Hi,
I have on Mikrotik WAN connection with mask /30 (connection to modem) and I have two other routed public IP x.x.x.80 - x.x.x.83 on the same link.
My goal is how could I share my Public IP (this routed) to a customer router behind my mikrotik, their Mikrotik should be visible on internet on this public IP? This connection should be blocked from access to my Mikrotik.

SFP1 - is my WAN with /30 connection
ETH6 - is my link to customer mikrotik router.
So should I do this:
1.assign x.x.x.81/30 to ETH6 and give x.x.x.82/30 to customer mikrotik.
2.customer should add default gateway to x.x.x.81
3.create nat rule to exclude this routed network x.x.x.80/30 from translation: 4. create firewall rule to allow customer outgoing to internet only:

Is this correct? Then Customer mikrotik will be presented on networ by IP x.x.x.82 ?
thanks

You waste three of four available addresses, but other than that it's ok. If you don't mind, you're done. If you do, then check here for other possibilities.

Thank you Sob for now I have only one customer so two usable IP is OK for me.

My customer also what to have full access to their Mikrotik on this public IP, if they want to open mikrotik winbox access they should have, if they would open ports to WWW server they should have this possibility etc. How could I do this I should create any dst-nat rule on my Mikrotik or any firewall policy?

for now I have only one customer so two usable IP is OK for me.

"for now" means that to make those other two addresses available later on, you'll have to ask the customer to reconfigure their machine too. So I would highly recommend to investigate the other ways @Sob has suggested, to save you future self some headache.


To let the Mikrotik of the customer be fully accessible from the internet, and thus make the customer responsible for their own IT security, it is enough that you don't filter any traffic to or from that address. So your rules above, preventing the traffic from the customer from being sent anywhere else than to WAN, and exclusion of that traffic from src-nat, are sufficient if the general approach of your firewall is "deny exceptions, allow the rest" (as that drop rule suggests). If the general approach is the one I prefer, "allow exceptions, deny the rest", you'll need more permissive rules. You'd have to post the current firewall configuration to get a more detailed advice.

Not sure how you can make that work. RouterOS doesn't support /31 subnets.

You could create a bridge with sfp1 and ether6. Then put you own IP on that bridge-interface.

Not sure how you can make that work. RouterOS doesn't support /31 subnets.

You are right that routerOS does not support /31 subnets according to RFC3021, but it supports links with an arbitrary /32 address at each end. So do other operating systems. So you can set up an address on an Ethernet interface like this:
/ip address add address=210.14.15.29/32 network=10.0.0.1 interface=etherX
On the Mikrotik on the other end, you set up the reverse:
/ip address add address=10.0.0.1/32 network=210.14.15.29 interface=etherX
When the RouterOS finds an IP address as the gateway parameter of some route, it looks up the /ip address item to whose network (with the mask taken from the address parameter of the item) it matches, and if the /ip address item found is attached to an L2 interface, it sends an ARP request with the IP address of the gateway out that interface to determine its MAC address. When sending the ARP request, it doesn't care that the own IP assigned to the interface doesn't match the network prefix.

In the position of the OP, you need to avoid a potential conflict of that auxiliary address at your end with the internal address plan of the customer. To do that, you can use one of your public addresses (Mikrotik allows to set up the same address at multiple interfaces) or you can use an address from the CGNAT range (100.64.0.0/10).

The lack of RFC3021 support causes issues for OSPF, but not for static routing.

... for now I have only one customer so two usable IP is OK for me.

It's more like one. With /30 mask and no other tricks, two of four addresses are used as network address and broadcast, third goes on your router, and only one is available for customers, so one customer. With slightly different config you can use all four, so for now you'd have three in reserve for future customers.

Even without NAT (which I wouldn't use in this case), you have three different methods you can choose from (PPPoE, routing single address to customer's router, using point to point /32). And you can even combine them if you like, e.g. use simple /32 for customer with MikroTik router, PPPoE for another customer with some less configurable home router, etc.

It's up to you, but with IPv4 addresses becoming scarce, having four seems better to me than one. :)

If the general approach is the one I prefer, "allow exceptions, deny the rest", you'll need more permissive rules. You'd have to post the current firewall configuration to get a more detailed advice.

My firewall approach is that I have most specific allow or block rules at the beginning so here is only one rule for this customer:
and at the end I have two blocking rules:
I do not have any firewall rule with dst-nat allowed. As I do not port forward.