Hello I’ve some static public ip from my ISP:
95.95.26.192/28

I set them on my routerboard RB1 connected with the ISP.

Now I need other static public ip so my ISP assigned me a new set of ips:
95.95.144.192/27 with a static route trought ip 95.95.26.206

so I can catch up with the netmap configuration other devices on my LAN using these new addresses:
ex.: 95.95.144.201–NAT–10.10.10.250

/ip firewall nat
add chain=srcnat action=netmap to-addresses=95.95.144.201 src-address=10.10.10.250
add chain=dstnat action=netmap to-addresses=10.10.10.250 dst-address=95.95.144.201

But this device has always pubblic ip 95.95.26.206 and not 95.95.144.201.

Is there a way to get out on the internet with this public address 95.95.144.201?

cetalfio

Read the mikrotik static route. you will get a better information.

A useful help?

cetalfio

A good first step would be to black hole route the /27 on RB1.
/ip route add dst=95.95.144.192/27 type=blackhole

This way, whenever port scan / IP scan traffic comes to unused addresses from your /27 it won’t cause ping-pong traffic between your router and the ISP router until TTL expires. (may those bastards rot in hell)

Then, make sure that the netmap rules you posted are actually EARLIER in the chain than the default masquerade rule.

Thanks ZeroByte for blackhole advise.
The masquerade is the last row on NAT setting.

My IPs are:
95.95.26.192/28
and
95.95.144.192/27 on static route in 95.95.26.206

The netmap on the first subnet, the IPs do not have problems:
/ip firewall nat
add chain=srcnat action=netmap to-addresses=95.95.26.194 src-address=10.10.10.200
add chain=dstnat action=netmap to-addresses=10.10.10.200 dst-address=95.95.26.194
95.95.26.194 has 95.95.26.194 some as internet ip both incoming and outgoing traffic.

But with subnet 95.95.144.192/27 the forward works well incoming, I can reach the device through internet but when I check my internet IP that is always 95.95.26.206.

The statis routes 95.95.144.192/27 on static route in 95.95.26.206 is made on Cisco ISP where I can not access, is it possible that the problem is on the CISCO router?

cetalfio

So your Mikrotik’s default gateway is 95.95.26.206?

What about your IPs in that first range, do they also show up as 95.95.26.206?

This sounds like maybe the ISP’s router is doing NAT

Maybe I’m wrong something:

I’ve changed the Cisco ISP router with a MT, It’s connected directly to the Internet:
/ip address

ADDRESS NETWORK INTERFACE

0 ;;; IP vlan1-101
xxx.xxx.3.82/30 xxx.xxx.3.80 vlan1-101
1 95.95.26.193/28 95.95.26.192 ether1-master-local
/ip route
0 A S ;;; Default route
0.0.0.0/0 xxx.xxx.3.81 1
1 ADC 95.95.26.192/28 95.95.26.193 ether1-master-l… 0
2 A S ;;; Rotta Statica 95.95.144.192/27
95.95.144.192/27 95.95.26.206 1
3 ADC xxx.xxx.3.80/30 xxx.xxx.3.82 vlan1-101 0

RB1
/ip address
;;; LAN address
10.10.10.253/24 ether2_LAN
95.95.26.206/28 95.95.26.192 ether1_WAN
;;; Gateway classe 95.95.144.192/27
95.95.144.193/27 95.95.144.192 ether4
/ip route
0 A S 0.0.0.0/0 95.95.26.193 1
1 ADC 10.10.10.0/20 10.10.10.253 ether2 0
2 ADC 95.95.26.192/28 95.95.26.206 ether1_WAN 0
3 ADC 95.95.144.192/27 95.95.144.193 ether4_Rete_Tes… 0
4 SB ;;; Blackhole
95.95.144.192/27 1
5 S 95.95.144.192/27 95.95.144.193 1

RB2
/ip address
1 95.95.144.201/27 95.95.144.192 ether1
/ip route
0 A S 0.0.0.0/0 95.95.144.193 1
1 ADC 95.95.144.192/27 95.95.144.201 ether1 0

/tool traceroute
address: 8.8.8.8

ADDRESS LOSS SENT LAST AVG BEST WORST

1 95.95.144.193 0% 3 0.3ms 0.8 0.3 1.7
2 95.95.26.193 0% 3 0.4ms 1.3 0.3 3.3
3 xxx.xxx.3.81 0% 3 0.6ms 0.7 0.6 0.8

from RB2 this site http://www.myip.dk says your IP address is: 95.95.26.206

I am confused cetalfio

check all involved routers /ip firewall nat
check all involved routers connections to try to isolate where the NAT is taking place…