Peque
newbie
Topic Author
Posts: 44
Joined: Mon Oct 26, 2015 9:35 am

3 public IP's how to create the rules

Wed May 12, 2021 6:35 pm

Hi Forum
I have a question regarding having 3 different public IPs, with different port forwards per IP.
I should have ports 80/443 open on each public IP towards 3 different subnets, and the ISP has added 2 extra IPs.

But the normal port forward from before adding the extra IPs is still working, but I cannot make the rules on the "new" IPs work.

The 1st public IP is used for the internal user network --> this IP is added from the ISP DHCP server
The 2nd public IP is used for their mail system --> this IP is statically added by the ISP
The 3rd public IP is used for the web servers --> this IP is statically added by the ISP

How do I differentiate which IP traffic should flow to? The masquerade part is up and running; the 3 different subnets each have a separate public IP.
Normally I create the rules etc. in Winbox, so I cannot give the command line for creating the rule,
but I created it under Firewall - NAT.
Under General:
chain=dstnat dst-address=<Public IP 2> protocol=tcp dst-port=80 in-interface=WAN
Under Action:
action=dst-nat to-addresses=172.16.200.2 to-ports=80
But with this I cannot see any traffic through the rule.

Under Routes
I see one route created for the extra IP:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          95.166.152.189            1
 1 ADC  95.166.152.188/30  95.166.152.190  WAN                       0
 2 ADC  172.16.100.0/24    172.16.100.1    DMZ                       0
 3 ADC  172.16.200.0/29    172.16.200.1    WEB-DMZ                   0
 4 ADC  192.168.201.0/24   192.168.201.1   LAN-Bridge                0
 5 ADC  192.215.239.96/28  192.215.239.98  WAN                       0

The addresses are added manually under the address list, to the WAN interface, but a route was only created for one of the IPs. Should this auto-created one be deleted, and then add them manually???

And the last thing I'm struggling with is that I'm able to ping the first public IP, not number 2 or 3, but my guess is it has something to do with the routing.
But what I do not get is why the machine in the WEB-DMZ resolves to the 99 public IP:
root@fws-vm02:/home/pbj# dig +short myip.opendns.com @resolver1.opendns.com
195.215.239.99
So what am I missing here?

Thanks in advance
P
 
tdw
Forum Veteran
Posts: 854
Joined: Sat May 05, 2018 11:55 am

Re: 3 public IP's how to create the rules

Mon May 17, 2021 1:49 pm

The output of /export hide-sensitive would be more informative than just the current routing table. It is likely your dst-nat rule is not being hit because an earlier, more generic rule is matching the packets.

Assuming the ISP routes the additional subnet to you there are several methods of using the addresses, e.g.
You can assign the subnet to an interface (or bridge containing several interfaces) and connect devices using the public IPs - no NAT involved, but it consumes three addresses from the subnet for network, broadcast and gateway.
You can add the subnet as an unreachable or blackhole route - this prevents packets bouncing back and forth between you and the ISP until the TTL expires. You can then add NAT rules as required; to make individual addresses respond to ping they have to exist, e.g. by adding each /32 to a dummy interface, or by NATing ICMP packets to the target.

When using masquerade from an interface with multiple addresses the lowest is picked; to specify an address use src-nat instead.
 
anav
Forum Guru
Posts: 7325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 3 public IP's how to create the rules

Tue May 18, 2021 3:04 am

For obvious reasons it's very difficult for a router to know what to do with an incoming port that is duplicated.
In this case, if coming in on different IP addresses, it should be doable.
Typically the ONE NATted IP address can only handle one instance of an incoming port.
To get around this one can use a different incoming port and translate it to the same to-port.
In your case you don't need that trickery because you have separate WAN IPs going to locations not on the NATted subnet.

For dynamic WAN IP (NATted subnet):
add chain=dstnat action=dst-nat in-interface=WAN1 protocol=tcp dst-port=1234 to-addresses=192.168.88.10

ISP2 (one-to-one mapping --> public IP to private IP):
add chain=dstnat action=dst-nat dst-address=wanip2 protocol=tcp dst-port=1234 to-addresses=192.168.25.2

ISP3 (one-to-one mapping --> public IP to private IP):
add chain=dstnat action=dst-nat dst-address=wanip3 protocol=tcp dst-port=1234 to-addresses=192.168.50.3


You should post your config for better answers:
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
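Pulling tdw's and anav's advice together as one RouterOS configuration (an added example, not code from either poster). It assumes the ISP routes 192.215.239.96/28 to the router, that .99 serves the WEB-DMZ and .100 the mail host in DMZ (the thread never states this mapping), and that the mail host is 172.16.100.2 (a constructed value).

```routeros
# Assumed: ISP routes 192.215.239.96/28 to the router's WAN address (95.166.152.190 in the route table).
# Assumed mapping: 192.215.239.99 -> WEB-DMZ (172.16.200.2), 192.215.239.100 -> mail host (172.16.100.2, constructed).

# Blackhole the extra subnet so packets to unused addresses do not loop between router and ISP (tdw's second method).
/ip route
add dst-address=192.215.239.96/28 type=blackhole comment="extra ISP subnet, unused addresses dropped here"

/ip firewall nat
# Inbound: match on dst-address so each public IP forwards to its own host. Chain is dstnat, action is dst-nat.
add chain=dstnat action=dst-nat dst-address=192.215.239.99 protocol=tcp dst-port=80,443 \
    to-addresses=172.16.200.2 comment="web: public .99 -> WEB-DMZ"
add chain=dstnat action=dst-nat dst-address=192.215.239.100 protocol=tcp dst-port=25,443 \
    to-addresses=172.16.100.2 comment="mail: public .100 -> DMZ mail host"
# Make .99 answer ping without assigning it to an interface: forward ICMP to the target (tdw's alternative).
add chain=dstnat action=dst-nat dst-address=192.215.239.99 protocol=icmp to-addresses=172.16.200.2

# Outbound: src-nat per subnet so each one leaves with its own public address. Masquerade alone would pick
# the lowest address on WAN, which is why the WEB-DMZ host currently appears as a different IP.
add chain=srcnat action=src-nat src-address=172.16.200.0/29 out-interface=WAN to-addresses=192.215.239.99
add chain=srcnat action=src-nat src-address=172.16.100.0/24 out-interface=WAN to-addresses=192.215.239.100
# Generic masquerade for the user LAN stays LAST; a generic rule placed above the specific ones would
# match first and the specific rules would never see traffic.
add chain=srcnat action=masquerade src-address=192.168.201.0/24 out-interface=WAN

# Verification: connect from outside and watch the per-rule counters move.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"172.16.200.2"
```

Rule order is what the counters reveal: if the web rule's packet count stays at zero while a rule above it increments, move the specific rule up with /ip firewall nat move.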
