I have been trying to set up a MikroTik router with a pretty simple configuration. I am clearly overlooking something simple, because it isn’t working.
I am working with subnet 166.70.117.192/26
My ISP router is 166.70.117.193. I have assigned 166.70.117.194/30 to eth1.
I have eth5 set to 166.70.117.225/27. I have a server connected to eth5 that is assigned 166.70.117.250 (plus a few other aliased addresses in the range).
The mikrotik router can ping .193, .194, .225, and .250, but systems outside can only see .193 and .194.
What am I missing? Why is the router not forwarding packets to the internal interfaces or systems?
What you are thinking about there is a layer 2 network and not a layer 3.
While you can bridge all of the Ethernet ports on the 750 and make it act like a layer 2 device, you could have just gone to a local electronics store and bought a dumb switch for about the same price to do just that.
By assigning all of your public IP addresses to one interface, i.e. ether1, and having a private subnet on the LAN of the router, you are then able to set up one-to-one NATs to specific devices on the LAN and use the built in SPI firewall of the MikroTik to protect the servers/devices behind it.
I enabled proxy-arp on eth1 and I could immediately connect to the internal system .250. I still cannot ping .225, however. Can someone explain why proxy-arp was necessary, or why I still cannot ping the .225 address? There is another system at .253 that I would like to put on eth4. How would I need to subnet the network to get outside connectivity to that system? Would proxy-arp still be the solution?
The MikroTik way of doing things is still pretty new to me. Is there a better way of doing this?
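The routed (layer 3) layout from the opening post, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the interface names and the servers' gateway are taken from the description above, and the filtered services are assumed. It also shows why proxy-arp on ether1 made .250 reachable: the ISP router at .193 holds the whole of 166.70.117.192/26 as a directly connected network, so it sends an ARP request for .250 on its own segment instead of routing the packet to .194, and proxy-arp lets the MikroTik answer that request on behalf of the hosts it reaches through ether5. The clean fix is for the ISP to route 166.70.117.224/27 to .194, after which proxy-arp can be switched off. Note too that .247, .248, .250, .253 and .254 all fall inside the same /28, so no prefix split can put .253 on ether4 while keeping that address; that is the limitation the bridge design discussed later in the thread avoids.

```routeros
# Added example (not from the thread): routed layer-3 layout of 166.70.117.192/26.
# Assumed: ISP router 166.70.117.193 on ether1, servers on ether5 using .225 as gateway.
/ip address
add address=166.70.117.194/30 interface=ether1 comment="uplink, ISP router is .193"
add address=166.70.117.225/27 interface=ether5 comment="server segment .224-.255"

/ip route
add dst-address=0.0.0.0/0 gateway=166.70.117.193

# The ISP router treats the entire /26 as on-link and ARPs for .250 on the ether1 segment
# instead of forwarding to .194. With proxy-arp the MikroTik answers those ARP requests
# for addresses it routes out ether5, which is why .250 became reachable from outside.
/interface ethernet
set ether1 arp=proxy-arp

# Once the ISP routes 166.70.117.224/27 to 166.70.117.194, go back to normal ARP:
# /interface ethernet set ether1 arp=enabled

# Forward filtering for the server segment (assumed services: HTTP/HTTPS on .250).
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=166.70.117.250 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-interface=ether1 out-interface=ether5 action=drop comment="everything else from outside"
```

The servers on ether5 keep their public addresses with a /27 mask and 166.70.117.225 as default gateway; nothing on the servers changes when the ISP adds the route and proxy-arp is removed.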
There are usually a lot of ways to accomplish things. It all depends on your preference and what your ultimate goal is. Explain what you are aiming for and your current setup as best as you can so that we can give pointers and advice on how to set things up.
I personally would go with an ether1 setup with a switch behind it, so that later down the road, if you added another ISP or wanted a DMZ or internal network, you would have ports left over. Also, to me it's a simpler setup.
But there is also more than one way to do things; it just comes down to what you understand and feel comfortable doing.
It is simple. I have a RB450, the subnet 166.70.117.192/26, and two servers. The servers are addressed as .250 (with some aliases .247, .248, .254) and .253. I would like to route traffic to and from those servers using the Mikrotik device and firewall.
I can see how using a switch and one-to-one NAT would work, but I am trying to keep as small a space footprint as possible (there is very little physical space). It would be best if I could plug the servers directly into eth4 and eth5.
5.) Set up a DHCP server if you want to hand out DHCP to the LAN, if not, don’t worry about it.
6.) Set up your one-to-one NATs to your servers and their aliases. Also a catch all NAT rule. Keep in mind that order of rules is VERY important. If a rule higher up in the list catches something, it will not get processed further down the list. The same goes for the firewall filter.
You can get more specific with the dstnat rules if you want to only forward certain services to them such as HTTP, or SMTP. You can then also set up what filter rules you want in /ip firewall filter to protect your router and the servers behind the router.
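Steps 5 and 6 above, together with the dst-nat and filter refinements, as a RouterOS configuration. This is an added example rather than anything posted in the thread; the private LAN 192.168.10.0/24 on ether2, the private server addresses and the service ports are assumptions. The public addresses are placed on ether1 so the MikroTik answers ARP for them, each dstnat rule maps a public address to its private host and the matching srcnat rule maps the reverse, and the masquerade rule sits last because the first matching rule wins: placed above the per-server src-nat rules it would send the servers' outbound traffic out as .194.

```routeros
# Added example (not from the thread): private LAN behind the MikroTik with one-to-one NAT.
# Assumed: LAN 192.168.10.0/24 on ether2, server A = .250 -> 192.168.10.50,
# server B = .253 -> 192.168.10.53. Repeat the pair of NAT rules for each alias (.247, .248, .254).
/ip address
add address=166.70.117.194/26 interface=ether1 comment="router public address"
add address=166.70.117.250/32 interface=ether1 comment="public side of server A"
add address=166.70.117.253/32 interface=ether1 comment="public side of server B"
add address=192.168.10.1/24 interface=ether2 comment="private LAN"

/ip route
add dst-address=0.0.0.0/0 gateway=166.70.117.193

# step 5 (optional): DHCP for other LAN hosts; the servers keep static private addresses
/ip pool
add name=lan-pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add name=lan interface=ether2 address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1

# step 6: one-to-one NAT. Rules are evaluated top-down, first match wins.
/ip firewall nat
# inbound half of each mapping
add chain=dstnat dst-address=166.70.117.250 action=dst-nat to-addresses=192.168.10.50 comment="A in"
add chain=dstnat dst-address=166.70.117.253 action=dst-nat to-addresses=192.168.10.53 comment="B in"
# outbound half: the server leaves with its own public address, not .194
add chain=srcnat src-address=192.168.10.50 out-interface=ether1 action=src-nat to-addresses=166.70.117.250 comment="A out"
add chain=srcnat src-address=192.168.10.53 out-interface=ether1 action=src-nat to-addresses=166.70.117.253 comment="B out"
# catch-all for everything else on the LAN; must stay below the src-nat rules
add chain=srcnat out-interface=ether1 action=masquerade comment="catch-all, keep last"

# Filter rules see the translated (private) destination because dst-nat runs before forward.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=192.168.10.50 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-interface=ether1 dst-address=192.168.10.53 protocol=tcp dst-port=25 action=accept
add chain=forward in-interface=ether1 action=drop comment="no other unsolicited traffic from outside"
```

To expose only a single service instead of the whole host, add `protocol=tcp dst-port=80` to the dstnat rule; the filter rule then stays as the second line of defence rather than the only one.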
Another option is to bridge all of the Ethernet ports together and check in the bridge “use IP firewall” and set up your filter rules there. That way you would only assign the management IP to the bridge so that you could connect to the MikroTik and then you could assign the public IP addresses directly to your servers. I don’t have much experience with this kind of setup so it would probably take a bit more tweaking to get it working like you wanted.
I am hesitant to use an internal private IP range and NATing because I would have to reconfigure the servers and their applications. It seems like overkill. How could I keep the public IP range for all the devices?
This sounds like exactly what I am looking for, but I don’t have much experience with Mikrotik bridging. Can someone give me some more specific information?
It will probably have to be done via the console port to do it all in one fell swoop, or do it in a couple of parts for testing. You’ll also want proxy-arp turned off on all interfaces.
1.) Have an IP assigned to Ether1 that you will use for admin needs for now, a private IP will work because you probably want to assign one of the public IP addresses to the router itself for remote admin needs.
2.) Follow step 3 that I listed to bridge ether2 through ether5 together. Attach your modem/router and all of your servers to those ports. At this point all servers should be able to access the internet and be accessible remotely, since they will in essence be on a layer 2 network.
3.) In the bridge menu click on settings and check “Use IP Firewall”.
4.) Set up whatever firewall filter rules you want to use to protect the router and servers.
5.) Make sure you can access the router remotely via the IP assigned to the bridge. If so, and you need the extra port, feel free to add ether1 to the bridge.
Note that you will still need a default route set on the Mikrotik for remote administration. This should be all that is required, but may require some more playing around with to get it working the way you want. Probably the trickiest part past this will be setting up the firewall rules that you want.
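The bridge procedure from the post above as RouterOS commands. This is an added example, not the poster's configuration; the temporary admin address 192.168.88.1/24 on ether1, the admin host 198.51.100.10 (an RFC 5737 documentation address) and the permitted service ports are assumptions. With use-ip-firewall enabled, frames switched between bridge ports pass through the forward chain of /ip firewall; for those frames in-interface is the bridge itself, so the physical port is matched with in-bridge-port.

```routeros
# Added example (not from the thread): ether2-ether5 bridged, public addresses stay on the
# servers, filtering done in /ip firewall via use-ip-firewall.
# Assumed: ISP router on ether2, server .253 on ether4, server .250 (+aliases) on ether5,
# admin host 198.51.100.10.

# step 1: temporary admin address on ether1, which stays outside the bridge for now
/ip address
add address=192.168.88.1/24 interface=ether1 comment="temporary admin access"

# proxy-arp off everywhere (arp=enabled is the normal mode)
/interface ethernet
set [find] arp=enabled

# step 2: bridge ether2-ether5 into one layer 2 segment
/interface bridge
add name=bridge1 comment="ISP router + servers"
/interface bridge port
add bridge=bridge1 interface=ether2 comment="ISP router .193"
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 comment="server .253"
add bridge=bridge1 interface=ether5 comment="server .250 and aliases"

# router's own public address and default route, needed for remote administration
/ip address
add address=166.70.117.194/26 interface=bridge1 comment="router management"
/ip route
add dst-address=0.0.0.0/0 gateway=166.70.117.193

# step 3: send bridged traffic through /ip firewall
/interface bridge settings
set use-ip-firewall=yes

# step 4: filter rules. Bridged frames have in-interface=bridge1; use in-bridge-port for the port.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-bridge-port=ether2 dst-address=166.70.117.250 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-bridge-port=ether2 dst-address=166.70.117.253 protocol=tcp dst-port=25 action=accept
add chain=forward in-bridge-port=ether2 action=drop comment="anything else arriving from the ISP side"
# protect the router itself
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input src-address=198.51.100.10 protocol=tcp dst-port=22,8291 action=accept comment="ssh+winbox from admin host"
add chain=input in-interface=ether1 action=accept comment="local admin until ether1 joins the bridge"
add chain=input action=drop

# step 5: once remote admin via .194 works, ether1 can join the bridge as well:
# /ip address remove [find interface=ether1]
# /interface bridge port add bridge=bridge1 interface=ether1
```

The servers keep their existing 166.70.117.x/26 addresses and the ISP router .193 as gateway, so nothing on them is reconfigured; the MikroTik only filters what crosses between bridge ports. Test the forward rules from outside before adding the final input drop, since a mistake there cuts off remote access.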