Looking for a little help in setting up a CCR1016-12S-1S+ for Multi-Tenant Routing.

We are having a new Fiber Internet Circuit installed and the Carrier provided a /30 WAN IP Range and both a /28 and /29 Public Static IP Range. I have the CCR configured with the WAN Interface Address and utilizing a 172.16.X.X between the two tenant routers I am able to get basic ping and trace routes to work.

What I'm struggling with is routing the Static IP blocks from the WAN (Outside Internet) to the two Tenant Ports. Would this be accomplished by NAT on the CCR1016 Router or something else?

Basic Diagram Below:

CCR1016 Router Tenant 1 MikroTik Router
WAN IP (12.247.X.X/30) sfp1 -> Tenant 1 (172.16.1.1/30) sfp4 -> Tenant 1 (172.16.1.2/30) ether1 -> /28 Static (12.0.X.X)

Tenant 2 MikroTik Router
-> Tenant 2 (172.16.2.1/30) sfp5 -> Tenant 2 (172.16.2.2/30) ether1 -> /29 Static (12.1.X.X)

Post a proper diagram, even hand drawn will do.

Here's the Diagram, using 172.16.X.X address to preserve the full Static IP Blocks for the Tenants.

Forgot to Mention running 6.34.3 on all Routers.

On both tenants routers, you need to add CCR as the gateway (CCR end /30 ip) for the default (0.0.0.0/0) route:

Tenant1:
0.0.0.0/0 gateway 172.16.1.CCR_endIP

Tenant2:
0.0.0.0/0 gateway 172.16.2.CCR_endIP

On CCR you need to add two routes:
12.0.0.x/29 gateway 172.16.1.tenant1_endIP
12.1.x.x/28 gateway 172.16.2.tenant2_endIP

That's all, no nat needed.

@acemary: Welcome to the forum! I'd make a seperate post for your question on the Begginer questions forum, even a little searching will surely return lots of posts with questions identical if not similar to yours.

@pukkita based on information you provided the inbound side of the traffic is working great. However I am having trouble with the outbound side of the traffic if I don't have a srcnat "masquerade" in place no outbound traffic from either Tenant Router can proceed out but this doesn't allow protocols that require two-way communications to pass the Tenant Static IP's such as GRE. I would assume I either need to provide some sort of NAT,Mangle, or Routing Protocol to pass traffic back outbound.

Any ideas?

You shouldn't need to do any NAT in your network if the customers' (tenants') devices have public IP addresses configured on them directly. You just forward packets to the proper device based on the public IP.

@Zerobyte, can you provide an example of what you mean? If I turn Nat Masquerade off on the Carrier Router nothing from the Tenant Router can access the outside world.

No matter what I try I cannot seem to preserve the Static IP passthrough from the Tenant Router via the Carrier Router to the outside world. But the reverse from Outside via the Carrier Router to Tenant Router works just fine.

At Carrier Router Level, I have the following defined:
0.0.0.0 via 12.247.X.X via sfp1 (Default Route)
172.16.1.0/30 via gateway sfp5 (Tenant A) Pref Source 172.16.1.1
12.33.X.X/28 via gateway sfp5 (Tenant A)
No Firewall Restrictions for 172.16.1.0/30 or 12.33.X.X/28

At Tenant Router Level, I have the following defined:
0.0.0.0 via 172.16.1.1 via sfp3 (Default Route)
172.16.1.0/30 via gateway sfp3 (Carrier) Pref Source 172.16.1.2
12.33.X.X/28 via gateway sfp3 (Carrier)
Additional I have src-nat and dst-nat configured for 12.33.X.X/28 Hosts here

Then something is worng with routing (BGP filtering?), or nat... Post the /ip firewall nat of carrier and tenant routers... it should be being masqueraded somewhere.

Do a traceroute from outside to your 12.33.x.x ranges, and viceversa.