Community discussions

MikroTik App
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Addition public IP

Tue Apr 25, 2017 2:03 pm

I got an extra public IP from my internet provider. Basically I want to route traffic to and from that new IP to a specific computer on my local network.
I have tried all kind of different stuff and guides but it seems I can't get it right. Below is my setup
Both old and new public IP have been changed a bit to cover real addresses

Default Public IP (info from Quick Set page of the Mikrotik)
IP: 1.1.194.166
Netmask: 255.255.255.0 (/24)
Gateway: 1.1.194.1

New Public IP (info from internet provider)
Ip:2.2.98.206
Gateway: 2.2.98.193
Subnetmask: 255.255.255.192

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.5.1/16 192.168.0.0 ether2-master
1 D 1.1.194.166/24 1.1.194.0 ether1
2 2.2.98.206/26 2.2.98.192 ether1
Where #2 is made by me

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 XI chain=srcnat action=masquerade src-address=192.168.5.15
out-interface=ether1 log=no

1 chain=srcnat action=src-nat to-addresses=2.2.98.206
src-address=192.168.5.15 out-interface=ether1 log=no

2 chain=dstnat action=dst-nat to-addresses=192.168.5.15
dst-address=2.2.98.206 in-interface=ether1 log=no

3 chain=srcnat action=src-nat to-addresses=1.1.194.166
src-address=192.168.5.0/24 log=no

4 XI ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

Where #1,2 and 3 is made by me

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 1.1.194.1 1
1 ADC 1.1.194.0/24 1.1.194.166 ether1 0
2 ADC 192.168.0.0/16 192.168.5.1 bridge 0
3 ADC 2.2.98.192/26 2.2.98.206 ether1 0
4 X S 2.2.98.192/26 2.2.98.206 2.2.98.193 1
5 S 2.2.98.206/32 192.168.5.15 2.2.98.193 1
Where #4 and 5 is made by me

My test PC using 192.168.5.1 can ping 192.168.5.1 but not 8.8.8.8
 
solukyuz
just joined
Posts: 19
Joined: Thu Mar 24, 2016 10:42 pm

Re: Addition public IP

Tue Apr 25, 2017 4:27 pm

Dear Friend,
İf you made masquerade for your local ip addresses. You can't be able to use public ip addresses. One way; Create different ip block (10.0.0.1/24) and Chain:srcnat src.address: 10.0.0.5 Action:src-nat to addresses:public ip
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Wed Apr 26, 2017 1:52 pm

Alright - could you be more explicit in what commands I need to try out. It's like I have tried everything.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Addition public IP

Wed Apr 26, 2017 5:26 pm

You do not have to make different subnet

You need to make src and dst NATS manually
# traffic from the particular PC goes via new public IP
# all others go via old public ip
add action=src-nat chain=srcnat src-address=192.168.5.15 out-interface=ether1 to-addresses=2.2.98.193
add action=src-nat chain=srcnat src-address=!192.168.5.15 out-interface=ether1 to-addresses=1.1.194.166
# traffic to from WAN the new IP pass to the particular IP
# src-nat traffic from WAN to PC to let connection tracking work
add action=dst-nat chain=dstnat dst-address=2.2.98.193 in-interface=ether1 to-addresses=192.168.5.15
add action=src-nat chain=srcnat  dst-address=192.168.5.15 to-addresses=192.168.5.1
Remember to create proper firewall rules to let the trafic flow :-)
Real admins use real keyboards.
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Wed Apr 26, 2017 9:00 pm

@BartoszP Should remove the masquerade and the custom routes ?
 
mikronsultiK
just joined
Posts: 23
Joined: Wed Feb 01, 2017 12:57 am
Location: Italy
Contact:

Re: Addition public IP

Thu Apr 27, 2017 2:47 am

Hi there

one issue is that you have a single default gateway routes stating that

0.0.0.0/0 ---> 1.1.194.1
For example with current configuration, because you are masquerading traffic outgoing as src ip 192.168.5.15, with public IP 2.2.98.206. So because of the route rule and nat rule , the router 1.1.194.1 will receive traffic where src is 2.2.98.206, and this will probably be an issue

To accomplish your goal, you have to add additional route

0.0.0.0/0 --> 2.2.98.193

and using a router mark eg "2NDROUTE" and adding a mark rule in /ip/firewall/mangle like this :
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=2NROUTE passthrough=no src-address=192.168.5.15

hoping this help
IP Networking / Mikrotik Consultant
mikronsultik [at] gmail.com
skype mikronsultik
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Addition public IP

Thu Apr 27, 2017 1:42 pm

@BartoszP Should remove the masquerade and the custom routes ?
Yes, remove masqarade.
IMHO you can leave routes as router should know that packets SRCNATted to 2.2.98.193 should go via GW from this subnet.
Real admins use real keyboards.
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Thu Apr 27, 2017 11:13 pm

You do not have to make different subnet

You need to make src and dst NATS manually
# traffic from the particular PC goes via new public IP
# all others go via old public ip
add action=src-nat chain=srcnat src-address=192.168.5.15 out-interface=ether1 to-addresses=2.2.98.193
add action=src-nat chain=srcnat src-address=!192.168.5.15 out-interface=ether1 to-addresses=1.1.194.166
# traffic to from WAN the new IP pass to the particular IP
# src-nat traffic from WAN to PC to let connection tracking work
add action=dst-nat chain=dstnat dst-address=2.2.98.193 in-interface=ether1 to-addresses=192.168.5.15
add action=src-nat chain=srcnat  dst-address=192.168.5.15 to-addresses=192.168.5.1
Remember to create proper firewall rules to let the trafic flow :-)
Now it looks like this

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=2.2.98.193
src-address=192.168.5.15 out-interface=ether1 log=no

1 chain=srcnat action=src-nat to-addresses=1.1.194.166
src-address=!192.168.5.15 out-interface=ether1 log=no

2 chain=dstnat action=dst-nat to-addresses=192.168.5.15
dst-address=2.2.98.193 in-interface=ether1 log=no

3 chain=srcnat action=src-nat to-addresses=192.168.5.1
dst-address=192.168.5.15 log=no

Still it does not work. But if I change #0 to 1.1.194.166 it works just fine (wrong IP though - but the traffic goes through). So it seems these rules almost work.

Not sure what I am missing.
 
mikronsultiK
just joined
Posts: 23
Joined: Wed Feb 01, 2017 12:57 am
Location: Italy
Contact:

Re: Addition public IP

Thu Apr 27, 2017 11:59 pm

HI there the reason is that you are addressing next hop router with wrong src IP as told you before: the reason is that gateway because spoofing avoidance reason will normally check the src public ip address of packets they receive to route (according with interface)
My humble suggestion is to implement a differentiation through the use of routing mark rules and it will be fine
thanks for your attention
IP Networking / Mikrotik Consultant
mikronsultik [at] gmail.com
skype mikronsultik
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Sat Apr 29, 2017 7:23 pm

HI there the reason is that you are addressing next hop router with wrong src IP as told you before: the reason is that gateway because spoofing avoidance reason will normally check the src public ip address of packets they receive to route (according with interface)
My humble suggestion is to implement a differentiation through the use of routing mark rules and it will be fine
thanks for your attention
I just tried to add the two commands but still no luck. Ping went from "timed out" to
Reply from 2.2.98.206: Destination host unreachable.


Would it all be easier if my two IPs were on the same network like if I got 2.2.98.206 and 2.2.98.207?
 
stoser
Member Candidate
Member Candidate
Posts: 118
Joined: Sun Aug 21, 2016 12:04 am

Re: Addition public IP

Tue May 02, 2017 3:59 am

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 1.1.194.1 1
1 ADC 1.1.194.0/24 1.1.194.166 ether1 0
2 ADC 192.168.0.0/16 192.168.5.1 bridge 0
3 ADC 2.2.98.192/26 2.2.98.206 ether1 0
4 X S 2.2.98.192/26 2.2.98.206 2.2.98.193 1
5 S 2.2.98.206/32 192.168.5.15 2.2.98.193 1
Where #4 and 5 is made by me

My test PC using 192.168.5.1 can ping 192.168.5.1 but not 8.8.8.8
Hamsterman:
a) I do not see Routing Rule # 5 as necessary. In fact, I believe it to be counterproductive.
b) For outgoing traffic: I agree with Mikronsultik in that you need to use a Routing mark to mark all traffic destined to leave from the 2 2.2.98.206 adress. Use a different routing mark to mark traffic destined to leave from the 1.1.194.166 adress. Then add that routing mark as a condition to your srcNAT OR masquerade rules. Make three SrcNat rules: One for each address, and a catch all rule, just in case.
c) For outgoing traffic: Your SrcNat rules are applied by the router AFTER the routing decision has been made. You have no route defined for traffic to 0.0.0.0/0 for the 2.2.2.98 address. Define it, with the routing mark as a condition, as decribed above in (b)
d) For Incoming Traffic: You now need to define DSTNat for your incoming traffic. Destination Nat incoming traffic to the appropriate internal address.
e) For accessing internal server using public address from internal LAN: Look up Hairpin NAT or looopback. Many forum posts on this topic already.

Kind regards.
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Tue May 02, 2017 10:52 am

Thanks for your reply.

This is now my current configuration. Still no luck with either incomming or outgoing traffic.


[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.5.1/24 192.168.5.0 ether2-master
1 D 1.1.194.166/24 1.1.194.0 ether1
2 2.2.98.206/26 2.2.98.192 ether1


[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=src-nat to-addresses=2.2.98.193
src-address=192.168.5.15 out-interface=ether1 log=no

1 chain=srcnat action=src-nat to-addresses=1.1.194.166
src-address=!192.168.5.15 out-interface=ether1 log=no

2 chain=dstnat action=dst-nat to-addresses=192.168.5.15
dst-address=2.2.98.193 in-interface=ether1 log=no

3 chain=srcnat action=src-nat to-addresses=192.168.5.1
dst-address=192.168.5.15 log=no

4 XI ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no
log-prefix=""


[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough

1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough

3 chain=prerouting action=mark-routing new-routing-mark=2NDROUTE
passthrough=no src-address=192.168.5.15


[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 2.2.98.193 1
1 ADS 0.0.0.0/0 1.1.194.1 1
2 ADC 1.1.194.0/24 1.1.194.166 ether1 0
3 ADC 192.168.5.0/24 192.168.5.1 bridge 0
4 ADC 2.2.98.192/26 2.2.98.206 ether1 0
 
stoser
Member Candidate
Member Candidate
Posts: 118
Joined: Sun Aug 21, 2016 12:04 am

Re: Addition public IP

Tue May 02, 2017 3:47 pm

Hamsterman:

Please post

/ip route print detail

This way I can see routemarks/routing tables
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Tue May 02, 2017 8:28 pm

Hamsterman:

Please post

/ip route print detail

This way I can see routemarks/routing tables
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf>
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=2.2.98.19>
gateway-status=2.2.98.193 reachable via
ether1
distance=1 scope=30 target-scope=10
routing-mark=2NDROUTE

1 ADS dst-address=0.0.0.0/0 gateway=1.1.194.1
gateway-status=1.1.194.1 reachable via
ether1
distance=1 scope=30 target-scope=10
vrf-interface=ether1

2 ADC dst-address=1.1.194.0/24
 
stoser
Member Candidate
Member Candidate
Posts: 118
Joined: Sun Aug 21, 2016 12:04 am

Re: Addition public IP

Tue May 02, 2017 9:11 pm

2 chain=dstnat action=dst-nat to-addresses=192.168.5.15
dst-address=2.2.98.193 in-interface=ether1 log=no
Hamsterman: In the above rule, you are forwarding all traffic directed at the gateway 2.2.98.193 to 192.168.5.15. I think that what you really want to do is forward traffic directed to your IP 2.2.98.206 to 192.168.5.15. Your mikrotik does not have the gateway address associated to it, your ISP does.

Kind regards
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Tue May 02, 2017 9:22 pm

2 chain=dstnat action=dst-nat to-addresses=192.168.5.15
dst-address=2.2.98.193 in-interface=ether1 log=no
Hamsterman: In the above rule, you are forwarding all traffic directed at the gateway 2.2.98.193 to 192.168.5.15. I think that what you really want to do is forward traffic directed to your IP 2.2.98.206 to 192.168.5.15. Your mikrotik does not have the gateway address associated to it, your ISP does.

Kind regards
So what do I do ?
 
stoser
Member Candidate
Member Candidate
Posts: 118
Joined: Sun Aug 21, 2016 12:04 am

Re: Addition public IP

Tue May 02, 2017 9:58 pm

change

dst-address=2.2.98.193

to

dst-address=2.2.98.206
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Tue May 02, 2017 10:04 pm

change

dst-address=2.2.98.193

to

dst-address=2.2.98.206
Still no luck I am afraid
 
stoser
Member Candidate
Member Candidate
Posts: 118
Joined: Sun Aug 21, 2016 12:04 am

Re: Addition public IP

Tue May 02, 2017 10:46 pm

1) If you bypassthe Mikrotik, and connect a computer directly to your ISP, does the IP address/gateway/netmask work?
2) If you have connectivity directly form a computer, reconnect to Mikrotik: Do you have filter rules that may be dropping the requests? You only posted the mangle and NAT rules ... so I have no way of knowing.
3) tracert results? What are the hops? when does it stop working?
4) Torch results: Is the outgoing traffic getting to the mikrotik? is it leaving the mikrotik? What about responses to outgoing traffic? What about incoming traffic? Play around with Torch to get a sense if the problem is a routing problem or a NAT problem.
 
Hamsterman
just joined
Topic Author
Posts: 21
Joined: Thu Jun 30, 2016 9:10 pm

Re: Addition public IP

Sun May 07, 2017 9:07 pm

This issue was never solved but - when I asked my Internet Provider for two IPs within the same network it worked almost out of the box. They had to do some stuff (which I never found out) before it worked.

So there are two possiblities. Either it would never have worked with two IPs in two different networks (because Internet Provider fault) or I did not setup the Mikrotik correctly. We will never know :)

Thanks to all that helped me.

Who is online

Users browsing this forum: sonnet and 83 guests