I have a situation where I have 16 public IPs delivered from my ISP to my router. They aren’t routed to me; they are all bridged, so one address is used for ether1 (my external). I would like to use the other 15 on ether2 (my internal).
Any pointers on how to do this? The old router we are replacing had translation rules for each address. The translation rule was set up with the same IP address on the inside and outside (interesting).
That’s sort of what I figured, but since I haven’t done this before, I was nervous.
If one of the boxes (that now has an internal address) is a web server, ftp server, or citrix server, what configuration “gotchas” are there in setting them up with the new address?
If one of the workstations (which are internal) attempt to access one of the boxes by its external address, is the route:
workstation → internal interface → external interface → internal interface (now NATed) → web server? (Not an issue, just for my info)
I did as was suggested and everything works except for an FTP server. It is using PASV mode and when it responds back to the client, it is stating to use the internal address (i.e. 192.168.1.4) to talk to the server. I have read the docs for the FTP stuff, and they say this is a problem with the NAT. The NAT is not translating this. Any suggestions as to what I need to do?
You could probably send them an email and ask for a /30 subnet for routing. Then have them route those 16 IP addresses through the new /30 they assign you. Most providers are happy to help you get things set up properly.
Oh that it was so simple! The ISP providing this evidently hasn’t heard of ROUTING. I don’t know if it is their equipment or what, but they cannot route these addresses to me.
What is the terminating device?
Whatever it is, set a /30 for transport and then add routes so the other /30 and /29 go to your MikroTik or whatever. That gives you 12 IPs to use out of the 16, since 4 are tied up in the transport.
Example:
Router internal IP xx.xx.xx.1/30
MikroTik WAN IP xx.xx.xx.2/30
In the router that the MikroTik connects to:
add route xx.xx.xx.4/30 xx.xx.xx.2
add route xx.xx.xx.8/29 xx.xx.xx.2
Now your MikroTik has 12 IPs to hand out.
If you cannot do this, then add PPPoE and dish them out as you see fit.
I have NAT set up and everything works except for an FTP server. It is using PASV mode and when it responds back to the client, it is stating to use the internal address (i.e. 192.168.1.4) for the data channel. I have read the docs for the FTP system, and they say this is a problem with the NAT. The NAT is not translating this. Any suggestions as to what I need to check or do so NAT works correctly?
Are you using the FTP NAT helper? Not sure it changes the payload, but it does help in most situations. So it’s not the firewall dropping it but a problem of the remote side finding the private IP? Which FTP server? I think servuftp asks for the external IP so it can place it within the payload.
I’m not exactly sure how to use the FTP NAT helper.
Correct, the firewall doesn’t drop the packets; the remote gets a Passive reply with the value set to (for example) 192,168,1,2,7,239
192.168.1.2 being the FTP server. The client then attempts to communicate with the server on this address (at port 2031 in this case), which, of course, fails.
This FTP server is running SSL on a port other than 21, with no option to tell it an external IP address to use.
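As an added illustration (not code from any post in this thread), the check below parses a 227 reply like the one quoted above, recovers the advertised host and data port (7,239 is 7*256+239 = 2031), flags a private address that differs from the public one the client connected to, and shows the rewrite a NAT helper performs on cleartext FTP. The public address 203.0.113.18, the sample reply and the control_peer parameter are assumptions made for the example.

```python
import ipaddress
import re

# Matches the h1,h2,h3,h4,p1,p2 tuple of an RFC 959 "227 Entering Passive Mode" reply.
_PASV_RE = re.compile(
    r"\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)


def parse_pasv(reply: str):
    """Return (host, port) advertised by a 227 reply; port is p1*256 + p2."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    host = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")  # rejects octets > 255
    port = p1 * 256 + p2
    if not 0 < port < 65536:
        raise ValueError("bad data port %d" % port)
    return str(host), port


def pasv_leaks_private_address(reply: str, control_peer: str) -> bool:
    """True when the data channel is advertised on a private (non-globally-routable)
    address that differs from the public address the client reached on the control
    channel. That is the symptom described above: the client then tries
    192.168.1.2:2031, which is unreachable from outside the NAT."""
    host, _ = parse_pasv(reply)
    return ipaddress.IPv4Address(host).is_private and host != control_peer


def rewrite_pasv(reply: str, public_ip: str) -> str:
    """Rewrite the advertised host the way a NAT helper does on cleartext FTP,
    keeping the data port. A helper cannot do this when the control channel is
    TLS-encrypted, because the payload is not visible to the router."""
    _, port = parse_pasv(reply)
    octets = public_ip.split(".")
    new_tuple = ",".join(octets + [str(port // 256), str(port % 256)])
    return _PASV_RE.sub("(" + new_tuple + ")", reply, count=1)


if __name__ == "__main__":
    # Constructed sample reply; 203.0.113.18 stands in for the router's public IP.
    sample = "227 Entering Passive Mode (192,168,1,2,7,239)."
    print(parse_pasv(sample))                                   # ('192.168.1.2', 2031)
    print(pasv_leaks_private_address(sample, "203.0.113.18"))  # True
    print(rewrite_pasv(sample, "203.0.113.18"))
```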
Following the full NAT example that sergejs referenced: my email server is xx.xx.xx.18, my router’s external is xx.xx.xx.16. When the email server sends traffic, it routes through xx.xx.xx.16 (the router) instead of xx.xx.xx.18.
I am assuming this is because of the prefsrc setting, but why isn’t the NAT srcnat rule from 192.168.1.4 to xx.xx.xx.18 working?