RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 10:07 am

Greetings to all. Please tell an inexperienced person how to make sure that packets originating from a specific local network exit through a designated external IP address?

I have three external IP addresses: 1.1.1.156, 1.1.1.157, and 1.1.1.158, as well as local networks: 10.0.10.0/24, 10.0.20.0/24, and 10.0.30.0/24. How can I use NAT, routing or something else so that Internet traffic from, for example, 10.0.30.0/24 goes out as 1.1.1.158?
 
angriukas
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Fri Nov 22, 2013 9:20 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 11:27 am

 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 11:49 am

So I should do this?
/ ip address
add address=10.0.10.0/24 network=10.0.10.0 interface=bridge-main
add address=10.0.20.0/24 network=10.0.20.0 interface=vlan157
add address=10.0.30.0/24 network=10.0.30.0 interface=vlan158
add address=1.1.1.156/23 network=1.1.1.0 interface=ether1-wan
add address=1.1.1.157/23 network=1.1.1.0 interface=ether2-wan
add address=1.1.1.158/23 network=1.1.1.0 interface=ether3-wan
P.S: now I have such settings, because vlan157 and vlan158 go through the 5th port to the switch, where I already spread VLANs on the port

/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.156,1.1.1.157,1.1.1.158 check-gateway=ping

/ ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade
add chain=srcnat out-interface=ether2-wan action=masquerade
add chain=srcnat out-interface=ether3-wan action=masquerade

/ ip firewall mangle
add chain=input in-interface=ether1-wan action=mark-connection new-connection-mark=156
add chain=input in-interface=ether2-wan action=mark-connection new-connection-mark=157
add chain=input in-interface=ether3-wan action=mark-connection new-connection-mark=158
add chain=output connection-mark=156 action=mark-routing new-routing-mark=main-ip
add chain=output connection-mark=157 action=mark-routing new-routing-mark=second-ip
add chain=output connection-mark=158 action=mark-routing new-routing-mark=third-ip

/ ip route
add dst-address=10.0.10.0/24 gateway=1.1.1.156 routing-mark=main-ip
add dst-address=10.0.20.0/24 gateway=1.1.1.157 routing-mark=second-ip
add dst-address=10.0.30.0/24 gateway=1.1.1.158 routing-mark=third-ip
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 2:42 pm

Do you have three WANs (that's what the other thread is about) or is it one connection from one ISP with three addresses?

The latter would be simple srcnat:
/ip firewall nat
add chain=srcnat src-address=10.0.10.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.156
add chain=srcnat src-address=10.0.20.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.157
add chain=srcnat src-address=10.0.30.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.158
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 2:49 pm

> Do you have three WANs (that's what the other thread is about) or is it one connection from one ISP with three addresses?
>
> The latter would be simple srcnat:
> /ip firewall nat
> add chain=srcnat src-address=10.0.10.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.156
> add chain=srcnat src-address=10.0.20.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.157
> add chain=srcnat src-address=10.0.30.0/24 out-interface=<WAN> action=src-nat to-addresses=1.1.1.158

This is one connection from one ISP with three addresses. The Internet cable from the ISP is plugged into the switch, from which there are three cables to the router: the first (156), the second (157) and the third (158)
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 2:55 pm

And how do you get those addresses? Is it DHCP? Or static addresses, but locked to specific MAC address? In other words, you can't just put them all on one interface?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 2:57 pm

> And how do you get those addresses? Is it DHCP? Or static addresses, but locked to specific MAC address? In other words, you can't just put them all on one interface?

I get three white (static) IP addresses over the fiber with a binding to the MAC address
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?  [SOLVED]

Fri Mar 13, 2020 3:24 pm

In that case, you need to treat it as multi-WAN. The only difference is that you most likely have the same gateway for all addresses, so when creating other routing tables, you need to include interface (1.1.1.X is gateway address):
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether1-wan routing-mark=main-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether2-wan routing-mark=second-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.X%ether3-wan routing-mark=third-ip
Depending on how strictly you want to link LANs to WANs, you may either use the approach with mangle rules, marking connections and routing for them, or you can have routing rules.

For mangle rules, you also need to mark connections from LANs. Check PCC example for some ideas. The article is mainly about load balancing, which is done by two rules with per-connection-classifier option, so just ignore that and focus on understanding the rest, because it applies to any multi-WAN config.

With routing rules you can have all-static mapping without mangle rules:
/ip route rule
add src-address=1.1.1.156 action=lookup table=main-ip
add src-address=1.1.1.157 action=lookup table=second-ip
add src-address=1.1.1.158 action=lookup table=third-ip
add src-address=10.0.10.0/24 action=lookup table=main-ip
add src-address=10.0.20.0/24 action=lookup table=second-ip
add src-address=10.0.30.0/24 action=lookup table=third-ip
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
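
An added example, not part of Sob's post or of MikroTik's documentation: a simplified Python model of the lookup order that the routing rules above set up (routing rule, then routing table, then default route, then src-nat rule), useful for checking that each LAN really leaves through its intended interface and public address. The unmarked main-table route and the pairing of these routing rules with the per-subnet src-nat rules from Sob's earlier reply are assumptions; the gateway 1.1.1.1 is the one given later in the thread.

```python
import ipaddress
import re

# Constructed config assembled from the thread. Assumptions: the unmarked
# (main table) default route, and combining the routing rules with the
# per-subnet src-nat rules posted earlier in the thread.
CONFIG = """
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether1-wan
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether1-wan routing-mark=main-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether2-wan routing-mark=second-ip
add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether3-wan routing-mark=third-ip
/ip route rule
add src-address=1.1.1.156 action=lookup table=main-ip
add src-address=1.1.1.157 action=lookup table=second-ip
add src-address=1.1.1.158 action=lookup table=third-ip
add src-address=10.0.10.0/24 action=lookup table=main-ip
add src-address=10.0.20.0/24 action=lookup table=second-ip
add src-address=10.0.30.0/24 action=lookup table=third-ip
/ip firewall nat
add chain=srcnat src-address=10.0.10.0/24 out-interface=ether1-wan action=src-nat to-addresses=1.1.1.156
add chain=srcnat src-address=10.0.20.0/24 out-interface=ether2-wan action=src-nat to-addresses=1.1.1.157
add chain=srcnat src-address=10.0.30.0/24 out-interface=ether3-wan action=src-nat to-addresses=1.1.1.158
"""

def parse(config):
    """Group 'add key=value ...' lines under the menu path that precedes them."""
    sections, menu = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            sections.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def egress(config, src):
    """Return (table, out_interface, public_ip) for a new connection from host src."""
    cfg, ip = parse(config), ipaddress.ip_address(src)
    # 1. Routing rules run top-down; the first src-address match selects the table.
    table = "main"
    for rule in cfg.get("/ip route rule", []):
        if ip in ipaddress.ip_network(rule["src-address"]):
            table = rule["table"]
            break
    # 2. Default route of that table; a table without one falls through to main.
    defaults = {r.get("routing-mark", "main"): r["gateway"]
                for r in cfg.get("/ip route", []) if r["dst-address"] == "0.0.0.0/0"}
    if table not in defaults:
        table = "main"
    iface = defaults[table].partition("%")[2]
    # 3. src-nat runs after routing: first rule matching source and out-interface wins.
    for nat in cfg.get("/ip firewall nat", []):
        if (nat["chain"] == "srcnat" and nat.get("out-interface") == iface
                and ip in ipaddress.ip_network(nat.get("src-address", "0.0.0.0/0"))):
            return table, iface, nat.get("to-addresses")
    return table, iface, None  # none of these src-nat rules matched

def audit(config, lans):
    """Map each LAN's first host to its egress so a wrong table or NAT rule stands out."""
    return {lan: egress(config, str(next(ipaddress.ip_network(lan).hosts()))) for lan in lans}

if __name__ == "__main__":
    lans = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]
    for lan, result in audit(CONFIG, lans).items():
        print(lan, result)
    # Failure mode: without the third-ip route the LAN silently leaves via ether1-wan.
    broken = CONFIG.replace("add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether3-wan routing-mark=third-ip\n", "")
    print("broken:", egress(broken, "10.0.30.5"))
```
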
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 3:54 pm

Thank you! I'll check it out and sign it off tonight. I won't forget!
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 9:51 pm

> Thank you! I'll check it out and sign it off tonight. I won't forget!

I've tried everything, it still doesn't work: whether I'm on 10.0.10.0/24, 10.0.20.0/24 or even 10.0.30.0/24, I still send requests/responses via 1.1.1.156. Checked on two computers! Here are screenshots: https://imgur.com/a/I4i3vgT
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Fri Mar 13, 2020 11:44 pm

You have wrong gateways. See my previous post, the routes there with 1.1.1.X, it should be 1.1.1.1 for all three (1.1.1.1%ether1-wan, 1.1.1.1%ether2-wan, 1.1.1.1%ether3-wan).

And better than screenshots is to do:
/export hide-sensitive file=myconfig
and then post content of resulting myconfig.rsc in code tags (you can mask addresses if you want, but in some consistent and understandable way).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Sat Mar 14, 2020 12:10 am

> You have wrong gateways. See my previous post, the routes there with 1.1.1.X, it should be 1.1.1.1 for all three (1.1.1.1%ether1-wan, 1.1.1.1%ether2-wan, 1.1.1.1%ether3-wan).
>
> And better than screenshots is to do:
> /export hide-sensitive file=myconfig
> and then post content of resulting myconfig.rsc in code tags (you can mask addresses if you want, but in some consistent and understandable way).

Omg.... Thank you very much! Thanks to the foreign community, everything is perfectly searched for and works. Love you. MikroTik is the best
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Sat Mar 21, 2020 6:31 pm

> You have wrong gateways. See my previous post, the routes there with 1.1.1.X, it should be 1.1.1.1 for all three (1.1.1.1%ether1-wan, 1.1.1.1%ether2-wan, 1.1.1.1%ether3-wan).
>
> And better than screenshots is to do:
> /export hide-sensitive file=myconfig
> and then post content of resulting myconfig.rsc in code tags (you can mask addresses if you want, but in some consistent and understandable way).

Sob, hello! I have problems... again. Can you help me?
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Sat Mar 21, 2020 6:48 pm

Not if you don't post it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Sat Mar 21, 2020 6:59 pm

> Not if you don't post it.

I can't understand why I can't open port 27016 for the SE game server. When I check the port status via 2ip, packets arrive at it, that is, the counter increases, but the port usually does not respond to the source. The same thing happens with port 53. I have a web server at home on ISPmanager from ISPsystem. In front of the server, of course, there is the MikroTik, and on it I open everything. The port seems to be open, but when I enter this:
root@rd-web:~# dig roffdaniel.com @193.***.***.157/158

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> roffdaniel.com @193.***.***.157/158
;; global options: +cmd
;; connection timed out; no servers could be reached
It gives an error, I don't understand

Tell me please...
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Sat Mar 21, 2020 7:01 pm

My NAT config
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether1-wan log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=ether2-wan log=no 
      log-prefix="" 

 3    chain=srcnat action=masquerade out-interface=ether3-wan log=no 
      log-prefix="" 

 4 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=10.0.10.0/24 out-interface=ether1-wan log=no log-prefix="" 

 5 X  chain=srcnat action=src-nat to-addresses=193.***.***.157 
      src-address=10.0.20.0/24 out-interface=ether2-wan log=no log-prefix="" 

 6 X  chain=srcnat action=src-nat to-addresses=193.***.***.158 
      src-address=10.0.30.0/24 out-interface=ether3-wan log=no log-prefix="" 

 7 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=192.168.0.0/24 out-interface=ether1-wan log=no log-prefix="" 

 8 X  chain=srcnat action=src-nat to-addresses=193.***.***.156 
      src-address=192.168.10.0/24 out-interface=ether1-wan log=no log-prefix="" 

 9    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=8080 
      protocol=tcp dst-address=193.***.***.157 dst-port=8080 log=no 
      log-prefix="" 

10    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=80 protocol=tc>
      dst-address=193.***.***.157 dst-port=80 log=no log-prefix="" 

11    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=443 
      protocol=tcp dst-address=193.***.***.157 dst-port=443 log=no log-prefix="" 

12    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=25 protocol=tc>
      dst-address=193.***.***.157 dst-port=25 log=no log-prefix="" 

13    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=587 
      protocol=tcp dst-address=193.***.***.157 dst-port=587 log=no log-prefix="" 

14    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=465 
      protocol=tcp dst-address=193.***.***.157 dst-port=465 log=no log-prefix="" 

15    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=110 
      protocol=tcp dst-address=193.***.***.157 dst-port=110 log=no log-prefix="" 

16    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=995 
      protocol=tcp dst-address=193.***.***.157 dst-port=995 log=no log-prefix="" 

17    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=993 
      protocol=tcp dst-address=193.***.***.157 dst-port=993 log=no log-prefix="" 

18    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=53 protocol=tc>
      dst-address=193.***.***.157 dst-port=53 log=no log-prefix="" 

19    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=53 protocol=ud>
      dst-address=193.***.***.157 dst-port=53 log=no log-prefix="" 

20    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=3306 
      protocol=tcp dst-address=193.***.***.157 dst-port=3306 log=no 
      log-prefix="" 

21    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=21 protocol=tc>
      dst-address=193.***.***.157 dst-port=21 log=no log-prefix="" 

22    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=8080 
      protocol=tcp dst-address=193.***.***.158 dst-port=8080 log=no 
      log-prefix="" 

23    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=80 protocol=tc>
      dst-address=193.***.***.158 dst-port=80 log=no log-prefix="" 

24    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=443 
      protocol=tcp dst-address=193.***.***.158 dst-port=443 log=no log-prefix="" 

25    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=25 protocol=tc>
      dst-address=193.***.***.158 dst-port=25 log=no log-prefix="" 

26    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=587 
      protocol=tcp dst-address=193.***.***.158 dst-port=587 log=no log-prefix="" 

27    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=465 
      protocol=tcp dst-address=193.***.***.158 dst-port=465 log=no log-prefix="" 

28    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=110 
      protocol=tcp dst-address=193.***.***.158 dst-port=110 log=no log-prefix="" 

29    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=995 
      protocol=tcp dst-address=193.***.***.158 dst-port=995 log=no log-prefix="" 

30    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=993 
      protocol=tcp dst-address=193.***.***.158 dst-port=993 log=no log-prefix="" 

31    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=53 protocol=tc>
      dst-address=193.***.***.158 dst-port=53 log=no log-prefix="" 

32    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=53 protocol=ud>
      dst-address=193.***.***.158 dst-port=53 log=no log-prefix="" 

33    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=3306 
      protocol=tcp dst-address=193.***.***.158 dst-port=3306 log=no 
      log-prefix="" 

34    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=21 protocol=tc>
      dst-address=193.***.***.158 dst-port=21 log=no log-prefix="" 

35    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=1500 
      protocol=tcp dst-address=193.***.***.158 dst-port=1500 log=no 
      log-prefix="" 

36    chain=dstnat action=netmap to-addresses=10.0.30.30 to-ports=8006 
      protocol=tcp dst-address=193.***.***.158 dst-port=8006 log=no 
      log-prefix="" 

37    chain=dstnat action=netmap to-addresses=10.0.30.30 to-ports=22 protocol=tc>
      dst-address=193.***.***.158 dst-port=86 log=no log-prefix="" 

38    chain=dstnat action=netmap to-addresses=10.0.30.35 to-ports=22 protocol=tc>
      dst-address=193.***.***.158 dst-port=22 log=no log-prefix="" 
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Sun Mar 22, 2020 12:09 am

You have several dstnat rules forwarding ports to same server. So if all those ports work, there's no reason why just one wouldn't. The only difference is that 53 is udp and others are tcp (I don't know about 27016). So make sure that you don't block udp in firewall filter. You can go step by step and verify what exactly happens. If counter for dstnat increases, it means that packet arrived to router, but it doesn't guarantee that it was sent to server (that's why you need to check firewall filter). You can also verify on internal interface that it really went there, using either Tools->Torch or logging rule in postrouting. Next step is that server must send something back, use the same way to check it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
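
An added example, not written by anyone in the thread: a Python parser for the wrapped layout of the NAT print output posted above. For each enabled dstnat rule it lists the protocol, address and port that the filter's forward chain and the server see after translation, which is what the step-by-step check Sob describes has to match. The sample rules and the 203.0.113.x addresses are constructed; expanding a console-truncated tc> or ud> to tcp or udp is an inference made only when the prefix is unambiguous.

```python
import re

# Constructed sample in the layout of "/ip firewall nat print"; 203.0.113.x are
# documentation addresses standing in for the masked public IPs in the thread.
SAMPLE = '''Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""

 1 X  chain=srcnat action=src-nat to-addresses=203.0.113.157
      src-address=10.0.20.0/24 out-interface=ether2-wan log=no log-prefix=""

 2    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=53 protocol=ud>
      dst-address=203.0.113.157 dst-port=53 log=no log-prefix=""

 3    chain=dstnat action=netmap to-addresses=10.0.20.25 to-ports=443
      protocol=tcp dst-address=203.0.113.157 dst-port=443 log=no log-prefix=""

 4    chain=dstnat action=netmap to-addresses=10.0.30.30 to-ports=22 protocol=tc>
      dst-address=203.0.113.158 dst-port=86 log=no log-prefix=""
'''

HEAD = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(chain=.*)$")  # "<number> <flags> chain=..."
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_nat_print(text):
    """Join wrapped continuation lines and return one dict per rule."""
    rules = []
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            rules.append({"number": int(head.group(1)), "flags": head.group(2),
                          "raw": head.group(3)})
        elif rules and line.strip():
            rules[-1]["raw"] += " " + line.strip()
    for rule in rules:
        rule.update(FIELD.findall(rule.pop("raw")))
    return rules

def expand(value, choices=("tcp", "udp")):
    """The console cuts long lines ('tc>'); resolve only an unambiguous prefix."""
    hits = [c for c in choices if value.endswith(">") and c.startswith(value[:-1])]
    return hits[0] if len(hits) == 1 else value

def forward_chain_view(text):
    """For every enabled dstnat rule: what arrives from outside, and what the
    filter's forward chain and the server see after translation."""
    view = []
    for r in parse_nat_print(text):
        if r.get("chain") != "dstnat" or "X" in r["flags"]:
            continue
        proto = expand(r.get("protocol", "any"))
        view.append({
            "rule": r["number"],
            "outside": (proto, r.get("dst-address"), r.get("dst-port")),
            "inside": (proto, r.get("to-addresses"), r.get("to-ports", r.get("dst-port"))),
        })
    return view

if __name__ == "__main__":
    for f in forward_chain_view(SAMPLE):
        note = "udp: confirm the forward chain accepts it" if f["inside"][0] == "udp" else ""
        print(f["rule"], f["outside"], "->", f["inside"], note)
```
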
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Sun Mar 22, 2020 2:13 pm

> You have several dstnat rules forwarding ports to same server. So if all those ports work, there's no reason why just one wouldn't. The only difference is that 53 is udp and others are tcp (I don't know about 27016). So make sure that you don't block udp in firewall filter. You can go step by step and verify what exactly happens. If counter for dstnat increases, it means that packet arrived to router, but it doesn't guarantee that it was sent to server (that's why you need to check firewall filter). You can also verify on internal interface that it really went there, using either Tools->Torch or logging rule in postrouting. Next step is that server must send something back, use the same way to check it.

I still don't understand how it works, sorry...
Here I cleaned up the NAT a bit, removing unnecessary IP addresses; the 158th acts as a service, the 157th acts as access to the sites themselves. Please watch this video: https://youtu.be/RDqX123Sodw
P.S.: at the end of the video, I did not open port 27016 correctly; there is no problem with it anymore

I open the ports the way I know and check all the ones I need: 21 (FTP/TCP), 22 (SSH/TCP), 25 (SMTP/TCP), 53 (DNS/UDP), 143 (IMAP/TCP), 995 (IMAPS/TCP), 465 (SMTPS/TCP), 3306 (MySQL/TCP).

21 and 22 work, and the rest cannot respond to packets or do not accept them at all...

I don't want to waste your time just because I'm new, I'm studying, and I have to pay for my education. Please help me and I will pay for the time you spend
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Sun Mar 22, 2020 10:37 pm

I'll be honest, I didn't watch the video closely, it's rather long and quite boring. ;) But I skimmed through it, tried to check the ports from my side, and it doesn't work at all, there's no response from any of them. But now I realize that you never posted whole config, so that would be great next step, do:
/export hide-sensitive file=myconfig
And post content of resulting myconfig.rsc here in code tags.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Mon Mar 23, 2020 11:02 am

> I'll be honest, I didn't watch the video closely, it's rather long and quite boring. ;) But I skimmed through it, tried to check the ports from my side, and it doesn't work at all, there's no response from any of them. But now I realize that you never posted whole config, so that would be great next step, do:
> /export hide-sensitive file=myconfig
> And post content of resulting myconfig.rsc here in code tags.

Yes, I am sorry, keep it
 
Sob
Forum Guru
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can I assign an external IP address to one of the local ones?

Tue Mar 24, 2020 4:12 am

I expected to find something very wrong, but I don't see it.

Outgoing connections work correctly, right? If you try to go to internet from e.g. 10.0.20.20, it uses correct outgoing interface and address?

I remember one interesting thing in your video, you removed dst-address from dstnat rule and it started to work. Can you do it again, at the same time enable logging for that rule (check Log on Action tab), connect to that port from outside and post what it logs?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
RoffDaniel
just joined
Topic Author
Posts: 23
Joined: Fri Mar 13, 2020 10:04 am
Contact:

Re: How can I assign an external IP address to one of the local ones?

Wed Mar 25, 2020 4:41 pm

> I expected to find something very wrong, but I don't see it.
>
> Outgoing connections work correctly, right? If you try to go to internet from e.g. 10.0.20.20, it uses correct outgoing interface and address?
>
> I remember one interesting thing in your video, you removed dst-address from dstnat rule and it started to work. Can you do it again, at the same time enable logging for that rule (check Log on Action tab), connect to that port from outside and post what it logs?

Everything seems normal already; the problem was not in the ports, but in the settings of the web server. Thank you, Sob! <3
