Hi Forum,

I have /24 of public ip address for example 137.0.0.1/24 from my ISP, I am trying to give my clients public ip address without NAT. I will be grateful if someone help me with this configurations.

Regards,

HavalTech

do you use some kind of ppp?

Dear Chupaka,

No i am not using PPP, I have postpaid clients they want to have their own public ip address for MS Exchange and Firewall servers. the setup is like this:

RB1000 one interface connected to ISP another interface connected to L2 Cisco Switch.

Using Mikrotik point to point links to give connection to my clients. just want to route a public ip address from my ISP to my client without using NAT.

Regards,

HavalTech

try to add static route with destinaton = client's-public-IP and gateway interface = client's IP, then in your dynamic routing protocol (for example, OSPF) set redistribute-static-routes to yes

should work =)

if they are routing that /24 to you then you can just route it further down the path. If they are bridging that /24 to you, then you have to use nat or proxy-arp. Does your wan have a /30 subnet or the /24 directly on the wan ?

Dear Chupaka,

Can you explain a bit more, if i have public interface ip address 137.0.0.2/24 and default gateway 137.0.0.1 which are public ip address let we say i want to give 137.0.0.3 to my client, which ip address i have to put in my local interface? from my understand shall i make static route with destination=137.0.0.3 and gateway=137.0.0.3 what is else regarding OSPF?

Is it possible to show me the configuration?

Regards,

HavalTech

if i have public interface ip address 137.0.0.2/24

i want to give 137.0.0.3 to my client

if you do not have 137.0.0.3, then you cannot give 137.0.0.3 to client. or you have 137.0.0.0/24?

if latter, then you should not add any ip address to your interfaces. just add static route to 137.0.0.3

Dear Chupaka,

Yes have 137.0.0.0/24, I want to give 137.0.0.2/24 to one client and 137.0.0.3/24 to another client etc..

which config i have to do?


Regards,

Haval

as I said, just add static route to 137.0.0.3 and redistribute that route to other routers

Hello Chupaka,

Can you explian a bit more.

1. which ip address i have to add to public interface of mikrotik?
2. which ip address i have to add to local intrerface of mikrotik?
3. i have to add static route to 137.0.0.2/24?
4. shall i use OSPF for redistribute the route?

Regards,

haval

are that addresses routed or bridged to you?

if former - then 1) none; 2) none; 3) yes; 4) not, but you may. you may use any dynamic routing protocol: rip/ospf/bgp. I prefer ospf =)

if latter - then you should NAT or use proxy-arp + see previous paragraph

Dear Chupaka,

Can you explain more details,

my public ip address is 137.0.0.0/24 my default gateway is 137.0.0.1/24 i just want to give my clinets this range public ip address without using NAT, example

Client 1: 137.0.0.4/30
Client 2: 137.0.0.8/30

Regards,

Havaltech

Chupaka has been as clear as he can be.

Whithout knowing more about the layout of your network, no more detailed help can be provided.

Hello,

I have RB1000,

Public interface is connected to my ISP and have ip address 137.0.0.2/24 the default gateway is 137.0.0.1

on the Local interface of mikrotik i want to have this public ip address for my clients.


Client 1: 137.0.0.4/30 with default gateway 137.0.0.5
Client 2: 137.0.0.8/30 with default gateway 137.0.0.9


is it clear now?

enable proxy-arp on your uplink interface and setup routes to your internal computers with public addresses

you may want to use DHCP to assign public addresses, because in Windows OS with manual network settings the default gateway should be in the same subnet as the computer itself. when using DHCP, you may set any default gateway you want (it should be internal address of your router)

on the other hand, you may just setup bridge between your public and internal interfaces, so your clients will use your provider's default gateway

Hello,

I prefer second solution which is bridge between public interface and local interface. because i have to give my clinets static ip address.

I already made bridge between public interface and local interface your are right 100% now when i put

Client 1: 137.0.0.3/24 default gateway 137.0.0.1
Client 2: 137.0.0.4/24 default gateway 137.0.0.1

this config is working for me, and client have their own ip address.

Question: how i avoid IP confliction if one clinet put the ip address for another client i think that will be a problem is there is any way we can give clients ip address they can not change it?

Note: Local interface is connected to Cisco L2 switch.

the best way is still using DHCP. or you may use 'VLAN per user' scheme - it depends on the number of users you have

Hello,

I tried to created Vlan's on Local interface but did not work, Could tell me how i can create Vlan's I mean on which interface?

you should configure your switch to tag users' vlans first

Hello,

As i said before, i configured Mikrotik as bridge.

I made bridge and added local interface and public interface of mikrotik.

connected local interface to cisco switch and configured that port as Trunk. on the mikrotik local interface created 2 Vlan's Vlan10 ip address: 137.0.0.5/30
Vlan20 ip address: 137.0.0.9/30

In cisco switch created two vlan's also Vlan10 and Vlan20 and added them to Trunk.

is this config right?

your RouterOS works in bridge mode, so you should not add addresses on VLAN interfaces, just add VLANs to bridge. and then in firewall you may drop packets that come from VLAN but not from that client's subnet

Hello,

First of all thanks for your fast responding.

Now i created 2 Vlan's on Bridge interface

Vlan 20 without ip address
Vlan 30 without ip address

in Cisco switch i created same Vlan's Vlan 20 and Vlan 30 without ip address also.

which configuration i have to use for firewall to drop package. i am really do not unserstand what you mean.

at first, /interface bridge settings set use-ip-firewall=yes

then use 'In bridge port' in firewall rules to define needed vlan

Hello,

I am not succeed with your last post, What i am thinking now is to put fake ip address between WAN interface and my ISP router let me give you what i am tring to do.

My ISP interface ip address: 192.168.10.1
My MT WAN interface ip address: 192.168.10.2
Default gateway of MT 0.0.0.0/0 192.168.10.1
I will ask my ISP to route 137.0.0.0/24 through this.

Creating 2 Vlan's on the MT LAN interface.

Vlan 20 ip address: 137.0.0.1/25
Vlan 30 ip address: 137.0.0.128/25

is this config right? do i need to make masquerade or just default gateway 0.0.0.0/0 192.168.10.1 is enough to make verything working?

if you use bridge, there should not be addresses on interfaces, only on bridge

Hello,

I am not using bridge, Will try to use the config as explained.

As i said before, i configured Mikrotik as bridge.

Now i created 2 Vlan's on Bridge interface

I am not using bridge

I'm sorry, I don't understand you... =)

in last config - no, you should not masquerade, just route

My ISP interface ip address: 192.168.10.1
My MT WAN interface ip address: 192.168.10.2
Default gateway of MT 0.0.0.0/0 192.168.10.1
I will ask my ISP to route 137.0.0.0/24 through this.

Creating 2 Vlan's on the MT LAN interface.

Vlan 20 ip address: 137.0.0.1/25
Vlan 30 ip address: 137.0.0.128/25

This is the best option because you're routing and not bridging. Instead of them ARPing for all those IPs on your WAN interface they will just route it to you and you can forward the packets anywhere you wish. Just add those IP addresses to interfaces and the DAC routes will show up automatically, wham, now RouterOS knows about all of those subnets. Then all you need to do is firewall things.

You might need to src-nat outbound traffic originating at the router (dns lookups, pings, traceroutes) because you can't use 192.168.10.2 on the public internet.

Sam

Hello,

Everything is ok for me now using fake ip address, but could you tell me how i can make src-nat to have pinging, traceroute and etc..?

enter a src-nat rule using src-address=192.168.0.0/16, out-interface=your wan port, action=src-nat and then choose the ip address you want on the packets when they leave. This should be an ip address on your routers interface somewhere.

Dear Chupaka and Changeip,

Thanks for grate help. my last question is i want to make document and put all this information the subject will be "How you will route public ip address without using NAT" where is the best place i put this document. because i see many people asking same question.

Regards,

Havaltech

the best place is Wiki =) http://wiki.mikrotik.com/

Hi all,
I have read all the replies. But we need the following:

1. ISP gave me a block of IP. and using one of the IP (i,e. 203.20.25.2/29)
2. I am using NAT for my users.
3. I am requesting another IP block from my ISP to Serve My corporate clients with Public IPs.
with the same PC.

I can do this with 1 PC that can run in bridge mode and another PC is for NAT.

But I need to do this with same PC.
How can I do this?

Please help.
Thanks
Chap

just add another IP Address to your public interface, and then NAT 1:1 to your corporate clients

Thanks Chupaka for reply.

But my user need the public address to set to their PC.
if I use 1:1 nat then in the user side they setup their pc with Local ip subnet. But they will more satisfy if i gave them public addresses.

I heared that there is one way to give my user a public subnet. So they can set that subnet to their local interfaces.

Name of the system is " IP Forwarding "
Steps for Windows:
1. Make 2 block of IPs.
2. Route add -p <sub-net-address> mask <subnet-mask> <IP-address-of-gateway>

Thanks.
Chap

But my user need the public address to set to their PC.

so just route that address to your client. how much routers do you have between the Internet and that client?

or you may try simply use bridge

Hi

I have some problem to give out a public ip address to some users on my lan interface.

Setup is usually like this:
<OUR-ISP-CISCO3560-/30 address> --> <RB1000 /29 on Public interface-LAN Interface VLANs Internal IP addresses> --> <1:1 NAT to client Through VLANs>

Are there any way that we would be able to route a public ip from our /29 pool on our rb1000 public interface down to the client which is now connected by 1:1 nat?

ex. RB1000 IP
Public: 62.xxx.xxx.162/29 All our wifi hotspot clients on our vlan900 to 905 are routed out this interface by src-nat as changeip described.
Public: 62.xxx.xxx.166/29 are netmap 1:1 on vlan801 to client's IP 10.58.1.2/30 which is static ip for now. The different clients are very often asking for a real public address on this vlan801. But for the moment I do not know how to make this?

I have ask the ISP to route the ip so I could get a /30 public address and then have my /29 public addresses on my lan interfaces but unfourtunatly they wont do that.

Should I use proxy-arp or are there other solutions than a 1:1 nat?

Hi all,

The best way is you use fake ip address between you and your ISP and tell you ISP to route your pubilc ip address over this fake ip address. you will get your public ip address on local interface of mikrotik. then it is very easy to mange it. by Vlan's and subneting. I tired all ways this is the best way and working for me without any problem.

If you have any question about this way or how you will config your router i am ready to help.

Regards,

Havaltech

OK, I like the idea of getting to the hotspot with fake addresses and asigning the c class addresses to DHCP on the hotspot side.
Did it, but didn't work.
I'm not sure what I'm doing wrong. Would you help me?
I get a routed C class from my ISP, that part is working. I route everything to the WAN interface at the hotspot. Created DHCP with public addresses pool.
Guess there's no need for firewall roules besides the one hotspot creates.
What am I missing?

I have a similar problem and I hope Chupaka can help.

I have "WAN" and "LAN" IPs assigned to me by my ISP.

My WAN schema is a /30 (aa.bb.59.104 / 30), which gives me a single IP on my Mikrotik's "Public" interface (aa.bb.59.106) to talk to my ISP's Cisco router (which is assigned aa.bb.59.105).

I then have a /29 network (which gives me 6 usable public IPs but is a slightly different IP schema than the /30, - aa.bb.58.161 thru aa.bb.58.166) that is properly passed/routed through the Cisco to my Mikrotik, which I can then use for devices behind the Mikrotik on my "Private" interface.

I can successfully assign aa.bb.58.xx addresses to interfaces on my Mikrotik (which I don't want to do), but I mistakenly gave someone aa.bb.58.161 / 29 as the network range they could use for devices when I should have given them aa.bb.58.160 / 29. So, assuming .161 was the network, they assigned aa.bb.58.162 to a device with a gateway of aa.bb.58.161.

While this eats up two of my public IPs (aa.bb.58.161 and 162), I think I can rectify it by establishing the proper routes in the Mikrotik. Basically, I want to setup routes that allow the device who's IP is aa.bb.58.162 to be able to access (and be accessed by) the Internet, but I can't figure out the proper routes.

Please help! Please send either specific terminal commands or the proper GUI settings so I can get this working! I would prefer not to use bridging, 1:1 NAT, "fake IPs" or anything else "exotic" if it can be helped. I believe a simple route can do the trick.

if I understand you correctly, you should just add aa.bb.58.161/32 address to your RouterOS interface which is looking at 'the device'

Ah, I tried that, but I get a "TTL expired in transit" when I try to ping it and (of course) can't SSH to it... The reply to my ping is coming from aa.bb.59.106, the WAN IP addressed to the Public interface of my Mikrotik (if that helps in tracing the route).

only traceroute can help tracing the route ))) so make tracert from the machine you are trying to access from

Oooh, interesting! Now the tracert gets from me to my Mikrotik, then bounces back and forth between aa.bb.59.106 (my Mikrotik router) and aa.bb.59.105 (the ISP's Cisco router). I get a sense I'm almost there!

I should note that I have a static route on my Public interface, who's gateway is aa.bb.59.105 and destination is 0.0.0.0/0. I believe I put this in so the Public interface could access the Cisco router, i.e. the Internet.

stop-stop... do you have a route for your /29 subnet?..

simething like /ip route add destination=aa.bb.58.160/29 gateway=your_LAN_interface

Such a route was dynamically added by the system a while ago... But in printing out the route table, it made it a /32... How could I change this to a 29?
Please ignore ether2-LAN. This is my private LAN, not my public IP LAN.

Ah, I manually added /29 to the aa.bb.58.160 address on my LAN interface and BAM! I'm able to ping and SSH!

THANK YOU, Chupaka! You gave me just the right nudges to get me going. It's 4:30 in Minsk. I owe you a drink or sandwich of your choice...

I want Apple Big Mac or McDonalds?.. %)

anyway, you are welcome ))

p.s. you mean, added /29 to 58.161?.. then, if this block of addresses is routed to you via .59.106, you've just lost a possibility to use 58.160 for your client =)

I mean, if you add a route as I said, you clould use 58.160 address

Yes, I added /29 to aa.bb.58.161, with a network of aa.bb.58.160 and a broadcast aa.bb.58.167

According to our ISP, the only usable IPs we have are .161 - .166. .160 shouldn't be usable, as it's our network/gateway. Are you saying there's a way to use it? I wouldn't think so...

If my customer programmed their device with .161 instead of .162, what IP would I assign to the LAN interface they're connecting to: .160?

I thought, /29 is routed to you via your /30...

I'm really confused I just want to show You mine simple configuration

INTERNET ----- ether1 / ether2 ------ CLIENTS

ISP IP: 212.XXX.XXX.1/30
MY IP TO ISP: 212.XXX.XXX.2/30

MY PUBLIC CLASS: 92.XXX.XXX.0/24

So my clients will have static IPs like 92.XXX.XXX.2 - 92.XXX.XXX.254

In this case I will setup my gateway like this...

IP > ADDRESS > ether1 -> 212.XXX.XXX.2/30
IP > ADDRESS > ether2 -> 92.XXX.XXX.1/24
IP > ROUTES > 0.0.0.0 - GATEWAY: 212.XXX.XXX.1

And this is case if You trust Your clients... Now then they choose any address 92.XXX.XXX.2 - 92.XXX.XXX.254 and setup their PC / ROUTER like:
IP: 92.XXX.XXX.2
SUBNET: 255.255.255.0
GATEWAY: 92.XXX.XXX.1

Or If You want to make them use only one IP You must split Your /24 subnet to /30 ... And for one client You will loose 4 public IPs... But in that case You must setup Your main gateway for every user something like this:
Remove IP from ether2
Than Add something like this:
IP > ADDRESS > ether2 -> 92.XXX.XXX.1/30

Now Your clients PC/ROUTER configuration looks like:
IP: 92.XXX.XXX.2
SUBNET: 255.255.255.252
GATEWAY: 92.XXX.XXX.1

You next free IP is:
92.XXX.XXX.4 on ether2 and 92.XXX.XXX.5 for client

Etc...

dear m4rk0

i want to use exactly the same config, but want to use that with hotspot, is that possible ?
instead of giving private IP address 10.5.x.x i want to give out public IP, is that possible ? and how as i have hotspot already setup, but need to change the setup so the mikrotik gives out public IP.

thanks for help.

dear m4rk0

i want to use exactly the same config, but want to use that with hotspot, is that possible ?
instead of giving private IP address 10.5.x.x i want to give out public IP, is that possible ? and how as i have hotspot already setup, but need to change the setup so the mikrotik gives out public IP.

thanks for help.

If Your HOTSPOT is on Your GATEWAY You can just change hotspot pool in Your public ip range...

the mikrotik router is on gateway, but then would i not need to disable the NAT rules in firewall ? or just adding another pool on DHCP would work ? and I need to bridge the interfaces so it kind of passes through

do you use some kind of ppp?

Hi there,

Im having this problem on ppp. I can access the entire /29 block from the internet but now when I go to speedtest.net or whatismyip.com etc, I see a different IP and not my public IP. How do I route or setup my public IP to see it on those websites?

Regards