Hi,
I have a problem configuring 2 IPs from the same subnet on one interface.
I have IPs x.x.65.140/29 and x.x.65.141/29 and I set them on an interface (ether1) from IP > Addresses.
I have a local network that uses the internet through them. I set one src-nat rule and everything is fine when clients use the internet.
My NAT configuration from WinBox is:
Action=src-nat chain=srcnat src-address: 192.168.2.0/24 and in the Action tab for To Addresses: x.x.65.140/31
Now my problem is that when I set a dst-nat to access my local services from the internet, only the first IP (x.x.65.140) works, and I cannot access my services from the internet with the second public IP address (x.x.65.141).
Based on the rather limited information that you gave, it would appear that all your outbound traffic is going to use your .140 address. That would mean that traffic to your .141 address is going to come back to the origination from a different address (the .140 address), so the external source is going to reject the packet.
With that said, you gave us far too little information to work with. Please export your configuration and post it in a code block
/export hide-sensitive file=anynameyouwish
Then paste that in a code block (the symbol to the left of the quotation marks).
On my moderately quick read, my initial suspicion appears to be right. Your source NAT is specifying that all outbound traffic from the LAN to the internet use the .140 address. For the one service that is destination NATed using the .141 address, when your server replies, it is also going out via the .140 address. That will cause a problem (not in the router) with the computer at the far end. It sees traffic coming back from a different address than I sent it to and rejects it - as it should.
The easiest solution would be to use the .140 address for that one service - like all the rest of them.
That’s not how it works, both srcnat and dstnat rules apply only to new connections (first packet). If there’s a connection to some address and dstnat sends it elsewhere, all further packets in both directions are part of the established connection and neither srcnat nor dstnat rules affect them anymore. Addresses are fixed automatically, i.e. if destination was .141 and dstnat changed it, then responses will have their source changed back to .141.
I don’t see anything wrong in config. So make sure that .141 works at all (can you ping it from internet?). And since you have all dstnated ports different, you can also try if it would work with .140, to rule out that e.g. target server may not be listening on given port.
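The behaviour described in the reply above (NAT rules consulted only for a connection's first packet, replies reversed from the connection table), as an added toy model that is not from the thread and is not RouterOS code. The 203.0.113.x and 198.51.100.7 addresses, the 192.168.2.10 target and the single 3389 forward are constructed stand-ins.

```python
# Toy model of connection tracking with NAT (illustration only, not RouterOS).
# Constructed addresses: 203.0.113.140/.141 stand in for x.x.65.140/.141.
PUB_A, PUB_B = "203.0.113.140", "203.0.113.141"
LAN_PREFIX = "192.168.2."                          # models 192.168.2.0/24
DSTNAT = {(PUB_B, 3389): ("192.168.2.10", 3389)}   # hypothetical RDP forward
SRCNAT_TO = PUB_A                                  # src-nat "To Addresses"

conntrack = {}  # tuple seen on the wire -> tuple it is rewritten to


def new_connection(src, sport, dst, dport):
    """First packet only: consult the NAT rules, then record both directions."""
    ndst, ndport = DSTNAT.get((dst, dport), (dst, dport))
    nsrc = src
    # The srcnat rule matches LAN sources heading out to a non-LAN destination.
    if src.startswith(LAN_PREFIX) and not ndst.startswith(LAN_PREFIX):
        nsrc = SRCNAT_TO
    xlat = (nsrc, sport, ndst, ndport)
    conntrack[(src, sport, dst, dport)] = xlat
    # Reply direction: the mirror of the translated tuple maps back to the
    # mirror of the original tuple, so the client sees the address it dialled.
    conntrack[(ndst, ndport, nsrc, sport)] = (dst, dport, src, sport)
    return xlat


def forward(src, sport, dst, dport):
    """Translate one packet; NAT rules run only when no entry exists yet."""
    key = (src, sport, dst, dport)
    if key in conntrack:
        return conntrack[key]
    return new_connection(*key)


if __name__ == "__main__":
    # Inbound connection to .141:3389, then the server's reply packet.
    print(forward("198.51.100.7", 50000, PUB_B, 3389))
    print(forward("192.168.2.10", 3389, "198.51.100.7", 50000))
    # A new outbound connection from the same server uses the srcnat rule.
    print(forward("192.168.2.10", 40000, "198.51.100.7", 443))
```

The reply packet leaves with source .141 even though the srcnat rule names .140, because it matches the existing entry and never reaches the rules; only the server's own new outbound connection is source-NATed to .140.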
Thank you for your reply.
Yes, I can ping .141 from the internet, and when I disable the IP address on the MikroTik, my ping times out.
But no dst-nat rule (like Remote Desktop to a local machine remotely from the internet) works well with this IP address.
For example, Remote Desktop to my machine works well from .140 to .141 from another machine in that local network, and I can be sure that the Remote Desktop port (3389) is open at .141 from the service provider, but from the internet it doesn't work. When I create the dst-nat rule to .140 everything is fine, but when I change it to .141 it doesn't work.
I added another interface (ether3) and set .141 on this interface, but it does not work.
I colocate my server at an ISP, and they gave me one switch port, which I connected to one of my server's Ethernet ports, and a /29 subnet. I installed ESXi on my server and use a MikroTik appliance VM to configure my machine servers.
From that server interface I have one public IP for ESX remote access that works well, and one virtual switch port to my MikroTik VM that has those two IPs set; one works well, the other does not work, and I don't know why.