synapsis
newbie
Topic Author
Posts: 27
Joined: Thu Jan 13, 2005 7:41 am
Location: Canberra, Australia

How to setup a server to use a Public IP address inside the network without using NAT

Wed May 12, 2021 4:47 am

Hi there

We have a /29 publicly addressable IP range provided by our ISP and I’m looking for some advice on the best way to set up one of our servers. For most of them we’ve been able to assign private IP addresses and use src/dst NAT’ing to make it work with the public IP address we have assigned to the WAN port. We have one server that is running some software that isn’t playing nicely behind NAT, so we want to set it up to use a public IP address but keep it behind the firewall. We have a CRS125 device.

To give some background…

Our ISP provides a layer 2 handoff with a /29 subnet – let’s say x.y.z.0/29

Within this range x.y.z.0 is the network address and x.y.z.7 is the broadcast address.

The ISP has set x.y.z.1 as the address of the gateway for this /29 subnet which is the address of the equipment at their end.

The connection from the ISP is plugged into ether1 which has been removed from the standard default config bridge. We have configured the ether1 port with an address of x.y.z.2 and established a static route for 0.0.0.0/0 with a gateway of x.y.z.1.

The remainder of our network uses various 192.168.x.x private addresses with masquerading for workstations and src/dst NAT’ing for servers and all works perfectly.

For the server that needs to have a public IP address assigned to it rather than using src/dst NAT’ing, let’s say we are assigning an address of x.y.z.3. I’ve tried setting up a separate bridge between ether1 and another ethernet port where the server with the public IP address is connected. The server has an IP address of x.y.z.3, with a gateway of x.y.z.1. This does work, but in this scenario the server is communicating directly with the ISP gateway and isn’t protected behind our firewall. I did experiment with turning on the use IP Firewall feature for the bridge, but it appears to apply to all bridges and effectively slows everything down as well as putting an additional load on the CPU.

I’d be interested in the thoughts of the various gurus out there on the “best practice” way to allow a server to live inside the network, use a public IP address (in our case x.y.z.3) but remain protected behind our firewall.
 
danamodan
just joined
Posts: 2
Joined: Mon May 17, 2021 7:51 pm

Re: How to setup a server to use a Public IP address inside the network without using NAT

Sun May 23, 2021 4:30 pm

For your information, I’m new to RouterOS. Our ISP provided a /30 public IP range for us, but after we made a request for more public IP addresses for the use of our servers, we were provided with a /29. We have one edge router and three client routers, all on different local networks. All the users are working fine regardless of their locations on the premises and all the users are able to reach the outside world.

My problem is how to configure these servers connected to the different client routers with the different public IP addresses from the /29.

Thank you for your anticipated assistance.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to setup a server to use a Public IP address inside the network without using NAT

Tue May 25, 2021 5:20 pm

This is one area I wish I knew more about. I always thought that what I used to know in the Zyxel world as 1:1 mapping (public IP to private IP) for multiple public IPs was closest, in the MikroTik world, to something called netmap!

1:1 mapping
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
action=netmap to-addresses=11.11.11.0/24

The same can be written using a different address notation, which still has to match the described network:
/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
action=netmap to-addresses=2.2.2.0-2.2.2.255

/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
action=netmap to-addresses=11.11.11.0-11.11.11.255
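Applied to the thread's own addressing, the netmap idea above comes down to mapping a single public address onto a single private one and then letting the forward chain decide what may reach it. The following RouterOS fragment is an added example written for this thread, not anav's configuration or anything from the MikroTik documentation; the server's private address 192.168.10.3, the port ether1 as WAN and TCP 443 as the exposed service are assumptions.

```routeros
# Added example (not from the thread): 1:1 mapping of the public address
# x.y.z.3 to the server at 192.168.10.3 (private address assumed) with the
# netmap action, plus the forward rules that keep it behind the firewall.

# The ISP gateway ARPs for x.y.z.3 on the Layer 2 handoff, so the router
# must own that address on ether1 in addition to its primary x.y.z.2.
/ip address
add address=x.y.z.3/29 interface=ether1 comment="public IP mapped to server"

/ip firewall nat
# Inbound: every packet addressed to x.y.z.3 is rewritten to the server.
add chain=dstnat dst-address=x.y.z.3 action=netmap to-addresses=192.168.10.3 \
    comment="1:1 in"
# Outbound: the server leaves as x.y.z.3 rather than the router's x.y.z.2.
# This must sit above the general masquerade rule so that it matches first.
add chain=srcnat src-address=192.168.10.3 out-interface=ether1 \
    action=netmap to-addresses=x.y.z.3 comment="1:1 out"

# netmap rewrites all ports, so the forward chain has to do the filtering.
# Only the service the server actually exposes is allowed in (TCP 443 is an
# assumed example); anything else aimed at it from the ISP side is dropped.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 dst-address=192.168.10.3 \
    protocol=tcp dst-port=443 action=accept \
    comment="mapped server: allow HTTPS from the internet"
add chain=forward in-interface=ether1 dst-address=192.168.10.3 action=drop \
    comment="mapped server: drop everything else from the internet"
```

The order matters on a router that already carries the default forward rules: the two server rules need to come before any generic "accept dstnat'ed traffic from WAN" rule, otherwise the netmap mapping turns every port on x.y.z.3 into an open port on the server. Note that this is still NAT; if the server's software breaks because it sees a private address on its own interface, this approach will not fix that, only the routed DMZ approach discussed later in the thread does.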
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to setup a server to use a Public IP address inside the network without using NAT

Tue May 25, 2021 5:29 pm

Is it a MUST that this server has a public IP?
If so, I don't think there is much possible; you will have to

1) request a new small subnet with your ISP and have it "routed" to your Mikrotik. On the router you create a new DMZ-LAN with public IP's
2) "Split" your current /29 further, but hey, a /29 is already not large so.

I had a case too (not on Mikrotik but on a Palo Alto FW) where a device on the inside MUST have a public IP because for the solution (EoGRE tunnel = Ethernet-over-GRE) NAT was a big no-no.
We ended up splitting a /27 public subnet further down...and creating a specific "inside" LAN/DMZ with public IP's.
Works great of course.
Last edited by jvanhambelgium on Wed May 26, 2021 8:27 am, edited 1 time in total.
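Option 2 above (splitting the existing /29) is the one that keeps a real public address on the server without NAT. The fragment below is an added example written for this thread, not jvanhambelgium's Palo Alto configuration and not from MikroTik: it carves the upper /30 of the /29 out as a routed DMZ on a spare port, so every packet to the server is routed and therefore passes the forward chain. The port names ether1/ether5, the choice of x.y.z.4/30 as the DMZ half, TCP 443 as the exposed service and the use of proxy ARP on ether1 are all assumptions.

```routeros
# Added example (not from the thread): routed DMZ carrying public IPs.
# x.y.z.0/30 stays on the ISP segment (x.y.z.1 ISP gateway, x.y.z.2 router).
# x.y.z.4/30 becomes the DMZ: x.y.z.5 on the router, x.y.z.6 on the server,
# which uses x.y.z.5 as its default gateway.
# Keeping the full /29 on ether1 is fine: the connected /30 on ether5 is the
# longer match, so the router forwards x.y.z.6 to the DMZ port.
/ip address
add address=x.y.z.2/29 interface=ether1 comment="WAN"
add address=x.y.z.5/30 interface=ether5 comment="DMZ with public IPs"

/ip route
add dst-address=0.0.0.0/0 gateway=x.y.z.1

# The ISP gateway still believes x.y.z.6 sits on its own segment and will
# ARP for it there. Either ask the ISP to route x.y.z.4/30 to x.y.z.2, or
# (assumed here) let the router answer those ARP requests on the server's
# behalf. Proxy ARP only answers for addresses it has a route to, so this
# does not expose the private LANs.
/interface ethernet
set ether1 arp=proxy-arp

# No NAT for the DMZ: masquerade only the private LANs (192.168.x.x).
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/16 out-interface=ether1 action=masquerade

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Internet -> DMZ: only the published service reaches the server.
add chain=forward in-interface=ether1 out-interface=ether5 dst-address=x.y.z.6 \
    protocol=tcp dst-port=443 action=accept comment="DMZ server: allow HTTPS"
add chain=forward in-interface=ether1 out-interface=ether5 action=drop \
    comment="nothing else from the internet into the DMZ"
# DMZ -> anywhere except the internet: a compromised server cannot pivot
# into the private LANs behind the same router.
add chain=forward in-interface=ether5 out-interface=!ether1 action=drop \
    comment="DMZ may only talk to the internet"
```

Two checks before trusting this: from the server, confirm that the default gateway is x.y.z.5 and not x.y.z.1, otherwise it is still talking to the ISP directly; and from a host on the internet, confirm that a port other than 443 is dropped, which proves the forward chain is actually in the path. Unlike the earlier bridge experiment, this needs no bridge firewall (use-ip-firewall), so the CRS125 CPU is not spent on every bridged LAN frame.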
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: How to setup a server to use a Public IP address inside the network without using NAT

Tue May 25, 2021 6:41 pm

 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: How to setup a server to use a Public IP address inside the network without using NAT

Wed May 26, 2021 12:46 am

Run your internet into a dumb switch. Take one output from that switch and run it into the WAN port of your MT router, and configure it with one of your /29 addresses - for example x.y.z.2. Connect your outside server to another port of that dumb switch and give it a different address in the /29 range - for example x.y.z.6. That will of course directly put your server on the internet, so make DAMN sure the firewalling in the server is good. This does give your server the desired public address, but it is not behind your MT firewall.
Just another option...
