[Solved] Please help me set up /29

I’ve been stuck trying to give a unique IP to each of my 2 PCs. Any help would be much appreciated.

I have 2 PCs connected to an RB, which is connected to a modem.
Subnet given by my ISP: 1.1.1.0/29 (hypothetically)

I first tried to set up a DHCP server using winbox:

Quick Set → PPPoE:

PPPoE user: user@myisp.com
PPPoE pass: mypass
Local Network:
IP Address: 1.1.1.1
Netmask: 255.255.255.248/29
Range: 1.1.1.2-1.1.1.6

Checked the “DHCP Server” checkbox
Apply

Under DHCP server → Networks:

Address: 1.1.1.0/29 Gateway: 1.1.1.1 DNS: 8.8.8.8

The problem is only 1 PC has connection to the internet. This PC is connected to ether2 on the router, and DHCP server interface is also set to ether2. What am I doing wrong?

------- ignore below if you don’t want to waste time -------

Method 2:

So I tried something else, which also failed:

Reset the RB to an empty config

  1. Made a new bridge (all settings on default)
  2. Added ether2-4 under Bridge-> Ports.
  3. PPPoE → new PPPoE Client → filled out my ISP credentials
  4. Used ether1 as the PPPoE client’s interface.
  5. Filled out the IPs under network adapter properties (in Windows):
     IP Address: 1.1.1.2 (also tried 1.1.1.3-6)
     Mask: 255.255.255.248
     Gateway: 1.1.1.1
     DNS: 8.8.8.8
     Alternate: 8.8.4.4

Again, my friends could ping 1.1.1.2 but I had no connection because I’m just following instructions and don’t know what I’m doing.

What you see is exactly what I did. Nothing more or less. Now I’m like a sitting duck and would appreciate any help.

Don’t complicate things. Simply add a layer-2 switch to ether2 on your router and then attach both of your computers to the switch. Problem solved.

You need to configure the IP address on the LAN side of your router as well.

If using a bridge, add the address 1.1.1.1/29 to the bridge-local interface.
Then you can put DHCP server on the interface if you like, but I’ve found that DHCP on a very small segment like this can lead to pool exhaustion easily if devices connect and disconnect often.

Since you’re putting real routable IP addresses straight onto your machines, you’re going to want to filter the Internet’s ability to reach them directly.
At the very least, make sure there’s a filter rule in the forward chain which blocks new connections if the in-interface is pppoe1. If you want to run a server on one of the machines, then just before this filter rule, add another which allows exactly the ports your service needs (e.g. 80 for web, 25 for SMTP, etc.).

You could also make another bridge for a normal private IP LAN and MASQUERADE traffic from it toward the Internet. You should make sure the masquerade doesn’t happen if the LAN wants to talk to the DMZ or the DMZ wants to talk to the LAN (although DMZ→LAN is usually blocked, hence the name ‘DMZ’).
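A worked version of the two-segment layout this reply describes, written as RouterOS CLI commands. This is an added illustration, not configuration from the original post or from MikroTik; it assumes the PPPoE client interface is named pppoe1-out as above, that ether2-3 carry the public /29 and ether4-5 the private LAN, and it uses 192.168.88.0/24 as a constructed private range. The bridge names bridge-dmz and bridge-lan and the pool name are my own choices.

```routeros
# Added example (not from the thread): public /29 on one bridge, private LAN on another.
# Assumptions: PPPoE client interface is "pppoe1-out"; 1.1.1.0/29 is the ISP /29;
# 192.168.88.0/24 is a constructed private range for the second bridge.

# Two bridges: the public segment ("DMZ") and a private, NATed LAN
/interface bridge
add name=bridge-dmz comment="public /29 segment"
add name=bridge-lan comment="private NAT segment"
/interface bridge port
add bridge=bridge-dmz interface=ether2
add bridge=bridge-dmz interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

# The LAN side of the router needs an address on each segment
/ip address
add address=1.1.1.1/29 interface=bridge-dmz
add address=192.168.88.1/24 interface=bridge-lan

# DHCP only on the private segment; the /29 hosts are configured statically
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=lan-dhcp interface=bridge-lan address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=8.8.8.8

# NAT: masquerade only private sources and only toward the Internet, so that
# LAN<->DMZ traffic is routed with real addresses on both sides and never NATed
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=pppoe1-out action=masquerade

# Forward chain, in order: stateful replies in, junk out, DMZ may not initiate
# into the private LAN, per-service openings, then drop new inbound from the Internet
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-dmz out-interface=bridge-lan connection-state=new action=drop
# Per-service exceptions go here, before the final drop, e.g. a web server on 1.1.1.2:
add chain=forward in-interface=pppoe1-out dst-address=1.1.1.2 protocol=tcp dst-port=80 action=accept
add chain=forward in-interface=pppoe1-out connection-state=new action=drop
```

Rules are evaluated in the order they are added, so the per-host accept must sit above the final pppoe1-out drop. Binding the masquerade to out-interface=pppoe1-out is what keeps LAN→DMZ traffic un-NATed; `/ip firewall connection print` shows whether a given flow was translated.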

Thanks for helping out guys. I do want to take the easiest route to give each PC a permanent unique public IP, and /29 is my only option… I have an unmanaged switch and don’t know if that would help.

To not muddy the water any more, I’ll stick to setting up a DHCP server in the router.

For now, PC1 has connection but PC2 doesn’t, and here’s what I did:

Under “Quick Set”:

  1. Gateway: 1.1.1.1
  2. Range: 1.1.1.2-1.1.1.6
  3. Checked the “DHCP server” checkbox

PPPoE status: connected

  1. Added bridge1 and ether2-4 under Ports
  2. Added 1.1.1.1/29 under IP → Addresses
  3. Set bridge1 as 1.1.1.1/29’s interface
  4. Under DHCP → server, set bridge1 as the interface.

Now PC1’s public IP is 1.1.1.6, but PC2 has no connection. I see in DHCP → Leases, there’s one active address: 1.1.1.6.

I must’ve messed up somehow but don’t know why. Thanks for any help!

I’d actually recommend just using static IP address configuration on each PC since it’s such a small IP range and given the fact that you want each machine to be a permanent thing. That’s the simplest thing to do.

If this post doesn’t help you get things finished, please post the model of your router so that I can give some more accurate interface names / account for things like wireless (if it has wifi)

ok - let’s start with the simplest configuration - no bridge interface, no dhcp server, etc.

I’m assuming that you have a 5-port device with an integrated switch (such as the 951G)

Go into /interfaces menu, ethernet tab, and edit each interface ether2 through ether5 as follows.

For ether2 - set master port = none
For ether3 through ether5 - set master port = ether2

This causes ether2-5 to be a 4-port dumb switch. The “interface” to use from now on inside the Mikrotik is ether2. Anything that you configure on ether2 is also available on ether3 - 5.

Go into IP > Addresses
Add 1.1.1.1/29 interface=ether2

Go into IP > Firewall > NAT
There will be a rule by default that says action=masquerade out-interface=pppoe1-out - add a condition to this rule:
src-address= ! 1.1.1.0/29 (! is the little checkbox next to the input blank, and it means “NOT” - so this condition requires that the source IP is NOT one of your public IP addresses)

Finally - for the filter rules - in particular the forward chain - by default the firewall allows outbound things, but blocks inbound things.
It also has a rule by default now which allows packets with a condition that nat state = dst-nat. Think of this rule as a “bookmark” of sorts now - it doesn’t do anything for you because your IP addresses are public. However, it’s a good idea to block everything except what you want to open to the Internet. If you want to make 1.1.1.4 be a mail server, for instance, you would put a rule right before the “bookmark” rule, and craft it like this:
dst-address=1.1.1.4 protocol=tcp dst-port=25,110,143,993,995 action=accept
(This rule allows SMTP, POP3, IMAP, IMAP-secure, and POP3-secure.)

That should be literally everything you need to do to get each server running.
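The same procedure as RouterOS 6.x CLI commands, as an added example rather than configuration from the reply or from MikroTik. It is written as if starting from the empty config the OP used, so the masquerade rule is created with the extra condition rather than edited into an existing default rule. It assumes a 5-port board with a switch chip (such as the 951G mentioned above), that the PPPoE client is named pppoe1-out (check `/interface print` for your real name), that 1.1.1.0/29 is the ISP /29, and that 1.1.1.4 is the machine acting as the mail server.

```routeros
# Added example (not from the thread): the single-segment setup from the reply above.
# Assumes a 5-port board with a switch chip, a PPPoE client named "pppoe1-out",
# 1.1.1.0/29 as the ISP /29, and 1.1.1.4 as the mail host.

# ether2-5 become one dumb switch; ether2 is the only interface name used from here on
/interface ethernet
set ether2 master-port=none
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2

# Router's own address on the public segment (the PCs use 1.1.1.2-1.1.1.6 statically)
/ip address
add address=1.1.1.1/29 interface=ether2

# NAT: masquerade toward the Internet, but never NAT the public /29 itself
/ip firewall nat
add chain=srcnat out-interface=pppoe1-out src-address=!1.1.1.0/29 action=masquerade

# Forward chain, in order: replies to outbound traffic, junk, the explicit per-host
# opening, the dst-nat "bookmark" rule, then drop everything new from the Internet
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward dst-address=1.1.1.4 protocol=tcp dst-port=25,110,143,993,995 action=accept comment="mail on 1.1.1.4"
add chain=forward connection-nat-state=dstnat action=accept comment="bookmark"
add chain=forward in-interface=pppoe1-out connection-state=new action=drop
```

After applying, `/ip address print`, `/ip firewall nat print` and `/ip firewall filter print stats` let you confirm the address landed on ether2 and that the drop rule, not the accept rules, is the one counting unsolicited inbound packets.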

Thanks so much for being so detailed, and your post did the job!

One last thing about the firewall. My RB had no firewall filters because I started with an empty config. (By the way, I’m on RB70Gr2 6.33; no wireless function.)

In Filters, I set the input chain to “reject”; the forward and output chain to “accept”. Does this make sense? Reading the firewall wiki now as we speak…

No, because input means packets to the Mikrotik itself (regardless of input interface).
Forward means packets through the Mikrotik, so packets from the users’ computers to the Internet, or from the Internet to the computers, will use the forward chain.

You can specify in-interface=wan to make a forward rule that applies to the Internet interface, though.
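To make the chain distinction concrete, here is an added example (not from the thread or from MikroTik) of an input chain that protects the router itself, next to the forward rule that handles traffic passing through it. It assumes the public segment is on ether2 and the PPPoE client is named pppoe1-out; the rules drop rather than reject, which is the usual choice on an Internet-facing interface.

```routeros
# Added example (not from the thread). Assumes the PCs are on ether2 and the
# Internet-facing PPPoE client is "pppoe1-out".
/ip firewall filter

# input = packets addressed to the router itself (Winbox, SSH, its DNS lookups, ping)
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="keep ping/PMTU working"
add chain=input in-interface=ether2 action=accept comment="management from the LAN segment"
add chain=input in-interface=pppoe1-out action=drop comment="no new sessions to the router from the Internet"

# forward = packets through the router; the Internet in-interface belongs here,
# not in the input chain, because these packets are for the PCs, not the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe1-out connection-state=new action=drop
```

Setting the input chain to reject, as in the post above, would have cut off the router’s own management sessions while leaving the PCs fully reachable; the split here does the opposite.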

Done. You just saved my ass. Much appreciated!