Hello,

i'm having a question regarding the usage of a assigned /29 subnet to be used partly with NAT and without (so to say that i can use for example one ip of the subnet directly on a VM and use the built in firewall feature and for other vms use the mikrotik firewall rules)

So far i have been using all the time the built in firewall on the CHR but as i'm in a migration process i want to use for some specific vms directly the ips without any NAT though i'm unsure how i need to do that?

I've been trying to setup one ip of the subnet directly on a VM with defined gateway the CHR (where the subnet is being routed on) but no success so far.

Does anyone have a hint on this?

Thanks!

You will need to enable proxy arp on the internal facing interface

You will need to enable proxy arp on the internal facing interface

local proxy arp or proxy arp?

thanks!

I'm not familiar with the Hetzner Subnet, so is it an L2 tunnel with one of the /29 addresses acting as a gateway, or it just means that traffic for any of the /29 is delivered to you via an L3 tunnel?

If it is an L2 tunnel:

• one possibility is to insert a bridge between the uplink interface and the one facing to the VMs on which the public IPs should be up. So the WAN configuration of the router would move from the uplink interface to the bridge, and the traffic between the VMs and the uplink gateway would be forwarded at L2.
• another possibility is to keep routing the traffic between the uplink and the VMs; in that case, you need to create "point-to-point over Ethernet" tunnels, assign the IP addresses as /32 ones to the VM ends of these tunnels, and assign some arbitrary address outside that /29 to the ends of these tunnels at Mikrotik side, and set that Mikrotik address as the default gateway at the VMs. Routes to those /32 addresses will be dynamically added to Mikrotik's routing table, and you'll still be able to use the IP firewall on the Mikrotik to control the traffic. And in this latter case, you need to set arp=proxy-arp on the WAN interface if one of the /29 addresses is the gateway.

If it is an L3 tunnel, the second approach is possible, except that you don't need the proxy-arp. Or you may give away the first and last address of the /29, and use the /29 as a subnet on a LAN-side bridge to which the VMs will be connected.

Hello Ennercy,

You need to "detach" certain IP addresses from your CHR and "attach" them to your specific VMs. You might need to remove configuration specific to IPs you are detaching on your CHR, depending on how you set this up.

In Hetzner cloud you should be able to "detach" and "attach" resources in menu "Networks" by selecing network you want to manipulate and then click "Subnets" tab. I am giving you an example in the screenshot below.



In case you didn't assign network like this the places you are able to manipulate IPs are either "Servers/Networking", "Floating IPs" or "Networks/Routes" tab.

Ideally first you want to break the poblem down to either some or all of these:
a) your understanding of Hetzner cloud
b) your understanding of MikroTIk platform
c) your understanding of general networking