to-addresses=181.x.x.79
add action=dst-nat chain=dstnat dst-address=181.x.x.79 dst-port=80,443 protocol=tcp \
    to-addresses=192.168.88.11
add action=dst-nat chain=dstnat dst-address=181.x.x.80 dst-port=25,80,143,443,465,587,993 \
    protocol=tcp to-addresses=192.168.88.10
Don’t forget to allow forwarded ports:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
Accessing mail server on public address from the rest of LAN won’t really waste traffic (only in LAN, where connections will bounce via router, but it shouldn’t be a problem). But if you want to avoid it, you can set static DNS for mail server in “/ip dns” (clients have to use your router as their DNS resolver for it to work).

Mail server can be connected to switch or switched/bridged LAN port on router, it doesn’t matter much.

Why I am getting public IP instead of local IP address when I am looking for router in winbox neighbors?

edit: when I set out interface public on src nat line, I cannot access email server.. Do I need hairpin or static DNS entry for local IP of the mail server

Sob · January 5, 2017, 8:01pm

To get rid of public address in neighbors, add src-address-type=!local to second src-nat rule.

Hairpin NAT is built-in in this solution. If you access mail server using public address from anywhere in LAN, mail server will see client’s source address as 181.x.x.79 and it will work. The usual hairpin NAT with masquerade would use router’s internal address, but it doesn’t really matter, both work fine. I even like the first better, because it at least allows you to tell connections made by router itself from connection made by other clients.

You can also add DNS record pointing to mail server’s internal address directly, it can’t hurt. In fact, in a way it’s even better, but it’s extra work. Not that it’s too hard to add one record. But if you e.g. had more hostnames and later moved one to external server, you must remember to remove it from here.

godovic · January 5, 2017, 8:11pm

Sob:

To get rid of public address in neighbors, add src-address-type=!local to second src-nat rule.

Hairpin NAT is built-in in this solution. If you access mail server using public address from anywhere in LAN, mail server will see client’s source address as 181.x.x.79 and it will work. The usual hairpin NAT with masquerade would use router’s internal address, but it doesn’t really matter, both work fine. I even like the first better, because it at least allows you to tell connections made by router itself from connection made by other clients.

You can also add DNS record pointing to mail server’s internal address directly, it can’t hurt. In fact, in a way it’s even better, but it’s extra work. Not that it’s too hard to add one record. But if you e.g. had more hostnames and later moved one to external server, you must remember to remove it from here.

so, you prefer not adding out interface like it says in wiki primer:
e.g. add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=Public ?
not using hairpin nat ?
adding src-address-type=!local to second src-nat to address to address nat rule

tnx

Sob · January 5, 2017, 8:26pm

Correct, do not add out-interface, you don’t need it.
Not exactly. This config does have hairpin NAT. Just not as extra srcnat rule. Required behaviour is accomplished by main srcnat rule alone.
Yes:

add action=src-nat chain=srcnat src-address=192.168.88.0/24 src-address-type=!local to-addresses=181.x.x.79

godovic · January 5, 2017, 9:00pm

Sob:

Correct, do not add out-interface, you don’t need it.

Not exactly. This config does have hairpin NAT. Just not as extra srcnat rule. Required behaviour is accomplished by main srcnat rule alone.

Yes:
add action=src-nat chain=srcnat src-address=192.168.88.0/24 src-address-type=!local to-addresses=181.x.x.79

Now it seems to be faster, or maybe it just look like that..

is this necessary?

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

'cos everything looks like is working fine?

Sob · January 5, 2017, 10:27pm

It’s necessary if you have proper firewall configuration that does not allow forwarding of everything by default.

godovic · January 5, 2017, 10:52pm

this is my firewall filter rules, but IP address in blockbad list arrent blocked?

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward in-interface=ether1 src-address-list=blockbad
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Sob · January 6, 2017, 12:40am

So basically what you have is default firewall. In that case you don’t really need this rule (“allow all forwarded ports”):

add action=accept chain=forward connection-nat-state=dstnat

Because this (“block everything from WAN, unless it’s forwarded port”) protects you from unwanted connections from WAN, but allows forwarded ports:

add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

And port forwarding from local LAN is allowed by default.

Regarding your blocklist, rules are processes in order, so if you want to prevent some external addresses from accessing your internal servers, it can’t work with this rule being #2, because all forwarded ports were allowed by rule #1 and rule #2 didn’t have a chance to do anything.

zipvault · January 6, 2017, 2:05am

im trying to get my head around balancing two isps

for simultanious use for redundancy and increased speed

if one drops the other is still there

rather than if one drops it connects to the other

maybe you wish to chime in here sob: http://forum.mikrotik.com/t/balance-and-failsafe/104882/1

Sob · January 6, 2017, 2:12am

There are two public addresses, but only one WAN port in this thread, no bridge. If you have two WANs, don’t bridge them.