Hi all, semi-new to Mikrotik routers and RouterOS. Not new to networking, though. I am trying to configure a Mikrotik router to act almost like a passthrough router: split a block of public IP addresses and put each one on its own port interface on the Mikrotik router. I do not need any heavy firewall rules on the Mikrotik, as each endpoint device/router/server will have its own firewall and protection. I have no access to the ISP router.
ISP ROUTER ----- ETHERNET Port 4 = Block of IP addresses: xxx.xxx.xxx.176/29---------> MIKROTIK ROUTER (ETHER1 WAN)
MIKROTIK ROUTER (ETHER2) -----------> SERVER (Public IP = xxx.xxx.xxx.182)
MIKROTIK ROUTER (ETHER3) -----------> Unifi Router (Public IP = xxx.xxx.xxx.178)
How is L3 connectivity towards the ISP done? Does the ISP provide that /29 subnet but reserve one address for their own router (and the rest of the devices are supposed to use that IP address as the gateway)? Or does that router get its own IP address (outside the mentioned /29 address block) and that address block gets routed to your Mikrotik?
If it's the former, then you have to bridge the ether1, ether2 and ether3 ports (kind of a switch). You can then disable HW offload and set use-ip-firewall=yes to enable firewalling (it can be a basic or a complex set of rules, it doesn't matter).
If it's the latter, then create a bridge with the ether2 and ether3 ports, set one of the /29 addresses as the bridge's IP address and set the connected devices to use it as their gateway. Nothing special needs to be done to enable firewalling in this case (unless you want to filter traffic between the WAN-facing servers). However, you should adapt the (potential) SRC-NAT rule; the default (which NATs all traffic leaving the router through the WAN port) is not good in this case.
The ISP provides a /29 subnet, which has 8 IPs. The first address of that block is the gateway, and the ISP reserves 2 for themselves, which leaves me 5 usable routed IP addresses to use from one ethernet port on the ISP's router.
Last night, while awaiting moderation for my post, I bridged ether1 (WAN) on the Mikrotik to ether2 and ether3. I assigned ether1 (WAN) one address from the IP block, and then on my server and the USG PRO 4 I set their IP addresses to two of the other IP addresses from the block and filled in the ISP gateway as their gateway. I have an internet connection on both my server and my Unifi router. Both are reachable from their assigned public IPs. Not sure if this is best practice?? I followed this video: https://www.youtube.com/watch?v=H4uaO8nDE4Q
Regarding the default NAT: doesn't all traffic need to leave the router through the WAN port anyway to access the internet?
I have set up basic firewall rules to protect the Mikrotik router. Is there anything more you would recommend I add?:
The way you configured the router is fine. The only thing to fix (it seems to work fine, but it actually is not done correctly) is to move the router's WAN IP address from ether1 to the bridge.
Re NAT: usually there are numerous devices behind a router in a LAN, and LAN devices use private IP addresses (e.g. 192.168.x.y or some such). Those addresses have to get NATed when the devices communicate with the internet. SOHO routers come with a default config which includes a (pretty decent) firewall and NAT. The default NAT rule affects all traffic leaving the router through the WAN interface. With your use case one would have to be careful not to affect traffic originating from devices with one of the public IP addresses. It seems you have one of the pro devices (probably a CCR), which doesn't have any default config. Your firewall does protect the router itself but doesn't do anything about traffic passing through it towards the end devices.
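Both layouts the earlier reply distinguishes (the /29 handed out on the ISP router's LAN port, or a /29 routed to the Mikrotik over a separate link), together with the two points in this reply (the router's own address on the bridge rather than on ether1, and a NAT rule that leaves the public block alone), as an added RouterOS CLI example that is not part of the thread. It assumes 203.0.113.176/29 stands in for xxx.xxx.xxx.176/29, .177 is the ISP gateway, .181 is the address given to the Mikrotik itself, 198.51.100.0/30 is an assumed point-to-point link to the ISP in the routed variant, and interface names follow the diagram in the first post. The two layouts are alternatives; apply only one.

```routeros
# --- Layout 1 (what the OP has): the ISP's LAN port carries the /29 and the ISP
# router at .177 is the gateway. The Mikrotik is a transparent L2 device:
# ether1/2/3 are bridged and the router's own address lives on the bridge.
/interface bridge
add name=bridge-wan comment="ether1 (ISP) + ether2 (server) + ether3 (Unifi)"
/interface bridge port
add bridge=bridge-wan interface=ether1 hw=no
add bridge=bridge-wan interface=ether2 hw=no
add bridge=bridge-wan interface=ether3 hw=no
# hw=no: switch-chip offload would forward frames without the CPU seeing them,
# so firewall and queues could not act on them. use-ip-firewall additionally
# pushes bridged traffic through /ip firewall (and queues).
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=203.0.113.181/29 interface=bridge-wan comment="router's own public address (assumed .181)"
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.177
# No src-nat rule at all in this layout: nothing is routed by the Mikrotik; the
# server (.182) and the Unifi (.178) reach .177 directly across the bridge.

# --- Layout 2 (alternative): the ISP routes the /29 to the Mikrotik over a
# separate link. Only ether2 and ether3 are bridged; the Mikrotik is the gateway
# for the /29 and the server/Unifi point at .177 on the bridge.
/interface bridge
add name=bridge-public
/interface bridge port
add bridge=bridge-public interface=ether2
add bridge=bridge-public interface=ether3
/ip address
add address=198.51.100.2/30 interface=ether1 comment="ISP link address, assumed"
add address=203.0.113.177/29 interface=bridge-public comment="gateway for the /29"
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1
# If a private LAN is ever added behind this router it needs masquerading, but the
# usual default 'chain=srcnat out-interface=ether1 action=masquerade' would also
# rewrite .182 and .178 to the ether1 address. Exclude the public block:
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=!203.0.113.176/29 action=masquerade \
    comment="NAT private sources only; the public /29 leaves untouched"

# Checks for either layout: ports are on the bridge with hw=no, the address is on
# the bridge (not ether1), and the NAT rule (if any) excludes the /29.
/interface bridge port print
/ip address print
/ip firewall nat print
```

In layout 1 the bridge faces the ISP's segment directly, so anything listening on the router is reachable from that segment; the only firewalling that matters there is the input chain. In layout 2 the /29 is routed, so the forward chain is where per-host filtering would go if it is ever wanted.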
My bad, I did in fact configure the WAN IP on the bridge and not on the WAN port; thanks for catching my typo!
I will be getting a CCR, but I have an old RB750GL just to test with before I purchase the CCR. I removed the default config from the router so I could have a clean slate to work with.
Firewall: okay, good. I don't have any need to do anything to the traffic passing towards the end devices, except that I would like to create QoS for my server and my Unifi router. I assume I would just use Smart Queues for this, and that with the way I have the bridge and everything configured, Smart Queues on the ether2 and ether3 ports should work?
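The QoS the OP describes, as an added RouterOS example that is not from the thread. RouterOS calls these Simple Queues; they match on the queue's target address, and on a bridge they only see the traffic once use-ip-firewall=yes is set and hardware offload is off on the ports. The bandwidth figures, the parent queue, and 203.0.113.x in place of xxx.xxx.xxx.x are assumptions.

```routeros
# Simple queues only see bridged traffic when the bridge hands it to the IP stack
# and the ports are not hardware-offloaded. Repeated here so the snippet stands
# on its own.
/interface bridge settings
set use-ip-firewall=yes
/interface bridge port
set [find interface=ether2] hw=no
set [find interface=ether3] hw=no

# One parent queue sized to the ISP link (100 Mbit/s assumed) and two children
# keyed on the public addresses. max-limit is upload/download from the target's
# point of view; limit-at is the share guaranteed when the parent is saturated.
# pcq-*-default shares each child's bandwidth fairly between its connections.
/queue simple
add name=isp-link target=203.0.113.176/29 max-limit=100M/100M \
    comment="whole /29, assumed 100 Mbit/s link"
add name=server parent=isp-link target=203.0.113.182/32 limit-at=40M/40M max-limit=100M/100M \
    queue=pcq-upload-default/pcq-download-default comment="server .182"
add name=unifi parent=isp-link target=203.0.113.178/32 limit-at=30M/30M max-limit=100M/100M \
    queue=pcq-upload-default/pcq-download-default comment="Unifi .178"

# Check that bytes are accounted against the queues while traffic flows; counters
# that stay at zero usually mean offload is still on or use-ip-firewall is off.
/queue simple print stats

# Caveat: the default config's fasttrack rule must not be added on this router,
# because fasttracked connections bypass simple queues entirely. Confirm none exists:
/ip firewall filter print where action=fasttrack-connection
```

The queues are keyed on addresses rather than on ether2/ether3 because the bridge ports are one L2 domain; a queue with target=ether2 would also work on the bridged traffic, but address targets stay correct if a host is ever moved to another port.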
Even though you don't intend to enforce a firewall, you can still have a look at it. If you're running a recent ROS, execute /system default-configuration print on your RB750 and go through the firewall settings. It might give you some ideas...
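A router-protection rule set in the spirit of the default configuration this reply points at, as an added RouterOS example; it is neither the OP's actual rules (which are not shown in the thread) nor a copy of the default config. It assumes the bridged layout (ether1/2/3 on one bridge facing the ISP's segment), 203.0.113.x for the public block, RouterOS 6.41 or newer for the interface-list settings, and that management is only ever done from the server and the Unifi side. Adjust the mgmt list before applying, ideally inside Winbox Safe Mode so a mistake does not lock you out.

```routeros
/ip firewall address-list
add list=mgmt address=203.0.113.182 comment="server .182 (assumed management host)"
add list=mgmt address=203.0.113.178 comment="Unifi .178 (assumed)"

# input chain = traffic addressed to the router itself. First match wins.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to the router's own sessions (DNS, NTP, updates)"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping and path-MTU discovery"
add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=22,8291 \
    comment="SSH and Winbox only from the mgmt list"
add chain=input action=drop comment="everything else aimed at the router itself"
# The forward chain is deliberately left empty: the server and the Unifi protect
# themselves, which is what the OP wants.

# Things the input chain does not cover: MAC-level Winbox/Telnet and neighbor
# discovery are reachable over the bridge by anyone on the ISP's segment unless
# turned off, and unused IP services should not listen at all.
/ip service
disable telnet,ftp,www,api,api-ssl
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/ip neighbor discovery-settings
set discover-interface-list=none

# Check: from a host not in the mgmt list the router should answer ping and
# nothing else; from the server, TCP 8291 should still open. Rule hit counters
# show which rule each probe landed on.
/ip firewall filter print stats where chain=input
```

On a RouterOS build older than 6.41 the interface-list settings do not exist; the equivalent there is disabling discovery per interface under /ip neighbor discovery and restricting /tool mac-server by interface.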