Recently we finally got our bigger subnet (e.g. 18.104.22.168/27). Unfortunately, this is more of a headache than I thought.
But I think it is due to a mistake in my thinking or a misunderstanding on my part.
Here is a very simple drawing of our network:
The ISP forces us to use its router. However, there is a DMZ mode where all public IPs are passed to the ETH01 from your router. The ETH01 port of the ISP router (22.214.171.124) is then connected to ETH01 of the MikroTik CCR. For IP addressing, the MikroTik router has the address 126.96.36.199/27 on ETH01. To avoid errors we have set up a very simple firewall:
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid log-prefix=invalid_input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log-prefix=invalid_forward
add action=drop chain=input in-interface=ISP1
add action=drop chain=forward in-interface=ISP1
add action=masquerade chain=srcnat comment="NAT Masquerade ISP1" out-interface=Init7
The routing tables also look quite normal:
AS 0.0.0.0/0 188.8.131.52 reachable ISP1 Distance 1
DAC 192.168.1.0/24 LAN reachable Distance 0
DAC 184.108.40.206/27 ISP1 reachable Distance 0 pref source 220.127.116.11
Now for my misunderstanding: in my eyes, we should simply be able to set a NAT rule with 18.104.22.168:80 -> 192.168.1.1:80 and a FW rule to accept forward 192.168.1.1:80. But this is not possible; I have to register the IP we want to use as a /32 on ETH01 of the MikroTik. I'm just wondering whether I can't see the forest for the trees.
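As an added example (not the original poster's configuration), here are the dst-nat and forward rules described above written out as RouterOS commands, using the interface names and addresses from the post as written. The /32 in step 1 assumes the ISP router resolves each public IP of the /27 by ARP on the ETH01 segment, so the MikroTik must own the address to receive the frames at all; with the existing rule set, the accept rule must also sit above "drop chain=forward in-interface=ISP1" or it never matches.

```routeros
# Added example, not from the original post. Assumes interfaces are named
# ISP1 (ETH01 towards the ISP router) and LAN, as in the post.

# 1) Own the extra public IP so the router answers ARP for it on ISP1.
#    (Assumption: the ISP router ARPs for each address of the /27.)
/ip address add address=18.104.22.168/32 interface=ISP1 comment="web host public IP"

# 2) Translate inbound HTTP for that public IP to the internal host.
/ip firewall nat add chain=dstnat in-interface=ISP1 dst-address=18.104.22.168 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 \
    comment="dst-nat web"

# 3) Accept only traffic that was actually dst-natted, and only to that host/port.
#    place-before puts it ahead of the existing blanket drop for ISP1 in forward,
#    so nothing else from ISP1 is opened up.
/ip firewall filter add chain=forward in-interface=ISP1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.1.1 dst-port=80 action=accept \
    place-before=[find chain=forward action=drop in-interface=ISP1] \
    comment="allow dst-natted web"

# Return traffic is already covered by the existing established,related accept.
```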