Hello, I would like to route a block of public IP addresses (which is static routed to main IP on Mikrotik 1) to another mikrotik router in my network without adding this to my address list on main mikrotik.
What I ment is;
MY ISP ------ Mikrotik 1 ------ Mikrotik 2
Mikrotik 1 : 1.2.3.4/30 (main IP between ISP), also ISP assigned 2.3.4.5/29 to Mikrotik 1 (static routed to main IP /30)
Instead of assigning 2.3.4.5/29 to Mikrotik 1 and 2.3.4.6/29 to Mikrotik 2, I would like to assign 2.3.4.5/29 directly to Mikrotik 2 without doing any NAT etc.
Is this possible, if so what would be the best method?
Thanks in advance.
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Am not really sure how that would work... 
Last edited by Zacharias on Thu Apr 02, 2020 10:51 am, edited 1 time in total.
-
-
millenium7
Long time Member
- Posts: 539
- Joined:
Re: Routing a Block of Public IP Addresses to Other Mikrotik [SOLVED]
Ummm this is super easy. All you do is add a static route on MikroTik 1 pointing to MikroTik 2
But MikroTik 2 still needs to have an address. Normally on the link between MikroTik 1 and 2 you would give them a private IP
i.e. 10.0.12.1/30 and 10.0.12.2/30
Then on MikroTik1 you just add your static route
/ip route add dst-address=2.3.4.0/29 gateway=10.0.12.2
Make sure on MikroTik1 you are not using NAT'ing this range when going back out to ISP1
i.e. if you just have a basic masquerade rule like
/ip firewall nat chain=srcnat out-interface=ether1 action=masquerade
You either need to modify the rule to exclude public IP addresses, or just add a rule above it so it doesn't trigger the normal masquerade
/ip firewall nat chain=srcnat out-interface=ether1 src-address=2.3.4.0/29 action=accept
MikroTik 2 you can then do whatever you want with the IP addresses. If you assign to a loopback it will work and respond, or you can assign to customers with PPPoE etc
-------------------------------------
If for some reason you don't want a private IP range between MikroTik1 and 2 (maybe because you only want public IP's to show up in traceroute) you can use /32 addresses on both with a static route so you are not wasting any, only using 1 address. These can be entirely different network ranges, its totally valid to have 1.2.3.4 and 5.6.7.8 talking to each other
MikroTik1: (assuming ether2 connects to MikroTik 2)
/ip address add address=1.2.3.4/32 interface=ether2
/ip route add dst-address=2.3.4.5/32 gateway=ether2
/ip route add dst-address=2.3.4.0/29 gateway=2.3.4.5
MikroTik2:
/ip address add address=2.3.4.5/32 interface=ether2
/ip route add dst-address=1.2.3.4/32 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.4
The rest of the available IP's (0/1/2/3/4/6/7) can be assigned however you want on MikroTik2, to customers, different interfaces etc
Many routers support /32 addressing, MikroTik does. Works totally fine (yet ironically does not support /31 properly )
But MikroTik 2 still needs to have an address. Normally on the link between MikroTik 1 and 2 you would give them a private IP
i.e. 10.0.12.1/30 and 10.0.12.2/30
Then on MikroTik1 you just add your static route
/ip route add dst-address=2.3.4.0/29 gateway=10.0.12.2
Make sure on MikroTik1 you are not using NAT'ing this range when going back out to ISP1
i.e. if you just have a basic masquerade rule like
/ip firewall nat chain=srcnat out-interface=ether1 action=masquerade
You either need to modify the rule to exclude public IP addresses, or just add a rule above it so it doesn't trigger the normal masquerade
/ip firewall nat chain=srcnat out-interface=ether1 src-address=2.3.4.0/29 action=accept
MikroTik 2 you can then do whatever you want with the IP addresses. If you assign to a loopback it will work and respond, or you can assign to customers with PPPoE etc
-------------------------------------
If for some reason you don't want a private IP range between MikroTik1 and 2 (maybe because you only want public IP's to show up in traceroute) you can use /32 addresses on both with a static route so you are not wasting any, only using 1 address. These can be entirely different network ranges, its totally valid to have 1.2.3.4 and 5.6.7.8 talking to each other
MikroTik1: (assuming ether2 connects to MikroTik 2)
/ip address add address=1.2.3.4/32 interface=ether2
/ip route add dst-address=2.3.4.5/32 gateway=ether2
/ip route add dst-address=2.3.4.0/29 gateway=2.3.4.5
MikroTik2:
/ip address add address=2.3.4.5/32 interface=ether2
/ip route add dst-address=1.2.3.4/32 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.4
The rest of the available IP's (0/1/2/3/4/6/7) can be assigned however you want on MikroTik2, to customers, different interfaces etc
Many routers support /32 addressing, MikroTik does. Works totally fine (yet ironically does not support /31 properly
)Re: Routing a Block of Public IP Addresses to Other Mikrotik
As @millenium said, obviously it is a routing matter, however i had some overthinking since those are Public IPs and i dont know if the ISP has any limitation to the TTL of the packets or anything...
Never tried in the past to route a Public IP to a second Router to see if it actually works as it should or not...
Never tried in the past to route a Public IP to a second Router to see if it actually works as it should or not...
-
-
millenium7
Long time Member
- Posts: 539
- Joined:
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Nope, and on that topic.... TTL can be manipulated on MikroTik with mangle rules. It actually does come in very handy if you have known, fixed number of hops to the 'outside world' and want to hide your internal network from tracerouteshowever i had some overthinking since those are Public IPs and i dont know if the ISP has any limitation to the TTL of the packets or anything...
Lets say you have ISP1->RouterA->B->C->D->E and a customer is connected to E with a public IP address
You can hide A/B/C/D/E (E not so much because that will be their default gateway) by making a mangle rule on E that increases TTL by 5
The way Traceroute works is by starting off with a TTL of 1, first router immediately decreases TTL by 1, then sees it is 0/expired and responds back with an ICMP message of its own IP address saying packet has expired. Then traceroute uses TTL 2, first router decreases and forwards it on, second router decreases to 0 and responds back saying its expired, etc, this repeats until it hits the destination or max TTL (usually ~30 but doesn't have to be)
So if you add a mangle rule on E to increase the TTL by 5. This means that when customer sends a traceroute of 1, it immediately gets set to 5 (increased to 6, but dropped one) meaning that it will forward it on another 5 times. So the customer when doing a traceroute will see ISP1 as the first 'hop'
It is also possible to create infinite routing loops if you don't do this properly
but just an FYI....Re: Routing a Block of Public IP Addresses to Other Mikrotik
I know the TTL can be manipulated... TTL was an example...
Since as i said never routed a Public IP to a second or third Router i cant say what checks the ISPs equipment might be performing...
The OP will test and tell us if it works...
Since as i said never routed a Public IP to a second or third Router i cant say what checks the ISPs equipment might be performing...
The OP will test and tell us if it works...
-
-
millenium7
Long time Member
- Posts: 539
- Joined:
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Well I work as the lead engineer for an ISP so if it doesn't work i'm out of a job 
Re: Routing a Block of Public IP Addresses to Other Mikrotik
haha then if you say it works, what can i say ?Well I work as the lead engineer for an ISP so if it doesn't work i'm out of a job
My only concern was what limitations would exist because the IP is Public, but since you say nothing changes i believe you...
However, you have a little mistake on your first post...
A route from Mikrotik 2 to Mikrotik 1 is needed...
The OP will use a private LAN for communication between Mikrotik 1 and Mikrotik 2... He will Route the Public IP to Mikrotik 2...
But on Mikrotik 2 there would be a default gateway Route 0.0.0.0/0 with dst-address= Mikrotik1 ...
So a Route with 0.0.0.0/0 and Gateway Mikrotik 1 is needed...
In case we want to use as default Route the Public IP then we can do it Recursively ..
Rule 1: 0.0.0.0/0 Gateway Public IP and check Gateway Ping
Rule 2: Destination Address is Public IP Gateway Mikrotik 1 and We do not forget to set the Scope to 10
Then the route will be marked as recursive via Mirkotik 1 ethernet Port
For the Masquerade Rule on Mikrotik 2 the correct way is not to Masquerade but to just src-nat to address and there type the Public IP
Then on Mikrotik 1 as already said we must accept what comes from that Public IP and below that rule we should let out normal masquerade rule...
Last edited by Zacharias on Thu Apr 02, 2020 1:13 pm, edited 2 times in total.
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Thank you very much for detailed explanation, I will test it out right away, I tried something similar to that but my problem was M2 was not be able to reach M1 after adding static routes to routelist. Probably I made a mistake somewhere, I'll go with your solution and let you know about the result.Ummm this is super easy. All you do is add a static route on MikroTik 1 pointing to MikroTik 2
But MikroTik 2 still needs to have an address. Normally on the link between MikroTik 1 and 2 you would give them a private IP
i.e. 10.0.12.1/30 and 10.0.12.2/30
Then on MikroTik1 you just add your static route
/ip route add dst-address=2.3.4.0/29 gateway=10.0.12.2
Make sure on MikroTik1 you are not using NAT'ing this range when going back out to ISP1
i.e. if you just have a basic masquerade rule like
/ip firewall nat chain=srcnat out-interface=ether1 action=masquerade
You either need to modify the rule to exclude public IP addresses, or just add a rule above it so it doesn't trigger the normal masquerade
/ip firewall nat chain=srcnat out-interface=ether1 src-address=2.3.4.0/29 action=accept
MikroTik 2 you can then do whatever you want with the IP addresses. If you assign to a loopback it will work and respond, or you can assign to customers with PPPoE etc
-------------------------------------
If for some reason you don't want a private IP range between MikroTik1 and 2 (maybe because you only want public IP's to show up in traceroute) you can use /32 addresses on both with a static route so you are not wasting any, only using 1 address. These can be entirely different network ranges, its totally valid to have 1.2.3.4 and 5.6.7.8 talking to each other
MikroTik1: (assuming ether2 connects to MikroTik 2)
/ip address add address=1.2.3.4/32 interface=ether2
/ip route add dst-address=2.3.4.5/32 gateway=ether2
/ip route add dst-address=2.3.4.0/29 gateway=2.3.4.5
MikroTik2:
/ip address add address=2.3.4.5/32 interface=ether2
/ip route add dst-address=1.2.3.4/32 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.4
The rest of the available IP's (0/1/2/3/4/6/7) can be assigned however you want on MikroTik2, to customers, different interfaces etc
Many routers support /32 addressing, MikroTik does. Works totally fine (yet ironically does not support /31 properly
Thanks!
***Update***
Both of the method has worked just as intended, thank you millenium7!
I just had a small issue with IP block, my ISP gave me an IP block such as; XX.YYY.ZZZ.162/30 (static routed to my main GW). When I tried to add it to my Route List, I got the following error;
Code: Select all
/ip route add dst-address=XX.YYY.ZZZ.162/29 gateway=10.0.12.2
value of dst-address must have all host bits zero, as in XX.YYY.ZZZ.160/29Now I need to Figure out how to use PPPoE Concentrator on M2 while M1 as its NAT Mikrotik
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Yes because in a /30 or even a /29 netowrk the netowrk address is the .160/30...
Also how exactly you made it work with no routes on Mikrotik 2 ? @millenium missed the route on that...
Also how exactly you made it work with no routes on Mikrotik 2 ? @millenium missed the route on that...
-
-
millenium7
Long time Member
- Posts: 539
- Joined:
Re: Routing a Block of Public IP Addresses to Other Mikrotik
I figured the routers already have some config on them, MikroTik2 already has a route to 1 or a default route etc. But yes that is needed if there's no existing routes
From a routers perspective there are no 'private' or 'public' IP addresses, they are just IP's
NAT has changed the way most of us think about it though, there once was a time when every device in a network 'only' had public IP addresses. Long gone are those days
But the idea of a NAT rule that separates the inside and outside world is not originally how networks were designed. It still remains a hack (a very good one admittedly, it does deserve credit)
However most of us think of NAT as 'normal', a nice boundary to do things at, a simple but effective protection mechanism etc. So the idea of passing public IP's inside that boundary seems strange
Just remember that if you are passing public IP's directly to i.e. servers, you can no longer be lazy and let the router be a default block-all. You have to make sure all the right firewall rules are in place on that server
From a routers perspective there are no 'private' or 'public' IP addresses, they are just IP's
NAT has changed the way most of us think about it though, there once was a time when every device in a network 'only' had public IP addresses. Long gone are those days
But the idea of a NAT rule that separates the inside and outside world is not originally how networks were designed. It still remains a hack (a very good one admittedly, it does deserve credit)
However most of us think of NAT as 'normal', a nice boundary to do things at, a simple but effective protection mechanism etc. So the idea of passing public IP's inside that boundary seems strange
Just remember that if you are passing public IP's directly to i.e. servers, you can no longer be lazy and let the router be a default block-all. You have to make sure all the right firewall rules are in place on that server
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Hi Zacharias, Of course thats not possible with no routes on M2, In the example above I added route 0.0.0.0/0 to M1's gateway on M2, forgot to mention it.Yes because in a /30 or even a /29 netowrk the netowrk address is the .160/30...
Also how exactly you made it work with no routes on Mikrotik 2 ? @millenium missed the route on that...
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Exaclty...Hi Zacharias, Of course thats not possible with no routes on M2, In the example above I added route 0.0.0.0/0 to M1's gateway on M2, forgot to mention it.Yes because in a /30 or even a /29 netowrk the netowrk address is the .160/30...
Also how exactly you made it work with no routes on Mikrotik 2 ? @millenium missed the route on that...
Re: Routing a Block of Public IP Addresses to Other Mikrotik
hey, I have the same scenario but with other routers on the way, running on an OSPF and I couldn't get it to work, my ISP gives me 2 blocks of public IP over a private one, go from R1 to R3.
You do not have the required permissions to view the files attached to this post.
-
-
millenium7
Long time Member
- Posts: 539
- Joined:
Re: Routing a Block of Public IP Addresses to Other Mikrotik
If its not working then consider traffic in 'both' directions
It's very simple to create a new 'bridge' with no ports assigned to it (thats the closest thing to a 'loopback' interface in the MikroTik world) and then just put a single IP address from that range on there as a /32
Then check your routing table on other routers. If that route shows up, saying to go to that router, then ur all good (it doesn't matter if ur block is a /24, /28, /29 or just a single /32 its all irrelevant, forget about network/broadcast addresses, you just need to know that the route is there)
So try and ping it from 'inside' your network (those 3 routers). Can they ping that address? if yes, ur good to go on the 'inbound' direction. In that your ISP should be able to send traffic to R1-Core and R1-Core will forward it on as needed
However the return path can mess you up
Very first thing to consider.... NAT...
If you have a NAT rule of 'masquerade' or 'srcnat' and its applying to all ur outbound traffic, then its going to screw up the return path (traffic comes in as 1.2.3.4 but when it leaves back to ISP it becomes 5.6.7.8 or whatever your primary IP is)
Easiest method to deal with this is to add a rule 'above' that NAT rule with type of 'accept' and matching ur additional public IP addresses. This meaning it will not NAT and change the IP address when leaving back out to ISP
If ur sure thats also fine, then it must be a firewall filter rule or something else stopping traffic flow
It's very simple to create a new 'bridge' with no ports assigned to it (thats the closest thing to a 'loopback' interface in the MikroTik world) and then just put a single IP address from that range on there as a /32
Then check your routing table on other routers. If that route shows up, saying to go to that router, then ur all good (it doesn't matter if ur block is a /24, /28, /29 or just a single /32 its all irrelevant, forget about network/broadcast addresses, you just need to know that the route is there)
So try and ping it from 'inside' your network (those 3 routers). Can they ping that address? if yes, ur good to go on the 'inbound' direction. In that your ISP should be able to send traffic to R1-Core and R1-Core will forward it on as needed
However the return path can mess you up
Very first thing to consider.... NAT...
If you have a NAT rule of 'masquerade' or 'srcnat' and its applying to all ur outbound traffic, then its going to screw up the return path (traffic comes in as 1.2.3.4 but when it leaves back to ISP it becomes 5.6.7.8 or whatever your primary IP is)
Easiest method to deal with this is to add a rule 'above' that NAT rule with type of 'accept' and matching ur additional public IP addresses. This meaning it will not NAT and change the IP address when leaving back out to ISP
If ur sure thats also fine, then it must be a firewall filter rule or something else stopping traffic flow
Re: Routing a Block of Public IP Addresses to Other Mikrotik
Thanks for answering millenium7If its not working then consider traffic in 'both' directions
It's very simple to create a new 'bridge' with no ports assigned to it (thats the closest thing to a 'loopback' interface in the MikroTik world) and then just put a single IP address from that range on there as a /32
Then check your routing table on other routers. If that route shows up, saying to go to that router, then ur all good (it doesn't matter if ur block is a /24, /28, /29 or just a single /32 its all irrelevant, forget about network/broadcast addresses, you just need to know that the route is there)
So try and ping it from 'inside' your network (those 3 routers). Can they ping that address? if yes, ur good to go on the 'inbound' direction. In that your ISP should be able to send traffic to R1-Core and R1-Core will forward it on as needed
However the return path can mess you up
Very first thing to consider.... NAT...
If you have a NAT rule of 'masquerade' or 'srcnat' and its applying to all ur outbound traffic, then its going to screw up the return path (traffic comes in as 1.2.3.4 but when it leaves back to ISP it becomes 5.6.7.8 or whatever your primary IP is)
Easiest method to deal with this is to add a rule 'above' that NAT rule with type of 'accept' and matching ur additional public IP addresses. This meaning it will not NAT and change the IP address when leaving back out to ISP
If ur sure thats also fine, then it must be a firewall filter rule or something else stopping traffic flow
Try this:
R1-CORE
Code: Select all
/ip f n
add action=accept chain=srcnat out-interface=ether1-gw src-address=186.201.47.33/28
/ip route add dst-address="186.201.47.33/28" gateway="10.10.10.6"
# ADDRESS NETWORK INTERFACE
40 186.201.47.32/32 186.201.47.32 PLo.0
41 186.201.47.33/32 186.201.47.33 PLo.0
42 186.201.47.34/32 186.201.47.34 PLo.0
43 186.201.47.35/32 186.201.47.35 PLo.0
44 186.201.47.36/32 186.201.47.36 PLo.0
45 186.201.47.37/32 186.201.47.37 PLo.0
46 186.201.47.38/32 186.201.47.38 PLo.0
47 186.201.47.39/32 186.201.47.39 PLo.0
48 186.201.47.40/32 186.201.47.40 PLo.0
49 186.201.47.41/32 186.201.47.41 PLo.0
50 186.201.47.42/32 186.201.47.42 PLo.0
51 186.201.47.43/32 186.201.47.43 PLo.0
52 186.201.47.44/32 186.201.47.44 PLo.0
53 186.201.47.45/32 186.201.47.45 PLo.0
54 186.201.47.46/32 186.201.47.46 PLo.0
55 186.201.47.47/32 186.201.47.47 PLo.0
Code: Select all
/ip route add dst-address="186.201.47.33/28" gateway="10.10.50.2"