OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 1:49 pm

Hello,

According to the information given below, what I want to do is: devices connected to port 2 should use the xx.xxx.11.148 public IP, and devices (only one device, actually) connected to port 3 should use the xx.xxx.11.149 public IP. My ISP opened 2 ports for me on their router, so I can use 2 ports as WAN on the MikroTik if necessary. If there is an easy scenario to do it without using separate ports (using NAT to make specific LAN IP addresses use a specified public IP, etc.), I'm open to your valuable advice. Thanks for your help.

IP Addresses
xx.xxx.11.144/29
xx.xxx.11.146
xx.xxx.11.147
xx.xxx.11.148
xx.xxx.11.149
xx.xxx.11.150
Gateway
xx.xx.11.145

Regards.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 5:14 pm

A question: do you want to use a specific public IP address for any device connected to a specific router port (e.g. ether2)? Or would you rather use a specific public IP address for a specific LAN IP address? (These are two completely different things.)
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 5:35 pm

mkx wrote:
A question: do you want to use a specific public IP address for any device connected to a specific router port (e.g. ether2)? Or would you rather use a specific public IP address for a specific LAN IP address? (These are two completely different things.)

Actually it doesn't matter. I need only one server to use a different public IP than the other devices on the network. So whichever is the easiest way, I can go for it. I can plug the server directly into a specific port or I can bind the server's LAN IP address to a specific public IP.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 5:46 pm

I personally like the idea of having two separate WAN IPs in general, but in your case not for redundancy, because if one ISP IP is not available it's likely the other will also be failing
(as opposed to the real redundancy afforded by separate ISPs, cable and DSL for example, where it's less likely both are down).

In your case, simply because of the flexibility of not tying one IP directly and only to one private server, it can be easily managed in a standard setup.
Also, to be honest, I am horrible and unfamiliar when it comes to DIRECT public IP to PRIVATE IP one-to-one NAT setups.
I find it confusing and am not sure how that changes firewall rules etc.

Getting one private IP (server) to use a specific WAN IP on a standard default setup is dirt simple, and it's all done in the IP Routes section.
standard route ISP1 distance=5 check gateway=ping
standard route ISP2 distance=10

Right away with this setup ALL users will only use ISP1, which has the shorter distance.
The router will only look to ISP2 if ISP1 fails the ping check, but in your case ISP2 is likely failing as well.

To ensure one IP address is using ISP2 we do the following.
standard route ISP1 distance=5 check gateway=ping
standard route ISP2 distance=10
special route ISP2 distance=10 route-mark=USETHISWANIP

Then in Route Rules, create a new rule that matches only the following entries:
Source Address: = IP of server
Action: = Lookup only in Table
Table: = USETHISWANIP

Done.
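The route-mark and route-rule approach described in the post above, written out as a RouterOS 6.x config. This is an added example, not a config from the thread or from MikroTik. It assumes the /29, the gateway xx.xxx.11.145 and the table name USETHISWANIP from the posts, ether1 as the WAN port, and 192.168.20.235 as the server (the "Server" address-list entry in the export posted later in the thread); the masked octets are left as xx.xxx for you to fill in. One step is added that the sketch above leaves implicit: a src-nat rule for the server, because route selection by itself only picks the gateway, and it is the NAT rule that decides which public address forwarded LAN traffic leaves with.

```routeros
# Added example, not a config from the thread or from MikroTik.
# RouterOS 6.x syntax (the export in this thread is 6.47.1); v7 renames
# routing-mark to routing-table and moves route rules to /routing rule.
#
# Goal: the server 192.168.20.235 sources its internet traffic from
# xx.xxx.11.149, everything else from xx.xxx.11.148.
# Assumed values: ISP block xx.xxx.11.144/29, gateway xx.xxx.11.145,
# WAN port ether1, table name USETHISWANIP. Replace xx.xxx with the real octets.

# 1. Both public addresses on the same WAN port. They share one /29 and one
#    gateway, so they belong on one port: splitting a /29 across two ports gives
#    the router two connected routes for the same subnet, and the gateway's MAC
#    may then be resolved out the port the ISP is not connected to.
/ip address
add address=xx.xxx.11.148/29 interface=ether1 network=xx.xxx.11.144
add address=xx.xxx.11.149/29 interface=ether1 network=xx.xxx.11.144

# 2. Routes. The main table's default route prefers .148 as source; a second
#    table reaches the same gateway but prefers .149. pref-src decides the source
#    of packets the router itself originates; forwarded LAN traffic is rewritten
#    by the src-nat rule in step 4.
/ip route
add dst-address=0.0.0.0/0 gateway=xx.xxx.11.145 distance=5 check-gateway=ping \
    pref-src=xx.xxx.11.148
add dst-address=0.0.0.0/0 gateway=xx.xxx.11.145 distance=10 \
    pref-src=xx.xxx.11.149 routing-mark=USETHISWANIP

# 3. Route rules, evaluated top to bottom. The first keeps server-to-LAN traffic
#    in the main table (USETHISWANIP holds only a default route, so without it
#    packets for the other 192.168.x.0/24 subnets would be sent to the ISP).
#    The second is the rule from the post above, for the server's remaining traffic.
/ip route rule
add src-address=192.168.20.235/32 dst-address=192.168.0.0/16 action=lookup table=main
add src-address=192.168.20.235/32 action=lookup-only-in-table table=USETHISWANIP

# 4. NAT. Rules match in order, so the specific src-nat comes before the
#    catch-all masquerade. src-nat pins the public address explicitly instead of
#    leaving masquerade to choose between the two addresses on ether1.
/ip firewall nat
add chain=srcnat src-address=192.168.20.235 out-interface=ether1 \
    action=src-nat to-addresses=xx.xxx.11.149
add chain=srcnat out-interface=ether1 action=masquerade

# 5. Inbound services for the server are published on .149 only. Match the single
#    address rather than the whole /29 (as the dst-nat rules in the posted export
#    do), otherwise the same ports are forwarded for every address in the block.
add chain=dstnat dst-address=xx.xxx.11.149 protocol=tcp \
    dst-port=25,465,587,993,995 action=dst-nat to-addresses=192.168.20.235
```

Because both addresses share one gateway here, the USETHISWANIP table and its rule do not change where the server's packets go; they matter when the second address sits on a separate WAN port with its own gateway, which is the two-ISP case the sketch above is written for. With a single gateway, steps 1, 4 and 5 alone are sufficient. Verify from the server with any what-is-my-IP service: it should report xx.xxx.11.149, while another LAN host still reports xx.xxx.11.148.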
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 5:55 pm

anav wrote: [quoting the routes / route rules suggestion above]
First of all thank you for your answer.

How should my IP address list look? This is how it looks now:
[image]
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 6:04 pm

First, the question is not relevant to your original post and has no relationship to IP routes ??? Secondly, you have the same question in a different post in Forwarding Protocols, which is a no-no! :-)
What I suggest is that you post your config...
/export hide-sensitive file=anynameyouwish

To see what is going on.
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 6:48 pm

anav wrote:
First, the question is not relevant to your original post and has no relationship to IP routes ??? Secondly, you have the same question in a different post in Forwarding Protocols, which is a no-no! :-)
What I suggest is that you post your config...
/export hide-sensitive file=anynameyouwish

To see what is going on.

I'm asking this persistently because whenever I try to add another address to the list, with the same or a different ether port, it causes a connection loss on all devices on the network. Here is the exported info. I have hidden some parts of the IP addresses manually and deleted the simple queue and static DHCP leases. And yes, I know there are lots of useless things from test configs that I ran in the past. :D Thank you.

# sep/01/2021 18:33:55 by RouterOS 6.47.1
# software id = E28V-ALZB
#
# model = 1100AHx2
/interface l2tp-server
add disabled=yes name=l2tp-in1 user=ozan
/interface bridge
add fast-forward=no name=bridge1_internet
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pptp-server
add disabled=yes name=VPN_CON user=RS
add disabled=yes name=pptp-in1 user=""
/interface vlan
add interface=bridge1_internet name="VLAN Guest" vlan-id=201
/interface list
add name=WAN
add name=LAN
/ip firewall layer7-protocol
add name=block regexp="^.+(youtube.com|trendyol.com|puhutv.com|facebook.com|tw\
itter.com|login.yahoo.com|wetransfer.com|instagram.com|transfernow.net|tra\
nsferxl.com|sendgb.com|iogames.space|agar.io|hole.io|paper.io|io.games|oyu\
nskor.com|kraloyun.com|webtekno.com|oyunkolu.com|y8.com|dersimiz.com|oyunf\
lash.com|3doyunlar.org|mynet.com|tamindir.com|oyungezer.com.tr|oyunavarim.\
com|indiroyunu.com|geekmahal.com|pcnet.com.tr|flashoyunlari.net|gezginler.\
net|erenet.net|pinterest.com|oyunskor.online|oynatsak.com|geyikmi.com|crox\
yproxy.com|proxysite.com|blockaway.net|animizm.com|vk.com|paribu.com|mail.\
google.com|n11.com|morhipo.com|linkedin.com|netflix.com|accounts.google.co\
m/signin/|accounts.google.com/ServiceLogin|login.live.com/).*\$"
/ip ipsec peer
add address=**.***.106.230/32 disabled=yes exchange-mode=ike2 name=istanbul
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
add dh-group=modp1024 name=profile_1
add dh-group=modp1536 enc-algorithm=3des name=TB
/ip ipsec peer
add address=**.***.242.170/32 name=TB profile=TB
/ip ipsec proposal
add enc-algorithms=3des name=TB pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.20.35-192.168.20.180
add name=dhcp_pool2 ranges=192.168.21.2-192.168.21.254
add name=dhcp_pool4 ranges=192.168.20.20-192.168.20.50
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=vpn_ppol ranges=192.168.25.1-192.168.25.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=ether3 name=\
dhcp1
add address-pool=dhcp name=dhcp2
add address-pool=dhcp disabled=no interface=bridge1_internet name=dhcptest
add address-pool=dhcp_pool5 disabled=no interface="VLAN Guest" name=dhcp3
/ppp profile
add local-address=192.168.25.1 name=vpn_profile remote-address=vpn_ppol
set *FFFFFFFE dns-server=8.8.8.8 local-address=10.0.0.1 remote-address=\
10.0.0.2 wins-server=8.8.4.4

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.20.235
add name=remotelog remote=192.168.20.235 target=remote
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=SINIRSIZ name-for-users=SINIRSIZ override-shared-users=off owner=\
admin price=0 starts-at=logon validity=0s
add name=STANDART-2MBIT name-for-users=STANDART-2MBIT override-shared-users=\
off owner=admin price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
name=2MBIT owner=admin rate-limit-min-rx=524288B rate-limit-min-tx=\
2097152B rate-limit-rx=524288B rate-limit-tx=2097152B transfer-limit=0B \
upload-limit=0B uptime-limit=0s
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=admin policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winb\
ox,web,sniff,sensitive,api,romon,dude,tikapp,!password"
add name=subadmin policy="local,read,write,policy,test,winbox,web,!telnet,!ssh\
,!ftp,!reboot,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1_internet interface=ether2
add bridge=bridge1_internet interface=ether8
add bridge=bridge1_internet interface=ether6
add bridge=bridge1_internet interface=ether7
add bridge=bridge1_internet interface=ether9
add bridge=bridge2 interface=ether3
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=\
yes port=444
/ip address
add address=**.***.11.149/29 comment="default configuration" interface=ether1 \
network=**.***.11.144
add address=192.168.20.1/24 interface=bridge1_internet network=192.168.20.0
add address=192.168.40.1/24 interface="VLAN Guest" network=192.168.40.0
add address=192.168.21.1/24 interface=bridge1_internet network=192.168.21.0
add address=192.168.22.1/24 interface=bridge1_internet network=192.168.22.0
add address=192.168.23.1/24 interface=bridge1_internet network=192.168.23.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.21.0/24 gateway=192.168.21.1
add address=192.168.23.0/24 gateway=192.168.23.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.220.222
/ip firewall address-list
add address=**.***.11.144/29 list=allow-ip
add address=192.168.20.0/24 list=allow-ip
add address=192.168.21.0/24 list=alt-ip-list
add address=192.168.20.50-192.168.20.166 list=CM
add address=192.168.20.1.192.168.20.255 list="Local ALL"
add address=192.168.21.10-192.168.21.255 list="Full CM"
add address=192.168.20.235 list=Server
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=25 protocol=tcp \
src-address=89.207.14.92
add action=accept chain=forward disabled=yes dst-port=25 protocol=tcp \
src-address=89.207.14.84
add action=accept chain=forward disabled=yes dst-address-list=Server \
dst-port=25 protocol=tcp
add action=drop chain=forward disabled=yes dst-port=25 protocol=tcp
add action=drop chain=input dst-port=53,8728,8729,21,22,23,80,443,8291 \
protocol=tcp
add action=drop chain=forward layer7-protocol=block src-address-list=\
"Full CM"
add action=drop chain=forward layer7-protocol=block src-address-list=CM
add action=add-src-to-address-list address-list=allow-ip \
address-list-timeout=1h chain=input comment=2 packet-size=1083
add action=accept chain=input comment=PPTP-VPN dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=192.168.20.235 src-address=\
192.168.40.1-192.168.40.255
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward dst-address-list="" src-address-list=""
add action=accept chain=input comment=1 src-address-list=allow-ip
add action=passthrough chain=input comment=4
add action=passthrough chain=input
add action=accept chain=forward disabled=yes layer7-protocol=block \
src-address=192.168.20.48
add action=log chain=forward connection-state=new dst-port=80,443 log-prefix=\
WebLog protocol=tcp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos disabled=yes dst-limit=\
32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos disabled=yes src-address=192.168.0.1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos disabled=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos disabled=yes
add action=drop chain=forward disabled=yes dst-address=\
192.168.20.1-192.168.20.255 src-address=192.168.1.1-192.168.19.255
add action=drop chain=input comment=3 dst-port=53 protocol=udp
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
src-address-list=ddoser
add action=drop chain=forward disabled=yes dst-address=\
192.168.20.1-192.168.20.255 src-address=192.168.21.1-192.168.255.255
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" disabled=\
yes in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" disabled=yes \
dst-port=500 in-interface=ether1 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=7001 \
protocol=tcp to-addresses=192.168.20.235 to-ports=7001
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=211 \
protocol=tcp to-addresses=192.168.20.234 to-ports=211
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=25 \
protocol=tcp to-addresses=192.168.20.235 to-ports=25
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=587 \
protocol=tcp to-addresses=192.168.20.235 to-ports=587
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8090 \
protocol=tcp to-addresses=192.168.20.235 to-ports=8090
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
protocol=udp src-address=**.***.48.140 to-addresses=192.168.20.235 \
to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
protocol=tcp src-address=**.***.48.140 to-addresses=192.168.20.235 \
to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=9090 \
protocol=tcp to-addresses=192.168.20.235 to-ports=9090
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=7171 \
protocol=tcp to-addresses=192.168.20.235 to-ports=7171
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
protocol=tcp src-address=**.***.100.230 to-addresses=192.168.20.235 \
to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
protocol=udp src-address=**.***.100.230 to-addresses=192.168.20.235 \
to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=995 \
protocol=tcp src-port="" to-addresses=192.168.20.235 to-ports=995
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=465 \
protocol=tcp to-addresses=192.168.20.235 to-ports=465
add action=masquerade chain=srcnat dst-address=192.168.20.0/24 src-address=\
192.168.20.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=993 \
protocol=tcp to-addresses=192.168.20.235 to-ports=993
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=110 \
protocol=tcp to-addresses=192.168.20.235 to-ports=110
add action=masquerade chain=srcnat dst-address=192.168.21.0/24 src-address=\
192.168.21.0/24
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=\
192.168.20.0/24
add action=masquerade chain=srcnat disabled=yes src-address=15.20.30.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 port=2121 \
protocol=tcp to-addresses=192.168.20.230 to-ports=2121
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=21 \
protocol=tcp to-addresses=192.168.20.230 to-ports=21
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3388 \
protocol=tcp to-addresses=192.168.20.175 to-ports=3388
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=2525 \
protocol=tcp to-addresses=192.168.20.235 to-ports=2525
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8080 \
protocol=tcp src-address=**.***.106.230 to-addresses=192.168.20.230 \
to-ports=8080
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3387 \
protocol=tcp to-addresses=192.168.20.176 to-ports=3387
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8597 \
protocol=tcp src-port="" to-addresses=192.168.20.235 to-ports=8597
add action=masquerade chain=srcnat dst-address=192.168.40.0/24 src-address=\
192.168.40.0/24
add action=accept chain=srcnat dst-address=192.168.7.0/24 src-address=\
192.168.20.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
protocol=tcp src-address=**.***.106.230 to-addresses=192.168.20.235 \
to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=37777 \
protocol=tcp src-address=0.0.0.0 to-addresses=192.168.20.7 to-ports=37777
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=82 \
protocol=tcp to-addresses=192.168.20.7 to-ports=82
add action=masquerade chain=srcnat src-address=10.20.30.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add disabled=yes peer=istanbul
add peer=TB
/ip ipsec policy
add dst-address=192.168.7.0/24 peer=TB proposal=TB \
sa-dst-address=**.***.242.170 sa-src-address=**.***.11.148 src-address=\
192.168.20.0/24 tunnel=yes
add disabled=yes dst-address=192.168.10.0/24 peer=istanbul src-address=\
192.168.20.0/24 tunnel=yes
/ip route
add distance=1 gateway=**.***.11.145
/ip service
set www-ssl disabled=no
/ip socks
set max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=Europe/Istanbul
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=remote prefix=hotspot topics=!firewall
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=2MBIT profile=STANDART-2MBIT till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
auth-fail name=mikrotik use-coa=no
/tool user-manager user
add customer=admin disabled=no ipv6-dns=:: shared-users=1 username=test \
wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no first-name=ibrahim ipv6-dns=:: last-name=\
"u\C5\9Fak" shared-users=2 username=46036213724 wireless-enc-algo=none \
wireless-enc-key="" wireless-psk=""
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 7:46 pm

@OzanOral26 ,
I see no Mangle configuration in your export... nor any routes...
Neither any Route rule as @anav suggested... which is an alternative, of course...
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 7:52 pm

The config has grown out of its usefulness, I would say, as you cannot see the forest for the trees.

In clearer terms ;-) things like this should be obvious.
/interface list member
add interface=ether1 list=WAN
add list=LAN

The second entry is meaningless; the config should look like this
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_internet list=LAN
add interface=bridge2 list=LAN

Personally, I am not a fan of two bridges if one will suffice.
If the purpose of one of the bridges is only to hold a single VLAN, then it's not required, as the VLAN can be moved to the single bridge very easily.

Did you intend to do the following? It's not normally needed on most configs, as the regular firewall rules suffice quite nicely.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes ?????

THE ADDRESS BLOCK IS PROBLEMATIC.
The only addresses that are normally in the IP address section are
a. WAN IP address (obviously changed to xx.xxx.xxx.xxx for security reasons if it did show up in the config)
b. LAN IP address of any bridges
c. LAN IP of any VLANs

Thus you should technically have two WAN IPs, TWO bridge IPs and one VLAN IP.

As far as your firewall rules are concerned, way too complex for me; I would burn them and restart with defaults and modify to only what you need to begin with. It looks like a dog's breakfast, but if it works for you then leave it. :-)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 7:54 pm

What I suggest you do, is make a diagram similar to the one here, to communicate your intentions.....
viewtopic.php?f=13&t=177979#p876218
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 8:03 pm

@anav, as I can see, you did like that diagram... :lol:
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 8:58 pm

Zacharias wrote:
@anav, as I can see, you did like that diagram... :lol:

Especially the colours!! I like good communications.
a. Network diagram sufficiently labelled and yes colours please
b. /export config
c. Set of detailed requirements detailing what the users/device should be able to do and should not be able to do without any mention of equipment or config.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Different Public IP for different devices (On Different port preferably if posible)

Wed Sep 01, 2021 9:59 pm

@anav, you're right on that...
Network diagrams are a must on complex networks, but not only... Even on simple topologies, visualising the network is really helpful...
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 2:16 pm

anav wrote: [quoting the routes / route rules suggestion above]
Hello again,

I'm following this post of yours. Here are some pictures from my config. In Routes there are 2 dynamic entries that I can't delete or change, marked in red. After I add the rule, the device can access the LAN network but can't access the internet.

[image]
[image]
[image]

==== EDIT ====
Changed it like this:
[image]
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 2:59 pm

pictures of the tables are not always that helpful.
/export hide-sensitive file=anynameyouwish please.
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 3:12 pm

Here are the export results.

# sep/02/2021 15:07:00 by RouterOS 6.47.1
# software id = E28V-ALZB
#
# model = 1100AHx2
/interface bridge
add fast-forward=no name=bridge1_internet
add fast-forward=no name=bridge2_internet
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether12 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether13 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pptp-server
add disabled=yes name=VPN_CON user=REZSITESI
/interface vlan
add interface=bridge1_internet name="VLAN Guest" vlan-id=201
/interface list
add name=WAN
add name=LAN
/ip firewall layer7-protocol
add name=block regexp="^.+(youtube.com|trendyol.com|puhutv.com|facebook.com|tw\
    itter.com|login.yahoo.com|wetransfer.com|instagram.com|transfernow.net|tra\
    nsferxl.com|sendgb.com|iogames.space|agar.io|hole.io|paper.io|io.games|oyu\
    nskor.com|kraloyun.com|webtekno.com|oyunkolu.com|y8.com|dersimiz.com|oyunf\
    lash.com|3doyunlar.org|mynet.com|tamindir.com|oyungezer.com.tr|oyunavarim.\
    com|indiroyunu.com|geekmahal.com|pcnet.com.tr|flashoyunlari.net|gezginler.\
    net|erenet.net|pinterest.com|oyunskor.online|oynatsak.com|geyikmi.com|crox\
    yproxy.com|proxysite.com|blockaway.net|animizm.com|vk.com|paribu.com|mail.\
    google.com|n11.com|morhipo.com|linkedin.com|netflix.com|accounts.google.co\
    m/signin/|accounts.google.com/ServiceLogin|login.live.com/|fox.com.tr|atv.\
    com.tr|startv.com.tr).*\$"
/ip ipsec peer
add address=**.***.106.230/32 disabled=yes exchange-mode=ike2 name=istanbul
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
add dh-group=modp1024 name=profile_1
add dh-group=modp1536 enc-algorithm=3des name=TB
/ip ipsec peer
add address=**.***.242.170/32 name=TB profile=TB
/ip ipsec proposal
add enc-algorithms=3des name=TB pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.20.35-192.168.20.180
add name=dhcp_pool2 ranges=192.168.21.2-192.168.21.254
add name=dhcp_pool4 ranges=192.168.20.20-192.168.20.50
add name=dhcp_pool5 ranges=192.168.40.2-192.168.40.254
add name=vpn_ppol ranges=192.168.25.1-192.168.25.255
add name=dhcp_pool7 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=ether3 name=\
    dhcp1
add address-pool=dhcp name=dhcp2
add address-pool=dhcp disabled=no interface=bridge1_internet name=dhcptest
add address-pool=dhcp_pool5 disabled=no interface="VLAN Guest" name=dhcp3
add address-pool=dhcp_pool7 disabled=no interface=bridge2_internet name=dhcp4
/ppp profile
add local-address=192.168.25.1 name=vpn_profile remote-address=vpn_ppol
set *FFFFFFFE dns-server=8.8.8.8 local-address=10.0.0.1 remote-address=\
    10.0.0.2 wins-server=8.8.4.4

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.20.235
add name=remotelog remote=192.168.20.235 target=remote
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=SINIRSIZ name-for-users=SINIRSIZ override-shared-users=off owner=\
    admin price=0 starts-at=logon validity=0s
add name=STANDART-2MBIT name-for-users=STANDART-2MBIT override-shared-users=\
    off owner=admin price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" ip-pool6="" \
    name=2MBIT owner=admin rate-limit-min-rx=524288B rate-limit-min-tx=\
    2097152B rate-limit-rx=524288B rate-limit-tx=2097152B transfer-limit=0B \
    upload-limit=0B uptime-limit=0s
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=admin policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winb\
    ox,web,sniff,sensitive,api,romon,dude,tikapp,!password"
add name=subadmin policy="local,read,write,policy,test,winbox,web,!telnet,!ssh\
    ,!ftp,!reboot,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1_internet interface=ether2
add bridge=bridge1_internet interface=ether8
add bridge=bridge1_internet interface=ether6
add bridge=bridge1_internet interface=ether7
add bridge=bridge1_internet interface=ether9
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_internet list=LAN
add interface=bridge2_internet list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=\
    yes port=444
/ip address
add address=**.***.11.147/29 comment="default configuration" interface=ether1 \
    network=**.***.11.144
add address=192.168.20.1/24 interface=bridge1_internet network=192.168.20.0
add address=192.168.40.1/24 interface="VLAN Guest" network=192.168.40.0
add address=192.168.21.1/24 interface=bridge1_internet network=192.168.21.0
add address=192.168.22.1/24 interface=bridge1_internet network=192.168.22.0
add address=192.168.23.1/24 interface=bridge1_internet network=192.168.23.0
add address=192.168.23.1/24 interface=ether2 network=192.168.23.0
add address=**.***.11.149/29 interface=ether5 network=**.***.11.144
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.21.0/24 gateway=192.168.21.1
add address=192.168.23.0/24 gateway=192.168.23.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.220.222
/ip firewall address-list
add address=**.***.11.144/29 list=allow-ip
add address=192.168.20.0/24 list=allow-ip
add address=192.168.21.0/24 list=alt-ip-list
add address=192.168.20.50-192.168.20.175 list=CM
add address=192.168.20.1-192.168.20.255 list="Local ALL"
add address=192.168.21.10-192.168.21.255 list="Full CM"
add address=192.168.20.235 list=Server
/ip firewall filter
add action=drop chain=input dst-port=53,8728,8729,21,22,23,80,443,8291 \
    protocol=tcp
add action=drop chain=forward layer7-protocol=block src-address-list=\
    "Full CM"
add action=drop chain=forward layer7-protocol=block src-address-list=CM
add action=drop chain=forward content=film src-address-list=CM
add action=drop chain=forward content=dizi src-address-list=CM
add action=drop chain=forward content=izle src-address-list=CM
add action=drop chain=forward content=porn src-address-list=CM
add action=add-src-to-address-list address-list=allow-ip \
    address-list-timeout=1h chain=input comment=2 packet-size=1083
add action=accept chain=input comment=PPTP-VPN dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address=192.168.20.235 src-address=\
    192.168.40.1-192.168.40.255
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward dst-address-list="" src-address-list=""
add action=accept chain=input comment=1 src-address-list=allow-ip
add action=passthrough chain=input comment=4
add action=passthrough chain=input
add action=log chain=forward connection-state=new dst-port=80,443 log-prefix=\
    WebLog protocol=tcp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=drop chain=input comment=3 dst-port=53 protocol=udp
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=7001 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=7001
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=211 \
    protocol=tcp to-addresses=192.168.20.234 to-ports=211
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=25 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=25
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=587 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=587
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8090 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=8090
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
    protocol=udp src-address=**.***.48.140 to-addresses=192.168.20.235 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
    protocol=tcp src-address=**.***.48.140 to-addresses=192.168.20.235 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=9090 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=9090
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=7171 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=7171
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
    protocol=tcp src-address=**.***.100.230 to-addresses=192.168.20.235 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=995 \
    protocol=tcp src-port="" to-addresses=192.168.20.235 to-ports=995
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=465 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=465
add action=masquerade chain=srcnat dst-address=192.168.20.0/24 src-address=\
    192.168.20.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=993 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=993
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=110 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=110
add action=masquerade chain=srcnat dst-address=192.168.21.0/24 src-address=\
    192.168.21.0/24
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=\
    192.168.20.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 port=2121 \
    protocol=tcp to-addresses=192.168.20.230 to-ports=2121
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=21 \
    protocol=tcp to-addresses=192.168.20.230 to-ports=21
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3388 \
    protocol=tcp to-addresses=192.168.20.175 to-ports=3388
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=2525 \
    protocol=tcp to-addresses=192.168.20.235 to-ports=2525
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8080 \
    protocol=tcp src-address=**.***.106.230 to-addresses=192.168.20.230 \
    to-ports=8080
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3387 \
    protocol=tcp to-addresses=192.168.20.176 to-ports=3387
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=8597 \
    protocol=tcp src-port="" to-addresses=192.168.20.235 to-ports=8597
add action=masquerade chain=srcnat dst-address=192.168.40.0/24 src-address=\
    192.168.40.0/24
add action=accept chain=srcnat dst-address=192.168.7.0/24 src-address=\
    192.168.20.0/24
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=3389 \
    protocol=tcp src-address=**.***.106.230 to-addresses=192.168.20.235 \
    to-ports=3389
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=37777 \
    protocol=tcp src-address=0.0.0.0 to-addresses=192.168.20.7 to-ports=37777
add action=dst-nat chain=dstnat dst-address=**.***.11.144/29 dst-port=82 \
    protocol=tcp to-addresses=192.168.20.7 to-ports=82
add action=masquerade chain=srcnat src-address=10.20.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=\
    192.168.30.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether5
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add disabled=yes peer=istanbul
add peer=TB
/ip ipsec policy
add disabled=yes dst-address=192.168.7.0/24 peer=TB proposal=\
    TB sa-dst-address=**.***.242.170 sa-src-address=**.***.11.148 \
    src-address=192.168.20.0/24 tunnel=yes
add disabled=yes dst-address=192.168.10.0/24 peer=istanbul src-address=\
    192.168.20.0/24 tunnel=yes
/ip route
add check-gateway=ping distance=10 dst-address=**.***.11.149/32 gateway=\
    ether5 routing-mark=WAN2
add distance=1 gateway=**.***.11.145
add check-gateway=ping distance=5 dst-address=**.***.11.147/32 gateway=ether1
add distance=10 dst-address=**.***.11.149/32 gateway=ether5
/ip route rule
add action=lookup-only-in-table src-address=192.168.20.175/32 table=WAN2
/ip service
set www-ssl disabled=no
/ip socks
set max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=Europe/Istanbul
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=remote prefix=hotspot topics=!firewall
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=2MBIT profile=STANDART-2MBIT till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
    auth-fail name=mikrotik use-coa=no
/tool user-manager user
add customer=admin disabled=no ipv6-dns=:: shared-users=1 username=test \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""
add customer=admin disabled=no first-name=ibrahim ipv6-dns=:: last-name=\
    "u\C5\9Fak" shared-users=2 username=46036213724 wireless-enc-algo=none \
    wireless-enc-key="" wireless-psk=""
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 6:46 pm

(1) Not sure it's legal to use the same POOL for different servers ????
Suggesting the norm is for EACH SUBNET to have:
- one IP address
- one pool
- one dhcp server
- one dhcp server network.

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=ether3 name=\
dhcp1
add address-pool=dhcp name=dhcp2
add address-pool=dhcp disabled=no interface=bridge1_internet name=dhcptest
add address-pool=dhcp_pool5 disabled=no interface="VLAN Guest" name=dhcp3
add address-pool=dhcp_pool7 disabled=no interface=bridge2_internet name=dhcp4

(2) Why is this selected? Normally it's not required, as FW rules cover firewall requirements........ must be a reason.......

(3) Still a problem, as ether3 should be listed as a LAN entry (not part of either bridge)
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_internet list=LAN
add interface=bridge2_internet list=LAN

(4) You did not clean up the addresses...
The ones in red are duplicates; bridge1 only requires a single address.
The second bridge is totally missing and needs an address.
ether2 should not be there, as you have it on the bridge, so either remove the address or remove it from the bridge.

ip address
add address=**.***.11.147/29 comment="default configuration" interface=ether1 \
network=**.***.11.144
add address=192.168.20.1/24 interface=bridge1_internet network=192.168.20.0
add address=192.168.40.1/24 interface="VLAN Guest" network=192.168.40.0
add address=192.168.21.1/24 interface=bridge1_internet network=192.168.21.0
add address=192.168.22.1/24 interface=bridge1_internet network=192.168.22.0
add address=192.168.23.1/24 interface=bridge1_internet network=192.168.23.0

add address=192.168.23.1/24 interface=ether2 network=192.168.23.0
add address=**.***.11.149/29 interface=ether5 network=**.***.11.144

(5) In terms of firewall rules:
- I don't see the purpose of this rule..... (the default rules cover all of this, and if you want to block LAN-to-router traffic simply use block all as the last rule in the input chain)
add action=drop chain=input dst-port=53,8728,8729,21,22,23,80,443,8291 \
protocol=tcp
- the rest is a quagmire of jumps and other things I don't use and frankly IMHO are generally not required, so I won't comment.

(6) Source NAT rules only mention one ether port; if you have multiple WANs then you should add another line for the other ether port, or replace in-interface with in-interface-list=WAN.
OKAY, I see the second rule now at the very bottom of the NAT rules.

BUT what the heck is the purpose of these two rules....
add action=masquerade chain=srcnat src-address=10.20.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=\
192.168.30.0/24


Don't think I can be of much further help. Good luck!
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 9:32 pm

Hello again

Thanks for all your advice.

1) The first two DHCP servers are disabled; they are from the old config without the bridge. I didn't delete them, just disabled them.
2) is missing, I guess; I didn't get what you mean by what is selected.
3) I'm not using the ether3 port. I'm using port 1 as WAN, port 2 to the switch, and 6-7-8-9 directly to UniFi access points with the guest VLAN.
4) I will use these addresses to separate the devices on my network, like 21 for floor 2 computers, 22 for floor 3 computers, 23 for IP phones, etc. But I didn't know about ether2 there. I will delete it.
Bridge 2 is not in use; I just tried some things and left it there.
5) I will take your advice.
6) Those are from the tries I made in the past with VPN or something. I just left them there thinking they are not affecting anything.

I will clean up the trash, but do you think any of these are the reason why the config up there is not working?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 9:37 pm

When things are this messy from past attempts, I recommend resetting the router to defaults and just adding what is required to get the desired functionality.
It's actually much faster in the long run.
Without a set of requirements and a good network diagram, trying to understand what you want with the current config is too difficult, for me at least, and I am unable to pick out any one thing that is specific to the problems encountered.
 
OzanOral26
just joined
Topic Author
Posts: 13
Joined: Wed Sep 01, 2021 1:25 pm

Re: Different Public IP for different devices (On Different port preferably if posible)

Thu Sep 02, 2021 9:55 pm

Actually I would love to do that, but as you can tell I'm not that good with networking yet (I'm trying to learn). Every config that I made, like bridging, hairpin, VLAN, etc., is a learning process for me, and it was hard to achieve things without knowing the specific way: using YouTube tutorials, searching the internet and trying things by myself, failing multiple times, and sometimes I don't even know how I reached the desired result :D So I don't want to lose my working setup, and my company works with multiple shifts, so I don't have much time to reset the router and start from the beginning, but it should be that way I guess. So one last favor, if it ain't too much. Let's say I reset my router config; first of all, can you give me a setup example just for ether1 WAN, ether2 other WAN, ether3 LAN to switch? Let's say I have two computers connected to the switch, and separate those computers with two public IPs. I know you gave me an example, but I'm not even sure the address list is the correct way.
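The following is an added example, not a configuration posted by anav or OzanOral26 in this thread and not taken from the router above. It sketches the minimal layout the request above asks for (one WAN port carrying the ISP /29, one LAN bridge, one server that must leave through a second public address) while following anav's earlier points: one address, one pool, one DHCP server and one DHCP network per subnet (1), ether ports in the LAN interface list rather than loose (3), no duplicate addresses on the bridge (4), and a drop-all rule as the last entry of the input chain (5). The prefix 203.0.113.0/24 is a documentation placeholder standing in for the masked **.***.11.x block, with the thread's last octets kept (.145 gateway, .147 router, .149 server); the MAC address, pool range and the single forwarded port 443 are constructed for the example.

```routeros
# Added example layout (placeholder prefix 203.0.113.x for the masked /29).

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_internet list=LAN

# One address per subnet. Both public addresses sit on ether1 so the router
# answers ARP for each of them on the ISP segment; no second WAN port needed.
/ip address
add address=203.0.113.147/29 interface=ether1 network=203.0.113.144
add address=203.0.113.149/29 interface=ether1 network=203.0.113.144
add address=192.168.20.1/24 interface=bridge1_internet network=192.168.20.0

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.145

# One pool, one DHCP server, one DHCP network for the LAN subnet.
/ip pool
add name=pool_lan ranges=192.168.20.35-192.168.20.180
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=bridge1_internet name=dhcp_lan
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Fixed lease for the server (constructed MAC) so the address-list stays true.
/ip dhcp-server lease
add address=192.168.20.235 mac-address=00:11:22:33:44:55 server=dhcp_lan
/ip firewall address-list
add address=192.168.20.235 list=public_149

# Outbound: listed host leaves as .149, everything else as .147.
# The specific src-nat rule must be above the catch-all, rules match top-down.
/ip firewall nat
add chain=srcnat src-address-list=public_149 out-interface-list=WAN \
    action=src-nat to-addresses=203.0.113.149
add chain=srcnat out-interface-list=WAN action=src-nat to-addresses=203.0.113.147
# Inbound: forward only the port the server serves, and only for .149.
add chain=dstnat dst-address=203.0.113.149 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.20.235

# Default-config style filter: established/related first, invalid dropped,
# LAN may reach the router, and a drop-all as the last input rule.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept
add chain=input action=drop comment="last rule: drop everything else"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface-list=LAN action=accept
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN action=accept
add chain=forward action=drop comment="last rule: drop everything else"
```

The reason the posted config cannot do this with masquerade alone is that masquerade always rewrites to the primary address of the outgoing interface, so a second public IP needs an explicit src-nat rule with to-addresses, placed above the generic one. After applying such a layout, `/ip firewall nat print stats` shows whether the public_149 rule is actually matching, and `/ip firewall connection print where src-address~"192.168.20.235"` shows the reply-dst address the server's flows were translated to.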
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Different Public IP for different devices (On Different port preferably if posible)

Fri Sep 03, 2021 5:19 am

The best way to communicate what you would like to see (before a sample config)
is:
a. a labelled network diagram
b. a SET of written requirements
- identifying the users/devices requiring services
- what each set of users/devices should be able to do
- what each set of users/devices should not be able to do
and do not mention config, switches, router, etc........
