Hi
I am new to MikroTik and am still trying to get to grips with routing in general. I live in a very remote region and set up a WISP so that my neighbors and I stay in touch with the world. I started with Ubiquiti (really simple) and now need to make the giant leap into MikroTik! I learned everything from YouTube but it has its limits; it only tells you how and not why.
We get internet from a fiber connection with a static public IP. The service provider has removed the NAT, which we now handle on a MikroTik hEX.
XXX.XXX.XXX.18 This is the public static IP address on the WAN (ether1)
XXX.XXX.XXX.21 This is forwarded to a router 192.168.2.61 on network.
We have 3 networks behind the NAT:
ether2 192.168.1.0/24
ether3 192.168.2.0/24
ether4 192.168.3.0/24
None of these 3 networks has a DHCP service and all IP addresses are fixed (static). However, some of the devices on the 3 subnets are routers and have DHCP, but on the other side of a NAT. But the WAN IPs on the 3 networks on ether2, 3 and 4 are always fixed. My public IP is also static.
My firewall setup was straight out of YouTube. But then I read the following on the MikroTik Wiki:
Masquerade
Firewall NAT action=masquerade is unique subversion of action=srcnat, it was designed for specific use in situations when public IP can randomly change, for example DHCP-server changes it, or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.
The IPs on the 3 subnets are all fixed and our public IP is also static, so why am I using masquerade? What is the right way here? My settings are listed below.
I would really appreciate some help.
Router Settings:
/ip address
add address=XXX.XXX.XXX.18/29 comment=ISP interface=ether1 network=XXX.XXX.XXX.16
add address=XXX.XXX.XXX.21/29 interface=ether1 network=XXX.XXX.XXX.16
add address=192.168.1.1/24 comment=KALK interface=ether2 network=192.168.1.0
add address=192.168.2.1/24 comment=KROMDRAI interface=ether3 network=192.168.2.0
add address=192.168.3.1/24 comment=RENOS interface=ether4 network=192.168.3.0
/ip firewall filter
# This was added by the guys who do the VoIP service.
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.1.0/24
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.3.0/24
add action=netmap chain=dstnat dst-address=XXX.XXX.XXX.21 to-addresses=192.168.2.61
add action=netmap chain=srcnat src-address=192.168.2.61 to-addresses=XXX.XXX.XXX.21
add action=masquerade chain=srcnat
/ip firewall service-port
# The VoIP guys disabled this.
set sip disabled=yes
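
For the question above (static public addresses, so why masquerade?), this is an added example, not part of the original post, that rewrites the posted NAT rules with action=src-nat and explicit to-addresses. It assumes ether1 is the only WAN interface; XXX.XXX.XXX.18 and XXX.XXX.XXX.21 are the post's own placeholders. NAT rules are evaluated top to bottom and the first match wins, which is why the rule for 192.168.2.61 comes first here.

```routeros
# Added example, not from the original post.
# Assumption: ether1 is the only WAN interface.
/ip firewall nat

# 1:1 mapping for the router at 192.168.2.61.
# In the posted rules the outbound half sat below the masquerade rule for
# 192.168.2.0/24, which matched first, so the host rule was never reached.
add chain=dstnat action=dst-nat dst-address=XXX.XXX.XXX.21 \
    to-addresses=192.168.2.61 comment="inbound .21 to 192.168.2.61"
add chain=srcnat action=src-nat out-interface=ether1 \
    src-address=192.168.2.61 to-addresses=XXX.XXX.XXX.21 \
    comment="outbound 192.168.2.61 as .21"

# The three LANs leave through ether1 as the static address .18.
# ether1 carries two public addresses, so to-addresses states the choice
# explicitly instead of leaving it to masquerade.
add chain=srcnat action=src-nat out-interface=ether1 \
    src-address=192.168.1.0/24 to-addresses=XXX.XXX.XXX.18 comment=KALK
add chain=srcnat action=src-nat out-interface=ether1 \
    src-address=192.168.2.0/24 to-addresses=XXX.XXX.XXX.18 comment=KROMDRAI
add chain=srcnat action=src-nat out-interface=ether1 \
    src-address=192.168.3.0/24 to-addresses=XXX.XXX.XXX.18 comment=RENOS

# The posted catch-all "add action=masquerade chain=srcnat" is left out:
# without out-interface it also matched traffic routed between the LANs.
```

The only filter rule in the post drops inbound UDP/53 on ether1. NAT rules translate addresses but do not restrict what reaches the router or the 1:1-mapped host, so that filtering belongs in /ip firewall filter.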