kubajaburek

Is it OK to set public IP to bridge?

Wed Mar 10, 2021 8:55 pm

Hello,
I host some servers behind my MikroTik router using NAT. My ISP gives out a private IPv4 to every customer (for me let’s say 10.20.2.12) and an optional public IP (let’s say 92.62.3.13). The WAN interface on my router is configured with the private IP (this is required by the ISP) and when someone accesses the public IP, the ISP does NAT from 92.62.3.13 to 10.20.2.12 and then my router from 10.20.2.12 to the appropriate server in my internal network.

However, with this setup, I’m not able to access my servers using my public IP from my own network – when I ping 92.62.3.13, it doesn’t work (it works from other networks). I read the wiki entry about Hairpin NAT, but was unable to get it working (my ISP actually told me that this is not possible with their setup and I would have to lease an entire IPv4 subnet to be able to do this).

Then I realized I could solve it by routing packets with destination IP of 92.62.3.13 directly to the Mikrotik router. So I added IP 92.62.3.13 to the bridge (then a dynamic route was automatically created) and reconfigured destination NAT to translate packets with destination address of not only 10.20.2.12 but also 92.62.3.13.

/ip address print
 #   ADDRESS            NETWORK         INTERFACE
 5   10.20.2.12/30      10.20.2.10      ether6
 6   92.62.3.13/32      92.62.3.13      bridge

/ip route print
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.20.2.11                1
 8 ADC  92.62.3.13/32      92.62.3.13      bridge                    0

/ip firewall address-list print
 #   LIST                          ADDRESS
 0   nat-public                    92.62.3.13
 1   nat-public                    10.20.2.12

/ip firewall nat print
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=192.168.20.20 protocol=tcp dst-address-list=nat-public dst-port=80

Everything now appears to work; I can use my public IP to access the servers even from my internal network. I personally don’t see any problem with this setup, but I also haven’t seen anything like this on the forums. So I want to ask – is this configuration OK, or are there any issues that I might have caused with this?

Thanks in advance to everyone!
mkx

Re: Is it OK to set public IP to bridge?

Wed Mar 10, 2021 11:29 pm

In principle it is fine to have more than one IP address set on the same interface (the bridge in your case). However, just to perform NAT it is not necessary to assign that IP address to any of the router's interfaces; your NAT rule #1 (the second one counting from #0) should work regardless.

The NAT rule will affect any matching packet arriving at the router, and the reason for its arrival at the router doesn't matter at all (packets can either target the router or be routed through the router with a destination beyond the router in question).
The only reason for having the address set on one of the router's interfaces is to make the router answer ARP "who has" requests with its own MAC address. For that to happen, some other devices should have their IP address from the same subnet. If devices are in a different subnet than the target IP address, then those devices will use their own default gateway. In your case that will be your MikroTik anyway, which means packets targeting your WAN IP address will have to pass your router anyway and the router will be able to perform (hairpin) NAT on those packets.
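
Added example (not part of either post): a small Python model of the packet flow described in the reply above, using the addresses from the thread. The 192.168.20.0/24 prefix and the client addresses are assumptions; the model also covers the case where client and server share a segment and a LAN-to-LAN srcnat (hairpin) rule is needed for the reply to come back through the router.

```python
from ipaddress import ip_address, ip_network

# From the thread: address-list nat-public, dst-nat target and port.
NAT_PUBLIC = {"92.62.3.13", "10.20.2.12"}
SERVER = "192.168.20.20"
PORT = 80
# Assumption (not stated in the thread): the prefix the server sits in.
SERVER_NET = ip_network("192.168.20.0/24")


def dstnat(dst, dport):
    """NAT rule 1: matches on destination address list and port only.
    Whether the router owns `dst` on an interface is never consulted."""
    return SERVER if dst in NAT_PUBLIC and dport == PORT else dst


def reply_source(client, dialled="92.62.3.13", hairpin_srcnat=False):
    """Follow a LAN client's connection to dialled:80 and return the source
    address on the reply as the client receives it."""
    # dialled is outside the client's subnet, so the packet goes to the
    # default gateway (the router), where dstnat rewrites the destination.
    new_dst = dstnat(dialled, PORT)
    if new_dst == dialled:
        return dialled  # no NAT rule matched; forwarded unchanged
    # Without a LAN-to-LAN srcnat (hairpin) rule the server sees the real
    # client address. If that address is on the server's own segment, the
    # server replies directly and the router never reverses the NAT.
    direct_reply = not hairpin_srcnat and ip_address(client) in SERVER_NET
    return new_dst if direct_reply else dialled


def works(client, **kw):
    """The client accepts the reply only if it comes from the address it dialled."""
    return reply_source(client, **kw) == kw.get("dialled", "92.62.3.13")


if __name__ == "__main__":
    # Client addresses are constructed for illustration.
    for client, hairpin in [("192.168.10.50", False), ("192.168.20.50", False),
                            ("192.168.20.50", True)]:
        print(client, "hairpin srcnat" if hairpin else "dstnat only",
              "->", "ok" if works(client, hairpin_srcnat=hairpin) else "reply mismatch")
```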
