ebbarkj
just joined
Topic Author
Posts: 3
Joined: Sun Jan 12, 2020 4:54 pm

Help! Routed public subnet

Sun Jan 12, 2020 9:20 pm

I am in a multi-company building. We are connected to the internet through a MikroTik RB3011.
They assigned us a public subnet 185.89.XXX.104/29.

The RB3011 = Gateway
Its IP is 185.89.XXX.110

Ethernet port 8 of the RB3011 is connected to Ethernet port 1 of our router, a MikroTik RB2011.

The RB2011 has a static IP 185.89.XXX.105
The subnet mask is 255.255.255.248 (/29)
Gateway 185.89.XXX.110

I am a complete newbie as far as RouterOS is concerned.

I want our servers to connect to the internet with the allocated IPs:
server 1 with IP 185.89.175.106 on port 2 of the RB2011iL
server 2 with IP 185.89.175.107 on port 3 of the RB2011iL
server 3 with IP 185.89.175.108 on port 4 of the RB2011iL
server 4 with IP 185.89.175.109 on port 5 of the RB2011iL

What is the simplest way to achieve this in RouterOS on the RB2011?

Any help appreciated.
 
bpwl
Frequent Visitor
Posts: 95
Joined: Mon Apr 08, 2019 1:16 am

Re: Help! Routed public subnet

Mon Jan 13, 2020 1:22 am

Hi,

You need to give more information; there are too many possible uses and configurations with what you disclosed. Being in a multi-company building, is this a distribution by the building owner, or is this a direct connection from an ISP (mica-ip.nl?)

Just 4 servers to connect with an external IP address? Nothing else? No local client devices? You have only one extra public IP address for a fifth device.

If only 4 servers are to be connected and it is an open connection (protection is in the RB3011), you could just bridge everything to one bridge and that's it. (You reduce the RB2011 to a switch.)

But it would surprise me if this could be the solution you need!

Just guessing what your needs are, here is a possible scenario ...

You probably need a WAN-type connection on ether1, with protection for incoming requests from that side. That means ether1 is on the default "interface list" named WAN, has a fixed IP address or DHCP client, masquerades all outgoing traffic in the NAT rules of the firewall, and is a firewall-protected interface.
Ether2-5 are bridged to one bridge. That bridge has a DHCP server and is in the default LAN "interface list". It runs its own private subnet. Servers get reserved or fixed IP addresses in that local range. The default route is towards 185.89.175.110 in IP routing.
Local client devices and servers use local IP addresses in this setup. (To be able to have more than 1 client device.)

The bridge-to-ether1 traffic needs dedicated NAT rules for the servers in the firewall NAT section, so that on ether1 they have the public IP addresses you named.
You may need firewall rules to forward ether1 incoming requests to the servers. Only open the ports that you want to be public.
DNS setup on the RB2011 will normally use local addresses for the servers, and forward other requests to the ISP DNS servers.
If you need to contact your servers with their public IP address from the local network, you will need to set up hairpin NAT in the RB2011. (https://wiki.mikrotik.com/wiki/Hairpin_NAT)
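The gateway layout described in the reply above, written out as RouterOS commands. This is an added example, not configuration from the thread or from MikroTik; it assumes a RouterOS v6/v7 device reset without default configuration, ether1 facing the RB3011, ether2-ether5 carrying the servers, a private LAN of 192.168.88.0/24 with the servers at 192.168.88.11-.14 (placeholder MAC addresses), and TCP 443 as the only published port per server. The public addresses are the ones named in the thread. Two details the reply leaves implicit are made explicit here: the RB2011 has to answer ARP on ether1 for every public address it NATs (done with /32 host addresses), and the per-server srcnat rules must sit above the generic masquerade because NAT rules match top to bottom.

```routeros
# Added example (not from the thread). Assumptions: blank config, ether1 = uplink
# to the RB3011, ether2-ether5 = servers, LAN 192.168.88.0/24, servers .11-.14.
/interface list add name=WAN
/interface list add name=LAN

# --- WAN side: ether1 in the WAN list, public /29 address, default route ---
/interface list member add list=WAN interface=ether1
/ip address add address=185.89.175.105/29 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=185.89.175.110
# The RB3011 ARPs for .106-.109 on its ether8; host addresses on ether1 make the
# RB2011 answer for them (assumed approach; proxy-arp would be the alternative).
/ip address add address=185.89.175.106/32 interface=ether1
/ip address add address=185.89.175.107/32 interface=ether1
/ip address add address=185.89.175.108/32 interface=ether1
/ip address add address=185.89.175.109/32 interface=ether1

# --- LAN side: ether2-ether5 on one bridge, private subnet, DHCP ---
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface list member add list=LAN interface=bridge-lan
/ip address add address=192.168.88.1/24 interface=bridge-lan
/ip pool add name=pool-lan ranges=192.168.88.100-192.168.88.200
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
# Static leases so each server always has the address its NAT rules expect
/ip dhcp-server lease add server=dhcp-lan address=192.168.88.11 mac-address=02:00:00:00:00:11 comment="server 1"
/ip dhcp-server lease add server=dhcp-lan address=192.168.88.12 mac-address=02:00:00:00:00:12 comment="server 2"
/ip dhcp-server lease add server=dhcp-lan address=192.168.88.13 mac-address=02:00:00:00:00:13 comment="server 3"
/ip dhcp-server lease add server=dhcp-lan address=192.168.88.14 mac-address=02:00:00:00:00:14 comment="server 4"

# --- Outbound NAT: each server leaves with its own public IP, the rest as .105 ---
# srcnat rules match top to bottom: per-server rules must precede the masquerade.
/ip firewall nat add chain=srcnat src-address=192.168.88.11 out-interface-list=WAN action=src-nat to-addresses=185.89.175.106
/ip firewall nat add chain=srcnat src-address=192.168.88.12 out-interface-list=WAN action=src-nat to-addresses=185.89.175.107
/ip firewall nat add chain=srcnat src-address=192.168.88.13 out-interface-list=WAN action=src-nat to-addresses=185.89.175.108
/ip firewall nat add chain=srcnat src-address=192.168.88.14 out-interface-list=WAN action=src-nat to-addresses=185.89.175.109
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# --- Inbound NAT: only the ports that should be public ---
# Deliberately no in-interface match: the same rule then also translates a LAN
# client that connects to the public address (hairpin case).
/ip firewall nat add chain=dstnat dst-address=185.89.175.106 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.11
/ip firewall nat add chain=dstnat dst-address=185.89.175.107 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.12
/ip firewall nat add chain=dstnat dst-address=185.89.175.108 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.13
/ip firewall nat add chain=dstnat dst-address=185.89.175.109 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.14

# --- Hairpin NAT: LAN client -> public IP of a LAN server ---
# dst-address is the already-translated (private) address here, because srcnat
# runs after dstnat. Without this rule the server answers the client directly on
# the LAN and the client drops the reply (source does not match the public IP).
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.0/24 out-interface=bridge-lan action=masquerade

# --- Filter: router itself, then forwarded traffic ---
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface-list=WAN action=drop
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
# Anything new from the WAN that was not explicitly dst-natted is dropped
/ip firewall filter add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat action=drop
```

Before applying this to a device that still carries the RouterOS default configuration, note that the default already contains the WAN/LAN interface lists, the masquerade rule and the `!dstnat` drop rule; adding them again produces duplicates rather than errors in behaviour, but cleaner is to start from a blank config as assumed here. Check the result from the LAN with `/ip firewall connection print` while opening a connection to 185.89.175.106:443: one entry should show the dst-nat translation and a second the hairpin masquerade.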
 
ebbarkj
just joined
Topic Author
Posts: 3
Joined: Sun Jan 12, 2020 4:54 pm

Re: Help! Routed public subnet

Mon Jan 13, 2020 12:30 pm

Thanks for your reply.

> You need to give more information; there are too many possible uses and configurations with what you disclosed. Being in a multi-company building, is this a distribution by the building owner, or is this a direct connection from an ISP (mica-ip.nl?)

Indeed, Mica-IT does the technical management on the RB3011.

> Just 4 servers to connect with an external IP address? Nothing else? No local client devices? You have only one extra public IP address for a fifth device.

Ports 6 to 10 will be used for LAN.

> If only 4 servers are to be connected and it is an open connection (protection is in the RB3011), you could just bridge everything to one bridge and that's it. (You reduce the RB2011 to a switch.)

This could (partly) be the solution. All I want is a transparent routed connection to ports 2, 3, 4, and 5. At this moment we have a switch connected to the RB3011 and the RB2011 connected to the switch. The servers are directly connected to the switch and each has a public subnet IP. The LAN is already configured on the RB2011. The idea is to skip the switch and run everything directly through the RB2011. I have never done this in MikroTik OS.

There is one complicating factor. We run an Apple High Sierra Server in a VM under ESXi. The ESXi box has a local IP, just like two local VM servers, but the Apple server has to have a public IP (the fifth public IP). How can I achieve that?

Because I have relatively little experience with MikroTik OS, I try to test everything first before I implement it in the real situation.
 
bpwl
Frequent Visitor
Posts: 95
Joined: Mon Apr 08, 2019 1:16 am

Re: Help! Routed public subnet

Mon Jan 13, 2020 1:07 pm

Hmmm, that's an interesting combination.

I see one bridge for ether1 to ether5. (You take over the switch function that way.) That bridge will have IP address 105 and be on the WAN interface list. (Ether1 is a slave interface now.)

For the LAN we have the second bridge, assigned to the LAN interface list and taking the rest of the Ethernet ports. The configuration is with the default firewall and NAT. That bridge has a local IP subnet and a DHCP server.

The only difference from a usual "gateway" setup is that the WAN side now is not a simple interface but a bridge with public interfaces and servers.

The VM machine can have a public IP address on the WAN side (see the hairpin wiki example).

Your LAN devices will go out as 104 (dst NAT masquerade).
Your 4 servers will have public addresses 105 till 108.
Your VM machine will go out as 109 (dst NAT masquerade, src NAT for hairpin). You will have to add the forwarding firewall rules to make it reachable. (This is IN your LAN, so be careful.)

A more secure setup would be to make a DMZ out of your 4-server network. (This is an independent second LAN.) Firewall rules are a bit more complex, but you will manage and control traffic between LAN, DMZ and internet.
ether1 is WAN = internet
ether2-ether5 on bridge 1 = DMZ (needs NAT to internet)
ether6-etherN on bridge 2 = LAN (needs NAT to internet, and firewall rules to DMZ)
Normally you do not allow traffic initiation from DMZ to LAN, or internet to LAN.
The VM server needs firewall rules for traffic initiated from the DMZ and internet to that LAN server.
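The three-zone (WAN / DMZ / LAN) variant sketched at the end of the reply above, as RouterOS commands. This is an added example, not configuration from the thread or from MikroTik; it assumes a blank RouterOS v6/v7 config, ether1 towards the RB3011, ether2-ether5 as the DMZ bridge (10.10.10.0/24, server 1 at 10.10.10.11), ether6-ether10 as the LAN bridge (192.168.88.0/24, the High Sierra VM at 192.168.88.20), and TCP 443 as the only published port. One address caveat on the public /29 named in the thread: 185.89.XXX.104 is the network address of 185.89.XXX.104/29 and is not assignable to a host, so this example keeps .105 as the router address on ether1 and publishes the servers and the VM on .106-.109; the VM gets .109, as in the reply.

```routeros
# Added example (not from the thread). Assumptions: blank config, ether1 = uplink,
# ether2-ether5 = DMZ 10.10.10.0/24, ether6-ether10 = LAN 192.168.88.0/24,
# DMZ server 1 = 10.10.10.11 -> public .106, LAN VM = 192.168.88.20 -> public .109.
/interface list add name=WAN
/interface list add name=DMZ
/interface list add name=LAN

# --- WAN: ether1, public /29, default route towards the RB3011 ---
/interface list member add list=WAN interface=ether1
/ip address add address=185.89.175.105/29 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=185.89.175.110
# Host addresses so the RB2011 answers ARP for the public IPs it translates
/ip address add address=185.89.175.106/32 interface=ether1
/ip address add address=185.89.175.109/32 interface=ether1

# --- DMZ: ether2-ether5 on bridge-dmz ---
/interface bridge add name=bridge-dmz
/interface bridge port add bridge=bridge-dmz interface=ether2
/interface bridge port add bridge=bridge-dmz interface=ether3
/interface bridge port add bridge=bridge-dmz interface=ether4
/interface bridge port add bridge=bridge-dmz interface=ether5
/interface list member add list=DMZ interface=bridge-dmz
/ip address add address=10.10.10.1/24 interface=bridge-dmz

# --- LAN: ether6-ether10 on bridge-lan ---
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether6
/interface bridge port add bridge=bridge-lan interface=ether7
/interface bridge port add bridge=bridge-lan interface=ether8
/interface bridge port add bridge=bridge-lan interface=ether9
/interface bridge port add bridge=bridge-lan interface=ether10
/interface list member add list=LAN interface=bridge-lan
/ip address add address=192.168.88.1/24 interface=bridge-lan

# --- NAT (same shape for every server; one DMZ server and the VM shown) ---
/ip firewall nat add chain=srcnat src-address=10.10.10.11 out-interface-list=WAN action=src-nat to-addresses=185.89.175.106
/ip firewall nat add chain=srcnat src-address=192.168.88.20 out-interface-list=WAN action=src-nat to-addresses=185.89.175.109
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall nat add chain=dstnat dst-address=185.89.175.106 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.10.10.11
/ip firewall nat add chain=dstnat dst-address=185.89.175.109 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.20

# --- Input: who may talk to the router itself ---
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface-list=LAN action=accept
# DMZ hosts only get DNS from the router, nothing else (management stays LAN-only)
/ip firewall filter add chain=input in-interface-list=DMZ protocol=udp dst-port=53 action=accept
/ip firewall filter add chain=input in-interface-list=DMZ protocol=tcp dst-port=53 action=accept
/ip firewall filter add chain=input action=drop

# --- Forward: zone policy, evaluated top to bottom, default drop at the end ---
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
# LAN may start connections to anywhere (internet and DMZ)
/ip firewall filter add chain=forward in-interface-list=LAN connection-state=new action=accept
# DMZ may start connections to the internet only
/ip firewall filter add chain=forward in-interface-list=DMZ out-interface-list=WAN connection-state=new action=accept
# Internet may reach DMZ servers only on ports that were dst-natted
/ip firewall filter add chain=forward in-interface-list=WAN out-interface-list=DMZ connection-nat-state=dstnat action=accept
# The VM in the LAN is the one exception: internet and DMZ may reach it on 443 only
/ip firewall filter add chain=forward in-interface-list=WAN dst-address=192.168.88.20 protocol=tcp dst-port=443 connection-nat-state=dstnat action=accept
/ip firewall filter add chain=forward in-interface-list=DMZ dst-address=192.168.88.20 protocol=tcp dst-port=443 action=accept
# Everything else, in particular DMZ -> LAN and internet -> LAN, is dropped
/ip firewall filter add chain=forward action=drop
```

Because DMZ and LAN are separate subnets, a DMZ server that connects to the VM through its public address 185.89.175.109 needs no hairpin masquerade: the dstnat rule rewrites the destination to 192.168.88.20, the second-to-last accept rule admits it, and the VM's reply is routed back through the RB2011 anyway. The VM's own outbound traffic matches the .109 src-nat rule before the generic masquerade, which is why that rule is listed first.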
 
ebbarkj
just joined
Topic Author
Posts: 3
Joined: Sun Jan 12, 2020 4:54 pm

Re: Help! Routed public subnet

Tue Jan 14, 2020 9:23 am

Thanks, bpwl, for your extensive answers to my questions.
Next week I will try it out in my test setup. I'll be back with the results.
