zuku
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jun 27, 2015 3:56 pm

Share public IP to router behind mikrotik

Tue Jan 12, 2021 1:04 pm

Hi,
I have a WAN connection on my MikroTik with a /30 mask (connection to the modem), and I have two other routed public IPs, x.x.x.80 - x.x.x.83, on the same link.
My goal is to share my public IP (the routed one) with a customer router behind my MikroTik; their MikroTik should be visible on the internet on this public IP. This connection should be blocked from accessing my MikroTik.

SFP1 - is my WAN with /30 connection
ETH6 - is my link to customer mikrotik router.
So should I do this:
1. Assign x.x.x.81/30 to ETH6 and give x.x.x.82/30 to the customer's MikroTik.
2. The customer should add a default gateway of x.x.x.81.
3. Create a NAT rule to exclude this routed network x.x.x.80/30 from translation:
add action=masquerade chain=srcnat src-address=!x.x.x.80/30 out-interface=sfp1
4. Create a firewall rule to allow the customer outgoing to the internet only:
add action=drop chain=forward comment="block customer, but not on WAN" in-interface=ether6 out-interface=!sfp1

Is this correct? Then the customer's MikroTik will be presented on the network by IP x.x.x.82?
thanks
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: Share public IP to router behind mikrotik

Tue Jan 12, 2021 11:47 pm

You waste three of four available addresses, but other than that it's ok. If you don't mind, you're done. If you do, then check here for other possibilities.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
zuku
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jun 27, 2015 3:56 pm

Re: Share public IP to router behind mikrotik

Wed Jan 13, 2021 8:49 am

Thank you Sob, for now I have only one customer, so two usable IPs are OK for me.

My customer also wants to have full access to their MikroTik on this public IP: if they want to open MikroTik Winbox access they should be able to, if they want to open ports to a WWW server they should have this possibility, etc. How could I do this? Should I create any dst-nat rule on my MikroTik, or any firewall policy?
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Share public IP to router behind mikrotik

Wed Jan 13, 2021 12:42 pm

for now I have only one customer so two usable IP is OK for me.
"for now" means that to make those other two addresses available later on, you'll have to ask the customer to reconfigure their machine too. So I would highly recommend investigating the other ways @Sob has suggested, to save your future self some headache.


To let the MikroTik of the customer be fully accessible from the internet, and thus make the customer responsible for their own IT security, it is enough that you don't filter any traffic to or from that address. So your rules above, preventing the traffic from the customer from being sent anywhere else than to WAN, and the exclusion of that traffic from src-nat, are sufficient if the general approach of your firewall is "deny exceptions, allow the rest" (as that drop rule suggests). If the general approach is the one I prefer, "allow exceptions, deny the rest", you'll need more permissive rules. You'd have to post the current firewall configuration to get more detailed advice.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mada3k
Member
Posts: 309
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Share public IP to router behind mikrotik

Wed Jan 13, 2021 6:28 pm

Not sure how you can make that work. RouterOS doesn't support /31 subnets.

You could create a bridge with sfp1 and ether6. Then put your own IP on that bridge interface.
Manages some CCR's, RB750Gr3, RB922 and wAP's
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Share public IP to router behind mikrotik

Wed Jan 13, 2021 7:15 pm

Not sure how you can make that work. RouterOS doesn't support /31 subnets.
You are right that RouterOS does not support /31 subnets according to RFC3021, but it supports links with an arbitrary /32 address at each end. So do other operating systems. So you can set up an address on an Ethernet interface like this:
/ip address add address=210.14.15.29/32 network=10.0.0.1 interface=etherX
On the Mikrotik on the other end, you set up the reverse:
/ip address add address=10.0.0.1/32 network=210.14.15.29 interface=etherX
When RouterOS finds an IP address as the gateway parameter of some route, it looks up the /ip address item to whose network (with the mask taken from the address parameter of the item) it matches, and if the /ip address item found is attached to an L2 interface, it sends an ARP request for the IP address of the gateway out that interface to determine its MAC address. When sending the ARP request, it doesn't care that its own IP assigned to the interface doesn't match the network prefix.

In the position of the OP, you need to avoid a potential conflict of that auxiliary address at your end with the internal address plan of the customer. To do that, you can use one of your public addresses (MikroTik allows you to set up the same address on multiple interfaces) or you can use an address from the CGNAT range (100.64.0.0/10).

The lack of RFC3021 support causes issues for OSPF, but not for static routing.
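The /32 point-to-point pattern from the post above, applied to the OP's situation, as an added example (this is not configuration posted by anyone in the thread). It assumes the customer gets x.x.x.82 out of the routed x.x.x.80/30 block, that the provider's auxiliary address is 100.64.0.1 from the CGNAT range, and that the customer's uplink port is ether1; all three are placeholders chosen for the example.

```routeros
# --- Provider MikroTik (the OP's router): link to the customer is ether6 ---
# address  = auxiliary /32 on our side (CGNAT range, assumption from the post above)
# network  = the customer's public address, i.e. the far end of the link
/ip address
add address=100.64.0.1/32 network=x.x.x.82 interface=ether6 comment="p2p to customer"

# From that entry RouterOS derives a connected route x.x.x.82/32 via ether6,
# so traffic for the customer's address already leaves on ether6; no static
# route is needed. The upstream keeps routing x.x.x.80/30 to our WAN address,
# and x.x.x.80, .81 and .83 stay free for further customers.

# --- Customer MikroTik: uplink to the provider is ether1 (assumed name) ---
# address  = the customer's public /32
# network  = the provider's auxiliary address, used as default gateway below
/ip address
add address=x.x.x.82/32 network=100.64.0.1 interface=ether1 comment="p2p to provider"
/ip route
add dst-address=0.0.0.0/0 gateway=100.64.0.1
```

When the customer's router resolves the gateway 100.64.0.1 it finds the /ip address entry whose network (100.64.0.1/32) matches, ARPs for it on ether1, and the provider's ether6 answers, exactly as described in the post above; the provider resolves x.x.x.82 the same way in the other direction. Using a public address of your own in place of 100.64.0.1 works the same way and avoids the auxiliary address entirely.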
 
Sob
Forum Guru
Posts: 6484
Joined: Mon Apr 20, 2009 9:11 pm

Re: Share public IP to router behind mikrotik

Wed Jan 13, 2021 8:46 pm

... for now I have only one customer so two usable IP is OK for me.
It's more like one. With /30 mask and no other tricks, two of four addresses are used as network address and broadcast, third goes on your router, and only one is available for customers, so one customer. With slightly different config you can use all four, so for now you'd have three in reserve for future customers.

Even without NAT (which I wouldn't use in this case), you have three different methods you can choose from (PPPoE, routing single address to customer's router, using point to point /32). And you can even combine them if you like, e.g. use simple /32 for customer with MikroTik router, PPPoE for another customer with some less configurable home router, etc.

It's up to you, but with IPv4 addresses becoming scarce, having four seems better to me than one. :)
 
zuku
Frequent Visitor
Topic Author
Posts: 97
Joined: Sat Jun 27, 2015 3:56 pm

Re: Share public IP to router behind mikrotik

Thu Jan 14, 2021 9:54 am

If the general approach is the one I prefer, "allow exceptions, deny the rest", you'll need more permissive rules. You'd have to post the current firewall configuration to get a more detailed advice.
My firewall approach is that I have most specific allow or block rules at the beginning so here is only one rule for this customer:
add action=drop chain=forward comment="block customer, but not on WAN" in-interface=ether6 out-interface=!sfp1
and at the end I have two blocking rules:
add action=reject chain=forward reject-with=icmp-admin-prohibit
add action=drop chain=input
I do not have any firewall rule allowing dst-nat, as I do not port forward.
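The provider-side filter and NAT rules for the customer segment, written in the "allow exceptions, deny the rest" style sindy recommends, as an added example rather than the OP's actual configuration. It assumes the same layout as the thread (WAN on sfp1, customer link on ether6, routed block x.x.x.80/30) and introduces an address list named customer-public, which is a name chosen for this example. These rules sit ahead of the OP's final reject/drop rules.

```routeros
/ip firewall address-list
add list=customer-public address=x.x.x.80/30 comment="public block routed to customers"

/ip firewall nat
# Leave the routed block un-translated; the customer's services are reached on
# the customer's own address, so no dst-nat on this router is required.
add chain=srcnat action=masquerade out-interface=sfp1 src-address-list=!customer-public

/ip firewall filter
# input: the customer link gets no access to this router at all (ARP is L2 and
# unaffected, so the point-to-point link keeps working).
add chain=input in-interface=ether6 action=drop comment="customer cannot reach this router"

# forward: allow exactly customer <-> WAN, then deny everything else from ether6.
add chain=forward connection-state=established,related action=accept
# outbound: only packets sourced from the customer's assigned block are accepted,
# which also stops the customer from spoofing addresses of other segments
add chain=forward in-interface=ether6 out-interface=sfp1 src-address-list=customer-public action=accept comment="customer to WAN"
# inbound: anything from the internet to the customer's address passes; the
# customer decides on their own router which services (Winbox, WWW, ...) are open
add chain=forward in-interface=sfp1 out-interface=ether6 dst-address-list=customer-public action=accept comment="WAN to customer"
# anything else coming from the customer link (other LANs, other customers) is refused
add chain=forward in-interface=ether6 action=reject reject-with=icmp-admin-prohibit comment="customer cannot reach local segments"
# ... the OP's remaining rules and the final deny follow here
```

With this in place the question from earlier in the thread (can the customer open Winbox or a web server on the public address?) is answered by the "WAN to customer" rule: nothing is filtered towards x.x.x.80/30, so exposure is entirely under the customer's control, while the input drop and the source-address check keep the customer link away from the provider router and from other segments.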
