Hello, I can not solve a problem. My isp gives me 8 static public ip.
I have this configuration, ISP--- rj11---->modem ---rj45--->eth1 mikrotik eth4-----> user
I want my 5 client navigable each with a different public ip. Unfortunately I do not know how to configure the public ip in mikrotik.
I would need a sempice explanation of how to configure it.
Could you help me?

The short answer is One-to-One NAT. There are many walk throughs on how to set this up.

Configure the internal clients to work properly using the MT and a masquerade route first. Then go back and add your One-to-One NAT configurations and each client will appear to have a public address on the public side and you can still add LAN side devices that are only visible by other LAN side devices.

Curiosity to why you want a client to have a public IP when natting might do the same thing. Seems like a security hols waiting to collapse.

Unfortunately, every client has a server with port 80 I can not change for business reasons

You can also keep the public IP on your gateway router and NAT only the ports they need. Otherwise, One-to-One NAT is the way to go...

the problem is that I do not know if it fits the modem upstream.
My provider gives me authentication pppoa that the mikrotik does not support

PPPoA is new to me but a quick search got this info:
http://robert.penz.name/484/howto-use-a ... onnection/

It looks like it might be worth a try. Beyond that, I do not know.

Some xDSL modems can do a PPPoE <> PPPoA conversion on the fly.

There are several ways depending on how your clients connect.

Lets take 1 example. You have a LAN of 192.168.88.2/24 and are hosting 5 web servers on it, 192.168.88.5-192.168.88.10 with public IP's of 1.1.1.1-1.1.1.5 say.

Assume WAN is ether1


So for each server you do a rule set like this :

/ip firewall nat
add chain=dst-nat action=dst-nat dst-address=1.1.1.1 dst-address=192.168.88.5 protocol=tcp dst-port=80
add chain=src-nat action=src-nat src-address=192.168.88.5 to-addrerss=1.1.1.1 out-interface=ether1

This makes the individual server always masquerade itself with its own public IP and any traffic to it's public IP will be redirected to it. If you remove the protocol=tcp and port=80 then all traffic destined to 1.1.1.1 will be sent to 192.168.88.5 and replies from the server will come from 1.1.1.1

The other way is to have each server (or client router) run a PPPoE client to the Mikrotik and set up a PPPoE Server with a local address equal to it's WAN stub address and each client is assigned a public address.

/ppp secret
add local-address=2.2.2.2 name=uswer1 password=qwerty remote-address
1.1.1.1 service=pppoe
add local-address=2.2.2.2 name=user2 password=1234 remote-address
1.1.1.2 service=pppoe

This approach requires you do not have a masquerade rule for ALL traffic. Be sure to specify a src-address in the default masquerade rule otherwise the public IP's will still get masqueraded as 2.2.2.2

It may be possible to take the NAT out of the equation and to improve the network performance etc: If your ISP is already willing to give you multiple IP-addresses then why not ask for a subnet? Your 8-address pool can be subnetted as well, but you loose some of them in the process and maybe it is better ask for a new /28 or even larger subnet to be routed to your router and then you assign these addresses over to your client side (directly or indirectly depending of your network topology).

thank you very much for your help

There are several ways depending on how your clients connect.

Lets take 1 example. You have a LAN of 192.168.88.2/24 and are hosting 5 web servers on it, 192.168.88.5-192.168.88.10 with public IP's of 1.1.1.1-1.1.1.5 say.

Assume WAN is ether1


So for each server you do a rule set like this :

/ip firewall nat
add chain=dst-nat action=dst-nat dst-address=1.1.1.1 dst-address=192.168.88.5 protocol=tcp dst-port=80
add chain=src-nat action=src-nat src-address=192.168.88.5 to-addrerss=1.1.1.1 out-interface=ether1

This makes the individual server always masquerade itself with its own public IP and any traffic to it's public IP will be redirected to it. If you remove the protocol=tcp and port=80 then all traffic destined to 1.1.1.1 will be sent to 192.168.88.5 and replies from the server will come from 1.1.1.1

The other way is to have each server (or client router) run a PPPoE client to the Mikrotik and set up a PPPoE Server with a local address equal to it's WAN stub address and each client is assigned a public address.

/ppp secret
add local-address=2.2.2.2 name=uswer1 password=qwerty remote-address
1.1.1.1 service=pppoe
add local-address=2.2.2.2 name=user2 password=1234 remote-address
1.1.1.2 service=pppoe

This approach requires you do not have a masquerade rule for ALL traffic. Be sure to specify a src-address in the default masquerade rule otherwise the public IP's will still get masqueraded as 2.2.2.2

I followed your instructions, my configuration is as follows:

/ip address
add address=192.168.1.1/24 disabled=no interface=LAN network=192.168.1.0

add address=220.220.2.3/28 disabled=no interface=WAN1 network=220.220.2.0
add address=220.220.2.4/28 disabled=no interface=WAN1 network=220.220.2.0
add address=220.220.2.5/28 disabled=no interface=WAN1 network=220.220.2.0
add address=220.220.2.6/28 disabled=no interface=WAN1 network=220.220.2.0

add address=220.220.4.3/28 disabled=no interface=WAN2 network=220.220.2.0
add address=220.220.4.4/28 disabled=no interface=WAN2 network=220.220.2.0
add address=220.220.4.5/28 disabled=no interface=WAN2 network=220.220.2.0
add address=220.220.4.6/28 disabled=no interface=WAN2 network=220.220.2.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=220.220.2.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=220.220.4.1 scope=30 target-scope=10

/ip firewall nat
add chain=dst-nat action=dst-nat dst-address=220.220.2.3 to-address=192.168.1.5 protocol=tcp dst-port=80
add chain=src-nat action=src-nat src-address=192.168.1.5 to-addrerss=220.220.2.3 out-interface=ether1

add chain=dst-nat action=dst-nat dst-address=220.220.4.3 to-address=192.168.1.10 protocol=tcp dst-port=80
add chain=src-nat action=src-nat src-address=192.168.1.10 to-addrerss=220.220.4.3 out-interface=ether1


but unfortunately I only work with PCs connected to the wan1 public ip 220.220.2.x while the PCs connected to WAN2 with 220.220.4.x not work.

To operate the PC connected to WAN2 with ip 220.220.4.x are costreddo to disable the rule:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=220.220.2.1 scope=30 target-scope=10


How can I solve?
thanks

I settled with the pre-routing, but now I do not work the filter rules.
I configured pppoe server in a mikrotik