johnsk
just joined
Topic Author
Posts: 10
Joined: Mon Mar 13, 2006 11:15 pm

How to setup RouterOS with 2 different subnets from ISP

Sat Dec 15, 2012 9:08 pm

Dear friends,

I have changed my ISP and have a problem with configuring my RouterOS installation.

The previous ISP provided only one external (1) IP address - thus I used SRC NAT with MASQUERADE and all was fine.

However my new ISP gave me one internal (1) IP address and a range of IP addresses that are public (e.g. one (1) 87.199.20.70/30 and then a range of IP addresses which are pingable from the Internet - e.g. 217.122.1.50/29).

I am baffled how to set up this type of connection where I have 2 different subnets and would be grateful for any and all tips :)

Thank you very much in advance for all help

john
 
asaleh75
Trainer
Posts: 193
Joined: Thu Nov 17, 2011 2:51 pm
Location: Dhaka, Bangladesh

Re: How to setup RouterOS with 2 different subnets from ISP

Sat Dec 15, 2012 9:39 pm

You have to add 87.199.20.70/30 on the WAN interface & 217.122.1.49/29 on the LAN interface. Your usable IPs will be 217.122.1.50-217.122.1.54 & the configuration will be:
/ip address
add address=87.199.20.70/30 disabled=no interface=ether1
add address=217.122.1.49/29 disabled=no interface=ether2 
/ip route
add dst-address=0.0.0.0/0 gateway=87.199.20.69
 
johnsk
just joined
Topic Author
Posts: 10
Joined: Mon Mar 13, 2006 11:15 pm

Re: How to setup RouterOS with 2 different subnets from ISP

Sat Dec 15, 2012 11:33 pm

Thanks a lot ;) And then for my local addresses to have internet access (e.g. clients in the 192.168.1.1/24 subnet) I should assign 192.168.1.1 to ether3 and create a SRCNAT/MASQUERADE rule in firewall?
 
asaleh75
Trainer
Posts: 193
Joined: Thu Nov 17, 2011 2:51 pm
Location: Dhaka, Bangladesh

Re: How to setup RouterOS with 2 different subnets from ISP

Sun Dec 16, 2012 3:07 pm

Yes, you can. This configuration will be the same as your previous configuration with the first ISP.
 
asaleh75
Trainer
Posts: 193
Joined: Thu Nov 17, 2011 2:51 pm
Location: Dhaka, Bangladesh

Re: How to setup RouterOS with 2 different subnets from ISP

Sun Dec 16, 2012 3:16 pm

The command line will be:
/ip address
add address=192.168.1.1/24 disabled=no interface=ether3
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1
 
johnsk
just joined
Topic Author
Posts: 10
Joined: Mon Mar 13, 2006 11:15 pm

Re: How to setup RouterOS with 2 different subnets from ISP

Mon Dec 17, 2012 10:15 pm

Hmmmm.. unfortunately the proposed configuration doesn't work :(

What I don't understand - how does adding an IP to LAN2 (add address=217.122.1.49/29 disabled=no interface=ether2) make a difference when it's not physically connected to any other LAN ports or in a bridge?
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: How to setup RouterOS with 2 different subnets from ISP

Tue Dec 18, 2012 11:34 am

The suggestion to put the /29 on LAN2 would mean that the IPs would be available directly on LAN2,

i.e. a machine connected to LAN2 could be assigned an address in that range and not need any NAT.

If you want to use NAT instead then you would assign all IPs to the WAN interface, and then add specific srcnat rules to use them, e.g.:
/ip address add address=217.122.1.49/29 disabled=no interface=ether1 
/ip address add address=217.122.1.50/29 disabled=no interface=ether1 
/ip address add address=217.122.1.51/29 disabled=no interface=ether1 

/ip firewall nat add action=src-nat chain=srcnat comment="192.168.1.10 goes out on .50" out-interface=ether1 src-address=192.168.1.10 to-addresses=217.122.1.50

/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade everything else" out-interface=ether1


Hope that helps

Nick.
 
jt2048
newbie
Posts: 40
Joined: Mon Feb 06, 2012 9:53 pm

Re: How to setup RouterOS with 2 different subnets from ISP

Tue Dec 18, 2012 10:50 pm

I have a similar situation with a /28 that is currently on a Fortigate that I want to move to MikroTik. If I understand the above it maps the 217.122.1.50 public address to the 192.168.1.10 address on the outgoing side (from the 192.168...) and provides NAT and source masking. What would the incoming side look like?

TIA ... JT
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: How to setup RouterOS with 2 different subnets from ISP

Wed Dec 19, 2012 11:12 am

For inbound NAT you can use a dstnat rule, e.g.:
/ip firewall nat add action=dst-nat chain=dstnat dst-address=217.122.1.50 to-addresses=192.168.1.10
This would NAT all traffic through; you could reduce this to just the ports you want by adding some ports, e.g.
dst-port=80,8080
Note that NAT happens first and then IP -> Firewall -> Filter, so you need to make sure the traffic is allowed in the forward chain using the internal address as the dst-address, e.g.:
/ip firewall filter add chain=forward dst-address=192.168.1.10 dst-port=80,8080 protocol=tcp
would allow ports 80 and 8080.
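
An added example, not part of the post above and not MikroTik tooling: a small Python check over one-line rules written the way they appear in this thread. It flags dst-nat rules that forward every port, and forward-chain accept rules that match the public address even though filtering sees the internal address after dstnat. SAMPLE is constructed; the .51/.11 mapping and all function names are assumptions.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: the thread's rules plus a second mapping whose filter
# rule wrongly matches the public address (already rewritten by dstnat).
SAMPLE = """
/ip firewall nat add action=dst-nat chain=dstnat dst-address=217.122.1.50 to-addresses=192.168.1.10
/ip firewall nat add action=dst-nat chain=dstnat dst-address=217.122.1.51 protocol=tcp dst-port=80,8080 to-addresses=192.168.1.11
/ip firewall filter add chain=forward dst-address=192.168.1.10 dst-port=80,8080 protocol=tcp
/ip firewall filter add chain=forward dst-address=217.122.1.51 dst-port=80,8080 protocol=tcp
"""

def parse(line):
    """Split '/ip firewall <table> add k=v ...' into (table, {k: v}), else None."""
    tokens = shlex.split(line)
    if tokens[:2] != ["/ip", "firewall"] or "add" not in tokens:
        return None
    args = tokens[tokens.index("add") + 1:]
    return tokens[2], dict(a.split("=", 1) for a in args if "=" in a)

def covers(rule, addr):
    """True if the filter rule's dst-address (absent means any) contains addr."""
    net = ip_network(rule.get("dst-address", "0.0.0.0/0"), strict=False)
    return ip_address(addr) in net

def audit(config):
    """Return (public address, issue) pairs for each dst-nat rule in config."""
    rules = [r for r in (parse(l) for l in config.splitlines() if l.strip()) if r]
    dstnat = [p for t, p in rules if t == "nat" and p.get("action") == "dst-nat"]
    # A filter rule with no action= accepts, as in the thread's example.
    accepts = [p for t, p in rules if t == "filter" and p.get("chain") == "forward"
               and p.get("action", "accept") == "accept"]
    findings = []
    for n in dstnat:
        public, inside = n["dst-address"], n["to-addresses"]
        if "dst-port" not in n:
            findings.append((public, "all-ports"))           # every port is forwarded
        if not any(covers(f, inside) for f in accepts):
            # Only matters when the forward chain ends in a drop rule.
            findings.append((public, "no-forward-accept"))
        if any("dst-address" in f and covers(f, public) for f in accepts):
            findings.append((public, "filter-uses-public-address"))
    return findings

if __name__ == "__main__":
    for public, issue in audit(SAMPLE):
        print(public, issue)
```

The parser assumes a single address in to-addresses and the one-line `/ip firewall ... add` form; rules entered under a separate `/ip firewall nat` heading line are not handled.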
