Hello, I have a setup with a Mikrotik CCR1009.
I have been assigned with a set of public IP addresses /29 for connectivity.
i have a request from my client to use two public IP's, one for public internet connectivity and one for corporate VPN to be able to access from outside the private phisical network. this Ip's are being served in the same CPE interface so I was thinking to create a 3 port WAN bridge and masquerade the public LAN to one AP through one of this interfaces with public IP and assign a second IP to the other WAN interface in the bridge so this specific request for the client to access the VPN from outside can be accomplished.

My problem is that as soon as I assign the second IP to the second WAN interface in the bridge, the public LAN network lost connectivity and no one on that network is able to navigate.

As soon as I disable the second interface, everything comes back to normal and everyone is able to navigate.

I am not a Mikrotik expert but i like to play with this amazing features from Mikrotik creating virtual interfaces and bridges and switches etc... obviously i am doing something wrong but maybe one of you experts can point me in the right direction.

Thanks in advance, any help will be very well appreciated.

Multiple interfaces sound confusing. Do you know that you can assign multiple IP addresses to one interface? Wouldn't it be enough for you?

Thank you Sob, Honestly I didn’t know that, I thought that it was possible to add only one IP per interface.

Can you please guide me on how can I assign several IP’s to one interface?. Or where can I find some documentation about this process.

Thanks again.

I'm not sure how to respond, if you added one address, then repeat what you did with another. But since that should be obvious, you're perhaps asking about something else, I guess?

IP > Address, just add the second IP to the same interface. You may need a src-nat rule in IP > Firewall > NAT.
I don't understand your requirements though. Is Public IP #1 meant for guests, and Public IP #2 is meant for the corporate LAN?

Hello, I have followed up Sob Advice but I am still loosing connectivity on the Guest LAN.

Van9018, thanks for your advice. I have seted up the second IP on the same interface as the 1st public IP.

As I am not an expert so when you tell me that I may need a src-nat rule in IP>Firewall>NAT I may know how to create a src-nat is just that i dont know the right process that you are referring to, like if it has to be masquerade, jump, redirect, accept, etc. I am not sure what i have to type in Src. Address or Dst. Address, In or Out interfaces etc...

To answer your question, yes... first IP is to give access to internet to guess LAN and second IP is assigned to a device so the port eth2 must act as a bridge to advertise the network in that interface.

What I did so far is the I have reset to default the router and I have reconfigured like this:

Bridge WAN
eth1-ISP-IN = No IP (connected ISP service)
eth2-VPN = No IP (connected VPN switch with secondary IP)
eth3-WAN-IP1 (Nothing connected Assigned first IP Address)

Bridge LAN
eth4
eth5
eth6
eth7

masquerade src=0.0.0.0/0 to Bridge WAN interface

DHCP server on Bridge LAN

This configuration seems to be working, I'll keep you posted if something happens, i will know in the next 8 hours when the people start to work.

Thanks.

If you need the second address directly on another device (I thought you wanted both on router and use NAT), then don't add it to router of course, and your current config with bridge is correct. Well, almost, if you have primary address on interface which is part of bridge, correct config is to put it on bridge interface (even though it works on bridge port too, it shouldn't be there).

Hello Sob, I have assigned the IP to the bridge WAN as you have suggested and everything is working OK, there is only one thing that I have been experiencing with this configuration.

Usually with a normal configuration all the devices on the LAN are able to communicate to the cloud for monitoring but in this configuration the AP's that are inside the LAN are not communicating with cloud, for this communication i have never had to make any spacial rules on Mikrotik, do you think that there may be something that I need to do in order for this devices to communicate with the cloud?.

Event that if this AP's are functioning properly they are not being seen online.

Thank you.

Nothing special should be needed. Whether the WAN interface is bridge or single ethernet interface, it doesn't change anything for basic LAN to WAN access. Of course there are many ways how to break something in RouterOS, so anything is possible. You'd have to export and post your config, then someone could spot a mistake, if there's any.

Is there anything that i shuould do about security before pposting the configuration here?.

If you use "/export hide-sensitive", it will remove things like passwords. Then if you don't like to share your public addresses with the world, you'll have to censor them manually, but do it in consistent manner, e.g. replace first two numbers: 159.148.147.205 => x.x.147.205. That way nobody will find the real addresses, but config will be clear, even when they are used in different places, it will be possible to tell which is which.

Here is my config, hopefully I did it right:

/interface bridge
add name=br-LAN
add name=br-WAN
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN-IN
set [ find default-name=ether2 ] name=eth2-TO-VPN
set [ find default-name=ether3 ] name=eth3-WAN-CT
set [ find default-name=ether4 ] name=eth4-LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.255.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=br-LAN name=dhcp1
/interface bridge port
add bridge=br-WAN interface=eth1-WAN-IN
add bridge=br-WAN interface=eth2-TO-VPN
add bridge=br-WAN interface=eth3-WAN-CT
add bridge=br-LAN interface=eth4-LAN
add bridge=br-LAN interface=ether5
add bridge=br-LAN interface=ether6
add bridge=br-LAN interface=ether7
/ip address
add address=X.X.235.202/29 interface=br-WAN network=X.X.235.200
add address=192.168.0.1/16 interface=br-LAN network=192.168.0.0
/ip dhcp-server lease
add address=192.168.1.34 client-id=1:50:60:28:8:f6:30 mac-address=\
50:60:28:08:F6:30 server=dhcp1
add address=192.168.1.121 client-id=1:50:60:28:8:f7:30 mac-address=\
50:60:28:08:F7:30 server=dhcp1
add address=192.168.1.67 client-id=1:50:60:28:8:f6:56 mac-address=\
50:60:28:08:F6:56 server=dhcp1
add address=192.168.1.35 client-id=1:50:60:28:8:f6:e mac-address=\
50:60:28:08:F6:0E server=dhcp1
add address=192.168.1.114 client-id=1:50:60:28:8:f6:3e mac-address=\
50:60:28:08:F6:3E server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=br-WAN
/ip route
add distance=1 gateway=X.X.235.201
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Costa_Rica
/system identity
set name=WORKSHOP
/tool graphing interface
add interface=eth1-WAN-IN
add interface=eth2-TO-VPN
add interface=eth3-WAN-CT
add interface=br-LAN

You can hardly make it any simpler. If those APs are connected to any of br-LAN ports and they either use dhcp or they have static 192.168.x.x and 192.168.0.1 as default gateway, they have access to internet. The only problem apparent from this config could be DNS, there isn't any for LAN clients. So either give them some using DHCP or use static config. You can either use external addresses as you have on router, or you can use the router itself as DNS cache. For the latter you'd have to enable remote requests in "/ip dns", but definitely don't do that until you do something with your currently non-existent firewall. Which would not be bad idea anyway, even if you don't enable remote DNS requests.

Sob, I have made the suggested change regarding DNS on LAN, I have missed that detail when I change the last config, I cannot test because the client have taken the decision to move the network phisically to the old router so I may have to wait until tomorrow. I will be probably in place in the next two days, this is because the location is at a 4 hour drive, I will be testing locally which it will be easier to troubleshoot then.

What do you think about this firewall config, please give me your thoughts.

/ip firewall filter
add action=accept chain=input comment=IN_CONN_ESTABLISHED_Y_RELATED connection-state=established,related log-prefix=""
add action=drop chain=input comment=IN_DROP_CONN_INVALID connection-state=invalid log-prefix=""
add action=accept chain=input comment=IN_CONN_RED_LAN log-prefix="" src-address-list="Red LAN"
add action=drop chain=input comment="IN_DROP_ALL" log-prefix=""
add action=accept chain=forward comment=FW_CONN_ESTABLISHED_Y_RELATED connection-state=established,related log-prefix=""
add action=drop chain=forward comment=FW_DROP_CONN_INVALID connection-state=invalid log-prefix=""
add action=accept chain=forward comment=FW_CONN_RED_LAN log-prefix="" src-address-list="Red LAN"
add action=drop chain=forward comment="FW_DROP_ALL, Excepto DST-NAT" connection-nat-state=!dstnat log-prefix=""

If you have more than 1 PUBLIC IP... you have to use src-nat in your firewall NAT chain. NOT Masquerade.

Lets use this an example...
ISP issues you... xxx.xxx.229.105/29
Gateway as xxx.xxx.229.110

You would connect one connection from the WAN MODEM to one port on your router... say ether1.
You would then add IP address to the interface.
xxx.xxx.229.105/29
xxx.xxx.229.109/29

Lets assume 2 subnets. Local and VPN as 192.168.88.0/24 and 192.168.89.0/24
For traffic from the local subnet to "USE" the 105 WAN IP... a rule like this...

Firewall looks ok.

And about srcnat/masquerade, router in this case has only one public address (other is on different device), so it will have only one to choose from. But using action=src-nat with specific addres doesn't hurt, in fact it's better, because masquerade is special case of srcnat, where router has to find the right address. So you can save it some work if you give it one to use.

Hello friends, I am on site now, how can I share an image with the tracert result? to the cloud server.

thank you

Images can be attached to post, look at "Attachments" below the editor.

An update, i went to the site and by testing and will all your advises I have solved the issue, at the end the client have asked me to add another IP address to one of the Mikrotiks interfaces, so I've decided to configure src-nat instead of masquerade so I can route the two LANS to their own IP, and i have checked my main office mikrotik configuration and replicate src-at to this router.

Thanks to you guys and for your help I was able to solve the issue and the client have just called me to do a dst-nat to an internal device but that is just another story.
Thank you.